
How should security teams govern AI agents that browse and transact on behalf of users?

By NHI Mgmt Group Editorial Team. Updated July 1, 2026. Domain: Agentic AI & Autonomous Identity

Security teams should govern AI agents as delegated actors with narrow, task-scoped permissions, not as enhanced browsers. The right model is to bind access to the specific action being performed, preserve auditability at the transaction layer, and separate machine identity from the human principal wherever possible.

Why This Matters for Security Teams

AI agents that browse, click, fill forms, and transact on behalf of users should be governed as delegated actors, not as upgraded browsers. The security risk is not just data exposure. It is unintended execution: an agent can follow a prompt, chain tools, and complete a transaction that a human never explicitly reviewed. That makes static IAM patterns too blunt for the job.

Current guidance suggests binding authority to the task, the session, and the target system rather than to a broad user role. This aligns with emerging agentic guidance in the OWASP Agentic AI Top 10 and with NHIMG's research on the attack surface introduced by autonomous behaviour, published in its AI Agents: The New Attack Surface report. NHIMG research found that 80% of organisations report AI agents have already performed actions beyond their intended scope, including unauthorised systems access and sensitive data sharing.

In practice, many security teams discover the control gap only after an agent has already placed an order, moved data, or exposed credentials, rather than through intentional governance design.

How It Works in Practice

Effective governance starts by treating the agent as a workload with its own identity and its own policy boundary. The agent should authenticate with machine identity, not borrowed human credentials, and receive only the narrow permissions needed for the current task. That means short-lived access tokens, explicit approval for high-risk actions, and transaction-level logging that shows what the agent attempted, what policy allowed it, and what data or system was touched.

In practice, teams are moving toward runtime controls instead of pre-approved role buckets. That usually includes:

  • Task-scoped permissions tied to one action, one target, and one time window.
  • Just-in-time credentials that expire automatically when the session ends.
  • Policy evaluation at request time using context such as purpose, destination, data sensitivity, and transaction value.
  • Separate audit trails for the human principal, the agent identity, and the downstream system account.
  • Step-up review or human confirmation for irreversible actions, such as fund transfer, record deletion, or external data sharing.
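The five runtime controls listed above can be seen working together in a single request-time policy decision point. The Python below is an added example, not code from NHIMG or from any product the page references; the grant format, the three `Decision` outcomes, the `IRREVERSIBLE` action list and the value and sensitivity thresholds are assumptions. Each request is checked against a grant bound to one action, one target and one time window, irreversible or high-value actions return `step_up` rather than `allow`, and every decision writes three separate audit trails (human principal, agent identity, downstream account).

```python
# Added example: request-time policy decision point for a delegated agent.
# Hypothetical grant format and thresholds; not NHIMG's code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # human confirmation required before execution

IRREVERSIBLE = {"transfer_funds", "delete_record", "share_external"}  # assumed list
VALUE_STEP_UP_THRESHOLD = 1000.0  # assumed; real thresholds come from policy
SENSITIVE_LEVELS = {"confidential"}

@dataclass(frozen=True)
class Grant:
    """Task-scoped permission: one action, one target, one time window."""
    agent_id: str
    principal_id: str  # the human on whose behalf the agent acts
    action: str
    target: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Request:
    agent_id: str
    action: str
    target: str
    purpose: str
    data_sensitivity: str  # "public" | "internal" | "confidential"
    at: datetime
    transaction_value: float = 0.0

@dataclass
class AuditRecord:
    """Separate trails for the human principal, the agent, and the downstream account."""
    principal_trail: dict
    agent_trail: dict
    downstream_trail: dict

def evaluate(req: Request, grant: Grant, downstream_account: str):
    """Decide at request time from the grant plus runtime context."""
    if req.agent_id != grant.agent_id:
        decision, reason = Decision.DENY, "grant issued to a different agent"
    elif not (grant.not_before <= req.at <= grant.not_after):
        decision, reason = Decision.DENY, "request outside the grant time window"
    elif (req.action, req.target) != (grant.action, grant.target):
        decision, reason = Decision.DENY, "action or target not covered by grant"
    elif req.action in IRREVERSIBLE:
        decision, reason = Decision.STEP_UP, "irreversible action"
    elif req.transaction_value > VALUE_STEP_UP_THRESHOLD:
        decision, reason = Decision.STEP_UP, "transaction value above threshold"
    elif req.data_sensitivity in SENSITIVE_LEVELS:
        decision, reason = Decision.STEP_UP, "confidential data in scope"
    else:
        decision, reason = Decision.ALLOW, "within task-scoped grant"
    audit = AuditRecord(
        principal_trail={"principal": grant.principal_id, "purpose": req.purpose,
                         "delegated": f"{grant.action}@{grant.target}"},
        agent_trail={"agent": req.agent_id, "attempted": f"{req.action}@{req.target}",
                     "decision": decision.value, "reason": reason, "at": req.at.isoformat()},
        downstream_trail={"account": downstream_account, "target": req.target,
                          "touched": decision is Decision.ALLOW},
    )
    return decision, reason, audit

def demo() -> dict:
    """Constructed sample: a browsing grant and a payment grant for agent-7."""
    t0 = datetime(2026, 7, 1, 12, 0, tzinfo=timezone.utc)
    end = t0 + timedelta(minutes=15)
    browse = Grant("agent-7", "alice", "read_catalog", "shop.example", t0, end)
    pay = Grant("agent-7", "alice", "transfer_funds", "bank.example", t0, end)
    t5, t20 = t0 + timedelta(minutes=5), t0 + timedelta(minutes=20)
    cases = {
        "browse_in_window": (Request("agent-7", "read_catalog", "shop.example", "price check", "internal", t5), browse),
        "browse_expired": (Request("agent-7", "read_catalog", "shop.example", "price check", "internal", t20), browse),
        "wrong_target": (Request("agent-7", "read_catalog", "other.example", "price check", "internal", t5), browse),
        "transfer": (Request("agent-7", "transfer_funds", "bank.example", "pay invoice", "internal", t5, 250.0), pay),
    }
    results = {}
    for name, (req, grant) in cases.items():
        decision, reason, _audit = evaluate(req, grant, "svc-account-42")
        results[name] = decision.value
        print(f"{name:17} {decision.value:8} {reason}")
    return results

if __name__ == "__main__":
    demo()
```

The ordering of the checks matters: identity, time window and scope are evaluated before any context-based step-up, so a request that falls outside its grant is denied outright rather than escalated to a human. The `downstream_trail` records the service account actually used, which is what lets a reviewer reconcile the agent's attempt against the target system's own logs.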

This is where framework alignment matters. The NIST AI Risk Management Framework and CSA MAESTRO agentic AI threat modeling framework both reinforce runtime accountability, while NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful for translating identity governance into operational controls.

Security teams should also expect secrets management to become a bottleneck if agents are given long-lived API keys or shared service accounts. When agents can browse across domains, the risk of token reuse, lateral movement, and silent privilege accumulation rises quickly. Request-time controls also tend to break down in large-scale, event-driven environments, because policy decisions become too slow or too coarse for the agent's pace of action.

Common Variations and Edge Cases

Tighter agent governance often increases friction, audit overhead, and approval latency, so organisations must balance autonomy against transaction risk. That tradeoff becomes more visible when agents support customer service, procurement, or finance workflows where speed matters and the business resists frequent step-up checks.

Best practice is evolving for multi-agent chains and delegated browsing sessions. There is no universal standard for this yet, but current guidance suggests separating low-risk navigation from high-risk transaction execution, so an agent can gather context without being able to commit funds, alter records, or exfiltrate sensitive content. The same principle applies when an agent uses a browser on behalf of a user: session cookies, form-fill data, and downstream API tokens should not all share the same lifetime or scope.

Teams should also watch for environments where the browser is only one tool in a larger orchestration path. If an agent can call email, storage, CRM, and payment APIs in sequence, simple page-level controls are not enough. The most useful external guidance here comes from Anthropic's report on the first AI-orchestrated cyber espionage campaign and from the AI LLM hijack breach, both of which show how quickly tool chaining can escape the original intent. In practice, governance fails first where the agent can switch from browsing to transacting without a fresh policy decision.
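The two paragraphs above make two concrete recommendations: session cookies, form-fill data and downstream API tokens should not share one lifetime or scope, and a move from browsing to transacting should require a fresh policy decision. The Python below is an added example that covers both; it is not NHIMG's code, and the credential kinds, their TTLs, the `TOOL_SCOPE` mapping and the `approve` callback are all assumptions. A broker issues navigation-scoped and transact-scoped credentials with different lifetimes, refuses a credential presented outside its scope or after expiry, and the orchestrator mints a fresh, short-lived transact credential only after a new approval for each transaction step, so nothing carried over from the browsing phase can commit a transaction.

```python
# Added example: scope- and lifetime-separated credentials for an agent
# browsing session, plus a fresh decision on every browse-to-transact step.
# Credential kinds, TTLs, tool scopes and the approve callback are assumed.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NAVIGATE, TRANSACT = "navigate", "transact"

# Each credential kind carries its own scope and its own lifetime (assumed values).
CREDENTIAL_POLICY = {
    "session_cookie": (NAVIGATE, timedelta(minutes=30)),
    "form_fill_handle": (NAVIGATE, timedelta(minutes=5)),
    "payment_api_token": (TRANSACT, timedelta(seconds=60)),
}

# Tools in the orchestration path and the scope each one requires (assumed).
TOOL_SCOPE = {"open_page": NAVIGATE, "read_form": NAVIGATE,
              "submit_payment": TRANSACT, "send_email": TRANSACT}

@dataclass(frozen=True)
class Credential:
    kind: str
    scope: str
    value: str
    expires_at: datetime

class CredentialBroker:
    def issue(self, kind: str, now: datetime) -> Credential:
        scope, ttl = CREDENTIAL_POLICY[kind]
        return Credential(kind, scope, secrets.token_urlsafe(16), now + ttl)

    def check(self, cred: Credential, required_scope: str, now: datetime):
        """A credential is usable only inside its own scope and its own lifetime."""
        if now >= cred.expires_at:
            return False, f"{cred.kind} expired"
        if cred.scope != required_scope:
            return False, f"{cred.kind} is {cred.scope}-scoped, {required_scope} required"
        return True, "ok"

def run_chain(steps, broker: CredentialBroker, approve, start: datetime):
    """Run (tool, elapsed) steps. Navigation steps share one session cookie;
    every transact step needs a fresh approval and its own short-lived token."""
    cookie = broker.issue("session_cookie", start)
    trace = []
    for tool, elapsed in steps:
        now = start + elapsed
        required = TOOL_SCOPE[tool]
        if required == TRANSACT:
            if not approve(tool, now):  # fresh policy decision at the transition
                trace.append((tool, "blocked", "transaction step not approved"))
                break
            cred = broker.issue("payment_api_token", now)
        else:
            cred = cookie
        ok, why = broker.check(cred, required, now)
        trace.append((tool, "ok" if ok else "blocked", why))
        if not ok:
            break
    return trace

def approve_all(tool, now):
    return True

def deny_payment(tool, now):
    return tool != "submit_payment"

def demo() -> dict:
    """Constructed scenarios; returns the per-step status list for each."""
    broker = CredentialBroker()
    start = datetime(2026, 7, 1, 9, 0, tzinfo=timezone.utc)
    chain = [("open_page", timedelta(0)), ("read_form", timedelta(minutes=1)),
             ("submit_payment", timedelta(minutes=2))]
    long_browse = [("open_page", timedelta(0)), ("open_page", timedelta(minutes=31))]
    # Direct misuse check: a navigation cookie presented to a transact tool.
    cookie = broker.issue("session_cookie", start)
    cookie_ok, cookie_why = broker.check(cookie, TRANSACT, start)
    out = {
        "approved": [s for _, s, _ in run_chain(chain, broker, approve_all, start)],
        "unapproved": [s for _, s, _ in run_chain(chain, broker, deny_payment, start)],
        "cookie_expired": [s for _, s, _ in run_chain(long_browse, broker, approve_all, start)],
        "cookie_for_transact": cookie_ok,
    }
    print("cookie for transact:", cookie_why)
    for name, value in out.items():
        print(f"{name:20} {value}")
    return out

if __name__ == "__main__":
    demo()
```

The 60-second lifetime on the transact credential is deliberately much shorter than the 30-minute session cookie: a browsing session can stay open for the whole task, but a credential that can move money should not outlive the single call it was minted for.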

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A2 | Covers agent tool abuse and runaway autonomy in delegated workflows.
CSA MAESTRO | | Maps to threat modeling and runtime controls for agentic systems.
NIST AI RMF | | Supports governance, measurement, and accountability for autonomous AI behavior.

Model each agent path, then apply least privilege and step-up approval to sensitive actions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 1, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org