IdentityMesh in agentic systems: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: A single innocent request can enable agentic AI to merge multiple authenticated contexts into one operational identity, allowing cross-system lateral movement, data exfiltration, phishing, or malware distribution, according to Lasso Security's IdentityMesh research. The finding makes clear that existing MCP and browser-based controls assume boundaries the agent does not preserve.

NHIMG editorial — based on content published by Lasso Security: IdentityMesh: Exploiting Lateral Movement in Agentic Systems

By the numbers:

Questions worth separating out

Q: How should security teams stop AI agents from moving data between trusted systems without approval?

A: Security teams should treat each system boundary as a separate trust decision, even when one agent handles the workflow.

Q: Why do agentic systems create a bigger lateral movement risk than ordinary automation?

A: Agentic systems create bigger lateral movement risk because they can combine read, reasoning, and write actions inside one runtime context.

Q: What do security teams get wrong about browser-based AI assistants?

A: They often treat browser-based assistants as user interfaces when they are really cross-origin identity mediators.

Practitioner guidance

  • Map cross-system identity fusion paths: Identify where a single agent can read from one system and write to another using the same user or service context.
  • Disable unrestricted agent autonomy for cross-origin actions: Require explicit approval before an agent moves information from one authenticated system into a different system, especially when the destination is public, shared, or externally reachable.
  • Separate read and write privileges by workflow: Limit agents so they can collect context from a source system but cannot write to another system unless the destination action is separately authorised.

What's in the full report

Lasso Security's full research covers the operational detail this post intentionally leaves for the source:

  • Scenario-by-scenario exploit flow across MCP, custom agents, and AI browsers so practitioners can compare attack paths.
  • Step-by-step examples of how read tools, write tools, and injected instructions combine into one cross-system chain.
  • Practical mitigations for disabling unrestricted agent behaviour, including approval prompts and boundary enforcement patterns.
  • Detailed explanation of the 'YOLO mode' browser risk and why cross-origin sessions are especially exposed.

👉 Read Lasso Security's research on IdentityMesh and agentic lateral movement →




   
Quote
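The approval and read/write separation controls from the practitioner guidance above, sketched as a per-workflow gate in front of an agent's tool calls. This is an added example, not part of the original post or of Lasso Security's research; `ToolCall`, `BoundaryGate` and the system labels are hypothetical, and the tool calls are constructed sample input.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ToolCall:
    system: str   # authenticated system the tool talks to (hypothetical label)
    action: str   # "read" or "write"
    target: str   # resource inside that system

@dataclass
class BoundaryGate:
    """Reads taint the agent context; cross-system writes need a per-pair approval."""
    write_allowed: set = field(default_factory=set)  # systems this workflow may write to
    approvals: set = field(default_factory=set)      # approved (source, destination) pairs
    tainted_by: set = field(default_factory=set)     # systems whose data is in context
    audit: list = field(default_factory=list)        # every decision, for later review

    def approve(self, source, destination):
        self.approvals.add((source, destination))

    def check(self, call):
        if call.action == "read":
            self.tainted_by.add(call.system)
            decision = "allow"
        elif call.system not in self.write_allowed:
            decision = "deny:write-not-authorised"
        else:
            # Each other system with data in context is a fusion path into this write.
            pending = sorted(s for s in self.tainted_by
                             if s != call.system and (s, call.system) not in self.approvals)
            decision = "hold:needs-approval:" + ",".join(pending) if pending else "allow"
        self.audit.append((call.system, call.action, call.target, decision))
        return decision

def run_constructed_workflow():
    # Constructed scenario: the workflow may write only to "chat".
    gate = BoundaryGate(write_allowed={"chat"})
    calls = [ToolCall("ticketing", "read", "TICKET-1"),
             ToolCall("crm", "read", "account/42"),
             ToolCall("chat", "write", "channel/general"),
             ToolCall("crm", "write", "account/42/note")]
    first = [gate.check(c) for c in calls]
    gate.approve("ticketing", "chat")   # one source approved, the other still pending
    retry = gate.check(calls[2])
    return first, retry, gate.audit
```

The audit list doubles as the map of fusion paths: every held or denied entry names a source system whose data was about to cross into a different destination.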
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

IdentityMesh is not a tool failure, it is a boundary failure. The attack works because the agent treats separate authenticated systems as one operational identity, so the security boundary disappears at runtime. That means the control problem is not only permissions, but the assumption that permissions remain separable once the agent starts chaining read and write actions. Practitioners should treat cross-system identity fusion as a distinct governance problem, not a variant of ordinary access sprawl.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: What is the difference between delegated access and identity fusion in agentic AI?

A: Delegated access is intended and bounded, with clear scope and separate control points. Identity fusion happens when an agent merges several credentials or sessions into one operational entity, so a request in one system can trigger unauthorised action in another without a fresh trust check.

👉 Read our full editorial: IdentityMesh shows how agentic systems collapse identity boundaries



   
ReplyQuote