Copilot Studio agents and static credentials: what changes for IAM teams


(@nhi-mgmt-group)

TL;DR: Copilot Studio’s low-friction agent deployment is accelerating access to internal systems through MCP servers, but it also exposes a structural problem: agents are being granted broadly scoped, static credentials with no central policy or incident record, according to Aembit. The issue is not agent creation, but whether identity and access controls can govern runtime behaviour, task by task.

NHIMG editorial — what this means for AI and NHI governance

Questions worth separating out

Q: How should security teams govern AI agents that connect to internal systems through MCP servers?

A: Security teams should treat each agent as a distinct identity with narrowly scoped, task-specific access and central policy enforcement.

Q: Why do static credentials create more risk for AI agents than for traditional applications?

A: Static credentials create more risk because agent behaviour is generated at runtime and may span multiple tools or systems in one session.

Q: What breaks when AI agent access is inherited directly from the user who triggered the workflow?

A: Direct inheritance collapses two different subjects into one security decision.

Practitioner guidance

  • Classify every Copilot Studio agent as a separate identity subject. Create a distinct entitlement model for agents that connect to internal systems, even when the workflow is user-triggered.
  • Replace persistent access with task-scoped credential issuance. Issue ephemeral credentials only for the specific action the agent needs, then revoke them immediately after completion.
  • Require central policy checks for every agent-to-resource decision. Place access decisions behind a central control layer that can evaluate context, intent, and target system before any MCP call succeeds.

What's in the full announcement

Aembit's full article covers the operational detail this post intentionally leaves for the source:

  • How the Copilot Studio integration maps context from the human identity provider into agent access decisions
  • What the blended identity model looks like in practice for runtime access control and session-scoped credentials
  • How the interactive enterprise AI readiness checklist helps teams identify rollout gaps before production
  • What the live demonstration at Identiverse shows about policy enforcement and audit context

(@mr-nhi)

Static credentials are the wrong trust model for agents that act at runtime. The article describes a deployment pattern in which agents can reach internal systems with credentials that do not meaningfully expire with the task. That is an NHI governance failure because the access object is persistent while the work is ephemeral. The practitioner conclusion is simple: the identity model must follow the session, not the integration.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to SailPoint.

A question worth separating out:

Q: How do you know if AI agent access controls are actually working?

A: Look for evidence that every agent request is evaluated centrally, every credential is task-scoped, and every decision is logged with enough context to reconstruct the action. If agents can reach systems without a traceable policy decision, the controls are decorative rather than operational.

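The three checks named in the last answer above (every request evaluated centrally, every credential task-scoped, every decision logged with enough context), together with the earlier guidance on separate agent identities and ephemeral credentials, can be run as an audit over access records. This is an added example, not part of the original posts or of any vendor's product; all field names, the 15-minute TTL bound and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# All field names and the TTL bound are assumptions for this sketch.
MAX_TTL = timedelta(minutes=15)
CONTEXT = ("agent_id", "on_behalf_of", "task_id", "resource", "action")
ts = datetime.fromisoformat

def audit(calls, decisions, creds):
    """Map call_id -> findings for each agent call that fails a check."""
    out = {}
    for c in calls:
        p, d, k = [], decisions.get(c.get("decision_id")), creds.get(c.get("credential_id"))
        # Check 1: the call traces to a central allow decision for this exact target.
        if d is None:
            p.append("no policy decision")
        else:
            if d.get("effect") != "allow" or (d.get("resource"), d.get("action")) != (c["resource"], c["action"]):
                p.append("decision does not authorise this call")
            # Check 3: the decision record names agent and user separately, plus task and target.
            missing = [f for f in CONTEXT if not d.get(f)]
            if missing:
                p.append("decision missing " + ",".join(missing))
        # Check 2: the credential is bound to this task and short-lived.
        if k is None:
            p.append("unknown credential")
        else:
            if k.get("task_id") != c["task_id"]:
                p.append("credential not task-bound")
            if not k.get("expires"):
                p.append("static credential")
            elif ts(k["expires"]) - ts(k["issued"]) > MAX_TTL:
                p.append("credential TTL too long")
            elif not ts(k["issued"]) <= ts(c["time"]) <= ts(k["expires"]):
                p.append("credential used outside window")
        if p:
            out[c["call_id"]] = p
    return out

# Constructed sample records (not from the source).
DECISIONS = {
    "d1": {"effect": "allow", "agent_id": "agent-7", "on_behalf_of": "alice", "task_id": "t1", "resource": "crm", "action": "read"},
    "d2": {"effect": "allow", "agent_id": "agent-7", "on_behalf_of": "", "task_id": "t2", "resource": "hr", "action": "read"}}
CREDS = {
    "k1": {"task_id": "t1", "issued": "2025-01-01T10:00:00", "expires": "2025-01-01T10:05:00"},
    "k2": {"task_id": None, "issued": "2024-06-01T00:00:00", "expires": None}}
CALLS = [
    {"call_id": "c1", "task_id": "t1", "decision_id": "d1", "credential_id": "k1", "resource": "crm", "action": "read", "time": "2025-01-01T10:01:00"},
    {"call_id": "c2", "task_id": "t2", "decision_id": "d2", "credential_id": "k2", "resource": "hr", "action": "read", "time": "2025-01-01T10:02:00"},
    {"call_id": "c3", "task_id": "t3", "decision_id": None, "credential_id": "k1", "resource": "finance", "action": "write", "time": "2025-01-01T10:30:00"}]
```

Calling `audit(CALLS, DECISIONS, CREDS)` passes `c1` and flags `c2` (static, unbound credential and a decision with no user recorded) and `c3` (no decision, with an expired credential reused from another task).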