
What breaks when autonomous agents are governed like human users?

By NHI Mgmt Group Editorial Team | Updated June 9, 2026 | Domain: Agentic AI & Autonomous Identity

Session-based IAM breaks first, because autonomous agents can make and execute decisions between review points. That creates identity debt, weak forensic trails, and stale access that outlives the work it was meant to support. Teams need governance that binds identity to action and ownership continuously, not only at login.

Why This Matters for Security Teams

Governing autonomous agents like human users breaks because the security model assumes a person, a session, and a predictable workflow. Agents do not behave that way. They chain tools, act between review points, and can accumulate access across tasks without a human-style login boundary. That creates identity debt, weak auditability, and stale privileges that keep working after the task is finished.

This is why the issue is not just "more IAM" but a different control model. NHI Management Group has repeatedly highlighted that non-human identities already outnumber human identities by 25x to 50x in modern enterprises in the Ultimate Guide to NHIs, and agentic systems intensify that imbalance by acting with autonomy. Current guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both point toward runtime governance, not static entitlement reviews. In practice, many security teams encounter the failure only after an agent has already accessed data, executed a tool chain, or exposed a secret that no human ever explicitly approved.

How It Works in Practice

The practical fix is to govern the agent as a workload with a purpose, not as a person with a role. That means binding identity to the agent instance, the task, and the policy context at runtime. Instead of assigning a broad role and trusting a human approval cycle, teams should issue short-lived credentials per action or per task, then revoke them automatically when the work completes. This is the logic behind just-in-time access and ephemeral secrets.

Where possible, use workload identity as the primary identity primitive. Standards such as SPIFFE and SPIRE provide cryptographic proof of what the workload is, while OIDC-bound tokens can support short-lived, verifiable sessions. Pair that with policy-as-code so authorization is evaluated at request time against the task, the destination resource, the data sensitivity, and the agent’s current state. The emerging pattern is intent-based authorization: the question is not "is this agent a member of the right group?" but "should this agent perform this specific action right now?"

NHIMG research shows why that matters. The AI Agents: The New Attack Surface report found that 80% of organisations report their AI agents have already performed actions beyond intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials. That is a governance problem, not merely a monitoring problem. The right control stack aligns with the CSA MAESTRO agentic AI threat modeling framework and runtime policy evaluation principles in the MITRE ATLAS adversarial AI threat matrix.

  • Issue credentials only for the active task, with short TTLs and automatic revocation.
  • Limit agent tool access to the minimum action set needed for the current objective.
  • Evaluate policy at each request, not only at onboarding or login.
  • Log task intent, tool call, data touch, and approval context for forensic review.

These controls tend to break down in highly chained agent workflows because one approved action can trigger unbounded downstream tool use across multiple systems.

Common Variations and Edge Cases

Tighter controls often increase operational overhead, requiring organisations to balance agility against containment. That tradeoff becomes visible in environments where agents support customer operations, software delivery, or security triage, because excessive friction can slow legitimate automation while weak controls let agents drift into unrelated systems. Current guidance suggests using tiered authorisation, but there is no universal standard for this yet.

One edge case is delegated agent behaviour, where an orchestration layer launches sub-agents. In that model, the parent agent should not inherit open-ended authority for every child process. Another is long-running jobs, where a task may last hours or days. In those cases, credentials still need to remain short-lived, but renewal should require fresh policy evaluation rather than silent extension. This is especially important when agents can discover new data sources mid-run or when their tool chain includes privileged infrastructure actions.
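The per-task credentials and per-request policy checks from "How It Works in Practice", together with the delegation and renewal edge cases above, sketched as an added Python example that is not NHIMG's own code. The policy table, the `TaskCredential` type, the `triage-ticket` task, and the in-memory audit list are assumptions made for illustration; callers pass `now` (for example `time.time()`) explicitly.

```python
import secrets
from dataclasses import dataclass, field

# Constructed policy for illustration: task -> permitted tools and data-sensitivity ceiling.
POLICY = {"triage-ticket": {"tools": {"ticket.read", "ticket.comment"}, "max_sensitivity": 1}}
AUDIT = []  # forensic trail: one record per authorization decision

@dataclass
class TaskCredential:
    agent_id: str
    owner: str            # accountable human or team
    task: str
    tools: frozenset
    expires_at: float
    revoked: bool = False
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

def policy_allows(task, tool, sensitivity=0):
    rule = POLICY.get(task)
    return rule is not None and tool in rule["tools"] and sensitivity <= rule["max_sensitivity"]

def issue(agent_id, owner, task, tools, now, ttl=60):
    """Issue a credential scoped to one task; tools the policy rejects are dropped."""
    granted = frozenset(t for t in tools if policy_allows(task, t))
    return TaskCredential(agent_id, owner, task, granted, now + ttl)

def authorize(cred, tool, sensitivity, now):
    """Evaluate policy on every request, not only at issuance, and log the decision."""
    ok = (not cred.revoked and now < cred.expires_at and tool in cred.tools
          and policy_allows(cred.task, tool, sensitivity))
    AUDIT.append({"ts": now, "agent": cred.agent_id, "owner": cred.owner, "task": cred.task,
                  "tool": tool, "sensitivity": sensitivity, "allowed": ok})
    return ok

def renew(cred, now, ttl=60):
    """Renewal for long-running jobs: revoke, then re-issue against the current policy."""
    if cred.revoked:
        raise PermissionError("revoked credentials cannot be renewed")
    cred.revoked = True
    return issue(cred.agent_id, cred.owner, cred.task, cred.tools, now, ttl)

def delegate(parent, child_id, tools, now, ttl=60):
    """Sub-agent credential: subset of the parent's tools, never outliving the parent."""
    if parent.revoked or now >= parent.expires_at:
        raise PermissionError("parent credential is no longer valid")
    child = issue(child_id, parent.owner, parent.task, parent.tools & frozenset(tools), now, ttl)
    child.expires_at = min(child.expires_at, parent.expires_at)
    return child
```

In this sketch a child credential is bounded by the parent's expiry but is not revoked when the parent is; a production design would also need cascading revocation.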

Organisation size also matters. Smaller teams may start with coarse controls around secrets managers and scoped API tokens, while larger enterprises need continuous identity governance, approval workflows, and fine-grained telemetry. NHIMG’s Top 10 NHI Issues and Lifecycle Processes for Managing NHIs underscore that offboarding, rotation, and visibility are still foundational. The challenge with autonomous agents is that they compress those lifecycle failures into minutes instead of months.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Agentic AI Top 10 | A3 | Agent autonomy and tool misuse are the core failure mode here. |
| CSA MAESTRO | GOV-2 | MAESTRO addresses governance for autonomous agent behaviour and blast radius. |
| NIST AI RMF | GOVERN | The AI RMF governance function fits continuous accountability for agent actions. |

Define ownership, logging, and escalation paths for every autonomous agent action.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org