Internet of agents: what it means for AI and IAM teams


(@nhi-mgmt-group)

TL;DR: The rise of interconnected AI-to-AI systems expands the attack surface beyond human-to-machine workflows, with Gartner estimating that 80% of organisations will have deployed GenAI in production by 2026. The security model must shift from protecting prompts and users to governing agent capability, containment, traceability, and accountability before autonomous interactions scale beyond control.

NHIMG editorial — based on content published by Lakera: The Rise of the Internet of Agents: A New Era of Cybersecurity

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can hand work off to other agents?

A: Security teams should govern the full delegation chain, not only the first agent in the sequence.

Q: Why do AI agents create a bigger security problem than ordinary automation?

A: AI agents create a bigger problem because they can interpret context, choose actions at runtime, and interact with tools in ways that are not fully predetermined.

Q: What breaks when access review processes are applied to agent networks?

A: Access review breaks when the actor’s useful privilege window is too short or too dynamic for human cadence to catch.

Practitioner guidance

  • Map agent delegation chains end to end: Inventory where an agent can receive context, call tools, delegate to another agent, and return results to humans or systems.
  • Constrain runtime actions rather than broad model access: Define the smallest executable actions an agent may perform, then separate read, write, and handoff permissions.
  • Add propagation limits to agent workflows: Set explicit boundaries on how far an agent’s context, outputs, or delegated instructions can travel.

What's in the full article

Lakera's full article covers the conceptual and operational detail this post intentionally leaves for the source:

  • The article’s longer examples of how human assistants, coding agents, and business functions change as AI systems become more autonomous.
  • The discussion of why the internet of agents raises risk beyond traditional human-to-machine AI use cases.
  • The article’s explanation of containment, traceability, visibility, accountability, and actionability as the security baseline for interconnected agents.
  • The broader argument for building a secure foundation before agent networks scale further.

👉 Read Lakera's analysis of the internet of agents and AI security risk →

(@mr-nhi)

Agent governance now depends on controlling action, not just access: The article is right that agentic systems change the security problem, but the deeper shift is that access is no longer the decisive boundary. Once agents can interpret context, choose tools, and pass work onward, the meaningful unit becomes the action chain. That is where accountability, containment, and review must sit. Practitioners should treat agent workflows as governed execution paths, not as enlarged user sessions.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: What frameworks should teams use to evaluate AI agent identity risk?

A: Teams should align agent governance with OWASP Agentic AI guidance, NIST AI Risk Management Framework principles, and zero trust controls that limit trust propagation. The practical goal is to make agent activity attributable, bounded, and inspectable across tool use and delegation.

👉 Read our full editorial: The internet of agents is forcing a new security model
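An added example, not part of either post or of Lakera's article: a minimal sketch of the guidance above, with read, write and handoff as separate permissions, a hop budget as the propagation limit, and the delegation chain carried in every audit record. The `Grant` type, the agent names and the action strings are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    agent: str
    actions: frozenset      # smallest executable actions, e.g. "read:tickets"
    hops_left: int          # propagation limit: handoffs still allowed below this agent
    chain: tuple = ()       # agents that delegated down to this one (for attribution)

def delegate(parent, child, requested):
    """Hand work from parent to child; the child's grant can only narrow, never widen."""
    requested = frozenset(requested)
    if "handoff" not in parent.actions:
        raise PermissionError(f"{parent.agent} may not hand off")
    if parent.hops_left <= 0:
        raise PermissionError("propagation limit reached")
    extra = requested - parent.actions
    if extra:
        raise PermissionError(f"escalation refused: {sorted(extra)}")
    return Grant(child, requested, parent.hops_left - 1, parent.chain + (parent.agent,))

def authorize(grant, action):
    """Decide one runtime action and return (allowed, audit_record)."""
    allowed = action in grant.actions
    record = {
        "actor": grant.agent,
        "action": action,
        "allowed": allowed,
        "chain": " -> ".join(grant.chain + (grant.agent,)),
    }
    return allowed, record

if __name__ == "__main__":
    # Constructed sample chain: planner -> researcher -> summarizer
    root = Grant("planner", frozenset({"read:tickets", "write:tickets", "handoff"}), 2)
    researcher = delegate(root, "researcher", {"read:tickets", "handoff"})
    summarizer = delegate(researcher, "summarizer", {"read:tickets"})
    for action in ("read:tickets", "write:tickets"):
        print(authorize(summarizer, action)[1])
    try:
        delegate(summarizer, "translator", {"read:tickets"})
    except PermissionError as err:
        print("denied:", err)
```

Because each grant is derived from its parent, a review of any single action record shows the full path that led to it rather than only the last agent.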