AI agent orchestration and audit chains: are your controls ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: As AI agents move into production, the governance gap is no longer model output but runtime action: identity per instance, chain-of-custody audit, and external policy enforcement are all missing in most stacks, according to Cerbos. The critical failure is that current controls assume access can be reviewed after the fact, while agents make and execute decisions before review exists.

NHIMG editorial — based on content published by Cerbos: runtime policy for AI agents and the governance gap they expose

Questions worth separating out

Q: What breaks when AI agents share one long-lived identity across instances?

A: Shared long-lived identity breaks containment, revocation, and accountability because the real unit of action is the agent instance, not the agent class.

Q: Why do AI agents complicate existing IAM and audit models?

A: AI agents complicate IAM because they can delegate, chain actions, and select tools at runtime, which means access decisions are no longer fixed at provisioning time.

Q: How can security teams tell whether agent runtime controls are actually working?

A: Look for evidence that policy decisions happen outside the agent, that tool calls fail closed when the policy service is unavailable, and that each action carries sponsor and purpose context.

Practitioner guidance

  • Inventory all active agents and sub-agents: build a live register of agent instances, delegated assistants, and tool-connected workflows.
  • Assign sponsor-tied lifecycle ownership: require every agent to have a named human sponsor whose status governs the agent’s continued operation.
  • Externalise tool-call authorisation: place decisioning outside the agent’s reasoning loop so the policy engine evaluates each tool call before execution.

What's in the full article

Cerbos' full blog post covers the operational detail this post intentionally leaves for the source:

  • A runtime policy engine pattern for agent-to-tool calls, including how external authorisation is separated from agent reasoning.
  • A sponsor-tied lifecycle model for agent instances, with practical examples of what changes when ownership changes.
  • A chain-of-custody audit approach that preserves original purpose, approval, and delegation context across sub-agents.
  • Fail-closed testing considerations for policy-plane outages and what to verify before moving agents into production.

👉 Read Cerbos' analysis of runtime policy for AI agent orchestration →

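NHIMG addendum, added here as a worked example rather than code from the Cerbos article or the post above: the gate below sits between an agent's tool selection and execution, asks an external policy decision point before every call, refuses the call when that service is unreachable (fail closed), and writes an audit record carrying instance id, sponsor, purpose and delegation chain whether or not the call ran. StaticPDP, the tool names, the sponsor address and the purpose label are constructed placeholders, not a real product or real data.

```python
"""Externalised tool-call gate that fails closed (constructed example).
Not Cerbos' SDK or any agent framework's code: StaticPDP and the sample
tools are assumptions standing in for a real policy service and real
tool adapters. Any object with a check(ctx, tool, args) method will do."""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from typing import Any, Callable


class PolicyUnavailable(Exception):
    """The policy service could not be reached or did not answer."""


class PolicyDenied(PermissionError):
    """The gate refused to execute the tool call."""


@dataclass(frozen=True)
class ActionContext:
    """Who is acting, on whose behalf and why; travels with every call."""
    agent_instance_id: str                  # the running instance, not the agent class
    sponsor: str                            # named human accountable for this instance
    purpose: str                            # the task the sponsor approved
    delegation_chain: tuple[str, ...] = ()  # instance ids that delegated to this one


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class StaticPDP:
    """Assumed stand-in for an external policy engine: maps an approved
    purpose to the tools it may use. `available` simulates an outage."""

    def __init__(self, rules: dict[str, set[str]], available: bool = True) -> None:
        self._rules = rules
        self.available = available

    def check(self, ctx: ActionContext, tool: str, args: dict[str, Any]) -> Decision:
        if not self.available:
            raise PolicyUnavailable("policy service unreachable")
        if tool in self._rules.get(ctx.purpose, set()):
            return Decision(True, f"{tool} permitted for purpose {ctx.purpose}")
        return Decision(False, f"{tool} not permitted for purpose {ctx.purpose}")


class ToolGate:
    """Between the agent's reasoning loop and its tools: asks the policy engine first, logs either way."""

    def __init__(self, pdp: Any, tools: dict[str, Callable[..., Any]]) -> None:
        self._pdp = pdp
        self._tools = tools
        self.audit: list[dict[str, Any]] = []

    def call(self, ctx: ActionContext, tool: str, **args: Any) -> Any:
        record: dict[str, Any] = {
            "call_id": uuid.uuid4().hex, "tool": tool, "args": args,
            "agent_instance_id": ctx.agent_instance_id, "sponsor": ctx.sponsor,
            "purpose": ctx.purpose, "delegation_chain": list(ctx.delegation_chain),
        }
        try:
            decision = self._pdp.check(ctx, tool, args)
        except PolicyUnavailable as exc:
            record["outcome"] = "fail_closed"   # an outage never falls through to execution
            self.audit.append(record)
            raise PolicyDenied(f"{tool}: policy unavailable, refusing") from exc
        if not decision.allowed:
            record["outcome"], record["reason"] = "denied", decision.reason
            self.audit.append(record)
            raise PolicyDenied(decision.reason)
        result = self._tools[tool](**args)      # reached only on an explicit allow
        record["outcome"] = "executed"
        self.audit.append(record)
        return result


def demo() -> list[dict[str, Any]]:
    """Drive the gate through allow, deny and outage; return the audit trail."""
    tools = {"search_tickets": lambda query: [f"TCK-1 matches {query}"],   # constructed
             "close_ticket": lambda ticket_id: f"{ticket_id} closed"}      # tool stand-ins
    pdp = StaticPDP({"triage": {"search_tickets"}})
    gate = ToolGate(pdp, tools)
    ctx = ActionContext("triage-bot:4f2a", "alice@example.com", "triage")
    gate.call(ctx, "search_tickets", query="login failure")   # allowed and executed
    try:
        gate.call(ctx, "close_ticket", ticket_id="TCK-1")      # denied by policy
    except PolicyDenied:
        pass
    pdp.available = False                                     # policy-plane outage
    try:
        gate.call(ctx, "search_tickets", query="again")        # refused: fail closed
    except PolicyDenied:
        pass
    return gate.audit
```

The check a reviewer should run is the third branch: with the policy service down, the agent's own reasoning never decides, and the audit row still records who would have acted and why.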



   
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Per-instance identity is the right control boundary for agents. The article shows why class-based agent identity is already too coarse for governance. One long-lived API key cannot safely represent multiple spawned instances because the execution unit is the instance, not the label. Practitioners should treat per-instance identity as the baseline assumption for agent governance, otherwise accountability, scope, and revocation all become ambiguous.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who should be accountable when an AI agent delegates work to a sub-agent?

A: Accountability should remain with the named human sponsor and the organisation operating the agent, because delegation does not erase ownership. If the governance model cannot preserve sponsor identity, purpose, and approval across the chain, the organisation cannot defend the action in audit or incident review.

👉 Read our full editorial: Runtime policy for AI agents: the governance gap teams are missing



   
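Added worked example, not Cerbos' code or either poster's, covering the two points the thread makes: per-instance identity as the control boundary, and accountability that survives delegation. The registry below issues one credential per running instance, lets a sub-agent inherit the sponsor, purpose and approval of the instance that delegated to it while recording the chain, and stops every instance in a chain from authenticating once the parent is revoked or the sponsor's directory status changes. Directory, the HMAC credential scheme and the example names are assumptions made so the block runs on its own.

```python
"""Per-instance agent identity with sponsor-tied lifecycle and chain of
custody across sub-agents (constructed example).
Not code from Cerbos or any IdP. Directory is an assumed stand-in for the
identity or HR feed that says whether a sponsor is still active; the HMAC
credential keeps the example self-contained and is not a recommendation
over a real token issuer."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


class AgentIdentityError(PermissionError):
    """Spawn, delegation or authentication was refused."""


class Directory:
    """Assumed sponsor-status source (e.g. an IdP group or HR feed)."""

    def __init__(self, active_sponsors: set[str]) -> None:
        self._active = set(active_sponsors)

    def is_active(self, sponsor: str) -> bool:
        return sponsor in self._active

    def deactivate(self, sponsor: str) -> None:
        self._active.discard(sponsor)


@dataclass
class Instance:
    instance_id: str
    agent_class: str
    sponsor: str             # named human; inherited unchanged by sub-agents
    purpose: str             # originally approved purpose; delegation cannot widen it
    approval_ref: str        # the approval the sponsor gave for this work
    chain: tuple[str, ...]   # ancestor instance ids, root first
    revoked: bool = False


class InstanceRegistry:
    """Issues one identity per running instance, never per agent class."""

    def __init__(self, directory: Directory, signing_key: bytes) -> None:
        self._dir = directory
        self._key = signing_key
        self._instances: dict[str, Instance] = {}

    def _credential(self, instance_id: str) -> str:
        return hmac.new(self._key, instance_id.encode(), hashlib.sha256).hexdigest()

    def spawn(self, agent_class: str, sponsor: str, purpose: str, approval_ref: str) -> tuple[str, str]:
        """Root instance: needs an active sponsor and an approval reference."""
        if not self._dir.is_active(sponsor):
            raise AgentIdentityError(f"sponsor {sponsor!r} is not active")
        instance_id = f"{agent_class}:{secrets.token_hex(6)}"
        self._instances[instance_id] = Instance(instance_id, agent_class, sponsor, purpose, approval_ref, ())
        return instance_id, self._credential(instance_id)

    def delegate(self, parent_id: str, parent_cred: str, agent_class: str) -> tuple[str, str]:
        """Sub-agent: inherits sponsor, purpose and approval and records the chain.
        A revoked parent, or one whose sponsor has left, cannot delegate."""
        parent = self.authenticate(parent_id, parent_cred)
        instance_id = f"{agent_class}:{secrets.token_hex(6)}"
        self._instances[instance_id] = Instance(
            instance_id, agent_class, parent.sponsor, parent.purpose,
            parent.approval_ref, parent.chain + (parent.instance_id,))
        return instance_id, self._credential(instance_id)

    def authenticate(self, instance_id: str, credential: str) -> Instance:
        """Return the record only if credential, instance, every ancestor and the
        sponsor are all still valid; the caller gets the full custody context."""
        inst = self._instances.get(instance_id)
        if inst is None or not hmac.compare_digest(credential, self._credential(instance_id)):
            raise AgentIdentityError("unknown instance or bad credential")
        for ancestor_id in inst.chain + (instance_id,):
            if self._instances[ancestor_id].revoked:
                raise AgentIdentityError(f"{ancestor_id} is revoked")
        if not self._dir.is_active(inst.sponsor):
            raise AgentIdentityError(f"sponsor {inst.sponsor!r} is no longer active")
        return inst

    def revoke(self, instance_id: str) -> list[str]:
        """Revoke an instance and every sub-agent descended from it."""
        revoked = []
        for inst in self._instances.values():
            if inst.instance_id == instance_id or instance_id in inst.chain:
                inst.revoked = True
                revoked.append(inst.instance_id)
        return revoked
```

Two design choices carry the thread's argument: delegate() takes no sponsor or purpose arguments, so a sub-agent cannot be created under a different owner or a wider purpose than its parent, and authenticate() consults the sponsor directory on every call rather than at issue time, which is what makes the sponsor's status govern the agent's continued operation.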