Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent identity and NHI governance: are your controls keeping up?


(@unosecur)
Honorable Member
Joined: 1 year ago
Posts: 188
Topic starter  

TL;DR: AI agents and other NHIs authenticate through policy, attestation, and short-lived credentials rather than human MFA, according to Unosecur. The real shift is that identity programmes must govern non-interactive access, lifecycle, and runtime evidence as machine-native requirements, not as extensions of human login controls.

NHIMG editorial — based on content published by Unosecur: Rethinking identity for AI agents and other non-human identities

Questions worth separating out

Q: How should security teams govern AI agent identities in Zero Trust environments?

A: Security teams should govern AI agent identities with machine-native authentication, short-lived credentials, runtime policy, and continuous logging.

Q: Why do service accounts with standing privilege increase security risk?

A: Standing privilege increases risk because a compromised service account can be reused for later movement, broader access, and long-lived abuse.

Q: What breaks when human MFA is used for bots and AI agents?

A: Human MFA breaks machine workflows because bots cannot complete interactive approval steps in a reliable or secure way.

Practitioner guidance

  • Replace human MFA flows for machine identities Use app-only authentication, workload identity federation, or certificate-backed access for non-interactive actors.
  • Eliminate long-lived secrets from code and infrastructure Move service credentials into federation or managed identity patterns, then enforce expiry by design.
  • Bind authorization to attested workload identity Require attestation and mTLS where workloads need to prove runtime context, then tie policy decisions to namespace, image digest, node, or environment metadata.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of app-only authentication and workload identity flows for non-interactive access
  • Implementation detail on federation, managed identities, and temporary credential patterns
  • Practical guidance on attestation and SPIFFE/SPIRE for workload identity assurance
  • Lifecycle control examples for ownership, logging, rotation, and de-provisioning

👉 Read Unosecur's analysis of identity controls for AI agents and NHIs →

AI agent identity and NHI governance: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Human MFA is the wrong control model for AI agent identities: MFA was designed for interactive users, not for non-interactive execution by software actors. AI agents and NHIs authenticate through machine-centric flows, so the security question becomes whether the identity can be trusted, scoped, and revoked without human prompts. The implication is that IAM programmes must stop treating bot access as a human login problem.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity teams cannot reliably inventory machine access.

A question worth separating out:

Q: How do organisations know whether machine identity controls are working?

A: They know controls are working when every non-human identity has an owner, an expiry, a logged action trail, and no persistent secrets in code or configuration. If tokens survive long after the task, or if access cannot be tied to a workload and purpose, the governance model is not operating as intended.

👉 Read our full editorial: Rethinking identity for AI agents and NHIs in Zero Trust



   
ReplyQuote
Share: