What is the difference between prompt-level controls and runtime governance for agents?

By NHI Mgmt Group Editorial Team Updated May 28, 2026 Domain: Agentic AI & Autonomous Identity

Prompt-level controls decide what enters the model, while runtime governance decides what the agent is allowed to do after the response. The second layer is stronger because it can inspect file access, process creation, and network activity in real time. That is where practical containment has to happen.

Why Prompt-Level Controls Are Not Enough for Autonomous Agents

Prompt-level controls are useful, but they only shape what enters the model and what it is likely to say. They do not stop an agent from taking a bad answer and turning it into a real-world action through tools, APIs, file systems, or network access. That gap matters because agents are autonomous, goal-driven workloads, not static users, and static RBAC often assumes predictable access paths that do not exist here.

Current guidance from OWASP Agentic AI Top 10 and NIST AI Risk Management Framework points to the same conclusion: control the action surface, not just the prompt surface. The practical problem is that an agent can chain benign-seeming steps into a harmful outcome, especially when secrets, approvals, or elevated tools are already available. NHIMG has seen this pattern in coverage such as OWASP NHI Top 10, where identity and authorisation failures become operational failures once the agent starts acting.

Astrix Security and CSA report that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which is a useful signal for agent governance too: confidence is low when controls stop at identity issuance and ignore runtime behaviour. In practice, many security teams encounter agent misuse only after a tool call, data movement, or privilege escalation has already happened, rather than through intentional policy design.

How Runtime Governance Enforces Intent, Identity, and Containment

Runtime governance sits after the model response and before the agent completes an action. It evaluates the request in context: what the agent is trying to do, which workload is acting, what resource is targeted, whether the action matches policy, and whether the current risk state permits execution. That is why intent-based authorisation is emerging as the better fit for agents. The decision is made at request time, not defined once and trusted forever.

In practice, this means combining workload identity, JIT credentials, short-lived secrets, and policy-as-code. The agent should present cryptographic proof of what it is, not just a static secret. For implementation patterns, NIST Cybersecurity Framework 2.0 provides governance structure, while CSA MAESTRO agentic AI threat modeling framework is useful for mapping agent actions, tool chains, and escalation paths. A practical runtime stack often includes:

  • Workload identity for the agent, such as SPIFFE/SPIRE or OIDC-backed service identity.
  • JIT provisioning of credentials that expire when the task ends.
  • Policy checks at each tool call, not just at session start.
  • Logging of process creation, file access, and network activity for enforcement and investigation.
  • Revocation when the agent deviates from the approved intent.

NHIMG’s coverage of the AI LLM hijack breach and Moltbook AI agent keys breach shows why this matters: once long-lived secrets exist, a prompt-only defense cannot stop misuse outside the model boundary. These controls tend to break down when agents operate across loosely governed SaaS tools and shared service accounts because runtime policy cannot reliably distinguish approved task chaining from silent privilege escalation.

Where the Boundary Gets Blurry in Real Deployments

Tighter runtime control often increases latency and operational overhead, so organisations have to balance containment against developer velocity and user experience. That tradeoff is real, and current guidance suggests there is no universal standard for how much friction is acceptable. The right answer depends on the agent’s blast radius, the sensitivity of the target system, and how quickly secrets can be revoked.

Edge cases usually appear when teams confuse agent prompts with policy controls. A prompt can request “only read customer records,” but runtime governance must still block export, exfiltration, or indirect access through another tool. The same is true for approval workflows: human-in-the-loop review helps, but it does not replace policy enforcement at execution time. For broader context on this governance gap, see Top 10 NHI Issues and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.

The biggest exception is low-risk, read-only automation with tightly scoped data and no side effects. Even there, best practice is evolving toward runtime checks because model behaviour can still drift, and agents can mis-handle tool output in ways the prompt never anticipated. In environments with shared credentials, broad service permissions, or weak audit logging, prompt-level controls collapse first because the agent can still act through whatever the runtime already trusts.
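The runtime stack listed above and the "only read customer records" case, as an added example in Python that is not code from NHIMG or from any framework cited here: a request-time gate that checks a JIT credential's TTL, an allowed-tool list and a side-effect denylist on every tool call, logs each decision, and revokes the credential when the agent deviates from the approved intent. The tool manifest, the intent policy and the SPIFFE-style workload ID are constructed for this example.

```python
import time
from dataclasses import dataclass, field

# Constructed tool manifest: the side effects each tool action can have.
# Effects come from this registry, never from the model's description of a call.
TOOL_MANIFEST = {
    ("crm", "read"): set(),
    ("crm", "export"): {"export"},
    ("email", "send"): {"network_send"},
}

# Hypothetical approved intent for one task, written as policy-as-code.
APPROVED_INTENT = {
    "task": "read customer records",
    "allowed_tools": {"crm"},
    "deny_effects": {"export", "write", "network_send"},
}

@dataclass
class AgentSession:
    workload_id: str                      # identity the agent proved, e.g. a SPIFFE ID
    intent: dict
    ttl_seconds: int = 300                # JIT credential lifetime
    issued_at: float = field(default_factory=time.time)
    revoked: bool = False
    audit: list = field(default_factory=list)

    def credential_valid(self, now=None):
        now = time.time() if now is None else now
        return not self.revoked and (now - self.issued_at) < self.ttl_seconds

def evaluate_tool_call(session, tool, action, now=None):
    """Request-time decision for one tool call, returned as (allowed, reason).
    Every decision is logged; a denied call on a live credential revokes it."""
    effects = TOOL_MANIFEST.get((tool, action))
    if effects is None:
        decision = (False, "unknown tool or action")
    elif not session.credential_valid(now):
        decision = (False, "credential expired or revoked")
    elif tool not in session.intent["allowed_tools"]:
        decision = (False, f"{tool} is outside the approved intent")
    elif effects & session.intent["deny_effects"]:
        decision = (False, "denied side effect: " + ", ".join(sorted(effects & session.intent["deny_effects"])))
    else:
        decision = (True, "within approved intent")
    session.audit.append((session.workload_id, tool, action, decision))
    if not decision[0] and session.credential_valid(now):
        session.revoked = True            # containment: stop the chain, not just this call
    return decision
```

Note that an export through the allowed tool and an indirect send through a different tool are both denied, and the second denial stops the rest of the chain rather than just the one call.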

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework                 | Control / Reference | Relevance
OWASP Agentic AI Top 10   | A2                  | Addresses unsafe tool use and agent action control at runtime.
CSA MAESTRO               | GOV-03              | Covers agent governance, lifecycle controls, and runtime risk decisions.
NIST AI RMF               |                     | Govern and manage AI risk across the model-to-action pipeline.

Gate every tool call with policy checks and deny actions that exceed the approved intent.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 28, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org