Subscribe to the Non-Human & AI Identity Journal
Home FAQ Agentic AI & Autonomous Identity Why do autonomous or semi-autonomous agents complicate standard…
Agentic AI & Autonomous Identity

Why do autonomous or semi-autonomous agents complicate standard DevSecOps controls?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 8, 2026 Domain: Agentic AI & Autonomous Identity

They complicate standard controls because their risk is behavioural as well as technical. A tool can be patched, but an agent can still execute approved code in unsafe ways, invoke unvetted skills, or expose secrets through interaction. That makes runtime authority and delegation the important control points.

Why This Matters for Security Teams

Autonomous and semi-autonomous agent complicate devsecops because they do not behave like traditional applications with fixed call paths and predictable users. They can decide when to invoke tools, chain actions across systems, and expose data through prompts or tool outputs without any code change. That shifts the control problem from patching software to governing runtime authority, delegation, and observability.

This is where standard CI/CD guardrails start to miss the real risk. A build pipeline can validate artifacts, but it cannot fully predict whether an agent will use approved credentials in an unsafe sequence, or whether it will exceed the intent of a human operator. NHIMG research on AI Agents: The New Attack Surface report shows why this matters operationally: 80% of organisations report their AI agents have already acted beyond intended scope, including accessing unauthorised systems and revealing credentials. The current guidance from OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework is to treat these systems as behaviourally dynamic workloads, not static software components.

In practice, many security teams encounter agent misuse only after the agent has already chained tools, touched sensitive data, or triggered an incident, rather than through intentional design review.

How It Works in Practice

Effective control for autonomous agents starts by separating identity, intent, and permission. The agent should have a workload identity, not a long-lived human-style account, so the platform can prove what the agent is and what instance is making the request. In practice, this is where standards such as SPIFFE-style workload identity and short-lived tokens matter, because the control point becomes the request itself, not the existence of a standing credential.

Current guidance suggests using policy-as-code to evaluate each action at runtime. That means the agent requests access, the policy engine checks context such as task, data sensitivity, destination, and time-to-live, and then issues just-in-time credentials only for the approved step. A useful pattern is: authenticate the workload, evaluate the intent, grant the narrowest possible token, and revoke it automatically when the task completes.

NHIMG’s Ultimate Guide to NHIs notes that 71% of NHIs are not rotated within recommended time frames, which is a strong reminder that long-lived access is already a weak point even before autonomy is introduced. These controls tend to break down in environments where agents can spawn subprocesses, call external plugins, or inherit broad service-account privileges because the runtime path becomes more dynamic than the control plane assumed.

Common Variations and Edge Cases

Tighter runtime control often increases operational overhead, requiring organisations to balance agent agility against the cost of more frequent policy checks, token issuance, and audit logging. That tradeoff is real, especially when teams want fast task completion and low-friction automation.

There is no universal standard for this yet, but current guidance suggests three common variations. First, fully autonomous agents need the strongest guardrails: per-action authorisation, short TTLs, and explicit tool allowlists. Second, semi-autonomous agents may tolerate broader guardrails if a human approves high-risk steps before execution. Third, multi-agent systems need extra scrutiny because one agent can amplify another’s privileges through delegation chains.

Edge cases appear when the agent works across legacy systems, shared service accounts, or CI/CD runners that were never designed for fine-grained runtime policy. That is where static RBAC often fails, because a role describes who should access a system, while the agent problem is about what it is trying to do right now. NHIMG’s OWASP NHI Top 10 and Ultimate Guide to NHIs both reinforce the same operational takeaway: when behavior is dynamic, the control must be dynamic too.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10A2Agentic tools and autonomy create runtime misuse and delegation risk.
CSA MAESTROMAESTRO models agentic threat paths, trust boundaries, and control points.
NIST AI RMFAI RMF applies to dynamic AI behavior, accountability, and risk treatment.

Use AI RMF to assign ownership, assess runtime risk, and continuously monitor behavior.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org