Notifications
Clear all
Topic starter
08/06/2026 4:18 pm
TL;DR: AI agents, MCP workflows, and traditional infrastructure now share the same identity problem: fragmented access, static credentials, and audit blind spots, according to Teleport. The real shift is that identity governance must treat agents as first-class subjects while preserving task-scoped, traceable access across humans and machines.
NHIMG editorial — based on content published by Teleport: Securing Identity in the Age of AI, a buyer’s guide to identity governance for MCP and AI agents
By the numbers:
- 80% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should security teams govern AI agents that use MCP tools?
A: Treat MCP-connected agents as governed non-human identities, not as ordinary app integrations.
Q: Why do AI agents increase identity risk compared with traditional automation?
A: AI agents can decide which tools to call and when to act, so their access pattern is less predictable than scripted automation.
Q: What breaks when AI agents are governed like normal service accounts?
A: Service-account governance often assumes access is stable, narrowly scoped, and easy to certify later.
Practitioner guidance
- Map AI agents into the NHI inventory Classify every agent, MCP integration, token, and certificate as a governed non-human identity with an owner, purpose, and expiry condition.
- Replace static secrets with task-scoped credentials Issue short-lived certificates or equivalent ephemeral credentials for agent and workload access, and tie them to a single unit of work.
- Bind access to policy at the point of use Use RBAC and ABAC together so access decisions reflect task, environment, and trust context rather than a permanent role alone.
What's in the full article
Teleport's full blog post covers the operational detail this post intentionally leaves for the source:
- How Teleport applies cryptographic identity to humans, workloads, and AI agents in one access model.
- The phased implementation path for replacing VPNs and secrets with zero trust access and identity governance.
- The specific MCP and agentic AI controls the vendor maps to task-scoped access, auditability, and expiration.
- The buying criteria checklist used to evaluate unified identity platforms for AI-enabled infrastructure.
👉 Read Teleport's guide to securing identity in the age of AI →
AI agent identity governance: what changes for IAM teams?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
08/06/2026 5:52 pm
AI agent governance is becoming an NHI problem before it becomes an AI problem. Once agents can call tools, access data, and trigger workflows, the identity challenge shifts from model behaviour to runtime privilege. That means the same governance weaknesses that plague service accounts, tokens, and API keys now apply to agent identities too. Practitioners should treat agent access as part of the NHI control surface, not as a separate AI-only category.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, which shows why lifecycle controls still lag behind access creation across NHI programmes.
A question worth separating out:
Q: How do organisations keep accountability when humans and agents share the same access model?
A: Keep a clear chain from request to action to approval, and record the human origin of agent-initiated work. That preserves attribution without pretending the human is executing every step. Accountability improves only when session logs, policy decisions, and tool usage all stay linked across the full identity chain.
👉 Read our full editorial: AI agent identity governance needs a unified access model
