What breaks is accountability. The organisation may see actions, logs, and alerts, but it cannot reliably tie them to a governed identity with clear scope and revocation. That creates uncontrolled blast radius, especially when agents can reach sensitive systems through shared tokens, delegated service accounts, or broad API access.
Why This Matters for Security Teams
AI agents do not fail like ordinary applications. They can chain tools, pivot across systems, and repeat risky actions at machine speed while appearing “normal” in logs. Without identity governance, security teams lose the ability to answer the most basic question: which governed workload performed the action, under what authority, and how quickly can that authority be revoked? That gap turns observability into noise and weakens incident response, compliance, and containment.
Current guidance from OWASP Agentic AI Top 10 and NIST AI Risk Management Framework points toward runtime controls, traceability, and bounded authority rather than static trust in the agent itself. NHIMG research shows why that shift matters: in the 2026 Infrastructure Identity Survey, 70% of organisations grant AI systems more access than they would give a human employee doing the same job. That is not a policy gap alone. It is an identity gap that expands blast radius before anyone notices.
In practice, many security teams discover the problem only after an agent has already touched data or systems beyond its intended scope, rather than through intentional governance.
How It Works in Practice
Identity governance for AI agents starts by treating the agent as a workload with a lifecycle, not a user with a fixed role. The practical pattern is to issue a verifiable workload identity, then bind that identity to narrowly scoped, short-lived access that is evaluated at request time. That usually means cryptographic workload identity, such as SPIFFE-style identities or OIDC-backed tokens, plus policy enforcement that can inspect task context before allowing a tool call.
In mature environments, the control plane should answer four questions for every agent action: what is this agent, what is it trying to do, what data or system is it asking for, and is the request still within its approved scope? This is where intent-based authorisation is emerging as the better model for autonomous systems. Static RBAC cannot keep up when an agent’s next move depends on prior outputs, prompt changes, tool feedback, or external events. Request-time policy evaluation with policy-as-code, such as OPA or Cedar, is better suited to this problem than pre-defined access rules alone.
- Use a distinct workload identity for each agent, environment, and function.
- Prefer JIT credential issuance with short TTLs over shared or long-lived secrets.
- Bind access to task context, not just role membership.
- Revoke credentials automatically when a task ends or behaviour drifts.
- Log the identity, policy decision, and target resource for each action.
NHIMG’s Ultimate Guide to NHIs and the OWASP NHI Top 10 both reinforce the same operational point: unmanaged credentials are the failure path, not just the symptom. These controls tend to break down in shared service-account environments because one identity is reused across multiple agents, tools, and teams, making attribution and revocation imprecise.
Common Variations and Edge Cases
Tighter identity governance often increases operational overhead, so teams have to balance autonomy against control, especially during rapid experimentation. There is no universal standard for this yet, and current guidance suggests that the right model depends on how much damage an agent could do if it behaves unexpectedly.
One common edge case is the “copilot” agent that starts as advisory but later gains execution authority. If governance is only applied after deployment maturity, the organisation inherits hidden access paths and stale secrets. Another is multi-agent orchestration, where one agent delegates to another and privilege gets amplified across the workflow. In those cases, the safest pattern is to assign each agent its own identity boundary and require explicit approval for delegation hops.
NHIMG’s AI Agents: The New Attack Surface report shows how quickly scope drift becomes visible in real operations, with many organisations reporting agents that have already acted beyond intended boundaries. That is why identity governance must cover lifecycle, delegation, and revocation together, not as separate projects. Where agents operate across highly dynamic infrastructure, these controls become harder to sustain because policy latency and human approval steps can lag behind machine-speed changes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agentic misuse grows when access is not tied to runtime intent. |
| CSA MAESTRO | M4 | MAESTRO addresses agent boundaries, delegation, and runtime control. |
| NIST AI RMF | GOVERN | AI RMF governance covers accountability and traceability for autonomous systems. |
Model agent delegation paths and require policy checks before privilege can expand.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
