AI agent authority models: what IAM teams need to govern now


(@nhi-mgmt-group)

TL;DR: AI agents in production split into delegated, bounded, and autonomous authority models, each with different identity, attestation, and authorization requirements, according to 1Password. The deeper issue is assumption collapse: access review, static least privilege, and human-paced approval loops all break when agent behavior changes at runtime.

NHIMG editorial — based on content published by 1Password: AI agent authority models and the identity controls needed to secure them

Questions worth separating out

Q: How should security teams govern AI agents that act on behalf of a human?

A: They should require a traceable delegation chain, short-lived scoped tokens, and an auditable link between the human principal and the agent’s actions.

Q: Why do autonomous agents create more identity risk than ordinary automation?

A: Autonomous agents can change access needs while the task is running, which means least privilege cannot be fully decided at provisioning time.

Q: What breaks when bounded agents are given broad standing credentials?

A: The blast radius expands from one workflow run to every system those credentials can reach.

Practitioner guidance

  • Define authority models before issuing access: Classify each agent as delegated, bounded, or autonomous, then assign identity policies based on that authority chain instead of on the tool or workload name.
  • Separate development and production trust domains: Block any agent, local or remote, from carrying the same credentials across development and production.
  • Make session revocation propagate across downstream systems: Use continuous access evaluation so a revoked human session, changed policy, or security event terminates active agent access across every relying party the agent has touched.

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • Protocol-by-protocol treatment of token exchange, WIMSE, CAEP, and OAuth claims for each authority model
  • Local versus remote deployment controls, including attestation, process verification, and platform-managed identity
  • Run-scoped controls for bounded agents, including how to keep development and production boundaries separate
  • Autonomous-agent escalation handling, including sub-agent delegation and revocation cascades

👉 Read 1Password's analysis of AI agent authority models and identity controls →
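
An added illustration (not code from this post or from 1Password's article) of the checks the guidance above implies for a delegated agent's token: a delegation chain back to the human, a short lifetime, scopes within the grant, and a matching trust domain. The nested `act` claim follows RFC 8693 token exchange; the `env` claim, the `POLICY` table and its limits are assumptions, and the claims are assumed to be signature-verified already.

```python
import time

# Hypothetical per-model policy: max token lifetime (s) and whether a human
# delegation chain (RFC 8693 "act" claim) is required. Values are assumptions.
POLICY = {
    "delegated":  {"max_ttl": 900,  "needs_actor": True},
    "bounded":    {"max_ttl": 3600, "needs_actor": False},
    "autonomous": {"max_ttl": 300,  "needs_actor": False},
}

def actor_chain(claims):
    """Flatten nested RFC 8693 `act` claims, current actor first."""
    chain, act = [], claims.get("act")
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain

def check_agent_token(claims, model, allowed_scopes, environment, now=None):
    """Return a list of policy violations for already signature-verified claims."""
    now = time.time() if now is None else now
    policy, problems = POLICY[model], []
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or exp is None:
        problems.append("missing iat/exp: standing credential")
    elif exp <= now:
        problems.append("token expired")
    elif exp - iat > policy["max_ttl"]:
        problems.append("lifetime exceeds limit")
    extra = set(claims.get("scope", "").split()) - set(allowed_scopes)
    if extra:
        problems.append("scope outside grant: " + ",".join(sorted(extra)))
    if claims.get("env") != environment:   # `env` is an assumed custom claim
        problems.append("trust domain mismatch")
    if policy["needs_actor"] and not (claims.get("sub") and actor_chain(claims)):
        problems.append("no delegation chain linking human principal to agent")
    return problems

# Constructed sample claims: a human principal delegating to a mail agent.
NOW = 1_700_000_000
GOOD = {"sub": "alice@example.com", "act": {"sub": "agent:mail-triage"},
        "scope": "mail.read", "env": "prod", "iat": NOW - 60, "exp": NOW + 540}
BAD = {"sub": "agent:mail-triage", "scope": "mail.read mail.send",
       "env": "dev", "iat": NOW - 60, "exp": NOW + 86400}

if __name__ == "__main__":
    print(check_agent_token(GOOD, "delegated", ["mail.read"], "prod", NOW))
    print(check_agent_token(BAD, "delegated", ["mail.read"], "prod", NOW))
```
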

(@mr-nhi)

AI agent identity governance breaks when access is assumed to be stable long enough to review. That assumption was designed for humans and predictable workloads, where privileges can be certified after the fact. It fails when an agent can expand scope mid-task, spawn sub-agents, or complete a sensitive action before any review cycle sees it. The implication is not just better controls, but a different governance model for runtime authority.

A few things that frame the scale:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records.

A question worth separating out:

Q: Who should be accountable when an AI agent crosses its authorized boundary?

A: Accountability should follow the authority model. For delegated agents, the human principal owns the delegation subject; for bounded agents, the workflow owner owns the scope; for autonomous agents, the organisation must own the runtime policy and revocation model. If accountability is only recorded after the fact, the identity programme has already lost the chain.

👉 Read our full editorial: AI agent identity models expose the limits of traditional IAM
