The Touchpoints Between AI and Non-Human Identities

Read the full research here: https://astrix.security/learn/blog/astrix-research-presents-touchpoints-between-ai-and-non-human-identities/?source=nhimg

As organizations rapidly adopt AI, especially autonomous agents—they're encountering a sharp increase in the use, complexity, and security risk of Non-Human Identities (NHIs) such as service accounts, API keys, and OAuth tokens.

This research investigates how modern AI systems interact with NHIs and outlines the urgent challenges this creates for identity governance and cybersecurity.

Key Insights

AI Agents 

• Unlike static scripts or bots, AI Agents make real-time decisions and operate autonomously, requiring dynamic and persistent access across systems.

• This shift introduces non-deterministic behavior, increased permissions, and broader NHI usage—making these agents harder to monitor and secure.

AI Systems and NHI Categories

Across AI use cases—Chatbots, RAG systems, Cloud LLMs, Enterprise AI Platforms, Browser & Computer Agents—NHIs serve as the primary access mechanism. Examples include:

• API keys for SaaS LLMs

• OAuth tokens for chatbot interactions

• IAM roles for cloud model deployments

• Database credentials for RAG pipelines

Emerging Risks

• Multi-NHI Agents: A single AI agent may span 10+ identities across environments. Without clear mapping, visibility and governance collapse

• NHI Explosion: Projected increase from 1:40 to 1:100 NHI-to-human ratio driven by AI adoption

• Sensitive Permissions Drift: AI Agents often inherit or require administrative-level access once limited to human admins

• Living-Off-The-Land (LOTL): Attackers can hijack AI-associated NHIs to stealthily move through networks, hiding in plain sight

Recommendations

1. Structured NHI Provisioning

• Define ownership, NHI types, access scope, credential handling, and expiry policies per agent

2. Comprehensive Visibility

• Maintain real-time maps of NHI ownership, granted permissions, and usage lifespans

3. Posture Hardening

• Use unique identities, least privilege policies, IP controls, and secure distribution practices

4. Behavioral Monitoring

• Establish baselines, monitor all NHI activity, and flag anomalies in AI execution

5. LOTL Defense Playbooks

• Employ automated responses and specialized detection to combat misuse of legitimate identities

Final Thoughts

AI innovation is accelerating—and so are the threats hidden behind non-human access. Organizations must act now to build AI-aware identity security programs that protect against the growing risks at the intersection of autonomous agents and machine identity sprawl.