AI security controls rarely transfer between deployment archetypes because the trust boundary changes with the archetype. An embedded copilot, a citizen-built agent, a local coding assistant, and a fine-tuned model each expose different data paths, permissions, and runtime actions. A control that limits prompt leakage in one model may do nothing for tool abuse or endpoint exfiltration in another.
Why This Matters for Security Teams
AI security controls often fail to transfer because the deployment model changes the identity, trust boundary, and action surface at the same time. A browser copilot, a code assistant, and an autonomous agent do not consume data or invoke tools in the same way, so the same control can look effective in one architecture and irrelevant in another. That is why current guidance increasingly treats model placement, tool access, and credential scope as a single design problem rather than separate controls, as reflected in the CSA MAESTRO agentic AI threat modeling framework and Anthropic Project Glasswing.
The practical issue is that teams often inherit a control that was built for prompt filtering or human-operated access, then try to apply it to an agent that can chain tools, reuse secrets, or act on its own goals. That is where static RBAC, long-lived API keys, and perimeter-style assumptions start to break down. The control may still reduce one risk, but it will not address the higher-risk behaviour introduced by autonomy. NHIMG's Ultimate Guide to NHIs — Standards shows why NHI discipline matters here: identity, rotation, and visibility have to follow the workload, not just the application.
In practice, many security teams discover the mismatch only after a deployment model changes and an agent begins using tools in ways the original control never considered.
How It Works in Practice
The main reason controls do not transfer is that each AI deployment archetype produces different identity events. An embedded copilot may only need read access to a document or code context. A citizen-built agent might need delegated SaaS access. A local coding assistant may reach into file systems and package managers. A fine-tuned or autonomous agent can initiate workflows, call APIs, and move across systems without a human in the loop. The more autonomous the workload, the less useful it is to think in terms of static roles and the more useful it becomes to think in terms of runtime intent, workload identity, and just-in-time credential issuance.
That means the control plane should answer four questions at request time: what is the workload, what is it trying to do, what is it allowed to do right now, and how long should that access exist? In practice, this pushes teams toward ephemeral secrets, short-lived tokens, policy-as-code, and workload identity primitives such as SPIFFE-style identity rather than shared or manually handled secrets. The operational lesson aligns with the threat patterns described in the DeepSeek breach, where exposed secrets and overly broad access became immediate attack paths.
- Use JIT credentials for tool calls, not standing credentials that persist beyond the task.
- Bind authorisation to intent and context, not just a coarse role label.
- Issue short-lived secrets with automatic revocation when the task completes.
- Log every tool invocation and downstream action with workload identity attached.
Best practice is evolving, but the direction is clear: access should be evaluated dynamically, with policy informed by the action being attempted, the sensitivity of the destination, and the autonomy level of the workload. These controls tend to break down when a single agent is allowed to reuse the same secrets across multiple tools because scope and lifetime no longer match the real attack surface.
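The following is an added example, not code from the original page or from NHIMG: a minimal control plane that answers the four request-time questions above for an agent's tool call, layers a per-tool intent check on top of a coarse role boundary, issues a single-purpose short-lived token, revokes it when the task completes, and writes every decision to an audit log with the workload identity attached. It also shows the failure mode just described: a token issued for one tool is refused when the agent tries to reuse it for another. The SPIFFE IDs, tool names, autonomy levels, sensitivity labels and TTL values are hypothetical, and the clock is faked so the scenario is reproducible.

```python
from dataclasses import dataclass
from typing import Optional
import secrets
import time


@dataclass(frozen=True)
class Workload:
    spiffe_id: str   # SPIFFE-style workload identity (hypothetical values below)
    autonomy: str    # "assist" (human in the loop) or "autonomous"


@dataclass
class Decision:
    allowed: bool
    reason: str
    token: Optional[str] = None


@dataclass
class Grant:
    workload: str
    tool: str
    intent: str        # the single action this credential is bound to
    expires_at: float
    revoked: bool = False


# Hypothetical policy-as-code: a coarse RBAC boundary per workload, a sensitivity
# label per tool, and a lifetime chosen from (autonomy, sensitivity). Pairs missing
# from TTL_SECONDS are denied outright (here: autonomous + high sensitivity).
ROLES = {
    "spiffe://example.org/agent/code-assistant": {"read_file", "run_tests"},
    "spiffe://example.org/agent/release-bot": {"read_file", "run_tests", "deploy"},
}
TOOL_SENSITIVITY = {"read_file": "low", "run_tests": "low", "deploy": "high"}
TTL_SECONDS = {("assist", "low"): 300, ("assist", "high"): 60, ("autonomous", "low"): 120}


class ControlPlane:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.grants = {}   # token -> Grant
        self.audit = []    # one record per decision and per use, workload identity attached

    def _log(self, workload, tool, intent, event, reason):
        self.audit.append({"ts": self.clock(), "workload": workload, "tool": tool,
                           "intent": intent, "event": event, "reason": reason})

    def _deny(self, workload, tool, intent, reason) -> Decision:
        self._log(workload, tool, intent, "deny", reason)
        return Decision(False, reason)

    def authorize(self, wl: Workload, tool: str, intent: str) -> Decision:
        """Issue a short-lived, single-purpose token, or refuse."""
        # Q1: what is the workload? Unknown identities get nothing.
        if wl.spiffe_id not in ROLES:
            return self._deny(wl.spiffe_id, tool, intent, "unknown workload identity")
        # Q2/Q3: what is it trying to do, and is that allowed for it right now?
        if tool not in ROLES[wl.spiffe_id]:
            return self._deny(wl.spiffe_id, tool, intent, "tool outside coarse role boundary")
        ttl = TTL_SECONDS.get((wl.autonomy, TOOL_SENSITIVITY[tool]))
        if ttl is None:
            return self._deny(wl.spiffe_id, tool, intent, "autonomy level not permitted for tool sensitivity")
        # Q4: how long should the access exist? Only as long as the task needs.
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(wl.spiffe_id, tool, intent, self.clock() + ttl)
        self._log(wl.spiffe_id, tool, intent, "issue", f"ttl={ttl}s")
        return Decision(True, "issued", token)

    def use(self, token: str, tool: str, intent: str) -> Decision:
        """Check a token at invocation time; scope and lifetime must still match."""
        g = self.grants.get(token)
        if g is None:
            return self._deny("unknown", tool, intent, "unknown token")
        if g.revoked or self.clock() > g.expires_at:
            return self._deny(g.workload, tool, intent, "token revoked or expired")
        if (g.tool, g.intent) != (tool, intent):
            return self._deny(g.workload, tool, intent, "scope mismatch: token bound to another tool/intent")
        self._log(g.workload, tool, intent, "use", "ok")
        return Decision(True, "ok", token)

    def complete(self, token: str) -> None:
        """Task finished: revoke immediately rather than waiting for expiry."""
        g = self.grants[token]
        g.revoked = True
        self._log(g.workload, g.tool, g.intent, "revoke", "task complete")


class FakeClock:
    """Deterministic clock so the scenario is reproducible offline."""
    def __init__(self, now=1_000.0): self.now = now
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds


def scenario() -> dict:
    """Constructed walk-through of one assistive and one autonomous workload."""
    clock = FakeClock()
    cp = ControlPlane(clock)
    assistant = Workload("spiffe://example.org/agent/code-assistant", "assist")
    bot = Workload("spiffe://example.org/agent/release-bot", "autonomous")
    out = {}
    t1 = cp.authorize(assistant, "read_file", "read:src/app.py")
    out["assist_read"] = t1.allowed
    out["assist_read_use"] = cp.use(t1.token, "read_file", "read:src/app.py").allowed
    out["reuse_other_tool"] = cp.use(t1.token, "run_tests", "pytest").allowed   # same secret, other tool
    out["assist_deploy"] = cp.authorize(assistant, "deploy", "prod").allowed    # outside role boundary
    out["bot_deploy"] = cp.authorize(bot, "deploy", "prod").allowed             # autonomous + high sensitivity
    t2 = cp.authorize(bot, "run_tests", "pytest")
    cp.complete(t2.token)
    out["bot_tests_after_complete"] = cp.use(t2.token, "run_tests", "pytest").allowed
    clock.advance(301)                                                          # past the 300 s TTL
    out["assist_read_expired"] = cp.use(t1.token, "read_file", "read:src/app.py").allowed
    out["audit_entries"] = len(cp.audit)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The role table is the coarse RBAC boundary; the (autonomy, sensitivity) lookup is the intent-and-context check layered on top, and it is where an autonomous workload is refused an action that the same role would permit to a human-assisted one. Replacing `FakeClock` with the real clock and the in-memory `grants` dict with the token store of whatever secrets manager or workload identity provider is in use gives the shape of a production control; the decision logic does not change.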
Common Variations and Edge Cases
Tighter control often increases deployment friction, requiring organisations to balance operational speed against reduced blast radius. That tradeoff becomes sharper in environments where developers expect fast iteration, agents are chained together, or SaaS integrations depend on brittle legacy tokens. In those cases, a strict JIT model can feel slower than static access, but the alternative is usually hidden privilege that survives far longer than the task itself.
There is no universal standard for this yet, especially for multi-agent systems and mixed human-agent workflows. Some teams will use RBAC for coarse boundaries and layer intent-based checks on top at runtime. Others will move directly to ZTA-inspired policy evaluation and ephemeral credentials for every meaningful action. The right answer depends on whether the workload is merely assisting a user or making autonomous decisions with execution authority. For that reason, security teams should treat agentic systems differently from ordinary application workloads and map them back to the identity and access patterns described in the Ultimate Guide to NHIs — Standards, then compare the design with the control assumptions in CSA MAESTRO agentic AI threat modeling framework.
The hard edge case is the autonomous agent that can discover new paths, chain tools, and operate outside the original prompt flow. In those environments, a control tuned for one deployment model often fails because it assumes the workload will behave like a bounded application rather than an adaptive actor.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A08 | Agentic controls address autonomy, tool use, and dynamic authorization gaps. |
| CSA MAESTRO | Agentic AI threat modeling framework | MAESTRO models agentic threats that vary by deployment and trust boundary. |
| NIST AI RMF | Governance and control requirements | AI RMF fits governance of changing AI risk across deployment models. |
Threat model each AI archetype separately and align controls to its identity and action paths.
Reviewed and updated by the NHIMG editorial team on June 4, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org