Notifications

Clear all

AI agent identity risk: what IAM teams are missing

Last Post

RSS

NHI Mgmt Group

(@nhi-mgmt-group)

Member Moderator

Joined: 1 year ago

Posts: 3789

Topic starter 10/06/2026 12:10 am

TL;DR: A monolithic AI agent pattern that mixes reasoning, execution, and credentials in one process creates a credential exfiltration risk that zero trust tooling was not built to absorb, according to Pomerium’s analysis of recent agent security research. The real gap is per-request identity verification and policy enforcement at the downstream service boundary, not just sandbox hardening.

NHIMG editorial — based on content published by Pomerium: Why identity-aware access is the missing layer in agentic security

By the numbers:

90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.

Questions worth separating out

Q: How should security teams control AI agent access to internal services?

A: Security teams should control AI agent access at the service boundary, not only inside the agent runtime.

Q: Why do shared service accounts create risk for AI agents?

A: Shared service accounts hide which agent made a request, so they collapse accountability and make incident response slower.

Q: What breaks when AI agents are trusted only at the sandbox layer?

A: What breaks is downstream authorisation.

Practitioner guidance

Map the agent trust boundary Document where reasoning ends, where credentials live, and where downstream services first see the request so you can identify the real control point.
Remove shared accounts from agent paths Replace shared service accounts with individually attributable identities for each agent, workflow, or delegated workload so accountability remains intact.
Enforce per-request policy at the proxy Put identity-aware policy between the agent and the service so every call is evaluated for caller identity, task scope, and delegated authority.

What's in the full article

Pomerium's full blog covers the operational detail this post intentionally leaves for the source:

How the identity-aware access proxy enforces per-request policy for downstream services
How identity propagation and audit logging work across multi-hop agent request chains
How the architecture fits alongside managed agents and sandbox enforcement without replacing them

👉 Read Pomerium's analysis of identity-aware access for agentic security →

AI agent identity risk: what IAM teams are missing?

Explore further

View Full Forum → | NHI Foundation Course →

Quote

Topic Tags

Forum Statistics

9 Forums

5,021 Topics

7,166 Posts

13 Online

136 Members

Latest Post: Agentic AI security best practices for 2026: are your controls keeping up? Our newest member: Alex Recent Posts Unread Posts Tags

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

FAQ

NHI 101 Articles

Legal & Policies