Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic AI access control: what static IAM gets wrong


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Agentic AI systems are generating 148 times more authentication requests than human users and 60% of enterprises are expected to use AI agents within a year, creating authorization blind spots that legacy RBAC and OAuth cannot absorb, according to PlainID and CSA. Static permissions and context-blind access checks are no longer adequate when agents act at machine speed.

NHIMG editorial — based on content published by PlainID: Challenging the Status Quo: Why Agentic AI Demands a New Approach to Access Control

By the numbers:

Questions worth separating out

Q: How should security teams govern access for AI agents that change tasks at runtime?

A: Security teams should govern AI agents with task-scoped permissions, runtime policy checks, and logging that ties each action back to the initiating context.

Q: Why do static IAM roles create risk for agentic AI?

A: Static IAM roles create risk because they assume the identity's purpose is known in advance and will not change mid-session.

Q: What breaks when delegated access is used for autonomous agent workflows?

A: Delegated access breaks down when the organisation cannot tell whether a downstream action still matches the original approved intent.

Practitioner guidance

  • Map agent permissions to task scope, not job titles Replace broad, static role grants with narrowly bounded permissions tied to the specific action the agent is allowed to perform and the data it is allowed to touch.
  • Add runtime policy checks before sensitive actions Evaluate the request in context at the point of use, including data sensitivity, request volume, time of action, and whether the current action still matches the original intent.
  • Track delegation lineage across sub-agents Log the initiating identity, each handoff, and every downstream tool call so investigators can reconstruct who caused the final action even when execution is distributed.

What's in the full article

PlainID's full article covers the operational detail this post intentionally leaves for the source:

  • The article's deeper explanation of why context-blind RBAC and OAuth break down for agentic workflows.
  • PlainID's framing of the confused deputy problem and how it appears in AI agent behaviour.
  • The vendor's discussion of dynamic authorization concepts that go beyond this post's governance analysis.

👉 Read PlainID's analysis of why agentic AI needs dynamic access control →

Agentic AI access control: what static IAM gets wrong?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Static access control is the wrong mental model for agentic AI. RBAC and long-lived delegated permissions were built for identities whose access needs are stable enough to predefine. That assumption fails when an agent can change tasks, tools, and execution paths at runtime. The implication is that access control for agents must be treated as a dynamic decision problem, not a role assignment problem.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How can organisations tell whether AI agent controls are actually working?

A: Organisations should look for evidence that access decisions are being re-evaluated at runtime, that delegation chains are fully attributable, and that unexpected tool use is flagged before data leaves the authorised scope. If agents can access sensitive systems without a contextual check, the control is not working as intended.

👉 Read our full editorial: Agentic AI demands dynamic access control, not static IAM roles



   
ReplyQuote
Share: