
How should security teams discover AI agents that are not in IAM inventories?

By NHI Mgmt Group Editorial Team Updated June 24, 2026 Domain: Agentic AI & Autonomous Identity

Use multiple discovery paths at once: declared agent registries, repository scanning, plugin and app store monitoring, network analysis, and identity analytics. The goal is not just to find traffic, but to correlate activity back to an owner, lifecycle state, and delegated identity so shadow AI can be governed instead of merely observed.

Why This Matters for Security Teams

AI agents are often deployed faster than they are registered, which means IAM inventories miss the very workloads that can hold tokens, call APIs, and trigger downstream actions. That gap matters because discovery is not just an asset-counting exercise; it is the first step in proving who owns an agent, what it can do, and when it should stop. Current guidance suggests teams should treat shadow agents as a control failure, not a visibility nuisance.

The risk is amplified by agentic behaviour: an agent may be created in a repository, embedded in a workflow tool, or exposed through a plugin marketplace without ever being listed in a central directory. NHIMG research in the AI Agents: The New Attack Surface report shows the visibility gap is already operational, with only 52% of companies able to track and audit the data their AI agents access. That aligns with the emerging view in the OWASP Agentic AI Top 10 that unmanaged agent behavior is a core security issue, not an edge case. In practice, many security teams discover AI agents only after an incident response query or unexpected data access reveals them.

How It Works in Practice

Effective discovery uses multiple paths at once because no single control plane has a complete view. Security teams should combine declared agent registries, source control scanning, CI/CD inspection, cloud and SaaS app inventory, plugin and marketplace monitoring, network telemetry, and identity analytics. The goal is to correlate each agent to a human owner, a business purpose, a lifecycle state, and the delegated identity it uses at runtime.

Start with places where agents are intentionally defined: configuration files, repository manifests, infra-as-code, chatbot orchestration layers, and approval records. Then search for patterns that indicate autonomous execution, such as tool-calling libraries, API token injection, webhook subscriptions, scheduled jobs, and service accounts with broad scopes. Runtime telemetry should be mapped back to identity signals such as OIDC claims, workload identity certificates, or SPIFFE/SPIRE assertions so the team can tell whether a process is a sanctioned agent or an untracked clone. This is where the NHI lifecycle discipline described in the NHI Lifecycle Management Guide becomes practical: discovery must feed registration, ownership, and revocation, not just reporting.

  • Scan repositories for agent frameworks, tool definitions, and hard-coded secrets.
  • Monitor app stores, browser extensions, and SaaS plugin catalogs for new agent capabilities.
  • Correlate egress traffic, API calls, and token use to a known owner and approved purpose.
  • Use identity analytics to flag service principals, workload identities, or OAuth grants with no business sponsor.
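The repository-scanning and correlation steps above, as an added example (not NHIMG code): it scans a constructed set of repo files for hypothetical indicators of autonomous execution and embedded credentials, groups hits by service, and reconciles each candidate against a constructed declared registry that carries the minimum metadata (owner, approver, data scope, identities, revalidation date), reporting unregistered agents, missing fields, overdue revalidation, and hard-coded secrets.

```python
import re
from datetime import date
# Constructed sample checkout ({path: contents}); a real scan would walk a git checkout.
REPO_FILES = {
    "services/ticket-bot/agent.py": "from langchain.agents import initialize_agent\n"
        "OPENAI_API_KEY = 'sk-constructed-example-abcdef1234567890'\n"
        "schedule.every(5).minutes.do(run_agent)\n",
    "services/report-bot/main.py": "from crewai import Agent\n"
        "requests.post('https://hooks.slack.com/services/T0/B0/xyz', json=msg)\n",
    "services/etl/loader.py": "import pandas as pd\ndf = pd.read_csv('in.csv')\n",
}
# Declared registry (constructed) keyed by service directory; ticket-bot is past revalidation.
REGISTRY = {"ticket-bot": {"owner": "alice", "approved_by": "secarch", "data_scope": ["tickets"],
                           "identities": ["ticket-bot@example.iam"], "revalidate_by": date(2026, 1, 31)}}
REQUIRED = ("owner", "approved_by", "data_scope", "identities", "revalidate_by")
TODAY = date(2026, 6, 24)  # constructed "now" for the revalidation check
# Hypothetical indicator patterns for autonomous execution and embedded credentials.
INDICATORS = {
    "agent_framework": re.compile(r"langchain\.agents|crewai|autogen|openai\.agents"),
    "scheduled_job": re.compile(r"schedule\.every\(|\bcron\b"),
    "webhook": re.compile(r"hooks\.slack\.com|webhook", re.I),
    "hardcoded_secret": re.compile(r"sk-[A-Za-z0-9-]{16,}|AKIA[0-9A-Z]{16}"),
}

def scan_repo(files):
    """Group indicator hits by service directory (second path component)."""
    hits = {}
    for path, text in files.items():
        for name, pat in INDICATORS.items():
            if pat.search(text):
                hits.setdefault(path.split("/")[1], set()).add(name)
    return hits

def reconcile(hits, registry, today):
    """Map each agent candidate to governance gaps; a lone weak signal is treated as noise."""
    issues = {}
    for service, kinds in hits.items():
        if "agent_framework" not in kinds and len(kinds) < 2:
            continue
        entry, gaps = registry.get(service), []
        if entry is None:
            gaps.append("unregistered")
        else:
            gaps += [f"missing:{k}" for k in REQUIRED if not entry.get(k)]
            if entry.get("revalidate_by") and entry["revalidate_by"] < today:
                gaps.append("revalidation_overdue")
        if "hardcoded_secret" in kinds:
            gaps.append("hardcoded_secret")
        if gaps:
            issues[service] = gaps
    return issues
```

Running `reconcile(scan_repo(REPO_FILES), REGISTRY, TODAY)` flags ticket-bot for overdue revalidation and a hard-coded key, and report-bot as unregistered, while the plain ETL job produces no finding.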

For policy context, teams should align discovery to runtime risk signals described in the NIST AI Risk Management Framework and the CSA MAESTRO agentic AI threat modeling framework. These controls tend to break down in environments where agents are embedded in shadow IT workflows and reuse human OAuth grants because ownership and intent become ambiguous.

Common Variations and Edge Cases

Tighter discovery often increases operational overhead, requiring organisations to balance coverage against noise and analyst fatigue. That tradeoff is especially sharp when agents are ephemeral, customer-facing, or generated dynamically by development teams, because the inventory can change faster than approval workflows can keep up.

One common edge case is a legitimate automation that behaves like an agent but is recorded as a generic service. Another is a vendor-hosted agent whose execution is visible only as outbound API traffic, with no local process evidence at all. Best practice is evolving here, and there is no universal standard for agent naming, lifecycle status, or ownership metadata yet. Security teams should therefore use minimum metadata requirements: who approved it, what data it can reach, what identities it assumes, and when it must be revalidated.

NHIMG’s Top 10 NHI Issues and the OWASP NHI Top 10 both reinforce the same operational point: discovery is only useful if it feeds governance. The agentic AI threat model in the MITRE ATLAS adversarial AI threat matrix is also relevant because unmanaged agents can pivot across tools once they are found. In practice, the hardest cases are federated SaaS environments where the agent lives outside enterprise logging and only appears after a suspicious API surge.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Discovery must surface unmanaged agent behavior and tool access.
CSA MAESTRO | STR-1 | MAESTRO guides threat modeling for autonomous agent discovery and control.
NIST AI RMF | (none listed) | AI RMF supports governing agent lifecycle, accountability, and risk.

Inventory every agent, link it to an owner, and review its tool and data access continuously.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org