Agentic AI systems rely on OAuth tokens, service accounts, and API keys to interact with external systems. An agent executing a multi-step workflow may use an OAuth token for SaaS authentication, an API key to call an external data service, a service account to access cloud storage, and a certificate to authenticate to a microservice — all in the course of completing a single task. Each is a distinct NHI requiring governance.
Why This Matters for Security Teams
Agentic AI does not use one identity in one place the way a human user does. A single autonomous workflow can chain an OAuth token, a service account, an API key, and a certificate across different systems, often in minutes. That turns identity governance into an execution problem: what the agent can do, when it can do it, and how quickly those privileges disappear. Static RBAC is useful, but it is not sufficient for goal-driven software.
This is why NHI classification matters. Each token, key, and certificate is a separate control point, and each one can be abused if it is over-scoped, long-lived, or stored outside a secrets manager. NHIMG research shows that 96% of organisations store secrets outside secrets managers in vulnerable locations, and 79% have experienced secrets leaks; that is directly relevant to agentic systems because agents consume secrets continuously, not occasionally. For the broader agentic threat model, see the OWASP NHI Top 10 and the OWASP Agentic AI Top 10.
In practice, many security teams encounter NHI sprawl only after an agent has already chained access across systems and left no clear audit trail.
How It Works in Practice
Agentic AI systems usually draw from a mix of NHIs, chosen by the target system rather than by the agent itself. OAuth tokens are common for SaaS and delegated APIs, service accounts are used for cloud and internal platform access, API keys appear in external data and model endpoints, and certificates often authenticate service-to-service calls. The agent may need all four in one workflow, but it should not hold them all for the full session. Current guidance suggests treating each credential as task-scoped and revocable, not as a durable entitlement.
Practically, that means building around workload identity and runtime policy rather than static user-style access. A workload identity such as SPIFFE or OIDC-based service identity gives you cryptographic proof of what the agent is, while intent-based authorisation decides what it is trying to do at request time. That is more aligned to agent behaviour than predeclared roles. NIST’s NIST AI Risk Management Framework and MITRE ATLAS adversarial AI threat matrix both reinforce the need to evaluate risk dynamically, while NHIMG’s Ultimate Guide to NHIs remains the best grounding for lifecycle control.
- Issue JIT credentials per task, not per agent lifetime.
- Bind each secret to a narrow audience, short TTL, and clear revocation path.
- Evaluate policy at request time using context such as tool, destination, data class, and step in the workflow.
- Log every token use as an NHI event, not just an application event.
These controls tend to break down when agents operate across many tenants or external SaaS tools because identity context is lost at each integration boundary.
Common Variations and Edge Cases
Tighter credential scoping often increases orchestration overhead, requiring organisations to balance safety against workflow reliability. That tradeoff is real, especially when agents must call legacy systems that only support long-lived API keys or shared service accounts. There is no universal standard for this yet, so best practice is evolving toward shorter lifetimes, brokered access, and just-enough privilege rather than a single universal pattern.
Two edge cases matter most. First, some agents need to act on behalf of a user, which creates delegation questions: the user’s OAuth token may represent consent, but the agent still needs its own workload identity and policy envelope. Second, multi-agent architectures can multiply the problem because one agent’s output becomes another agent’s input, increasing the chance of accidental privilege chaining. For emerging governance patterns, compare the Analysis of Claude Code Security with the Moltbook AI agent keys breach, which shows how quickly exposed agent keys become an operational incident.
In mature environments, the practical answer is not “one identity type” but “one identity per trust boundary,” with JIT provisioning, real-time policy checks, and revocation tied to task completion rather than calendar time.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A03 | Agentic workflows need runtime controls for tool use and credential exposure. |
| CSA MAESTRO | MAESTRO-2 | MAESTRO maps well to autonomous workflow identity and access boundaries. |
| NIST AI RMF | GOVERN | AI RMF governance covers accountability for autonomous agent behaviour. |
Constrain each agent action with task-scoped authorisation and revoke credentials on completion.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
