TL;DR: AI can dynamically compose actions across live data, and Delinea’s October 2025 analysis shows that orphaned agents, exposed session tokens, and overly broad access create breach and compliance risk when authorization is reduced to a single gate. The real issue is that identity programmes still assume access is stable, reviewable, and human-paced.
NHIMG editorial — based on content published by Delinea: It’s guardrails, not gates, that balance AI innovation and security
Questions worth separating out
Q: How should security teams govern AI agents that can chain actions across live systems?
A: Teams should govern AI agents as runtime actors, not as static accounts with a one-time approval.
Q: Why do AI agents complicate least privilege in IAM programmes?
A: AI agents complicate least privilege because their exact action path is often not knowable before execution begins.
Q: What breaks when session tokens are exposed in AI workflows?
A: When session tokens are exposed, an attacker can replay the token and inherit the authenticated session without defeating login controls again.
Practitioner guidance
- Map AI agent runtime reach Inventory which live data sources, command paths, and privileged actions each AI agent can touch after authentication.
- Treat exposed session tokens as active compromise Assume replay risk whenever unhashed tokens, backups, or logs expose bearer credentials.
- Add lifecycle ownership to every AI agent Assign a named owner, review cadence, and retirement trigger for each agent that can pull live data or make decisions.
What's in the full article
Delinea's full blog post covers the operational detail this post intentionally leaves for the source:
- The specific examples behind the university chatbot, token exposure, orphaned agent, and controlled AI authorization scenarios.
- The session-level authorization logic used to evaluate intent, need, risk, and asset sensitivity.
- The practical framing behind the four questions that determine whether AI authorization should proceed.
- The video demonstration of how Iris AI is described as working inside privileged sessions.
👉 Read Delinea's analysis of AI guardrails, session tokens, and orphaned agents →
AI agent guardrails and identity controls: are gates enough?
Explore further
Gate-based authorization is too narrow for AI agents that compose actions at runtime. The article shows that the decisive risk is not simply whether an AI system is authenticated, but whether it can chain decisions after entry without a new control point. That pattern sits squarely in the gap between IAM entry checks and privileged session behaviour. Practitioners should treat AI agents as session actors, not just logged-in entities, because the attack surface is created by action chaining rather than login alone.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
A question worth separating out:
Q: Who is accountable when an orphaned AI agent keeps accessing live data?
A: Accountability should sit with the business or technical owner who approved the agent’s purpose and access scope, not with the team that last touched the code. If no owner exists, the identity is already out of governance. Organisations should require a retirement trigger, recertification point, and escalation path for every live agent.
👉 Read our full editorial: AI agent guardrails expose the limits of gate-based authorization