Agentic systems can initiate actions, call tools, and continue workflows without a human approving each step. That means access, policy, and accountability behave like identity problems, not just model problems. IAM teams need to govern who or what can act, under what conditions, and with what evidence of control.
Why This Matters for Security Teams
agentic ai changes the security problem from model safety to action safety. Once an AI system can call tools, chain tasks, and continue without a human approving every step, IAM stops being a back-office control and becomes the primary enforcement layer for risk. That is why current guidance increasingly treats agent permissions, secret handling, and runtime policy as one problem rather than separate domains. NIST’s NIST AI Risk Management Framework and OWASP’s OWASP Agentic AI Top 10 both reflect that shift.
NHIMG research shows the operational reality is already visible: in the AI Agents: The New Attack Surface report, 80% of organisations said their AI agents had already acted beyond intended scope, while only 44% had policies in place to govern them. That gap matters because an agent that can access a system, retrieve a token, or invoke a workflow is effectively exercising identity, not merely inference. In practice, many security teams encounter this only after an agent has already touched data, triggered downstream automation, or exposed secrets rather than through intentional design.
How It Works in Practice
Security teams converge IAM and AI controls by treating the agent as a workload identity with bounded authority, not as a chat interface with broad trust. That usually means assigning a cryptographic identity to the agent, then issuing short-lived credentials and scoped tool access only when the task requires it. SPIFFE/SPIRE and OIDC-style workload identity patterns are useful here because they prove what the agent is and what execution context it is running in, which is more reliable than assuming a static role will remain appropriate across every step.
At runtime, policy decisions should be evaluated contextually. The question is not just “is this agent allowed to access S3?” but “is this specific agent, for this objective, at this time, with this approval trail, allowed to perform this action?” That is where policy-as-code approaches such as OPA or Cedar fit, alongside governance patterns described in CSA MAESTRO agentic AI threat modeling framework. The best practice is evolving, but the direction is clear: pre-defined access rules alone are too static for autonomous systems.
- Issue per-task secrets with short TTLs and revoke them automatically on completion.
- Separate the agent’s workload identity from the human operator’s identity and from the model itself.
- Log every tool invocation, data access, and permission grant as an audit event.
- Use approvals for high-risk actions, but do not rely on approvals as the only control.
This approach aligns with NHIMG’s analysis in Ultimate Guide to NHIs — 2025 Outlook and Predictions and the threat patterns discussed in the AI LLM hijack breach case study. These controls tend to break down when agents are given long-lived API keys and unrestricted network reach because compromise becomes persistent and lateral movement becomes trivial.
Common Variations and Edge Cases
Tighter runtime controls often increase operational friction, requiring organisations to balance automation speed against governance overhead. That tradeoff becomes most visible in multi-agent workflows, where one agent may plan, another may retrieve data, and a third may execute an external action. Best practice is evolving, but there is no universal standard for how to partition authority across those roles yet.
Some environments also blur the line between model and operator. Shared service accounts, embedded credentials in orchestration tools, and long-lived connectors can make it difficult to tell whether a failure is an IAM problem, an AI behavior problem, or both. The Moltbook AI agent keys breach illustrates why static secrets are especially dangerous when autonomous systems inherit them at scale. External guidance such as the NIST AI Risk Management Framework and the OWASP Top 10 for Agentic Applications 2026 supports this risk-based approach.
Edge cases emerge in regulated workloads, air-gapped systems, and legacy platforms that cannot support fine-grained token issuance. In those cases, organisations often start with compensating controls such as brokered access, privileged session recording, or gateway-mediated actions. The framework is simple: if an agent can act independently, then identity, authorization, and telemetry must be evaluated at the same moment as the action.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agentic systems expand attack paths through tool use and autonomous actions. |
| CSA MAESTRO | M3 | MAESTRO models agent planning and execution risks across workflows. |
| NIST AI RMF | AI RMF governs trust, accountability, and risk for autonomous systems. |
Apply AI RMF to assign owners, define controls, and monitor agent behaviour continuously.
Related resources from NHI Mgmt Group
- How should security teams govern machine identity credentials in agentic AI environments?
- How does the rise of AI identities impact traditional IAM systems?
- How should security teams limit the risk from AI agents that have access to production systems?
- How should security teams govern AI agents that can access enterprise systems?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
