TL;DR: As enterprises add AI agents and more non-human identities, authorization is shifting from an access-review problem to a runtime risk problem, according to Opal Security. The assumption that access can be safely reviewed after it is granted is breaking down as human, service, and agent identities behave differently at machine speed.
NHIMG editorial — based on content published by Opal Security: Securing the Autonomous Future: Why We Built Opal’s Risk Layer
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams govern access across humans, service accounts, and AI agents?
A: They should govern the workflow, not just the identity object.
Q: Why do static IAM and IGA models struggle with AI agents?
A: Static models assume entitlements are stable long enough to review and certify them after the fact.
Q: What breaks when access reviews are used as the main control for NHI risk?
A: Access reviews break when they are asked to validate access that is already ephemeral, delegated, or dynamically reused.
Practitioner guidance
- Map authorization by workflow, not just by account: trace how humans, service accounts, and AI agents participate in the same business process, then identify where policy decisions are made, reused, or bypassed.
- Prioritise high-stakes entitlements with blast-radius scoring: rank access by resource sensitivity, historical usage, and downstream impact so review queues focus on the entitlements most likely to create material exposure.
- Require first-party telemetry for access decisions: use direct system and application data to confirm how access is actually used, then feed that evidence into remediation and certification workflows.
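The three guidance points above describe one procedure: inventory who touches a resource, weight each entitlement by sensitivity and reach, and let first-party usage telemetry decide how urgently it needs review. The following is an added illustration written for this editorial; it is not Opal Security's code, schema or scoring model. The entitlement fields, the 90-day lookback window, the usage weights and the sample inventory and log events are all constructed assumptions chosen to make the ranking behaviour visible.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed data model. Field names and weights are assumptions for this
# example, not a vendor schema.

@dataclass(frozen=True)
class Entitlement:
    principal: str        # identity holding the access
    principal_type: str   # "human", "service" or "agent"
    resource: str         # system or dataset the access grants
    sensitivity: int      # 1 (public) .. 5 (regulated/critical), set by the data owner
    downstream: int       # dependent systems reachable through this resource

@dataclass(frozen=True)
class AccessEvent:
    principal: str
    resource: str
    ts: datetime          # first-party log timestamp from the system itself

LOOKBACK_DAYS = 90        # assumption: window after which standing access counts as unused

def days_since_last_use(ent: Entitlement, events: list, now: datetime) -> Optional[int]:
    """Days since the newest first-party event for this principal/resource pair; None if never used."""
    used = [e.ts for e in events if e.principal == ent.principal and e.resource == ent.resource]
    return (now - max(used)).days if used else None

def is_dormant(days: Optional[int]) -> bool:
    return days is None or days > LOOKBACK_DAYS

def usage_factor(days: Optional[int]) -> float:
    """Weight standing access by how recently telemetry shows it exercised (assumed weights)."""
    if is_dormant(days):
        return 2.0   # dormant privilege: exposure with no observed business use
    if days <= 7:
        return 1.0   # actively used; risk comes from sensitivity and reach alone
    return 1.5       # stale: worth confirming the grant is still needed

def blast_radius_score(ent: Entitlement, events: list, now: datetime) -> float:
    """sensitivity x reach (1 + downstream systems) x usage factor."""
    return ent.sensitivity * (1 + ent.downstream) * usage_factor(days_since_last_use(ent, events, now))

def rank_entitlements(ents: list, events: list, now: datetime) -> list:
    """Highest-risk entitlements first, each paired with the telemetry evidence behind the score."""
    ranked = []
    for ent in ents:
        days = days_since_last_use(ent, events, now)
        evidence = "never used in telemetry" if days is None else f"last used {days}d ago"
        ranked.append((blast_radius_score(ent, events, now), ent, evidence))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked

def dormant_entitlements(ents: list, events: list, now: datetime) -> list:
    """Entitlements with no first-party usage inside the lookback window: removal candidates."""
    return [e for e in ents if is_dormant(days_since_last_use(e, events, now))]

def resources_shared_across_identity_types(ents: list) -> dict:
    """Resources where more than one identity type (human/service/agent) takes part in the same workflow."""
    by_resource: dict = {}
    for e in ents:
        by_resource.setdefault(e.resource, set()).add(e.principal_type)
    return {r: sorted(t) for r, t in by_resource.items() if len(t) > 1}

# Constructed sample inventory and telemetry.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ENTITLEMENTS = [
    Entitlement("alice", "human", "payroll-db", sensitivity=5, downstream=2),
    Entitlement("svc-etl", "service", "payroll-db", sensitivity=5, downstream=2),
    Entitlement("agent-support", "agent", "crm-export", sensitivity=4, downstream=3),
    Entitlement("bob", "human", "wiki", sensitivity=1, downstream=0),
]
EVENTS = [
    AccessEvent("alice", "payroll-db", NOW - timedelta(days=3)),
    AccessEvent("svc-etl", "payroll-db", NOW - timedelta(days=40)),
    AccessEvent("bob", "wiki", NOW - timedelta(days=1)),
    # agent-support holds crm-export, but no system log ever shows it used.
]

if __name__ == "__main__":
    for score, ent, evidence in rank_entitlements(ENTITLEMENTS, EVENTS, NOW):
        print(f"{score:5.1f}  {ent.principal_type:7} {ent.principal:14} {ent.resource:12} ({evidence})")
    print("dormant:", [e.principal for e in dormant_entitlements(ENTITLEMENTS, EVENTS, NOW)])
    print("shared workflows:", resources_shared_across_identity_types(ENTITLEMENTS))
```

With this data the unused agent entitlement to the sensitive export ranks first even though it has never been exercised, the stale service-account grant ranks above the actively used human grant to the same database, and the shared `payroll-db` resource surfaces as a workflow where a human and a service account hold overlapping access. The usage factor is the part that depends on first-party telemetry; without those events every entitlement would look dormant and the ranking would collapse to sensitivity times reach.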
What's in the full article
Opal Security's full product post covers the operational detail this post intentionally leaves for the source:
- The specific risk-layer workflow for ranking access issues by historical use, resource sensitivity, and behavioural signals.
- How the platform applies human-in-the-loop cleanup to improve remediation heuristics over time.
- The company’s explanation of how agent-aware authorization is composed across multi-step hybrid workflows.
- Examples of how the system uses remediation guidance and contextual data to support access decisions.
👉 Read Opal Security's analysis of autonomous authorization risk layers →