TL;DR: AI agents decide at runtime which tools, data, and services to use, which breaks the old assumption that identity can be authenticated once, scoped statically, and audited later, according to Aembit. A 2025 SailPoint survey found that 80% of organisations observed unexpected or unauthorized agent actions. That makes delegation, auditability, and dynamic privilege control the real governance test, not traditional workload identity alone.
NHIMG editorial — based on content published by Aembit: AI agents challenge traditional identity models
By the numbers:
- 80% of organizations using AI agents have observed them acting unexpectedly or performing unauthorized actions.
- 69% of organizations now have more machine identities than human ones.
- Only 38% have automated certificate lifecycle management in place.
Questions worth separating out
Q: How should security teams govern AI agents that can choose tools at runtime?
A: Treat the agent as a delegated identity whose access must be evaluated when each request occurs.
Q: Why do AI agents complicate least-privilege design?
A: Least privilege becomes harder because the actor’s exact behaviour is not fully known before execution begins.
Q: What breaks when delegation chains are not explicitly tracked?
A: Accountability breaks first, then auditability.
Practitioner guidance
- Map which controls assume stable behaviour: Identify where access reviews, approval workflows, and entitlement models still assume the actor will behave predictably long enough to be certified.
- Bind delegation into the credential model: Require cryptographic linkage between the delegating user, the agent identity, and the permitted scope so audit records can reconstruct who authorised what and which actor executed each step.
- Separate task scope from identity scope: Limit the agent’s usable privilege to the smallest operation needed at each request rather than granting broad capability for the full session.
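A sketch of the last two points, added here as an illustration and not taken from Aembit's article or product: a signed delegation claim binds the user, the agent, and the scope, and every request is checked against it and yields an audit record. The function names, claim fields, and the shared HMAC key are assumptions; a real deployment would normally use asymmetric signatures from an identity provider.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: known only to the issuing/policy service

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_delegation(user, agent, scope, ttl=300, now=None):
    """Bind delegating user, agent identity and permitted scope into one signed claim set."""
    now = time.time() if now is None else now
    claims = {"sub": user, "act": agent, "scope": sorted(scope), "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def authorize(token, presenting_agent, operation, now=None):
    """Evaluate a single request; return (allowed, audit_record)."""
    now = time.time() if now is None else now
    audit = {"agent": presenting_agent, "operation": operation, "delegator": None}
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong part count or invalid base64
        return False, dict(audit, reason="malformed token")
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, dict(audit, reason="bad signature")
    claims = json.loads(body)
    audit["delegator"] = claims["sub"]  # recorded only after the signature verifies
    if claims["act"] != presenting_agent:
        return False, dict(audit, reason="agent mismatch")
    if now >= claims["exp"]:
        return False, dict(audit, reason="expired")
    if operation not in claims["scope"]:  # task scope checked per request
        return False, dict(audit, reason="operation outside delegated scope")
    return True, dict(audit, reason="ok")
```

Each denial carries a reason and, once the signature verifies, the delegating user, so the audit trail shows who authorised the agent and which step was refused.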
What's in the full article
Aembit's full analysis covers the operational detail this post intentionally leaves for the source:
- Delegation-token mechanics for binding a user, an agent, and a scope into one auditable credential.
- Runtime access policy patterns for agent sessions that change behaviour during execution.
- Audit and observability considerations for tracing subagents, tool calls, and decision chains.
- Implementation context for agent identity and workload identity federation in real systems.