
Claude Tag and shared AI agents: what changes for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Claude Tag gives a shared AI agent its own identity, credentials, and permissions inside Slack, so downstream systems see the agent rather than the human requester, according to Zenity. The governance problem shifts from user access to runtime control over what the agent is allowed to do before each tool invocation.

NHIMG editorial — based on content published by Zenity: Claude Tag Didn’t Create Another Identity Problem. It Created a Control Risk

Questions worth separating out

Q: How should security teams govern shared AI agents that act for multiple users?

A: Treat the shared agent as the governed identity, not the person who typed the request.

Q: Why do shared AI agents create more risk than user-bound assistants?

A: Because permissions belong to the agent, not the individual requester, so one identity can execute work for many people.

Q: What breaks when AI agent logs and system logs do not align?

A: Investigations lose the link between human intent and machine execution.

Practitioner guidance

  • Separate shared agents from human accounts in access reviews. Inventory each shared AI agent as its own identity object, then review its permissions, connected systems, and approval paths independently from the people who trigger it in Slack.
  • Enforce pre-execution policy checks for every tool call. Require inline evaluation before the agent can reach GitHub, Jira, Google Drive, Salesforce, or an MCP server, so the deny decision happens before the request leaves the control plane.
  • Correlate requester context with agent actions. Join the human requester record with the agent's service-account log so security teams can reconstruct intent, action, and outcome from a single investigation trail.

What's in the full article

Zenity's full blog post covers the operational detail this post intentionally leaves for the source:

  • How Claude Tag's Slack-based sharing model changes request provenance and task attribution
  • Why Anthropic's own logging can differ from connected-system logs during investigations
  • Where ambient mode increases the likelihood of prompt injection and unintended downstream actions
  • What runtime control needs to inspect before an API, MCP, or tool call is allowed to execute

👉 Read Zenity's analysis of Claude Tag and shared AI agent control risk →
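
The pre-execution check and the requester-to-agent log join from the practitioner guidance above, sketched as an added example (not code from Zenity, Anthropic, or this thread). The policy table, agent id, group names, and the `correlation_id` field are hypothetical, and the sketch assumes the downstream system records the correlation id the gate issues.

```python
import uuid

# Hypothetical policy (constructed values): for each shared agent, the tool
# actions it may perform and the requester groups allowed to trigger them.
POLICY = {
    "agent:shared-assistant": {
        ("jira", "create_issue"): {"engineering", "support"},
        ("github", "read_repo"): {"engineering"},
    }
}

GATE_LOG = []  # audit trail written by the gate before any call is dispatched


def authorize_tool_call(agent_id, requester, group, tool, action):
    """Default-deny check evaluated before the agent's tool call leaves."""
    allowed_groups = POLICY.get(agent_id, {}).get((tool, action))
    allow = allowed_groups is not None and group in allowed_groups
    record = {
        "correlation_id": str(uuid.uuid4()),  # assumed to travel with the call
        "agent_id": agent_id,
        "requester": requester,
        "tool": tool,
        "action": action,
        "decision": "allow" if allow else "deny",
    }
    GATE_LOG.append(record)  # denies are logged too, for later review
    return record


def correlate(gate_log, system_log):
    """Attach the human requester to downstream entries that name only the agent."""
    by_id = {r["correlation_id"]: r for r in gate_log}
    joined = []
    for entry in system_log:
        gate = by_id.get(entry.get("correlation_id"))
        # requester None = agent action with no matching gate decision
        joined.append({**entry, "requester": gate["requester"] if gate else None})
    return joined
```

Downstream entries that come back with `requester` set to `None` are agent actions that never passed through the gate, which is the gap an investigation would want surfaced first.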

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Claude Tag is not creating a new identity class so much as exposing an old governance blind spot. The article shows a shared agent with its own permissions acting on behalf of multiple users, which breaks the assumption that access can be evaluated only at the human edge. The implication is that identity governance now has to treat the agent as the control point, not the requester.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably inventory the identities behind shared agent access.

A question worth separating out:

Q: Who is accountable when a shared AI agent takes the wrong action?

A: Accountability sits with the organisation that granted the agent its permissions and control model, then with the teams that operate it day to day. The human requester may have initiated the conversation, but the security failure usually comes from the policy boundary that allowed the agent to execute without sufficient inline control.

👉 Read our full editorial: Claude Tag shifts enterprise AI from identity to control risk



   