TL;DR: Agentic AI systems add autonomy to familiar identity risks by relying on broad non-human identities such as API keys, service accounts, and tokens, according to Entro Security’s analysis of OWASP agentic AI threats. The governance problem is no longer just secret sprawl, but uncontrolled tool use, privilege misuse, and confused-deputy behavior across connected systems.
NHIMG editorial — based on research published by Entro Security.
Questions worth separating out
Q: How should security teams govern AI agent credentials?
A: Treat AI agent credentials as privileged workload identities, not generic application secrets.
Q: Why do AI agents create more risk than traditional automation?
A: AI agents create more risk because they can interpret context, choose actions, and invoke tools autonomously.
Q: What is the difference between secrets rotation and agent governance?
A: Secrets rotation reduces the lifetime of credentials, while agent governance controls what those credentials can do.
Practitioner guidance
- Implement agent identity scoping: Assign each AI agent a narrow workload identity, separate from human admin roles, and review every permitted tool, API, and datastore before deployment.
- Enforce policy gates before tool execution: Require policy evaluation for sensitive actions such as data export, privilege changes, or external API calls, and log the decision path for auditability.
- Inventory all NHI secrets used by agents: Map API keys, tokens, certificates, and service accounts to the exact workflows that depend on them, then remove unused credentials and rotate the rest on a schedule.
With 98% of companies planning to deploy even more AI agents within the next 12 months, per the AI Agents: The New Attack Surface report, the control gap will widen unless teams separate agent permissions from human admin patterns.
👉 Read Entro Security’s analysis of OWASP agentic AI risks and NHI exposure →
A few things worth adding from our research at NHI Mgmt Group.
Agentic AI security is now an NHI governance problem, not a side topic in model risk management. The source article shows that autonomy, not just intelligence, changes the risk equation because agents act through credentials and permissions. When those identities are broad, the agent becomes a persistent execution surface rather than a bounded tool. Practitioners should govern agent identities with the same seriousness they apply to privileged human access.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: When should organisations restrict autonomous tool access for AI agents?
A: Organisations should restrict autonomous tool access whenever an agent can touch sensitive data, make external calls, or trigger operational changes. If the action has financial, legal, or security impact, a human approval or policy gate is usually justified. The more connected the workflow, the tighter the control model should be.
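The policy gate described in the practitioner guidance above and in this answer, as an added example (not code from Entro Security or NHI Mgmt Group): each agent carries a narrow workload identity, every tool call is checked against that scope and against the scope of the principal the agent acts for (the confused-deputy case), sensitive actions are held until an approver is recorded, and the full decision path is appended to an audit log. All identity, tool and action names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Actions the guidance above singles out as sensitive (names are constructed).
SENSITIVE_ACTIONS = frozenset({"export_data", "change_privilege", "call_external_api"})

@dataclass(frozen=True)
class AgentIdentity:
    """Narrow workload identity for one agent, separate from any human admin role."""
    agent_id: str
    allowed_tools: frozenset  # every tool/API/datastore this agent may touch at all

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False  # True when an explicit approval would unblock it

AUDIT_LOG: list = []  # decision path, one record per evaluated request

def evaluate_tool_call(agent: AgentIdentity, tool: str, action: str,
                       requester_tools: frozenset,
                       approved_by: Optional[str] = None) -> Decision:
    """Policy gate run before the agent's tool call executes.
    Checks, in order: the tool is in the agent's own scope; the tool is also in
    the scope of the principal the agent acts for (confused-deputy guard, so the
    agent never adds privilege to its caller); sensitive actions carry an approver.
    """
    if tool not in agent.allowed_tools:
        decision = Decision(False, "tool outside agent identity scope")
    elif tool not in requester_tools:
        decision = Decision(False, "requester lacks access; refusing to act as deputy")
    elif action in SENSITIVE_ACTIONS and approved_by is None:
        decision = Decision(False, "sensitive action held for approval", True)
    elif action in SENSITIVE_ACTIONS:
        decision = Decision(True, f"sensitive action approved by {approved_by}")
    else:
        decision = Decision(True, "in scope and non-sensitive")
    AUDIT_LOG.append({"agent": agent.agent_id, "tool": tool, "action": action,
                      "approved_by": approved_by, "allowed": decision.allowed,
                      "reason": decision.reason})
    return decision

# Constructed sample: a reporting agent and the analyst it acts on behalf of.
REPORT_AGENT = AgentIdentity("report-agent", frozenset({"crm_db", "mailer"}))
ANALYST_TOOLS = frozenset({"crm_db"})  # the analyst has no mailer access

if __name__ == "__main__":
    print(evaluate_tool_call(REPORT_AGENT, "mailer", "call_external_api", ANALYST_TOOLS))
    print(evaluate_tool_call(REPORT_AGENT, "crm_db", "export_data", ANALYST_TOOLS, "sec-ops"))
```

The audit records are what a detection or incident-response team would query to reconstruct which agent invoked which tool, for whom, and why the gate allowed or refused it.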
👉 Read our full editorial: Agentic AI expands NHI attack surface and privilege risk