They complicate standard controls because their risk is behavioural as well as technical. A tool can be patched, but an agent can still execute approved code in unsafe ways, invoke unvetted skills, or expose secrets through interaction. That makes runtime authority and delegation the important control points.
Why This Matters for Security Teams
Autonomous and semi-autonomous agent complicate devsecops because they do not behave like traditional applications with fixed call paths and predictable users. They can decide when to invoke tools, chain actions across systems, and expose data through prompts or tool outputs without any code change. That shifts the control problem from patching software to governing runtime authority, delegation, and observability.
This is where standard CI/CD guardrails start to miss the real risk. A build pipeline can validate artifacts, but it cannot fully predict whether an agent will use approved credentials in an unsafe sequence, or whether it will exceed the intent of a human operator. NHIMG research on AI Agents: The New Attack Surface report shows why this matters operationally: 80% of organisations report their AI agents have already acted beyond intended scope, including accessing unauthorised systems and revealing credentials. The current guidance from OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework is to treat these systems as behaviourally dynamic workloads, not static software components.
In practice, many security teams encounter agent misuse only after the agent has already chained tools, touched sensitive data, or triggered an incident, rather than through intentional design review.
How It Works in Practice
Effective control for autonomous agents starts by separating identity, intent, and permission. The agent should have a workload identity, not a long-lived human-style account, so the platform can prove what the agent is and what instance is making the request. In practice, this is where standards such as SPIFFE-style workload identity and short-lived tokens matter, because the control point becomes the request itself, not the existence of a standing credential.
Current guidance suggests using policy-as-code to evaluate each action at runtime. That means the agent requests access, the policy engine checks context such as task, data sensitivity, destination, and time-to-live, and then issues just-in-time credentials only for the approved step. A useful pattern is: authenticate the workload, evaluate the intent, grant the narrowest possible token, and revoke it automatically when the task completes.
- Use ephemeral credentials for agent actions instead of reusable static secrets.
- Constrain tool access per task, not per application release.
- Log both the prompt trail and the tool invocation trail for investigation.
- Apply runtime authorisation with CSA MAESTRO agentic AI threat modeling framework and align decisions with MITRE ATLAS adversarial AI threat matrix.
NHIMG’s Ultimate Guide to NHIs notes that 71% of NHIs are not rotated within recommended time frames, which is a strong reminder that long-lived access is already a weak point even before autonomy is introduced. These controls tend to break down in environments where agents can spawn subprocesses, call external plugins, or inherit broad service-account privileges because the runtime path becomes more dynamic than the control plane assumed.
Common Variations and Edge Cases
Tighter runtime control often increases operational overhead, requiring organisations to balance agent agility against the cost of more frequent policy checks, token issuance, and audit logging. That tradeoff is real, especially when teams want fast task completion and low-friction automation.
There is no universal standard for this yet, but current guidance suggests three common variations. First, fully autonomous agents need the strongest guardrails: per-action authorisation, short TTLs, and explicit tool allowlists. Second, semi-autonomous agents may tolerate broader guardrails if a human approves high-risk steps before execution. Third, multi-agent systems need extra scrutiny because one agent can amplify another’s privileges through delegation chains.
Edge cases appear when the agent works across legacy systems, shared service accounts, or CI/CD runners that were never designed for fine-grained runtime policy. That is where static RBAC often fails, because a role describes who should access a system, while the agent problem is about what it is trying to do right now. NHIMG’s OWASP NHI Top 10 and Ultimate Guide to NHIs both reinforce the same operational takeaway: when behavior is dynamic, the control must be dynamic too.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agentic tools and autonomy create runtime misuse and delegation risk. |
| CSA MAESTRO | MAESTRO models agentic threat paths, trust boundaries, and control points. | |
| NIST AI RMF | AI RMF applies to dynamic AI behavior, accountability, and risk treatment. |
Use AI RMF to assign ownership, assess runtime risk, and continuously monitor behavior.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org