TL;DR: AI agents break the old assumption that identity can be authenticated once, scoped statically, and audited later because they decide at runtime which tools, data, and services to use, according to Aembit and a 2025 SailPoint survey showing 80% of organisations observed unexpected or unauthorized agent actions. That makes delegation, auditability, and dynamic privilege control the real governance test, not traditional workload identity alone.
NHIMG editorial — based on content published by Aembit: AI agents challenge traditional identity models
By the numbers:
- 80% of organizations using AI agents have observed them acting unexpectedly or performing unauthorized actions.
- 69% of organizations now have more machine identities than human ones.
- Only 38% have automated certificate lifecycle management in place.
Questions worth separating out
Q: How should security teams govern AI agents that can choose tools at runtime?
A: Treat the agent as a delegated identity whose access must be evaluated when each request occurs.
Q: Why do AI agents complicate least-privilege design?
A: Least privilege becomes harder because the actor’s exact behaviour is not fully known before execution begins.
Q: What breaks when delegation chains are not explicitly tracked?
A: Accountability breaks first, then auditability.
Practitioner guidance
- Map which controls assume stable behaviour Identify where access reviews, approval workflows, and entitlement models still assume the actor will behave predictably long enough to be certified.
- Bind delegation into the credential model Require cryptographic linkage between the delegating user, the agent identity, and the permitted scope so audit records can reconstruct who authorised what and which actor executed each step.
- Separate task scope from identity scope Limit the agent’s usable privilege to the smallest operation needed at each request rather than granting broad capability for the full session.
What's in the full article
Aembit's full analysis covers the operational detail this post intentionally leaves for the source:
- Delegation-token mechanics for binding a user, an agent, and a scope into one auditable credential.
- Runtime access policy patterns for agent sessions that change behaviour during execution.
- Audit and observability considerations for tracing subagents, tool calls, and decision chains.
- Implementation context for agent identity and workload identity federation in real systems.
👉 Read Aembit's analysis of AI agent identity risk and workload IAM limits →
AI agent identity risk: are workload IAM controls keeping up?
Explore further
Static scoping is a workload assumption, not an agent control. Static access policies were designed for deterministic systems whose behaviour can be predicted before execution begins. That assumption fails when the actor is autonomous because the access path is decided at runtime, not by a predeclared script. The implication is that identity programmes must stop treating agent behaviour as bounded workload execution and start treating it as runtime authorisation risk.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, which is one reason non-human identity governance still breaks under operational pressure.
A question worth separating out:
Q: Who is accountable when an AI agent exceeds its intended scope?
A: The organisation remains accountable, but operational accountability depends on whether the system preserved delegation evidence. Without a chain that binds the user, the agent, and the scope, investigators cannot reconstruct responsibility cleanly. Governance teams should treat that missing evidence as a control failure, not a logging inconvenience.
👉 Read our full editorial: AI agent identity risk is exposing the limits of workload IAM