Organisations should do both, but visibility comes first because you cannot restrict what you cannot find. Once agents, tokens, and delegated workflows are discovered, least privilege can be applied to narrow scope and reduce blast radius. Without discovery, least privilege is incomplete because the hidden population remains unmanaged.
Why This Matters for Security Teams
For AI agents, the real decision is not visibility versus least privilege as a binary choice. The agentic problem is that autonomous, goal-driven systems can discover tools, chain actions, and move laterally faster than traditional review cycles can keep up. That means identity teams need discovery first, but only so least privilege can be applied with enough context to matter. The risk is highest when agents run with static access and long-lived secrets, because those patterns were built for predictable workloads, not self-directed behaviour. Current guidance from OWASP Agentic AI Top 10 and NIST AI Risk Management Framework both point toward runtime control, not just policy documentation.
NHIMG research reinforces why this sequencing matters: the AI Agents: The New Attack Surface report found that 80% of organisations say their agents have already acted beyond intended scope, while only 52% can track and audit the data those agents access. In practice, many security teams encounter over-privilege only after an agent has already shared data, touched an unauthorised system, or revealed credentials, rather than through intentional governance.
How It Works in Practice
The practical sequence is to inventory the agentic estate, classify each agent by workload identity, then bind access to task-specific intent. That usually means discovering every agent, service account, token, API key, and delegated workflow path before tightening scopes. For AI agents, static RBAC alone is too blunt because the workload is dynamic: one prompt can produce a harmless read operation, while the next can trigger tool use, data export, or infrastructure changes. This is where intent-based authorisation, policy-as-code, and runtime evaluation become more useful than pre-defined role buckets.
A workable model usually includes short-lived credentials, automatic revocation, and strong workload identity rather than shared secrets. In mature environments, that can look like JIT credential issuance, ephemeral tokens, and cryptographic workload identity such as SPIFFE/SPIRE-backed proof of what the agent is, not just what password it knows. The governance pattern aligns with CSA MAESTRO agentic AI threat modeling framework and NIST SP 800-207 Zero Trust Architecture, where trust is evaluated continuously rather than assumed after login.
That approach also fits NHIMG guidance in the OWASP NHI Top 10 and the NHI Lifecycle Management Guide, both of which emphasise that identities must be governed across creation, use, rotation, and retirement. A concise operating model is: discover agents, assign a workload identity, issue the minimum short-lived secret needed for the task, evaluate access at request time, and revoke on completion. These controls tend to break down when agents share one privileged identity across multiple tools because the system can no longer distinguish legitimate task execution from unintended escalation.
- Map every agent to a unique workload identity and owner.
- Replace static secrets with JIT, short-lived credentials wherever possible.
- Use real-time policy checks for each tool call, not just at login.
- Log every autonomous action, especially data access and privilege changes.
Common Variations and Edge Cases
Tighter visibility often increases operational overhead, requiring organisations to balance rapid discovery against the friction of full inventory and telemetry coverage. That tradeoff is real, especially in multi-agent pipelines, legacy automation, or environments where agents are spawned on demand and destroyed quickly. There is no universal standard for this yet, but current guidance suggests that visibility should be broad at first and then refined into least privilege by risk tier, not by organisational convenience.
One common edge case is a high-trust internal agent that only reads from one system today but is likely to be extended tomorrow. Another is an orchestration layer that brokers actions for many agents, which can hide the true source of privilege unless each request is individually attributed. The Analysis of Claude Code Security and the Moltbook AI agent keys breach show how quickly agent access can become excessive when keys and delegated permissions outlive the task they were meant for. For emerging agentic deployments, best practice is evolving toward runtime authorisation and ephemeral secrets, but the human review layer still matters for high-impact actions such as deployment, payment, or bulk data export. When those safeguards are absent, even well-intentioned agents can accumulate hidden privilege faster than teams can remediate it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Covers agentic misuse and overreach from dynamic tool use. |
| CSA MAESTRO | GOV-2 | Addresses governance for autonomous agents and runtime decision-making. |
| NIST AI RMF | Supports governance and risk management for autonomous AI behaviour. |
Use AI RMF governance to assign accountability, monitor behaviour, and manage agent risk.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 26, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
