LLM security focuses on inputs, outputs, and data leakage at the model layer. AI agent security adds the execution layer, where tool use, privilege boundaries, and identity controls determine what the system can actually do. In practice, agents require both content controls and hard authorization controls.
Why Securing Agents Is a Different Problem Than Securing LLMs
LLM security is mainly about preventing harmful prompts, output leakage, and training or retrieval data exposure. AI agent security starts after the model responds: the agent can call tools, open tickets, move files, query systems, and trigger workflows. That shifts the risk from content control to execution control, where identity, privilege boundaries, and runtime authorisation matter more than the generated text itself.
This is why current guidance treats agentic systems as a separate attack surface, not just a bigger chatbot. The OWASP Agentic AI Top 10 and NHIMG’s OWASP NHI Top 10 both emphasise that autonomous behaviour expands the blast radius when identities and secrets are not constrained. SailPoint’s AI Agents: The New Attack Surface report found that 80% of organisations said agents had already acted beyond their intended scope, which is a useful reminder that scope creep is not theoretical. In practice, many security teams encounter agent misuse only after a tool action or data access has already occurred, rather than through intentional testing.
How AI Agent Security Works in Practice
For agents, the key question is not just “what did the model say?” but “what was the agent allowed to do right now?” Static RBAC often fails here because an autonomous workload does not follow a fixed human job description. Its actions depend on the task, the prompt chain, the retrieved context, and the tools it can reach. That is why intent-based or context-aware authorisation is gaining attention: decisions are made at runtime, based on the action the agent is trying to perform, not just its nominal role.
Operationally, strong agent security combines workload identity, short-lived credentials, and policy enforcement at the point of tool use. Workload identity should prove what the agent is through cryptographic identity, such as SPIFFE/SPIRE or OIDC-backed workload tokens, while JIT credentials keep secrets ephemeral and task-scoped. That reduces the value of stolen tokens and limits lateral movement if an agent is manipulated. NIST’s AI Risk Management Framework is helpful for governance, while the CSA MAESTRO agentic AI threat modeling framework maps the specific risks introduced by tool use and autonomy.
- Issue per-task, short-lived secrets instead of long-lived API keys.
- Evaluate policy at request time with full context, using policy-as-code where possible.
- Separate tool permissions from model prompts so content injection cannot silently expand authority.
- Log every high-risk action, especially those that touch secrets, production data, or admin endpoints.
NHIMG’s Moltbook AI agent keys breach and the LiteLLM PyPI package breach both illustrate how quickly exposed credentials become operational risk when software agents can act immediately. These controls tend to break down when agents are granted broad production access because policy checks are bypassed or only enforced at onboarding, not at execution time.
Common Variations and Edge Cases
Tighter agent controls often increase orchestration overhead, so organisations have to balance speed of automation against the cost of runtime governance. That tradeoff is real, especially in teams trying to move from prototype to production quickly.
There is no universal standard for agent authorisation yet, but current guidance suggests the safest pattern is to keep the model untrusted and the action layer highly constrained. A customer-support agent, for example, may be allowed to draft a response but not issue refunds or export account data without an explicit approval step. A coding agent may be allowed to propose changes but not merge to production unless a human or higher-trust workflow reauthorises the action. This is where intent-based controls outperform simple role checks, because the same agent may need different permissions for different tasks.
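As an added illustration of the runtime, task-scoped authorisation pattern described above (per-task short-lived credentials, policy-as-code evaluated at the point of tool use, an explicit approval step for refunds, and audit logging of high-risk actions), here is example code written for this page, not the code of any product or framework named in it. The policy table, credential format and tool action names are assumptions; a real deployment would mint the credential via SPIFFE/SPIRE or an OIDC-backed workload token rather than constructing it locally.

```python
import secrets
import time
from dataclasses import dataclass

# Policy-as-code (assumed): what each *task* may do, and which of those actions
# additionally need an explicit approval. Keyed by task, not by agent role, so the
# same agent gets different authority depending on the task it was given.
POLICY = {
    "support_reply": {"allow": {"tickets:read", "tickets:draft_reply"}},
    "refund": {"allow": {"tickets:read", "payments:refund"},
               "approval_required": {"payments:refund"}},
}
# Actions that are always logged, whether allowed or denied.
HIGH_RISK = {"payments:refund", "accounts:export"}
AUDIT = []  # in-memory audit log for this example; a real system ships this elsewhere


@dataclass
class TaskCredential:
    """Short-lived credential bound to one agent and one task (constructed locally here)."""
    agent_id: str
    task: str
    token: str
    expires_at: float


def issue_credential(agent_id, task, ttl_s=300):
    """JIT credential: fresh random token, scoped to a task, valid for ttl_s seconds."""
    return TaskCredential(agent_id, task, secrets.token_urlsafe(16), time.time() + ttl_s)


def authorize_tool_call(cred, action, approved_by=None, now=None):
    """Decide at request time. Only the credential's task and the requested action
    matter; model output or prompt text is never an input to this decision, so an
    injected instruction cannot widen what the agent is allowed to do."""
    now = time.time() if now is None else now
    policy = POLICY.get(cred.task, {})
    if now >= cred.expires_at:
        decision = "deny:expired"
    elif action not in policy.get("allow", set()):
        decision = "deny:out_of_scope"
    elif action in policy.get("approval_required", set()) and not approved_by:
        decision = "deny:approval_required"
    else:
        decision = "allow"
    if action in HIGH_RISK or decision != "allow":
        AUDIT.append({"agent": cred.agent_id, "task": cred.task, "action": action,
                      "decision": decision, "approved_by": approved_by, "at": now})
    return decision
```

Run with a `support_reply` credential, a request for `payments:refund` is denied as out of scope even if the model's text asked for it; the same agent holding a `refund` credential still needs `approved_by` set before the refund is allowed.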
Edge cases appear when agents are chained together, when one agent brokers another agent’s access, or when MCP connectors expose more capability than the base model should have. The AI LLM hijack breach and the DeepSeek breach show why secrets handling and exposure discipline matter even before autonomy is added. For standards-led design, the OWASP Top 10 for Agentic Applications 2026 and NIST AI Risk Management Framework are the most practical references. Best practice is evolving, but the direction is clear: secure the model for content risk, then secure the agent for authority risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agentic apps need runtime control of autonomous actions and tool use. |
| CSA MAESTRO | TA-01 | MAESTRO addresses threats from autonomous orchestration and tool chaining. |
| NIST AI RMF | GOVERN | AI RMF governance covers accountability for autonomous AI behaviour. |
Assign ownership, approve use cases, and monitor agent actions under a formal governance process.
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org