Use policy enforcement at the agent layer, not just filters at the prompt layer. Limit tool permissions, validate retrieved content, separate trusted and untrusted context, and require human approval for sensitive actions. That combination reduces the chance that manipulated language becomes unauthorised execution.
Why This Matters for Security Teams
Prompt injection is not just a text safety issue. In agentic systems, manipulated content can change tool selection, retrieval paths, or the sequence of actions an OWASP Agentic AI Top 10 treats this as a core class of failure because the risk is execution, not simply harmful output. The real concern is that the agent may treat untrusted language as instruction and then act with valid credentials.
That is why NHI controls matter here. When an agent has standing access to APIs, internal data, or administrative tools, a single successful injection can become tool misuse, data exposure, or unauthorised change. The right response is to narrow the blast radius before the model ever decides. The OWASP NHI Top 10 and Top 10 NHI Issues both reinforce the same theme: over-privileged machine identities turn software mistakes into security incidents. In practice, many security teams encounter this only after an agent has already combined bad instructions with too much access, rather than through intentional testing.
How It Works in Practice
Effective reduction starts at the agent layer, where policy can inspect the request, the tool, the data source, and the current task context together. That means separating trusted system instructions from retrieved or user-supplied content, then validating every tool call against policy before execution. The emerging pattern is runtime authorisation, not static allowlists alone. For autonomous workloads, current guidance suggests that intent-based checks are more durable than role checks because the agent’s behaviour is goal-driven and can change from one step to the next.
A practical control set usually includes short-lived credentials, tight tool scopes, and human approval for high-impact actions. If an agent needs to read data, it should not automatically be able to write, delete, approve, or relay that data elsewhere. If it needs temporary access, issue Ultimate Guide to NHIs — Key Challenges and Risks and NIST Cybersecurity Framework 2.0 with just-in-time credentials that expire at task completion. For identity, use workload identity so the platform can prove what the agent is, not just what secret it holds. That makes revocation, tracing, and policy enforcement much more reliable than long-lived API keys.
- Use policy-as-code at request time so tool use is approved with full context.
- Classify retrieved content as untrusted unless it has been independently validated.
- Issue ephemeral secrets for the smallest possible task window.
- Require step-up approval for external calls, financial actions, and destructive changes.
- Log tool intent, target, and outcome so review can distinguish misuse from normal behaviour.
These controls tend to break down in loosely governed environments where agents chain multiple tools across teams and the same identity can reach both low-risk and high-risk systems.
Common Variations and Edge Cases
Tighter tool controls often increase operational overhead, requiring organisations to balance speed against the additional review and engineering effort. That tradeoff is real, especially in environments that rely on many third-party connectors or fast-moving internal workflows. Best practice is evolving, but there is no universal standard for this yet. Some teams use coarse allowlists, while others move to contextual policies that consider user intent, data sensitivity, and action type at runtime.
Edge cases usually appear when the agent must work across shared memory, long-running workflows, or multiple tools that were never designed for one another. In those cases, a simple prompt filter will not stop a malicious instruction from being reintroduced through retrieval or downstream tool output. The better pattern is layered defence: isolate untrusted context, enforce least privilege on every connector, and make high-risk actions explicit and reviewable. The OWASP Top 10 for Agentic Applications 2026 and Ultimate Guide to NHIs — Why NHI Security Matters Now both point to the same practical lesson: autonomy changes the failure mode, so controls must move from content screening to execution governance.
Where agents are allowed to learn, plan, and act over time, static RBAC alone becomes too blunt to contain risk because the next action is not always knowable at design time. That is why current guidance increasingly favours context-aware authorisation, short-lived secrets, and workload identity as the baseline for safer tool use.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Prompt injection and tool misuse are core agentic execution risks. |
| CSA MAESTRO | M1 | MAESTRO covers guardrails for autonomous agent behaviour and tool use. |
| NIST AI RMF | AI RMF addresses governance for unpredictable AI behaviour and misuse. |
Review agent tool calls at runtime and block unsafe actions before execution.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 1, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
