TL;DR: Only 7% of organisations believe current controls would stop a compromised AI agent from operating, according to Akeyless, underscoring that credential protection alone does not address post-authentication misuse across machines, workloads, and autonomous systems. The real gap is runtime authority: access models built for persistent identities cannot govern action-level risk once access is granted.
NHIMG editorial — based on content published by Akeyless: AI agent identity security and the shift to runtime authority
By the numbers:
- Only 7% of organizations believe their current controls would actually prevent a compromised agent from operating.
- Akeyless secures over 220 billion machine identity interactions.
Questions worth separating out
Q: How should security teams control AI agents that can act after authentication succeeds?
A: Security teams should treat authentication as only the first checkpoint.
Q: Why do standing permissions increase risk for machine identities?
A: Standing permissions increase risk because they remain useful long after the original task ends.
Q: What do organisations get wrong about secrets rotation for AI systems?
A: They often assume rotation alone solves the problem.
Practitioner guidance
- Map standing privilege across machine and agent identities Inventory where service accounts, API keys, and AI agent credentials persist beyond the task they were created for.
- Convert long-lived secrets into task-scoped access Replace reusable credentials with short-lived, brokered sessions bound to a single workload, query, or operational task.
- Insert runtime policy before sensitive actions complete Enforce a control point that evaluates intent and context before a destructive query, configuration change, or data export is allowed.
What's in the full article
Akeyless's full article covers the operational detail this post intentionally leaves for the source:
- How the runtime authority model is enforced across AI agents, workloads, and privileged users in production flows.
- Deployment examples showing containerized gateways, local resiliency, and low-latency access brokering.
- The vendor's own implementation framing for zero credentials on the agent and zero direct connectivity.
- Field examples describing how enterprises apply dynamic ephemeral identity to cloud and multi-cloud environments.
👉 Read Akeyless's analysis of AI agent identity security and runtime authority →
AI agent credentials and runtime control: what are teams missing?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Static credential governance was built for identities that stay put, not actors that act and adapt at runtime. The article's core insight is that secrets management solves only the issuance problem, while modern AI agents and machine identities create risk after access is already granted. That means the traditional assumption that security ends at authentication no longer holds. Practitioners should treat post-authentication control as the new boundary of identity governance.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when an AI agent misuses valid access?
A: Accountability stays with the organisation that granted the access and defined the operating model. If an agent can act without a runtime control layer, the failure is governance, not just security hygiene. Teams need clear ownership across IAM, PAM, platform engineering, and AI operations so runtime decisions are not orphaned.
👉 Read our full editorial: AI agent identity security needs runtime authority, not static access