Notifications
Clear all
Topic starter
22/06/2026 10:12 am
TL;DR: AI-driven attackers are compressing the time from vulnerability exposure to working attack, while AI agents are expanding the pool of privileged identities that hold secrets and act independently, according to Delinea. The governance gap is no longer just credential protection, but whether standing privilege and runtime authorisation assumptions survive agentic behaviour.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: What breaks when standing privilege is still present in privileged identity programmes?
A: Standing privilege creates a persistent path from initial access to escalation because credentials, sessions, and entitlements remain usable outside the moment they were needed.
Q: Why do AI agents complicate existing IAM and NHI controls?
A: AI agents complicate IAM and NHI controls because they can authenticate, hold secrets, and act with runtime discretion rather than only executing fixed workflows.
Practitioner guidance
- Map persistent privilege across all identity types Build an inventory of human admin accounts, service accounts, and agent identities that retain standing privilege or reusable tokens.
- Move privileged access to task-scoped elevation Require just-in-time access for administrative tasks and pair it with session controls that expire when the job ends.
- Separate secrets ownership from identity ownership Track which identities can retrieve secrets, which systems can use them, and which runtime contexts can replay them.
What to expect at the briefing
Delinea's full session covers the operational detail this post intentionally leaves for the source:
- The five best practices the speakers apply internally for privileged access and runtime authorisation.
- The specific signs of standing privilege that typically survive into production environments.
- The recommended approach to governing secrets, sessions, and AI agents as privileged identities.
- The starting-point checklist for finding where standing privilege still lives across the environment.
👉 Watch Delinea's on-demand session on standing privilege and AI agent governance →
AI agents and standing privilege: where identity controls are failing?
Explore further
22/06/2026 11:00 am
Standing privilege is no longer just a control weakness, it is an attacker timing advantage. AI-driven attacks compress the interval between exposure and exploitation so sharply that continuous access becomes more dangerous than many teams have modelled. The same persistent privilege pattern that affects human admins now applies to service accounts and agent identities, which means the attack surface is defined by time as much as by scope. Practitioners should treat standing access as a live blast-radius problem, not a policy housekeeping issue.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: Who should be accountable for AI agent privilege and secrets governance?
A: Accountability should sit with the team that owns the workload, the identity controls, and the secret lifecycle together, not with a single platform owner. For agent identities, that means security, IAM, and the application owner must share responsibility for scope, session boundaries, and offboarding.
👉 Read our full editorial: AI agents and standing privilege are collapsing attack windows
