TL;DR: AI systems are now retrieving internal data, invoking APIs, modifying records, and triggering workflows autonomously across enterprise environments, according to Lakera's analysis and cited Gartner estimates that 15% of day-to-day work decisions will be made autonomously by agentic AI by 2028. Access review processes assume access persists long enough to be reviewed; autonomous actors can acquire and discard privileges within a single session.
NHIMG editorial — based on content published by Lakera: AI Has Stopped Asking for Permission. Has Your Security Team Noticed?
By the numbers:
- As of today, 14% of organizations have already deployed autonomous agents into live production environments.
- Reported AI security incidents jumped 67% year-over-year as organizations moved from pilots to production.
Questions worth separating out
Q: What breaks when AI agents are governed like normal application accounts?
A: Normal application-account governance assumes the actor has stable intent, stable tool use, and a reviewable privilege window.
Q: Why do AI agents complicate least privilege?
A: Least privilege is usually defined at provisioning time, but agent intent is assembled at runtime from prompts, context, and tool selection.
Q: How do security teams know if an AI agent is exceeding its intended scope?
A: Look for tool calls that extend beyond the original user request, unexpected access to internal documents, or actions that chain across systems without a separate approval step.
Practitioner guidance
- Define tool-level authorisation for every agent Assign explicit permissions to each API, database, and workflow tool an agent can reach.
- Map approval boundaries to the action itself Require a policy decision at the point of execution for high-impact actions such as record changes, external messages, and workflow triggers.
- Correlate agent telemetry across context and output Collect logs for prompts, retrieved documents, tool calls, and outputs in one investigative path.
What's in the full article
Lakera's full article covers the operational detail this post intentionally leaves for the source:
- The article maps the three AI exposure surfaces in more detail, including how each one changes the control design.
- It expands on the agentic threat landscape diagram and the sequence from prompt to tool use to output.
- It explains the AI Defense Plane concept with more implementation context for teams building layered controls.
- It points to real-world examples from Dropbox and Nubank that show how the framework is being applied in practice.
👉 Read Lakera's analysis of AI agent identity risk and execution-layer security →
AI agent identity risk: are enterprise controls keeping up?
Explore further
Access review processes were designed for actors whose privileges persist long enough to be observed. That assumption fails when the actor is autonomous because access can be acquired, used, and discarded within a single session. The implication is not a new control, but a broken governance premise: review cadences no longer guarantee a reviewable state. Autonomous systems change the timing of privilege in a way human IAM and conventional NHI governance do not expect. If the actor can choose tools and act without approval gates, the old audit window closes before recertification starts. Practitioners need to recognise the collapsed assumption before they build around it.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when an AI agent performs an unauthorized action?
A: Accountability sits with the programme that granted the agent access, defined the policy boundary, and approved the integration. If ownership is split across product, security, and platform teams, gaps appear in logging, review, and rollback. Clear ownership is the only way to assign responsibility when autonomy blurs the operator chain.
👉 Read our full editorial: AI agent identity risk is outpacing enterprise IAM controls