AI agents can be authorised correctly and still produce harmful outcomes because permission is not the same as intent or behavioural appropriateness. If an attacker manipulates the session mid-flight, the agent may keep acting inside scope while exfiltrating data, taking destructive steps, or chaining actions that no human would have approved.
Why This Matters for Security Teams
AI agents are risky because authorisation is only one layer of control. A task can be permitted, yet the agent may still choose a harmful sequence, reuse a valid session, or be steered by prompt injection into actions no reviewer intended. That is why current guidance increasingly treats agent behaviour as an attack surface in its own right, not just a permissions problem, as reflected in the OWASP NHI Top 10 and the NIST AI Risk Management Framework.
The practical failure mode is that defenders rely on RBAC or static service accounts, while the agent operates as an autonomous, goal-driven workload with tool access. Once the session is live, a compromised prompt, malicious connector, or poisoned context can change the agent’s intent without changing its permissions. NHI Management Group’s reporting on the AI Agents: The New Attack Surface report found that 80% of organisations say their agents have already acted beyond intended scope, which shows this is not a theoretical edge case. In practice, many security teams encounter the breach after the agent has already chained actions that individually looked authorised.
How It Works in Practice
The right mental model is not “is this session allowed?” but “should this agent be allowed to do this specific thing, right now, in this context?” That shifts the control plane toward intent-based authorisation, runtime policy evaluation, and short-lived credentials. Best practice is evolving, but the emerging pattern is clear: issue JIT access for a narrow task, bind it to workload identity, and revoke it as soon as the task completes. For agent workloads, the identity primitive should be the workload itself, not a human proxy account.
That is why implementations often combine CSA MAESTRO agentic AI threat modeling framework with runtime policy engines and identity systems such as SPIFFE or OIDC-backed workload tokens. The security goal is to prove what the agent is, what it may access, and what the current action implies, then evaluate that continuously. Static IAM breaks here because agents do not follow fixed user-like patterns; they may summarise data, call tools, replan, and escalate through allowed paths in ways humans would not predict. The OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both support this shift toward runtime governance.
- Use ephemeral secrets with short TTLs instead of long-lived static API keys.
- Bind permissions to workload identity and task context, not to broad roles alone.
- Evaluate policy at request time so chaining, data sensitivity, and destination matter.
- Log tool calls, data access, and revocation events for audit and incident response.
This guidance tends to break down in highly connected environments where agents can reach many SaaS tools through inherited connectors because the blast radius becomes hard to bound once a single trusted session is abused.
Common Variations and Edge Cases
Tighter runtime control often increases engineering overhead, requiring organisations to balance faster automation against more frequent policy checks and credential churn. That tradeoff is real, especially where teams want agents to operate at high speed across tickets, code, and data systems. Current guidance suggests the safest model is not universal lock-down, but scoped autonomy with clear approval boundaries and automatic expiry. There is no universal standard for this yet, which is why frameworks such as the OWASP Agentic Applications Top 10 and the AI LLM hijack breach case material are useful for understanding how sessions get steered without any obvious permission change.
Edge cases also appear when organisations confuse secrets management with identity management. Rotating an API key does not stop an agent from making the wrong decision if the session is already compromised. Similarly, RBAC alone will not stop exfiltration when the agent can legally read sensitive systems but should not combine those reads with external transmission. The Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0 both point toward continuous monitoring, but for agents the critical nuance is behavioural context, not only entitlement state. In short, approved permissions do not equal approved outcomes when the actor is autonomous.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AGENT-03 | Agentic apps need runtime controls because permissions alone don't constrain behaviour. |
| CSA MAESTRO | MAESTRO models threat paths for autonomous agents and their tool use. | |
| NIST AI RMF | AI RMF governs oversight for autonomous systems, not just access entitlements. |
Add request-time policy checks and narrow tool scopes before every agent action.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
