How should teams govern NHI secrets in agentic AI systems?


(@entro)
Reputable Member
Joined: 1 year ago
Posts: 92
Topic starter  

TL;DR: OWASP's Securing Agentic Applications Guide v1.0 argues that agentic AI security starts with hardening secrets, identities, and runtime permissions, with least privilege, JIT access, managed identities, and lifecycle controls as the core baseline. That baseline matters because autonomous agents turn credential handling into an NHI governance problem, not just an appsec checklist item.

NHIMG editorial — based on research published by Entro Security.

Questions worth separating out

Q: How should teams govern agent credentials in production?

A: Treat each agent credential as a governed identity with a clear owner, a narrow role, and a defined expiry.

Q: When does just-in-time access help most for AI agents?

A: JIT access helps most when agent tasks are episodic, high-risk, or difficult to predict in advance.

Q: What is the difference between managed identities and static secrets for agents?

A: Managed identities let a platform issue and validate access without embedding secrets in code, while static secrets must be stored, rotated, and protected everywhere they travel.

Practitioner guidance

  • Inventory every agent identity and its authority: Map each agent, service account, token source, and delegated role to a specific business function, then remove shared credentials and duplicate identities.
  • Replace long-lived secrets with time-bound issuance: Use short-lived tokens, automated expiry, and revocation checks for agent workflows that touch sensitive systems or data.
  • Split read, write, and administrative access: Assign separate roles to separate actions so a single compromised agent cannot move from observation to modification without an explicit control change.

With 80% of organisations reporting agent behaviour beyond intended scope, per the AI Agents: The New Attack Surface report, the priority is to make agent entitlement review a standing control, not a periodic audit.

👉 Read OWASP's securing agentic applications guide for NHI and secrets controls →

Quote
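The three practitioner guidance items in the post above can be run as a standing entitlement review over an agent credential inventory. The following is an added example, not part of the thread and not code from Entro, NHI Mgmt Group or OWASP; the record schema, the finding names, the one-hour TTL ceiling and the sample inventory are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_TTL = timedelta(hours=1)  # assumed policy ceiling, not a value from the guide
ACCESS_CLASSES = {"read", "write", "admin"}
NOW = datetime.fromisoformat("2025-01-10T09:10:00+00:00")  # constructed review time

# Constructed sample inventory, one record per agent identity (hypothetical schema).
def rec(agent, cred, owner, scopes, issued, expires):
    return {"agent": agent, "cred": cred, "owner": owner, "scopes": set(scopes),
            "issued": issued, "expires": expires}

INVENTORY = [
    rec("invoice-bot", "cred-a", "finance-ops", ["read"],
        "2025-01-10T09:00:00+00:00", "2025-01-10T09:30:00+00:00"),
    rec("triage-bot", "cred-b", None, ["read", "write"],
        "2025-01-10T09:00:00+00:00", None),
    rec("deploy-bot", "cred-c", "platform", ["admin"],
        "2025-01-10T08:00:00+00:00", "2025-01-10T08:45:00+00:00"),
    rec("report-bot", "cred-c", "platform", ["read"],
        "2025-01-10T09:00:00+00:00", "2025-01-10T12:00:00+00:00"),
]

def review(inventory, now):
    """Return (agent, finding) pairs for each guidance item a record violates."""
    holders = {}
    for r in inventory:
        holders.setdefault(r["cred"], set()).add(r["agent"])
    findings = []
    for r in inventory:
        flag = lambda name: findings.append((r["agent"], name))
        if not r["owner"]:
            flag("no-owner")
        if len(holders[r["cred"]]) > 1:
            flag("shared-credential")
        if len(r["scopes"] & ACCESS_CLASSES) > 1:
            flag("mixed-access-classes")
        if r["expires"] is None:
            flag("no-expiry")  # long-lived static secret
            continue
        issued = datetime.fromisoformat(r["issued"])
        expires = datetime.fromisoformat(r["expires"])
        if expires - issued > MAX_TTL:
            flag("ttl-too-long")
        if expires <= now:
            flag("expired-still-listed")  # should have been revoked and removed
    return findings

if __name__ == "__main__":
    for agent, finding in review(INVENTORY, NOW):
        print(f"{agent}: {finding}")
```

Running it on a schedule against the real inventory export, and failing the job on any finding, is what turns the review into a standing control.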
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

A few things worth adding from our research at NHI Mgmt Group.

Agentic AI is now an NHI governance problem before it is an application security problem. Once software can hold credentials, call tools, and complete workflows without human approval at each step, the identity layer becomes the control plane. That shifts the core risk from code execution alone to who can act, with what authority, and under which guardrails. Practitioners should design governance around machine identity lifecycle and not around the application stack alone.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 44% have implemented any policies to govern AI agents, even though 92% agree that governing them is critical to enterprise security.

A question worth separating out:

Q: Why do autonomous agents create more NHI governance risk than traditional apps?

A: Autonomous agents can execute multiple actions across systems with the same identity, which expands blast radius and weakens simple allowlist thinking. Traditional apps usually follow narrower execution paths. Agents need continuous entitlement review because their authority can shift as their tools, prompts, and goals change.

👉 Read our full editorial: OWASP agentic AI guidance sharpens NHI secrets governance priorities