Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent sprawl: what it means for NHI governance teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: AI agents are being deployed into customer support, security operations, and business workflows faster than most organisations can inventory, scope, or monitor them, according to Token Security. The governance gap is not just visibility: identity models built for stable, human-paced access do not fit software that creates and uses privileges at machine speed.

NHIMG editorial — based on content published by Token Security: NHI & the Rise of AI Agents, Uncovering Hidden Security Risks

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams govern AI agents as non-human identities?

A: Security teams should govern AI agents the same way they govern other privileged non-human identities: assign ownership, define purpose, scope access tightly, monitor behaviour continuously, and revoke credentials when the task ends.

Q: Why do AI agents increase NHI risk in enterprise environments?

A: AI agents increase risk because they are often created quickly, inherit broad permissions, and can touch multiple systems in one workflow.

Q: What breaks when AI identities are not decommissioned properly?

A: Orphaned AI identities keep credentials, permissions, and system reach after the business need has ended.

Practitioner guidance

  • Define AI identity classes before provisioning Separate AI workflows, AI agents, and agentic AI into distinct governance classes so access scope, ownership, and lifecycle rules match actual behaviour.
  • Map ownership for every AI-driven identity Require a human accountable owner for each AI identity, including service accounts used by AI systems and any credentials shared across environments.
  • Automate decommissioning and expiry checks Build retirement triggers into the identity lifecycle so dormant or task-complete AI accounts are revoked promptly.

What's in the full article

Token Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The article breaks down the three AI identity categories with use-case examples that can help teams map real deployments to governance classes.
  • It outlines the specific discovery, lifecycle, and compliance questions security leaders should ask before AI rollout.
  • It describes the platform capabilities Token Security says it uses for AI identity discovery, monitoring, and lifecycle management.
  • It connects AI identity risk to concrete controls such as least privilege, audit logging, and decommissioning.

👉 Read Token Security's analysis of NHI risk in AI agents and agentic workflows →

AI agent sprawl: what it means for NHI governance teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

AI agent governance is becoming an NHI problem before it becomes an AI policy problem. The article is right to treat AI agents as non-human identities because the control failures are familiar: unclear ownership, excessive access, weak lifecycle discipline, and limited monitoring. The practical shift is that identity teams can no longer treat AI adoption as an app-layer issue. They have to govern the identity itself, or the access model expands faster than the programme can absorb.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • SailPoint also found that only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who should be accountable for AI identity governance?

A: Accountability should sit with the business or technical owner that depends on the AI system, not with security alone. Security can define controls and monitor enforcement, but ownership must cover provisioning, review, and retirement. Without a named owner, the AI identity is effectively outside governance.

👉 Read our full editorial: AI agents expand NHI attack surface faster than IAM can govern



   
ReplyQuote
Share: