Use a split model. Allow low-risk actions to proceed under tightly scoped, short-lived credentials, but route irreversible or high-impact actions through explicit human approval. That keeps automation usable while preserving accountability where the business impact is highest. The key is to separate routine execution from delegated authority, not to approve everything the same way.
Why This Matters for Security Teams
Agent actions become risky when the security model assumes stable, human-like behaviour. Autonomous systems do not follow fixed access patterns, and static RBAC often grants more than the task needs for longer than the task lasts. That is why current guidance favours a split approach: tightly scoped execution for routine work, and explicit approval for irreversible actions. The problem is especially visible when secrets are stored outside proper managers, a pattern highlighted in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, where credential sprawl and weak rotation remain common.
For agentic systems, this is not just an identity issue. It is an authorisation design issue tied to autonomy, tool use, and delegation. Frameworks such as OWASP Top 10 for Agentic Applications 2026 and NIST AI Risk Management Framework both point to governance that is contextual, not blanket-based. In practice, many security teams discover over-privileged agents only after an unexpected tool chain, data movement, or billing-impacting action has already occurred.
How It Works in Practice
The operating model is to separate execution authority from business authority. Low-risk actions, such as reading scoped data, drafting updates, or triggering reversible workflows, can use JIT credentials with short time-to-live, narrow scope, and automatic revocation on task completion. High-impact actions, such as deleting records, moving funds, publishing externally, or changing production policy, should be blocked pending human approval even if the agent can prepare the request.
Practitioners should anchor the agent to a workload identity, not a long-lived shared secret. That means using cryptographic identity and token exchange patterns, then issuing ephemeral secrets only when policy allows the specific action. Real-time policy evaluation is the key control point: evaluate intent, target resource, blast radius, environment, and step-up requirements at request time rather than relying on pre-defined role grants. This aligns with the direction of CSA MAESTRO agentic AI threat modeling framework and the governance expectations in NIST AI Risk Management Framework.
- Issue credentials per task, not per service lifetime.
- Bind tokens to the agent workload identity and the exact action context.
- Use policy-as-code for approval gates, logging, and step-up controls.
- Separate “can execute” from “can decide” so the agent can automate safely without self-authorising sensitive outcomes.
For teams mapping this to identity governance, the NHI-specific controls in OWASP NHI Top 10 are most useful when paired with agent-focused threat modelling. These controls tend to break down when agents can chain multiple low-risk tools into a single high-impact workflow because the policy engine sees each step separately rather than the cumulative intent.
Common Variations and Edge Cases
Tighter approval gating often increases friction, latency, and exception handling, so organisations have to balance speed against blast-radius reduction. Best practice is evolving, and there is no universal standard for how much autonomy should be delegated before a human must approve. For some workflows, especially customer support and internal IT, organisations can safely allow more automation if actions are reversible and well logged. For finance, production changes, or external communications, the approval threshold should be much lower.
Two edge cases matter most. First, “low-risk” actions can become high-risk when chained together, so policy should consider the full intent sequence, not just each tool call. Second, long-lived static secrets can silently turn a contained agent into a persistent foothold, which is why Ultimate Guide to NHIs — Regulatory and Audit Perspectives stresses auditability and revocation discipline. The operational lesson is simple: do not rely on trust in the model; rely on expiry, scope, and explicit authorisation boundaries. This is also where the OWASP Agentic AI Top 10 and NIST Cybersecurity Framework 2.0 remain practical references for control design and accountability.
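As an added example that is not part of the original guidance, the following Python policy check implements the split model from the list above (per-task, workload-bound JIT credentials for low-risk tools; approval gating for irreversible ones) together with the first edge case: a sequence of individually low-risk tool calls that adds up to a high-impact outcome is routed to approval because the engine judges cumulative intent, not each call in isolation. Tool names, risk tiers, the chain definition and the workload identifier are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed risk tiers; a real deployment would load these from policy-as-code.
LOW_RISK = {"read_scoped_data", "draft_update", "export_to_workspace", "share_link"}
IRREVERSIBLE = {"delete_record", "transfer_funds", "publish_external", "change_prod_policy"}
# Constructed example of low-risk tools that together amount to external data movement.
HIGH_IMPACT_CHAINS = [("read_scoped_data", "export_to_workspace", "share_link")]


@dataclass
class TaskContext:
    task_id: str
    workload_id: str  # the agent's workload identity (constructed SPIFFE-style ID), not a shared secret
    environment: str
    history: list = field(default_factory=list)  # tool calls already allowed within this task


def issue_jit_token(ctx, action, resource, ttl_seconds=120):
    """Ephemeral credential bound to the workload identity, the exact action and the target."""
    return {"sub": ctx.workload_id, "task": ctx.task_id, "act": action, "res": resource,
            "exp": time.time() + ttl_seconds, "jti": secrets.token_hex(8)}


def token_allows(token, action, resource, now=None):
    """A token is good only for the one action/resource it was minted for, and only until expiry."""
    now = time.time() if now is None else now
    return token["act"] == action and token["res"] == resource and now < token["exp"]


def contains_subsequence(seq, sub):
    """True if every element of sub appears in seq in order (not necessarily adjacent)."""
    it = iter(seq)
    return all(s in it for s in sub)


def evaluate(ctx, action, resource):
    """Return (outcome, reason, token); outcome is 'allow', 'approval_required' or 'deny'."""
    if action not in LOW_RISK and action not in IRREVERSIBLE:
        return "deny", f"unknown tool {action}", None
    if action in IRREVERSIBLE:
        return "approval_required", f"{action} is irreversible; agent may prepare but not execute", None
    # Cumulative intent: evaluate the whole sequence this call would complete, not just the call.
    proposed = ctx.history + [action]
    for chain in HIGH_IMPACT_CHAINS:
        if contains_subsequence(proposed, chain):
            return "approval_required", f"sequence {chain} is high-impact as a whole", None
    token = issue_jit_token(ctx, action, resource)
    ctx.history.append(action)
    return "allow", "low-risk action; scoped JIT credential issued", token
```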
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived, scoped credentials directly address NHI over-privilege and rotation risk. |
| OWASP Agentic AI Top 10 | | Agentic systems need runtime control over autonomous tool use and escalation paths. |
| NIST AI RMF | | AI RMF governance covers accountability for autonomous behavior and human oversight. |
Assign owners, define escalation thresholds, and document oversight for sensitive agent actions.
Reviewed and updated by the NHIMG editorial team on June 6, 2026.