AI agent credentials and runtime authorisation: are your controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Static API keys and service accounts were built for predictable machine behaviour, but AI agents decide at runtime, creating an authorization gap that can let broad credentials be used in ways no one explicitly approved, according to 1Kosmos. Access review processes assume privilege persists long enough to be reviewed; autonomous actors can consume and discard authority inside the execution window, leaving governance blind to the action itself.

NHIMG editorial — based on content published by 1Kosmos: Why API Keys and Service Accounts Can’t Govern AI Agents

Questions worth separating out

Q: What breaks when AI agents rely on API keys for sensitive actions?

A: API keys break at the point where a task requires runtime judgment.

Q: Why do service accounts still leave AI agent governance gaps?

A: Service accounts give you ownership and inventory, but they usually do not validate the action at execution time.

Q: How should security teams govern AI agents that can choose their own tools?

A: They should govern the action, not just the identity object.

Practitioner guidance

  • Interpose policy at the tool-call boundary: Evaluate each agent request before it reaches the target system.
  • Separate authentication from authorisation: Keep API keys and service accounts as identity proof, but require a runtime policy decision for any sensitive or destructive operation.
  • Shorten the lifetime of action-scoped credentials: Issue credentials only for a single approved operation where possible, and expire them immediately after use.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • The execution-plane architecture for intercepting MCP tool calls before they reach target systems.
  • How verifiable credentials are used to replace static API keys in runtime agent authentication.
  • The policy-threshold logic that determines when human approval is required for higher-risk actions.
  • The control-plane and lifecycle visibility problems that create ghost-agent risk when staff leave.

👉 Read 1Kosmos's analysis of why API keys and service accounts fail for AI agents →
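
The three points under "Practitioner guidance" above, combined in one sketch. This is an added example, not part of the original post and not 1Kosmos's design: the function names `decide` and `redeem`, the risk table, the approval threshold, the 30-second lifetime and the HMAC token format are all hypothetical, with the HMAC token standing in for whatever action-scoped credential a real deployment issues. It assumes the agent has already been authenticated (for example by its API key) before `decide` is called.

```python
import hashlib, hmac, json, os, time

SIGNING_KEY = b"constructed-demo-key"  # assumption: held by the gate and target, never the agent
APPROVAL_THRESHOLD = 50                # assumption: risk at or above this needs a human approver
RISK = {"read": 10, "write": 40, "delete": 90}  # constructed per-action risk scores
_used = set()                          # nonces already redeemed, enforcing single use

def _sign(body):
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def decide(agent_id, tool, action, resource, approved_by=None, now=None):
    """Policy decision at the tool-call boundary: returns (verdict, token or None)."""
    now = time.time() if now is None else now
    risk = RISK.get(action)
    if risk is None:
        return "deny", None            # unknown actions fail closed
    if risk >= APPROVAL_THRESHOLD and not approved_by:
        return "needs_approval", None  # identity alone is not enough for this action
    claims = {"agent": agent_id, "tool": tool, "action": action, "resource": resource,
              "approved_by": approved_by, "exp": now + 30, "nonce": os.urandom(8).hex()}
    body = json.dumps(claims, sort_keys=True)
    return "allow", body + "." + _sign(body)

def redeem(token, tool, action, resource, now=None):
    """Target-side check: signature valid, same operation, unexpired, not replayed."""
    now = time.time() if now is None else now
    body, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(body)):
        return False
    c = json.loads(body)               # parsed only after the signature verifies
    if (c["tool"], c["action"], c["resource"]) != (tool, action, resource):
        return False                   # credential is bound to one approved operation
    if now > c["exp"] or c["nonce"] in _used:
        return False
    _used.add(c["nonce"])              # expire immediately after first use
    return True
```
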
