Look for inconsistent model routing, missing prompt logs, unexplained token spend, tool access that differs by team, and sessions that bypass the central gateway. Those are signs that the organisation has multiple unmanaged policy paths rather than one controlled identity and data plane.
Why This Matters for Security Teams
Claude Code and similar tools are not just software features. They are agentic workloads that can read context, call tools, and take actions across systems. Once those actions happen outside a central identity and policy plane, governance becomes advisory instead of enforceable. That is where inconsistent routing, missing logs, and bypassed gateways become operational risk rather than isolated anomalies. NIST’s Cybersecurity Framework 2.0 still applies, but only if the organisation can actually observe and control the workload path. NHIMG’s Analysis of Claude Code Security highlights how quickly these environments create fragmented control points when teams adopt different entry paths, brokers, and permissions. The real issue is not just tool usage, but whether every request is tied back to one accountable identity, one policy decision, and one auditable session trail. In practice, many security teams only discover governance drift after an incident review reveals separate policy paths that were never meant to exist.
How It Works in Practice
The most reliable signals of boundary drift are control-plane inconsistencies. If one team routes through a gateway with logging and content policy while another team invokes the same agent through a local plugin or direct API key, the organisation no longer has one enforcement model. That is why current guidance suggests treating agent access as workload identity, not as a user convenience layer. Frameworks such as NIST CSF 2.0 help define the governance expectation, but implementation depends on request-time policy evaluation, short-lived credentials, and complete telemetry.
Security teams should look for the following patterns:
- Sessions that originate outside the approved broker or gateway.
- Prompt and tool logs that are incomplete, delayed, or missing for specific teams.
- Token spend that rises without matching changes in approved usage.
- Different model routing rules for the same task class across business units.
- Tool permissions that expand informally through local configuration rather than central approval.
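The five patterns above can be checked mechanically against session telemetry. The following is an added example, not NHIMG's or any vendor's code: it runs drift checks over a constructed set of agent session records, and the team names, entry points, tool names, approved-tool lists and spend baselines are all assumed values.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): one record per agent session.
SESSIONS = [
    {"id": "s1", "team": "payments", "entry": "gateway", "prompt_log": True,
     "model": "model-a", "task": "code-review", "tools": {"read_repo"}, "tokens": 12000},
    {"id": "s2", "team": "payments", "entry": "local-plugin", "prompt_log": False,
     "model": "model-a", "task": "code-review", "tools": {"read_repo", "shell"}, "tokens": 9000},
    {"id": "s3", "team": "data", "entry": "gateway", "prompt_log": True,
     "model": "model-b", "task": "code-review", "tools": {"read_repo"}, "tokens": 60000},
    {"id": "s4", "team": "data", "entry": "direct-api-key", "prompt_log": False,
     "model": "model-b", "task": "code-review", "tools": {"read_repo", "deploy"}, "tokens": 5000},
]
# Assumed central approvals: tools each team may use and expected tokens per session.
APPROVED_TOOLS = {"payments": {"read_repo"}, "data": {"read_repo"}}
BASELINE_TOKENS = {"payments": 15000, "data": 15000}

def find_drift(sessions, approved_tools, baseline, spike=2.0):
    """Return (subject, finding) pairs for every drift pattern seen in the telemetry."""
    findings = []
    routing = defaultdict(set)  # task class -> models used for it
    for s in sessions:
        # Sessions that did not originate at the approved gateway.
        if s["entry"] != "gateway":
            findings.append((s["id"], "bypassed-gateway"))
        # Prompt/tool log missing for this session.
        if not s["prompt_log"]:
            findings.append((s["id"], "missing-prompt-log"))
        # Tools used beyond what central approval granted the team.
        extra = s["tools"] - approved_tools.get(s["team"], set())
        if extra:
            findings.append((s["id"], "unapproved-tools:" + ",".join(sorted(extra))))
        # Token spend well above the approved baseline for the team.
        if s["tokens"] > spike * baseline.get(s["team"], 0):
            findings.append((s["id"], "token-spend-spike"))
        routing[s["task"]].add(s["model"])
    # Same task class routed to different models across teams.
    for task, models in routing.items():
        if len(models) > 1:
            findings.append((task, "inconsistent-routing:" + ",".join(sorted(models))))
    return findings

if __name__ == "__main__":
    for subject, finding in find_drift(SESSIONS, APPROVED_TOOLS, BASELINE_TOKENS):
        print(subject, finding)
```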
NHIMG’s Top 10 NHI Issues reinforces a common failure mode: unmanaged identity sprawl almost always hides behind convenience. For agentic tools, best practice is evolving toward ephemeral credentials, policy-as-code, and workload proof using mechanisms such as OIDC-backed tokens or SPIFFE-style identity. That matters because an agent can chain tools, change objectives, and escalate privilege in ways a static approval model never anticipated. These controls tend to break down when developers can bypass the central gateway with local keys, because the organisation loses the only reliable record of what the agent was allowed to do.
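To make the request-time model concrete, here is an added example (not NHIMG's code and not any gateway product's API) of a gateway decision that requires a short-lived, signed workload token and a policy-as-code tool allow-list before a tool call proceeds. The signing key, the SPIFFE-style identifiers under the assumed trust domain example.org, and the policy contents are all assumed values; a production gateway would verify OIDC tokens against the issuer's published keys rather than a shared HMAC key.

```python
import hashlib
import hmac
import json
import time

# Assumed issuer key for demonstration only.
ISSUER_KEY = b"demo-gateway-key"

# Policy-as-code (assumed values): which workload identity may invoke which tools.
POLICY = {
    "spiffe://example.org/team/payments/claude-code": {"read_repo", "run_tests"},
}

def mint_token(subject, ttl_seconds, now=None):
    """Mint a short-lived workload token: claims plus an HMAC over the claims."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}

def evaluate(token, tool, now=None):
    """Request-time decision returning (allowed, reason); fails closed on any doubt."""
    now = time.time() if now is None else now
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    # Reject any token whose claims were altered after issuance.
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "bad-signature"
    # Ephemeral credentials: an expired token grants nothing.
    if now >= token["claims"]["exp"]:
        return False, "expired-credential"
    # Workload proof: the identity must be known to policy at all.
    allowed = POLICY.get(token["claims"]["sub"])
    if allowed is None:
        return False, "unknown-workload"
    # Each tool call is checked against the central allow-list, not a local config.
    if tool not in allowed:
        return False, "tool-not-in-policy"
    return True, "ok"

if __name__ == "__main__":
    tok = mint_token("spiffe://example.org/team/payments/claude-code", ttl_seconds=300)
    print(evaluate(tok, "read_repo"))  # allowed
    print(evaluate(tok, "deploy"))     # denied: tool-not-in-policy
```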
Common Variations and Edge Cases
Tighter gateway control often increases friction for developers and can slow experimentation, so organisations have to balance speed against auditability. There is no universal standard for how much autonomy an agent should retain, especially in fast-moving engineering environments. Some teams accept limited local execution for low-risk tasks, while others require every action to pass through a governed broker. The right answer depends on the sensitivity of the tools, data, and downstream systems involved.
Edge cases usually appear in hybrid environments. For example, a tool may be governed in the central SaaS interface but not in a desktop extension, or one model may be pinned to a policy stack while another is routed through a fallback provider. That creates the illusion of compliance while leaving real attack paths open. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because lifecycle control is what exposes whether identities are truly governed from issuance through revocation. When teams need a deeper benchmark for risk visibility, the State of Non-Human Identity Security is especially relevant: only 1.5 out of 10 organisations are highly confident in securing NHIs, which reflects how often hidden policy paths persist until they are explicitly tested.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Addresses agentic tools that bypass governed workflows and logging. | |
| CSA MAESTRO | Covers governance for autonomous agent workflows and tool use. | |
| NIST AI RMF | Supports risk governance for AI systems operating beyond intended boundaries. | |
Map every agent path to approved controls, then block direct access that escapes central policy enforcement.
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org