
Why do LLMs create risk for IAM and NHI programmes?

By NHI Mgmt Group Editorial Team Updated June 9, 2026 Domain: Agentic AI & Autonomous Identity

Because they blur the line between user intent, system behaviour, and delegated access. A model can expose sensitive data, invoke tools, or move information between systems while operating under credentials that were never designed for that style of use. IAM and NHI teams therefore need policy, logging, and revocation controls that fit dynamic model behaviour.

Why This Matters for Security Teams

LLMs change the identity problem because they do not just authenticate and wait for approval. They infer, generate, summarize, and call tools while carrying context from one interaction to the next. That makes old IAM assumptions brittle: a single credential may now enable data exposure, cross-system action, or policy bypass at machine speed. Current guidance increasingly treats this as an agentic risk problem, not a simple application access issue, as reflected in the OWASP Agentic AI Top 10 and NIST’s AI governance guidance.

The operational danger is not that LLMs “become users,” but that they operate with delegated access that was never designed for autonomous action. That can create hidden privilege chains, weak revocation, and logging gaps when prompts, tool calls, and downstream API activity are not correlated. NHI programmes also inherit the same weaknesses seen in broader non-human identity estates, where NHIMG research in the 2024 Non-Human Identity Security Report found only 19.6% of professionals were strongly confident in securing workload identities. In practice, many security teams encounter LLM abuse only after a model has already moved data or invoked tools, rather than through intentional design review.

How It Works in Practice

Security teams need to treat LLMs as workload identities with runtime behavior, not as static application accounts. That means separating three layers: the human who initiated the request, the model that is reasoning over context, and the tool or service identity that actually performs the action. When those layers are collapsed into one shared service account, the organisation loses visibility into intent, authorization scope, and revocation boundaries. NHI guidance from NHIMG’s Top 10 NHI Issues highlights why credential sprawl and weak lifecycle control are recurring failure modes.

In practice, stronger patterns include:

  • Just-in-time credentials that are issued per task and revoked immediately after completion.
  • Short-lived tokens instead of long-lived API keys, because TTL matters more when actions are autonomous.
  • Workload identity primitives such as SPIFFE or OIDC-bound service tokens to prove what the agent is.
  • Real-time policy evaluation, using policy-as-code, so access is decided at request time with full context.
  • Fine-grained logging that links prompt, tool invocation, and downstream API call into one audit trail.

This is where static RBAC often fails. An LLM’s access pattern is not stable enough for pre-defined role maps alone, because a single session may summarise documents, query a database, send mail, and trigger workflow automation. Intent-based or context-aware authorization is the emerging alternative, but current guidance suggests it should supplement, not replace, least privilege and explicit approval for sensitive actions. Security teams should align these controls with the risk signals described in the NIST AI Risk Management Framework and with the AI LLM hijack breach analysis of how prompt and tool abuse can cascade through connected systems. These controls tend to break down in environments where agents share one privileged connector account across many tools, because attribution and revocation become too coarse to stop lateral movement.
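The three-layer separation (human, model, tool identity), per-task short-lived tokens, request-time policy evaluation and the correlated audit trail described above, together with the point that sensitive actions still need explicit approval, worked through as an added Python example. This is illustration code written for this page, not code from NHIMG or any named product. The SPIFFE-style agent IDs, the policy table, the tool names, the HMAC-signed token format and the in-memory revocation set are all constructed assumptions; a real deployment would bind these to its workload identity provider and policy engine.

```python
import hashlib
import hmac
import json
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample key for the hypothetical token issuer (not a real secret).
ISSUER_KEY = b"constructed-issuer-key-for-demo-only"

# Hypothetical policy-as-code: each agent identity (SPIFFE-style ID, assumed
# naming) gets an allow-list of tools; sensitive tools need a human approver.
POLICY = {
    "spiffe://example.org/agent/support-bot": {
        "kb.search": {"approval": False},
        "ticket.read": {"approval": False},
    },
    "spiffe://example.org/agent/coding-agent": {
        "repo.read": {"approval": False},
        "repo.open_pr": {"approval": True},
        "deploy.run": {"approval": True},
    },
}

AUDIT_LOG: list = []   # one record per tool call, linking all three layers
REVOKED: set = set()   # token IDs revoked as soon as the task completes


@dataclass
class RequestContext:
    human: str                          # the person who initiated the request
    agent: str                          # the model/agent workload identity
    prompt_id: str                      # correlates back to the conversation turn
    tool: str                           # the tool the model wants to invoke
    approved_by: Optional[str] = None   # explicit approver for sensitive actions


def authorize(ctx: RequestContext) -> tuple:
    """Request-time policy decision using the full context, not a static role map."""
    rules = POLICY.get(ctx.agent, {})
    if ctx.tool not in rules:
        return False, "tool not in agent allow-list"
    if rules[ctx.tool]["approval"] and not ctx.approved_by:
        return False, "sensitive action requires explicit human approval"
    return True, "allowed"


def issue_task_token(ctx: RequestContext, ttl_seconds: int = 60) -> str:
    """Mint a short-lived token bound to one human, one agent, one tool, one task."""
    claims = {
        "jti": str(uuid.uuid4()),
        "sub": ctx.agent,          # the agent identity performing the action
        "act": ctx.human,          # the human on whose behalf it acts
        "tool": ctx.tool,
        "prompt_id": ctx.prompt_id,
        "exp": int(time.time()) + ttl_seconds,
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig


def verify_task_token(token: str, tool: str, now: Optional[int] = None) -> Optional[dict]:
    """The tool side: check signature, expiry, revocation and tool binding."""
    try:
        body_hex, sig = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now or claims["jti"] in REVOKED or claims["tool"] != tool:
        return None
    return claims


def invoke_tool(ctx: RequestContext, tool_impl: Callable[[dict], str]) -> dict:
    """Gateway between model and tool: authorize, mint, call, log, revoke."""
    allowed, reason = authorize(ctx)
    record = {"prompt_id": ctx.prompt_id, "human": ctx.human, "agent": ctx.agent,
              "tool": ctx.tool, "decision": reason, "token_id": None, "result": None}
    if allowed:
        token = issue_task_token(ctx)
        claims = verify_task_token(token, ctx.tool)   # downstream side re-checks
        record["token_id"] = claims["jti"]
        record["result"] = tool_impl(claims)
        REVOKED.add(claims["jti"])   # zero standing privilege: revoke on completion
    AUDIT_LOG.append(record)        # prompt, tool call and token in one trail
    return record


if __name__ == "__main__":
    bot = RequestContext("alice@example.org",
                         "spiffe://example.org/agent/support-bot", "p-1", "kb.search")
    print(invoke_tool(bot, lambda c: f"searched as {c['act']}"))
```

The gateway is the only place that holds the issuer key, so the model never sees a reusable credential: each tool call gets a token that names the human, the agent and the tool, is rejected by the tool if presented for any other tool, and is revoked the moment the call returns. The audit record carries the prompt ID alongside the token ID, which is what lets an investigator walk from a downstream API call back to the conversation turn that caused it.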

Common Variations and Edge Cases

Tighter control often increases latency and operational overhead, so organisations have to balance automation speed against blast-radius reduction. That tradeoff becomes visible in production environments that rely on many small integrations, especially where developers expect models to operate continuously across chat, code, and ticketing systems. Best practice is evolving, and there is no universal standard for how much autonomy should be pre-approved versus checked at runtime.

Edge cases matter. An internal support bot that only drafts responses may tolerate broader read access than a coding agent that can open pull requests or run deployment scripts. Likewise, a model wrapped in a single “assistant” application is easier to govern on paper, but it often hides the real risk: the downstream tokens and secrets used by plug-ins, connectors, and orchestration layers. NHIMG’s reporting on compromised non-human identities in the 2024 ESG Report: Managing Non-Human Identities shows why weak lifecycle controls remain a recurring breach factor. For governance, current guidance suggests starting with the highest-risk actions, then adding intent checks, JIT provisioning, and stronger revocation paths as autonomy expands.

In short, LLMs create IAM and NHI risk whenever they are allowed to act like operators without being managed like high-variance workload identities. That is why the most defensible programmes combine zero standing privilege, context-aware approval, and auditability instead of assuming a chatbot can be governed like a normal user account.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Covers tool misuse and unauthorized action by autonomous agents. |
| CSA MAESTRO | M1 | Addresses agent identity, trust boundaries, and privilege chaining. |
| NIST AI RMF | (framework-wide) | Provides AI governance structure for autonomous model risk. |

Apply AI RMF to document intended use, monitor behavior, and manage model-driven access risk.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 9, 2026.