The enterprise loses the usual boundary between user activity and system activity. Shell access lets the agent run scripts, browse files, and automate actions that are hard to distinguish from legitimate work. Without sandboxing and endpoint controls, a compromise can move from data exposure to remote execution with very little friction.
Why This Matters for Security Teams
Allowing an AI assistant to reach a shell on an unmanaged device turns a conversational workflow into an execution path that security teams cannot reliably observe or contain. The agent can read local files, invoke binaries, chain commands, and persist temporary state outside enterprise controls. That is not a normal least-privilege problem. It is an autonomy problem, and the risk is amplified when the assistant can operate faster than a human can review its actions.
This is why OWASP Non-Human Identity Top 10 and Top 10 NHI Issues both emphasise that credential scope, execution context, and lifecycle controls must be designed together. When the endpoint itself is unmanaged, the usual assumptions behind EDR, device posture checks, and file-system trust break down. Even if the agent is well-intentioned, shell access can expose secrets, internal paths, and cached tokens that were never meant to leave the workstation.
NHIMG research shows how quickly exposed credentials are abused in the wild, with attacker activity beginning within minutes once keys are public, as described in LLMjacking: How Attackers Hijack AI Using Compromised NHIs. In practice, many security teams encounter agent shell abuse only after sensitive files have already been accessed or an endpoint has already been used as a launch point for further compromise.
How It Works in Practice
The core failure is that the assistant becomes an active operator on a device that the enterprise does not own or govern. Once shell access exists, the agent can run commands that look like ordinary user activity, but the blast radius is much larger because the assistant may chain tasks automatically. Static RBAC is a poor fit here because the agent’s intent changes by prompt, by tool output, and by local environment. Current guidance suggests treating this as a workload identity problem rather than a user session problem.
Practical containment starts with short-lived credentials, runtime policy checks, and a device trust boundary that does not assume the endpoint is safe. A stronger model uses ephemeral tokens, per-task authorization, and explicit denial of sensitive actions such as reading browser caches, enumerating SSH material, or exporting files. If the agent needs execution authority, that authority should be bounded by context and revoked immediately when the task completes.
- Use workload identity to prove what the agent is, not just who launched it.
- Issue JIT credentials per task and keep TTLs short enough to reduce replay risk.
- Enforce policy at request time with controls such as OPA or Cedar rather than relying on pre-approved shells.
- Restrict shell scope to sandboxed paths and blocked commands, especially on BYOD or contractor devices.
For implementation direction, the NHI Lifecycle Management Guide and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both reinforce that issuance, use, rotation, and revocation must be automated. For broader control framing, NIST Cybersecurity Framework 2.0 aligns well with asset governance and protective controls, but it still needs agent-specific enforcement to account for autonomous behaviour. These controls tend to break down when the device is unmanaged and the assistant can inherit ambient user privileges from cached sessions, local tokens, or synchronized developer tooling.
Common Variations and Edge Cases
Tighter shell restrictions often increase friction for legitimate automation, requiring organisations to balance operational speed against the risk of uncontrolled execution. That tradeoff is especially visible in developer laptops, contractor environments, and incident-response workflows where users expect local autonomy and fast debugging.
There is no universal standard for this yet, but current guidance suggests treating BYOD as a high-risk execution zone unless the agent runs inside a managed sandbox or a remote workstation with enforced logging. A shell on a personal device is not equivalent to a shell in a corporate VDI, because the organisation cannot reliably attest to local patching, disk encryption, background processes, or other software that can intercept tokens and outputs.
Edge cases also matter. An AI assistant may be safe for read-only tasks but become unsafe once it can write files, execute scripts, or access developer secrets stored in environment variables. This is where Ultimate Guide to NHIs — Key Challenges and Risks is useful: the issue is not only credential theft, but also uncontrolled privilege chaining across tools and local resources. In practice, unmanaged endpoints are often where a benign assistant first becomes a durable foothold.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Shell access on unmanaged devices creates agentic abuse and tool-chain risk. |
| CSA MAESTRO | TR-02 | MAESTRO addresses runtime trust and agent execution boundaries. |
| NIST AI RMF | GOVERN | AI RMF governs accountability for autonomous assistant behaviour and misuse. |
Assign ownership, define acceptable agent actions, and review runtime outcomes continuously.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org