Dynamic trust for AI agents and ephemeral clients: what changes?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: AI agents, MCP, ephemeral clients, and API access across trust domains are drawing growing focus, according to Curity’s recent how-to and article set, underscoring how identity controls are being stretched by dynamic, non-human execution paths. The gap is no longer theoretical: governance built for stable credentials and human-paced review cannot fully model runtime agent behaviour.

NHIMG editorial — based on content published by Curity covering AI agents, ephemeral clients, and API access across trust domains: recent how-tos, articles, and code examples on identity for non-humans

Questions worth separating out

Q: How should security teams govern AI agents that use delegated API access?

A: Treat delegated API access for AI agents as a governance path, not just an authentication event.

Q: Why do ephemeral clients change identity risk calculations?

A: Ephemeral clients reduce standing exposure, but they also make trust harder to inspect after the fact.

Q: What breaks when access across trust domains is not tightly scoped?

A: When cross-domain access is not tightly scoped, identities can carry trust farther than intended, especially through chained API calls and delegated tokens.

Practitioner guidance

  • Inventory agent and client identity paths: Map every AI agent, ephemeral client, and delegated API path that can reach production data, then identify where trust is granted at registration versus runtime.
  • Separate issuance from authorisation: Make sure the system that creates an ephemeral client or agent credential is not the same control that approves downstream business access.
  • Define revocation for short-lived identities: Document how to terminate access when an ephemeral client, agent, or delegated token is no longer needed, including downstream token propagation and cached session state.

What's in the full article

Curity's full how-to covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance for connecting AI agents to SQL data sources without collapsing trust boundaries.
  • Code examples for implementing OpenID Connect and OpenID Authorization Exchange patterns in non-human flows.
  • Practical handling of ephemeral clients and client ID metadata documents in real deployments.
  • Integration guidance for API access across trust domains and fallback authentication patterns.

👉 Read Curity's guidance on AI agents, ephemeral clients, and API trust →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Dynamic agent access turns static NHI assumptions into governance debt. Curity’s focus on AI agents and dynamic trust reflects a broader shift: access is no longer always a stable entitlement that can be reviewed after the fact. The governance model built around fixed service accounts and predictable usage windows becomes less reliable when the actor can make runtime decisions about when and how to request access. Practitioners should treat that as a structural change in identity control, not just a tooling update.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • Only 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge.

A question worth separating out:

Q: How can organisations tell whether their NHI controls are keeping up with AI agents?

A: Look for controls that can prove who requested access, which tool was used, what scope was granted, and whether the identity could be revoked cleanly. If those answers require manual reconstruction across logs, the programme is behind the behaviour it is trying to govern.

👉 Read our full editorial: AI agents and ephemeral clients widen the NHI governance gap

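As an added, runnable illustration of the controls both posts above call for (scope that can only narrow along a delegation chain, issuance kept separate from authorisation, cascading revocation of short-lived credentials, and an audit trail that answers who requested access, which tool was used, what scope was granted and whether it was revoked cleanly), here is a toy Python model. It is not Curity's code and not an NHIMG tool; the class and function names, the scope strings, the fake clock values and the "alice"/"mcp-sql-agent" scenario are all constructed for the example.

```python
"""Toy model of delegated, short-lived access for agents and ephemeral clients.
Added illustration only: not Curity's code, not an NHIMG tool. All names,
scope strings and sample values below are constructed for the example."""
from dataclasses import dataclass
from typing import Optional
import secrets
import time


@dataclass
class Grant:
    token: str
    subject: str            # who requested the access (human or upstream agent)
    tool: str               # which client presented the request (app, MCP server, ...)
    scopes: frozenset       # effective scopes; never wider than the parent's
    parent: Optional[str]   # token this was delegated from; None for a root grant
    expires_at: float
    revoked: bool = False


class TrustDomain:
    """Issuer, authoriser and revoker for one API trust domain, with an audit log."""

    def __init__(self, name: str, clock=time.time):
        self.name = name
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.grants: dict[str, Grant] = {}
        self.audit: list[tuple] = []

    def _is_live(self, g: Grant) -> bool:
        return not g.revoked and self.clock() < g.expires_at

    def issue(self, subject, tool, scopes, ttl, parent=None) -> str:
        """Issuance: mint a short-lived credential. A delegated grant is
        attenuated to the intersection with its parent's scopes, so trust
        cannot widen as it is chained across calls."""
        effective = frozenset(scopes)
        if parent is not None:
            p = self.grants[parent]
            if not self._is_live(p):
                raise PermissionError("parent grant is expired or revoked")
            effective &= p.scopes
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(token, subject, tool, effective, parent,
                                   self.clock() + ttl)
        self.audit.append(("issue", token, subject, tool, sorted(effective), parent))
        return token

    def authorize(self, token, scope) -> bool:
        """Authorisation: a separate decision from issuance. Liveness and
        scope are checked on every call, not assumed from registration."""
        g = self.grants.get(token)
        allowed = g is not None and self._is_live(g) and scope in g.scopes
        self.audit.append(("authorize", token, scope, allowed))
        return allowed

    def revoke(self, token) -> int:
        """Revocation cascades to every grant delegated from this one.
        Returns how many grants were newly revoked."""
        count, stack = 0, [token]
        while stack:
            t = stack.pop()
            g = self.grants[t]
            if not g.revoked:
                g.revoked = True
                count += 1
                self.audit.append(("revoke", t))
            stack.extend(c.token for c in self.grants.values() if c.parent == t)
        return count

    def explain(self, token) -> list:
        """Walk the delegation chain, leaf first: who asked, which tool,
        what scope, and whether the grant is still live."""
        chain, t = [], token
        while t is not None:
            g = self.grants[t]
            chain.append({"subject": g.subject, "tool": g.tool,
                          "scopes": sorted(g.scopes), "live": self._is_live(g)})
            t = g.parent
        return chain


def demo() -> dict:
    """Constructed scenario: a user session delegates to a SQL-reading agent."""
    now = [1000.0]                                   # fake clock, seconds
    d = TrustDomain("orders-api", clock=lambda: now[0])
    root = d.issue("alice", "web-app", {"orders:read", "orders:write"}, ttl=600)
    # The agent asks for more than the session holds; customers:read is dropped.
    agent = d.issue("alice", "mcp-sql-agent",
                    {"orders:read", "orders:write", "customers:read"},
                    ttl=60, parent=root)
    out = {"agent_scopes": sorted(d.grants[agent].scopes),
           "read_ok": d.authorize(agent, "orders:read"),
           "customers_denied": not d.authorize(agent, "customers:read")}
    now[0] += 120                                    # agent token outlives its TTL
    out["expired_denied"] = not d.authorize(agent, "orders:read")
    out["chain"] = d.explain(agent)
    out["revoked_count"] = d.revoke(root)            # root + agent = 2
    try:
        d.issue("alice", "mcp-sql-agent", {"orders:read"}, ttl=60, parent=root)
        out["reissue_blocked"] = False
    except PermissionError:
        out["reissue_blocked"] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design point is that `issue`, `authorize` and `revoke` are three separate decisions over the same grant record: the agent's token can never hold more than the session it was delegated from, every request is re-checked for liveness rather than trusted from registration, revoking the session also kills everything delegated from it, and `explain` reconstructs the four governance answers from the grant chain instead of from a manual log search.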