TL;DR: AI agents now access databases, invoke APIs, update records, and make production decisions at machine speed, which makes one-time authentication insufficient for governance, according to Akeyless. The core shift is from identity at login to runtime control over action, context, and privilege, because access review assumptions break when execution is continuous.
NHIMG editorial — based on content published by Akeyless: Runtime Identity Security for AI agents
By the numbers:
- 94% of organizations use AI agents.
- 84% say AI agents can access sensitive data.
- 83% acknowledge a single compromised credential could affect multiple major systems.
Questions worth separating out
Q: How should security teams govern AI agents that can change actions at runtime?
A: Security teams should govern runtime AI by correlating identity, data, and intent before trusting an action path.
Q: Why do AI agents complicate traditional IAM and PAM controls?
A: AI agents complicate IAM and PAM because they can make decisions, chain tools, and act faster than human review cycles can respond.
Q: What breaks when AI agents are given broad inherited permissions?
A: Broad inherited permissions break the assumption that access is tied to a narrow business need.
Practitioner guidance
- Separate agent authentication from action authorization Treat login or workload identity validation as only the first gate.
- Eliminate standing credentials from agent workflows Replace embedded API keys, passwords, and long-lived tokens with task-scoped access that expires automatically after the approved action completes.
- Define approved agent intents and blocked action classes Write policies around the objectives an agent may pursue and the actions it may never perform, such as destructive database changes or unauthorized environment creation.
What's in the full article
Akeyless's full article covers the operational detail this post intentionally leaves for the source:
- How the vendor defines Runtime Identity Security across discovery, secretless access, runtime authority, and forensic traceability.
- Examples of intent-based authorization decisions, including how requested actions are evaluated against an agent's stated purpose.
- The architecture behind SecretlessAI and Distributed Fragments Cryptography for keeping credentials and keys out of the agent itself.
- The vendor's own framing of Zero Standing Privilege and agentic identity intelligence in production workflows.
👉 Read Akeyless's analysis of Runtime Identity Security for AI agents →
Runtime Identity Security for AI agents: what changes for IAM teams?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Runtime identity is the right category, but it is really an NHI control problem with autonomous consequences. AI agents are non-human identities, but their runtime behaviour introduces a level of action variability that traditional NHI governance does not assume. The decisive shift is not that they exist, but that they decide and act continuously inside the session. Practitioner implication: governance models must distinguish static machine identity from actors that can re-plan while executing.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an AI agent causes a security incident?
A: Accountability should sit with the business owner, the system owner, and the security function together, because agent behaviour crosses operational boundaries. Organisations need a defined owner for approval, monitoring, and retirement, plus audit evidence that shows what the agent accessed and why.
👉 Read our full editorial: Runtime Identity Security redefines access control for AI agents