Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic identity monitoring: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: Agentic identities need lifecycle-level monitoring because NHIs register, expand consent, call tools, and persist beyond the authorising user, creating an audit gap that traditional human-session models miss, according to Descope. The control problem is not visibility alone, but whether identity governance can keep pace with continuously changing machine and agent privileges.

NHIMG editorial — based on content published by Descope: Monitoring and Auditing Agentic Identities With Descope Auth Thoughts

By the numbers:

Questions worth separating out

Q: How should security teams monitor agentic identities without relying on human session assumptions?

A: They should monitor the full lifecycle, not just login events.

Q: Why do agentic identities complicate traditional IAM governance?

A: Because they do not follow the clean start-and-stop pattern that human identity programmes assume.

Q: What breaks when consent changes are not audited for non-human identities?

A: Governance loses the ability to prove who approved scope expansion and when it happened.

Practitioner guidance

What's in the full article

Descope's full blog post covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of Descope audit events for registration, consent changes, connection creation, and policy denial.
  • Implementation detail for MCP authentication, dynamic client registration, and outbound token exchange.
  • Step-by-step examples showing how Snowflake access is mediated through scoped connection policies.
  • How custom audit events can be streamed into SIEM and observability tooling for correlation and alerting.

👉 Read Descope's analysis of monitoring and auditing agentic identities →

Agentic identity monitoring: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Continuous agentic access breaks the human-session model. Human IAM assumes a login, an action period, and a logout. That assumption fails when the actor is an NHI that can keep registering, requesting scopes, refreshing tokens, and calling tools while the original user context changes or disappears. The implication is that identity governance must stop treating audit as a post-event record and start treating it as the only reliable state model for agentic access.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • That same research found that only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.

A question worth separating out:

Q: Who should own accountability for agentic identity access decisions?

A: The accountable owner should be the team or function that controls the identity lifecycle, not the agent itself and not a generic platform team. Each client, connection, and scope set needs an owner who can approve changes, respond to denials, and remove access when the relationship ends.

👉 Read our full editorial: Monitoring agentic identities exposes the NHI lifecycle gap



   
ReplyQuote
Share: