Use endpoint artefacts first. Look for agent directories, service definitions, local ports, and process names that prove the software is installed and active. Network traffic alone is too ambiguous because legitimate browser and API activity can look identical to agent behaviour. Discovery should produce an inventory of where the agent runs, what it can reach, and whether it is sanctioned.
Why This Matters for Security Teams
Shadow AI agents are difficult to spot because they often behave like ordinary automation until they quietly start reaching into data, tools, or systems outside the intended workflow. That makes discovery a security and governance problem, not just an inventory exercise. Network monitoring alone is rarely enough, because browser sessions, API calls, and legitimate service traffic can all resemble agent activity. Practitioners need endpoint proof first, then correlation to sanctioned ownership and scope.
Current guidance from the OWASP Agentic AI Top 10 and NIST AI Risk Management Framework points toward treating agents as active workloads with their own execution footprint, not as a vague category of “AI usage.” That means looking for local service definitions, startup jobs, agent directories, runtime processes, and the tokens or keys that let the agent operate. NHIMG analysis of the AI LLM hijack breach shows why this matters: once an agent is present, its reach can expand faster than manual review cycles can keep up.
In practice, many security teams first discover shadow agents only after a data access review or incident response inquiry has already exposed them.
How It Works in Practice
Effective discovery starts on the endpoint and host layer, because that is where the software leaves durable evidence. Security teams should look for installed packages, container images, systemd services, scheduled tasks, launch agents, CLI wrappers, and process names associated with autonomous workflows. The goal is not merely to find an executable, but to establish whether the workload is active, what account launched it, what network endpoints it reaches, and whether it holds secrets that allow tool use.
A practical workflow is to correlate multiple signals:
- process trees and parent-child relationships that show repeated autonomous execution
- local ports, IPC channels, and service bindings that indicate an always-on agent
- file system artefacts such as agent configs, prompt stores, cache directories, or tool manifests
- secret material such as API keys, tokens, or certificates stored on disk or injected at runtime
- outbound connections to model providers, internal APIs, SaaS tools, and orchestration backends
This is where endpoint telemetry, EDR, and workload logging become more valuable than passive network heuristics. The NHI Lifecycle Management Guide is useful here because discovery should end in an inventory that ties each agent to an owner, purpose, privilege scope, and expiry model. For agentic systems, OWASP NHI Top 10 and the CSA MAESTRO agentic AI threat modeling framework both reinforce that discovery must capture behaviour, not just installation.
Discovery should also ask whether the agent is sanctioned, because sanctioned and shadow agents often share infrastructure. A model gateway, development workstation, or CI runner may host both approved and unsanctioned workloads. Ownership attribution tends to break down in highly containerised environments, where short-lived pods, ephemeral credentials, and shared build agents make it ambiguous which team is responsible for a given workload.
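The correlation workflow above, together with the sanctioned-versus-shadow question, as an added example that is not part of the original page or of any NHIMG tooling: it scores constructed host telemetry for one Linux host (process tree, local listeners, config files beside the code, secret-bearing environment variables, outbound peers of the process and its children) and checks the surviving candidates against an assumed sanction register keyed by service account and install directory. The process table, paths, hostnames, environment contents and register are all assumptions made for illustration.

```python
"""Added example: build an agent inventory from host-level evidence.
All telemetry below is constructed for illustration; paths, users, hosts and
the sanction register are assumptions, not data from a real system."""
import os
import re

MODEL_PROVIDER_RE = re.compile(r"(openai|anthropic)\.com$|googleapis\.com$")
SECRET_ENV_RE = re.compile(r"(API_KEY|TOKEN|SECRET)$")
CONFIG_NAMES = {"agent.yaml", "agent.json", "config.json", ".env", "tools.json"}
PERSISTENT_PARENTS = {"/sbin/init", "/usr/bin/crond", "/usr/lib/systemd/systemd"}

# Constructed process table (pid, ppid, user, command line).
PROCESSES = [
    {"pid": 1,    "ppid": 0,    "user": "root",      "cmd": "/sbin/init"},
    {"pid": 812,  "ppid": 1,    "user": "root",      "cmd": "/usr/bin/crond"},
    {"pid": 2310, "ppid": 1,    "user": "svc-agent", "cmd": "/opt/agent-runner/bin/python /opt/agent-runner/loop.py"},
    {"pid": 2544, "ppid": 2310, "user": "svc-agent", "cmd": "/usr/bin/gh api repos/acme/billing/pulls"},
    {"pid": 2601, "ppid": 2310, "user": "svc-agent", "cmd": "/usr/bin/curl https://api.openai.com/v1/responses"},
    {"pid": 2900, "ppid": 1,    "user": "alice",     "cmd": "/usr/bin/gnome-session"},
    {"pid": 3001, "ppid": 2900, "user": "alice",     "cmd": "/usr/bin/firefox"},
    {"pid": 4020, "ppid": 812,  "user": "builder",   "cmd": "/usr/bin/node /home/builder/.mcp/server.js"},
]
# Constructed on-disk artefacts, per-process environment, listeners and remote peers.
FILES = {"/opt/agent-runner/agent.yaml", "/opt/agent-runner/.env",
         "/home/builder/.mcp/config.json", "/home/alice/.mozilla/profiles.ini"}
ENVIRON = {2310: {"OPENAI_API_KEY": "sk-redacted", "PATH": "/usr/bin"},
           4020: {"GITHUB_TOKEN": "ghp-redacted"}, 3001: {"DISPLAY": ":0"}}
LISTENERS = {2310: ["127.0.0.1:8765"], 4020: ["127.0.0.1:3333"]}
CONNECTIONS = {2601: ["api.openai.com:443"], 2544: ["api.github.com:443"],
               3001: ["chat.openai.com:443"], 4020: ["api.anthropic.com:443"]}
# Assumed sanction register, keyed by (service account, install directory).
SANCTIONED = {("svc-agent", "/opt/agent-runner"): {"owner": "platform-team", "expires": "2026-09-30"}}


def install_dir(cmd):
    """Directory of the first absolute-path argument (the script), else of the executable."""
    parts = cmd.split()
    target = next((p for p in parts[1:] if p.startswith("/")), parts[0])
    return os.path.dirname(target)


def signals_for(proc, by_pid):
    """Collect independent pieces of evidence that this process is an active agent workload."""
    pid, found = proc["pid"], {}
    parent = by_pid.get(proc["ppid"])
    if parent and parent["cmd"] in PERSISTENT_PARENTS:
        found["persistence"] = parent["cmd"]        # started by init/cron, not an interactive session
    if pid in LISTENERS:
        found["listener"] = LISTENERS[pid]          # always-on local service binding
    where = install_dir(proc["cmd"])
    cfgs = sorted(f for f in FILES if os.path.dirname(f) == where and os.path.basename(f) in CONFIG_NAMES)
    if cfgs:
        found["config"] = cfgs                      # agent config / tool manifest beside the code
    secrets = [k for k in ENVIRON.get(pid, {}) if SECRET_ENV_RE.search(k)]
    if secrets:
        found["secrets"] = secrets                  # credentials that enable tool use
    family = [pid] + [c["pid"] for c in by_pid.values() if c["ppid"] == pid]
    peers = [r for p in family for r in CONNECTIONS.get(p, [])]
    model = [r for r in peers if MODEL_PROVIDER_RE.search(r.rsplit(":", 1)[0])]
    if model:
        found["model_egress"] = model               # talks to a model provider, itself or via a child
    tools = [r for r in peers if r not in model]
    if tools:
        found["tool_egress"] = tools                # reaches internal or SaaS APIs
    return found


def build_inventory(processes=PROCESSES, register=SANCTIONED):
    """Keep processes with durable evidence (persistence or a listener) plus at least two
    further signals, then decide sanctioned vs shadow from the register."""
    by_pid = {p["pid"]: p for p in processes}
    inventory = []
    for proc in processes:
        sig = signals_for(proc, by_pid)
        if len(sig) < 3 or not (sig.keys() & {"persistence", "listener"}):
            continue
        key = (proc["user"], install_dir(proc["cmd"]))
        entry = register.get(key)
        inventory.append({
            "pid": proc["pid"], "user": key[0], "install_dir": key[1], "signals": sig,
            "reach": sig.get("model_egress", []) + sig.get("tool_egress", []),
            "status": "sanctioned" if entry else "shadow",
            "owner": entry["owner"] if entry else None,
        })
    return inventory


if __name__ == "__main__":
    for item in build_inventory():
        print(item["status"].upper(), item["pid"], item["user"], item["install_dir"], sorted(item["signals"]))
```

On the constructed data, Firefox talking to chat.openai.com produces a single signal and is dropped, which is the ambiguity the page warns about. The Node MCP server launched from cron carries a listener, a config file, a token and model egress, so it survives, and with no register entry it lands as shadow. The threshold (durable evidence plus two further signals) and the register key are tuning choices; in a real deployment the inputs come from EDR or workload telemetry rather than inline literals.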
Common Variations and Edge Cases
Tighter discovery often increases operational overhead, requiring organisations to balance visibility against noise, privacy, and change-management constraints. That tradeoff is real, especially when agents are embedded inside developer laptops, CI/CD pipelines, or low-code platforms that were never designed for software inventory at this level.
Best practice is evolving for browser-based agents and managed SaaS copilots. There is no universal standard for this yet, so teams usually need to combine endpoint inspection with identity logs and egress review. In those cases, a browser extension, session token, or local profile may be the only durable clue that an agent is operating. If the environment prohibits full endpoint agents, the fallback is to use asset inventory, proxy logs, and cloud access logs together, but that will miss some locally executed automation.
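The fallback described above, as an added example that is not part of the original page or of NHIMG tooling: a review of constructed proxy-log lines against a constructed IdP register that keeps only model-provider egress showing either a non-browser client or a machine-like request cadence. The log format, hostnames, user agents, IP addresses and principals are assumptions made for illustration.

```python
"""Added example: egress review as the fallback when endpoint inspection is unavailable.
The proxy log format, hosts, user agents and identity register below are constructed
for illustration and are not taken from any real environment."""
import shlex
import statistics
from collections import defaultdict
from datetime import datetime

MODEL_HOSTS = {"api.openai.com", "chat.openai.com", "api.anthropic.com"}
BROWSER_UA_MARKERS = ("Mozilla/", "Firefox/", "Chrome/", "Safari/")
# Constructed proxy log: <iso-time> <src-ip> <principal> <dest-host> <method> <path> "<user-agent>"
PROXY_LOG = """
2026-06-01T09:00:00Z 10.1.2.30 builder api.anthropic.com POST /v1/messages "python-httpx/0.27.0"
2026-06-01T09:00:07Z 10.1.5.12 alice chat.openai.com GET /c/abc "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2026-06-01T09:00:15Z 10.1.5.40 jdoe api.openai.com POST /v1/responses "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2026-06-01T09:00:45Z 10.1.5.40 jdoe api.openai.com POST /v1/responses "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2026-06-01T09:01:00Z 10.1.2.30 builder api.anthropic.com POST /v1/messages "python-httpx/0.27.0"
2026-06-01T09:01:15Z 10.1.5.40 jdoe api.openai.com POST /v1/responses "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2026-06-01T09:01:45Z 10.1.5.40 jdoe api.openai.com POST /v1/responses "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2026-06-01T09:02:00Z 10.1.2.30 builder api.anthropic.com POST /v1/messages "python-httpx/0.27.0"
2026-06-01T09:02:15Z 10.1.5.40 jdoe api.openai.com POST /v1/responses "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2026-06-01T09:03:00Z 10.1.2.30 builder api.anthropic.com POST /v1/messages "python-httpx/0.27.0"
2026-06-01T09:03:41Z 10.1.5.12 alice chat.openai.com POST /backend-api/conversation "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2026-06-01T09:04:00Z 10.1.2.30 builder api.anthropic.com POST /v1/messages "python-httpx/0.27.0"
2026-06-01T09:04:02Z 10.1.5.12 alice chat.openai.com POST /backend-api/conversation "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2026-06-01T09:11:19Z 10.1.5.12 alice chat.openai.com GET /c/abc "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
"""
# Constructed identity register from the IdP: principal -> account type.
IDENTITY = {"builder": "service", "alice": "human", "jdoe": "human"}


def parse_line(line):
    """Split one proxy line; the quoted user agent survives shlex as a single field."""
    ts, src, principal, host, _method, _path, ua = shlex.split(line)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "principal": principal, "host": host, "ua": ua}


def is_browser_ua(ua):
    return any(marker in ua for marker in BROWSER_UA_MARKERS)


def machine_like(timestamps, min_requests=5, max_cv=0.2):
    """True when there are enough requests and their spacing is near-constant (beacon-like)."""
    if len(timestamps) < min_requests:
        return False
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv


def egress_leads(log_text=PROXY_LOG, identity=IDENTITY):
    """Group model-provider egress by (source, principal, host) and keep sessions that show a
    non-browser client or machine-like cadence. Each result is a lead, not a confirmed agent."""
    sessions = defaultdict(list)
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        sessions[(entry["src"], entry["principal"], entry["host"])].append(entry)
    leads = []
    for (src, principal, host), entries in sessions.items():
        if host not in MODEL_HOSTS:
            continue
        reasons = []
        if any(not is_browser_ua(e["ua"]) for e in entries):
            reasons.append("non-browser user agent")
        if machine_like([e["ts"] for e in entries]):
            reasons.append("regular cadence")
        if not reasons:
            continue  # ordinary-looking browser traffic: no lead without endpoint evidence
        leads.append({"src": src, "principal": principal, "identity_type": identity.get(principal, "unknown"),
                      "host": host, "requests": len(entries), "reasons": reasons,
                      "next_step": "confirm on the endpoint before treating as an agent"})
    return leads


if __name__ == "__main__":
    for lead in egress_leads():
        print(lead["principal"], lead["identity_type"], lead["src"], "->", lead["host"], lead["reasons"])
```

On the constructed log, alice's irregular browser traffic to chat.openai.com yields no lead, which is exactly the ambiguity the page warns about. jdoe's traffic carries a browser user agent but arrives at a fixed 30-second interval, so it is flagged on cadence alone; that is the browser-extension or local-profile case where egress is the only durable clue. builder's service principal is flagged on both client and cadence. Every lead still says to confirm on the endpoint, because proxy and identity logs together cannot prove what is executing locally.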
One useful benchmark from SailPoint’s AI Agents: The New Attack Surface report is that 48% of organisations report a complete blind spot in tracking and auditing AI agent data access. That gap is why discovery should be treated as continuous control validation, not a one-time sweep. The MITRE ATLAS adversarial AI threat matrix and NIST AI Risk Management Framework both support this operational posture: find the agent, map its reach, and prove who can change or remove it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and CSA MAESTRO define the specific risk controls and attack patterns relevant to this topic.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Shadow agents create hidden attack surface and uncontrolled tool access. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery must identify non-human identities and their ownership. |
| CSA MAESTRO | MTR-2 | MAESTRO addresses agent discovery, monitoring, and governance. |
Inventory every agent runtime, tool path, and secret to close hidden access paths.
Related resources from NHI Mgmt Group
- How should security teams govern AI agents that can access enterprise systems?
- How should security teams manage permissions for AI agents?
- How should security teams govern AI agents that use OAuth access?
- How should security teams limit the risk from AI agents that have access to production systems?
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org