Deterministic security breaks because model output is probabilistic, while authorization requires a binary decision. A language model can describe safe behaviour, but it cannot guarantee enforcement under novel prompts, new tools, or changing tasks. Security teams need an external policy engine, not self-policing behaviour.
Why This Matters for Security Teams
When a model is asked to enforce its own permissions, the security boundary shifts from a deterministic control to a probabilistic recommendation. That is fundamentally unsafe for authorisation because a model can appear consistent in routine cases and still fail under prompt injection, tool chaining, or task drift. The issue is not whether the model can explain policy, but whether it can reliably enforce it under adversarial conditions. NHI Mgmt Group’s Ultimate Guide to NHIs — Key Challenges and Risks shows how unmanaged non-human identities already expand attack surface; self-enforcement adds another layer of ambiguity on top of that risk.
This matters because agents and LLM-driven workflows increasingly sit between secrets, APIs, and sensitive actions. Once the model can decide, then act, then justify the action, security teams lose a clean separation between policy and execution. That is why current guidance from the OWASP Non-Human Identity Top 10 treats weak identity and secrets governance as an access-control problem, not just a hygiene problem. In practice, many security teams encounter over-permissioned agent behaviour only after a tool has already been invoked, rather than through intentional authorisation design.
How It Works in Practice
The safer pattern is to keep policy enforcement outside the model and use the model only to request actions. A runtime policy engine evaluates the request, the context, and the identity of the workload before any privileged step is taken. For agentic systems, that usually means combining workload identity, short-lived credentials, and policy-as-code so the agent can prove what it is, request what it needs, and receive only the minimum permission for that task.
In practice, teams are moving toward intent-based or context-aware authorisation, where the decision is made at request time rather than pre-baked into static roles. That aligns with emerging thinking in the OWASP Non-Human Identity Top 10 and with NHI lifecycle concerns documented by NHI Mgmt Group. The important distinction is that the model may describe intent, but an external control decides whether that intent is allowed. Common implementation elements include:
- workload identity for the agent, such as SPIFFE or OIDC-backed proof of identity
- JIT credentials that expire after the task, not long-lived static secrets
- real-time policy evaluation using policy-as-code and contextual inputs
- tool-level allowlists that separate read, write, and destructive actions
- logging that records the model request, policy decision, and executed action separately
This is especially important where an agent can call multiple tools in sequence, because a safe-looking first step can become an unsafe final state after chaining, escalation, or data exfiltration. The security model must assume the agent may choose an unexpected path. Current guidance suggests treating the model as an untrusted decision support layer, not as the policy authority itself. These controls tend to break down when teams let the model directly broker production secrets because the approval path and the execution path become the same thing.
Common Variations and Edge Cases
Tighter external enforcement often increases operational overhead, requiring organisations to balance stronger control against latency, policy maintenance, and developer friction. That tradeoff is real, especially in fast-moving agentic workflows where teams want low-friction access to tools and data. Best practice is evolving, but there is no universal standard for letting a model self-authorise sensitive actions.
Some teams try a middle ground by allowing the model to draft a permission request while a policy engine approves or denies it. That can work for low-risk workflows, but it still fails if the request context is incomplete or if tool scopes are too broad. The emerging standard is to bind authorisation to the workload, the task, and the current context, not to a static role that the model interprets on its own. NHI Mgmt Group’s research on secrets exposure and weak offboarding reinforces why long-lived credentials are especially dangerous in these flows, and the ASP.NET machine keys RCE attack is a reminder of how one exposed secret can turn into broad compromise.
In high-regulation environments, self-enforcement also breaks auditability. A binary deny from an external policy engine is easy to defend; a model-generated explanation is not. That is why current guidance from the NIST AI Risk Management Framework and agent-focused frameworks such as the NIST AI Risk Management Framework emphasises governance, traceability, and human accountability around automated decisions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic systems must not self-authorise privileged actions. | |
| CSA MAESTRO | MAESTRO addresses identity, tools, and runtime control for agents. | |
| NIST AI RMF | AI RMF covers governance and accountability for automated decisions. |
Bind agent actions to external policy, ephemeral access, and audited execution.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
