Agentic systems can act, sequence tasks, and reuse state. That means identity risk is not limited to authentication or prompt quality, because the software can carry delegated authority into later steps. The result is a broader attack surface where tool misuse, scope drift, and control bypass become operational concerns.
Why This Matters for Security Teams
Chatbots usually answer within a conversation boundary; agentic systems can take actions, chain tools, and retain state across steps. That changes the identity problem from “who authenticated?” to “what authority did the software carry into the next action, and was that authority still appropriate?” The distinction matters because agent identity risk is operational, not just conversational, and it is increasingly visible in current guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework.
NHIMG research shows why this is not theoretical: in the AI Agents: The New Attack Surface report, SailPoint found that 80% of organisations report their AI agents have already performed actions beyond intended scope, including access to unauthorised systems, sensitive data sharing, and credential exposure. In practice, many security teams encounter these failures only after a downstream tool action has already occurred, rather than through intentional governance design.
How It Works in Practice
For chatbots, the main risks tend to cluster around input handling, output quality, and prompt injection. For agentic systems, the identity layer becomes the control plane for delegation. An agent may receive a task, call a tool, retrieve data, invoke another agent, and continue operating with inherited context. If that context includes long-lived secrets or broad roles, the agent can exceed its original intent without ever “logging in” again.
That is why many practitioners are moving toward runtime, context-aware authorisation instead of static role assignments. Best practice is evolving, but current guidance suggests three building blocks: workload identity for the agent itself, just-in-time credential issuance for each task, and policy-as-code evaluation at request time. Workload identity proves what the agent is, not merely that it has a password or token. JIT reduces the blast radius by making credentials short-lived and automatically revocable. Real-time policy engines then decide whether the action is allowed given the task, target system, data sensitivity, and execution context.
In parallel, teams should separate conversational memory from operational authority. A prompt or plan can persist, but it should not imply standing access to secrets, production systems, or privileged APIs. That principle aligns with the CSA MAESTRO agentic AI threat modeling framework and the OWASP NHI Top 10, both of which treat delegation, tool abuse, and scope drift as core risks rather than edge cases.
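The three building blocks above (workload identity, just-in-time credentials, policy-as-code at request time) and the separation of conversational memory from operational authority can be sketched in a few dozen lines. The following is an added example, not NHIMG's code or any vendor's product: the agent identifier, tool names, target systems, the in-memory signing key and the policy rules are all constructed for illustration, and a real deployment would keep the key in a KMS and the policy in a dedicated engine.

```python
# Added example (not NHIMG's code). A toy runtime authorisation layer for an
# agent: a workload identity receives a short-lived, task-scoped credential,
# and every tool call is evaluated against policy at request time. Tool names,
# target systems and policy rules are constructed for illustration.
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Assumption: in production the signing key lives in a KMS/HSM, not in memory.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed policy data: tools that require a step-up check before use, and
# the only targets restricted data is allowed to flow to.
SENSITIVE_TOOLS = {"send_email", "run_sql"}
RESTRICTED_DATA_SINKS = {"internal-warehouse"}

REVOKED_TASKS: set = set()


@dataclass(frozen=True)
class TaskCredential:
    agent_id: str        # workload identity of the agent, not a human user
    task_id: str
    scopes: frozenset    # allowed (tool, target) pairs for this task only
    expires_at: float
    mac: str             # HMAC over the fields above


def _payload(agent_id, task_id, scopes, expires_at) -> bytes:
    body = {"agent": agent_id, "task": task_id,
            "scopes": sorted(scopes), "exp": expires_at}
    return json.dumps(body, sort_keys=True).encode()


def issue_task_credential(agent_id, task_id, scopes, ttl_seconds=300, now=None):
    """Just-in-time issuance: minted per task, short TTL, revocable by task id."""
    now = time.time() if now is None else now
    expires_at = now + ttl_seconds
    scopes = frozenset(scopes)
    mac = hmac.new(SIGNING_KEY, _payload(agent_id, task_id, scopes, expires_at),
                   hashlib.sha256).hexdigest()
    return TaskCredential(agent_id, task_id, scopes, expires_at, mac)


def revoke_task(task_id: str) -> None:
    REVOKED_TASKS.add(task_id)


def credential_is_valid(cred: TaskCredential, now=None) -> bool:
    now = time.time() if now is None else now
    expected = hmac.new(SIGNING_KEY, _payload(cred.agent_id, cred.task_id,
                        cred.scopes, cred.expires_at), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, cred.mac)
            and now < cred.expires_at
            and cred.task_id not in REVOKED_TASKS)


def authorize(cred, tool, target, data_sensitivity, context, now=None) -> str:
    """Policy-as-code evaluated at request time. Returns 'allow', 'step_up' or
    'deny:<reason>'. Only the credential carries authority; the agent's retained
    plan or memory (passed in `context`) is never consulted for access."""
    if not credential_is_valid(cred, now):
        return "deny:invalid_or_expired_credential"
    if (tool, target) not in cred.scopes:
        return "deny:out_of_task_scope"
    if data_sensitivity == "restricted" and target not in RESTRICTED_DATA_SINKS:
        return "deny:restricted_data_to_unapproved_target"
    if tool in SENSITIVE_TOOLS and not context.get("step_up_verified", False):
        return "step_up"
    return "allow"


def demo() -> dict:
    REVOKED_TASKS.clear()  # reset so the demo is repeatable
    t0 = 1_000_000.0
    # Task scope: read helpdesk tickets, write rows to the warehouse, send mail.
    cred = issue_task_credential("agent://support-triage", "task-001",
                                 {("read_ticket", "helpdesk"),
                                  ("write_rows", "internal-warehouse"),
                                  ("send_email", "smtp-relay")}, now=t0)
    # Memory retained from an earlier plan mentions a production database.
    # That memory must not imply standing access to it.
    memory = {"plan": ["read_ticket helpdesk", "run_sql prod-db"]}
    results = {
        "in_scope": authorize(cred, "read_ticket", "helpdesk", "internal", memory, now=t0),
        "memory_only": authorize(cred, "run_sql", "prod-db", "restricted", memory, now=t0),
        "restricted_sink_ok": authorize(cred, "write_rows", "internal-warehouse", "restricted", memory, now=t0),
        "step_up_needed": authorize(cred, "send_email", "smtp-relay", "internal", memory, now=t0),
        "step_up_done": authorize(cred, "send_email", "smtp-relay", "internal",
                                  {**memory, "step_up_verified": True}, now=t0),
        "expired": authorize(cred, "read_ticket", "helpdesk", "internal", memory, now=t0 + 301),
    }
    revoke_task("task-001")  # automatic revocation path, e.g. on task completion
    results["revoked"] = authorize(cred, "read_ticket", "helpdesk", "internal", memory, now=t0)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} {decision}")
```

The point of `demo()` is the `memory_only` case: the agent's retained plan references `prod-db`, but because the task credential never carried that scope, the request is denied without any special handling of prompt content. Expiry and revocation are checked on every call, which is what makes the credential short-lived and revocable in practice rather than only on paper.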
These controls tend to break down in multi-tenant environments with loosely governed toolchains because delegated actions, token reuse, and hidden cross-system trust chains become difficult to observe end to end.
Common Variations and Edge Cases
Tighter control over agent identity often increases workflow friction, requiring organisations to balance speed of execution against reduced blast radius. That tradeoff is especially visible when teams try to apply human IAM patterns to non-human workloads.
There is no universal standard for this yet, but guidance suggests a few common exceptions. Some agents are effectively chatbots with limited tool access, and their identity risk is closer to traditional application access management. Others behave like autonomous operators, where a single task can fan out into multiple privileged actions across systems. In those cases, static RBAC is often too coarse because the same role may be safe in one context and dangerous in another.
Edge cases also appear when agents reuse state across sessions, when multiple agents collaborate, or when an agent can trigger another agent indirectly. Those architectures create chained trust that can bypass simple approval gates. For that reason, many teams pair zero standing privilege with session-scoped secrets and step-up checks for sensitive tools. NHIMG’s Ultimate Guide to NHIs is useful here because the same identity discipline that protects service accounts also applies to autonomous agents, but the runtime controls must be stricter.
The practical rule is simple: the more autonomous the system, the less you can rely on pre-defined access patterns. For workloads that can plan, branch, retry, and chain actions, identity governance has to move from one-time authentication to continuous authorisation.
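The chained-trust edge cases in the two paragraphs above (one agent triggering another, scope drifting as delegation fans out, approval gates bypassed by an indirect call) come down to a few invariants that can be enforced at each delegation hop. The following is an added example, not NHIMG's code: it models an attenuating delegation chain in which a child agent can only receive a subset of its parent's scopes, every grant is bound to one session, chain depth is capped, and a step-up check is required at the hop that actually uses a sensitive tool. Agent names, tools, targets and session identifiers are constructed, and integrity protection of the grants (signing) is assumed to be provided by a separate layer and is omitted here.

```python
# Added example (not NHIMG's code). Attenuating delegation between agents:
# each hop narrows scope, stays within the originating session, respects a
# depth limit, and does not inherit a step-up approval from its parent.
# Names, tools and sessions are constructed; grant signing is assumed elsewhere.
from dataclasses import dataclass

MAX_CHAIN_DEPTH = 3                       # root + 2 delegated hops
STEP_UP_TOOLS = {"deploy", "transfer_funds"}
ACTIVE_SESSIONS: set = set()


class DelegationError(Exception):
    pass


@dataclass(frozen=True)
class Grant:
    agent_id: str
    session_id: str
    scopes: frozenset        # (tool, target) pairs this agent may use
    chain: tuple = ()        # agent ids that delegated to reach this grant


def root_grant(agent_id: str, session_id: str, scopes) -> Grant:
    ACTIVE_SESSIONS.add(session_id)
    return Grant(agent_id, session_id, frozenset(scopes))


def delegate(parent: Grant, child_agent: str, requested, session_id: str) -> Grant:
    """Child receives at most the parent's scopes, in the parent's session."""
    if session_id != parent.session_id:
        raise DelegationError("delegation must stay within the originating session")
    if len(parent.chain) + 1 >= MAX_CHAIN_DEPTH:
        raise DelegationError("delegation chain too deep")
    requested = frozenset(requested)
    excess = requested - parent.scopes
    if excess:
        raise DelegationError(f"requested scopes exceed parent's: {sorted(excess)}")
    return Grant(child_agent, session_id, requested,
                 chain=parent.chain + (parent.agent_id,))


def end_session(session_id: str) -> None:
    """Session-scoped secrets: ending the session invalidates every grant in it."""
    ACTIVE_SESSIONS.discard(session_id)


def authorize_action(grant: Grant, tool: str, target: str,
                     step_up_verified: bool = False) -> str:
    if grant.session_id not in ACTIVE_SESSIONS:
        return "deny:session_ended"
    if (tool, target) not in grant.scopes:
        return "deny:out_of_scope"
    # Step-up is evaluated at the hop that uses the tool, so an indirect
    # trigger through another agent cannot skip the gate.
    if tool in STEP_UP_TOOLS and not step_up_verified:
        return "step_up"
    return "allow"


def demo() -> dict:
    ACTIVE_SESSIONS.clear()
    planner = root_grant("agent://planner", "sess-42",
                         {("read_repo", "git"), ("deploy", "staging")})
    results = {}
    # Planner hands the deploy step to a worker, narrowed to deploy only.
    worker = delegate(planner, "agent://worker", {("deploy", "staging")}, "sess-42")
    results["worker_chain"] = worker.chain
    # Worker tries to widen scope while delegating on: rejected.
    try:
        delegate(worker, "agent://helper", {("deploy", "production")}, "sess-42")
        results["widen"] = "allowed"
    except DelegationError:
        results["widen"] = "rejected"
    # Delegation into a different session: rejected.
    try:
        delegate(worker, "agent://helper", {("deploy", "staging")}, "sess-99")
        results["cross_session"] = "allowed"
    except DelegationError:
        results["cross_session"] = "rejected"
    helper = delegate(worker, "agent://helper", {("deploy", "staging")}, "sess-42")
    # One more hop would exceed the depth cap.
    try:
        delegate(helper, "agent://yet-another", {("deploy", "staging")}, "sess-42")
        results["depth"] = "allowed"
    except DelegationError:
        results["depth"] = "rejected"
    # The sensitive tool still needs step-up at the hop that uses it.
    results["deploy_no_step_up"] = authorize_action(helper, "deploy", "staging")
    results["deploy_step_up"] = authorize_action(helper, "deploy", "staging", step_up_verified=True)
    # Ending the session kills every grant in the chain at once.
    end_session("sess-42")
    results["after_session_end"] = authorize_action(helper, "deploy", "staging", step_up_verified=True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

Two design choices carry the weight here. Scope can only shrink at each hop, so however many agents a task fans out across, no downstream agent ends up with more than the root grant held. And the step-up decision is made where the tool is invoked rather than where the task was planned, which is what stops an indirect trigger through a second agent from inheriting an approval it never received.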
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agentic systems expand tool and action abuse risk beyond chatbot input handling. |
| CSA MAESTRO | | MAESTRO focuses on threat modeling autonomous agents and their delegated authority. |
| NIST AI RMF | | AI RMF addresses governance for autonomous system behavior and accountability. |
Use AI RMF governance to assign owners, monitor behavior, and review agent actions continuously.
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org