When should organisations rotate secrets used by AI agents?

Rotate secrets immediately when they are shared across multiple systems, exposed in logs or code, or used by agents with broad access. In agentic environments, rotation is not just a hygiene task. It is a containment control that limits how far compromised credentials can spread through tools, workflows, and dependent services.

Notifications

Clear all

Why do AI agents turn NHI governance into an urgent issue?

Last Post

RSS

Entro Security

(@entro)

Estimable Member

Joined: 1 year ago

Posts: 79

Topic starter 11/05/2026 5:04 pm

TL;DR: OWASP’s Agentic Top 10 for 2026 maps the main failure modes in AI agents to identity, tool, memory, and supply-chain risk, showing that most incidents start with overprivileged or exposed non-human identities, not with the model alone, according to OWASP. The governance problem is now operational, because agent security collapses when secret sprawl and implicit trust outpace least-privilege control.

NHIMG editorial — based on research published by Entro Security.

By the numbers:

92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams govern AI agents without creating excessive friction?

A: Start by treating each agent as a non-human identity with a defined owner, purpose, and access boundary.

Q: Why do AI agents increase NHI governance risk compared with traditional automation?

A: AI agents can interpret context, choose tools, and chain actions dynamically, which means their behaviour is less predictable than scripted automation.

Q: What is the difference between agent security and NHI security?

A: Agent security focuses on what the AI system says or does at runtime, while NHI security governs the identities, secrets, and permissions that let it act in the first place.

Practitioner guidance

Inventory every agent-facing NHI Map API keys, service accounts, OAuth tokens, and PATs used by agents across cloud, SaaS, CI/CD, and internal tools.
Assign distinct identities to agents Stop letting agents ride on human sessions or shared credentials.
Reduce blast radius for exposed secrets Prioritise rotation and permission narrowing for secrets that multiple agents, microservices, or workloads depend on.

Teams need a control plane that combines identity inventory, privilege review, and behaviour monitoring before usage scales further?

👉 Read OWASP’s full analysis of the 2026 Agentic Applications Top 10 →

Explore further

View Full Forum → | NHI Foundation Course → | Our Services →

Quote

Topic Tags

Forum Statistics

9 Forums

2,778 Topics

2,934 Posts

13 Online

109 Members

Latest Post: ERP access governance: what security teams miss at go-live Our newest member: Mr NHI Recent Posts Unread Posts Tags

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

NHI FAQ

NHI 101 Articles

Legal & Policies