Authentication, Authorisation & Trust

Why do strong authentication methods still fail to solve agent accountability?

By NHI Mgmt Group Editorial Team. Updated June 9, 2026. Domain: Authentication, Authorisation & Trust

Because authentication proves a subject was present, not that the subject intended a specific downstream action. FIDO2, OTPs, and push prompts can establish identity or session control, but they do not prove the human approved a supplier negotiation, invoice change, or workflow commit made later by an agent.

Why This Matters for Security Teams

Strong authentication can confirm a person or process was present, but it does not bind that presence to every later action an agent takes. That distinction matters because autonomous and semi-autonomous systems can chain tools, reuse sessions, and make decisions long after the initial login. Guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both point to the same operational problem: identity alone does not create accountability for downstream intent, context, or authority.

This is why teams that rely on FIDO2, OTP, or push prompts often believe they have solved approval risk when they have only reduced login risk. The real issue is attribution of later actions, especially when a workflow commit, supplier change, or data export happens through an agent operating under a valid session. NHIMG research on the AI LLM hijack breach shows how quickly compromised non-human identities can be turned into active abuse paths once credentials or sessions are in play. In practice, many security teams discover accountability failures only after an agent has already executed an unauthorized change, rather than through deliberate review of the approval chain.

How It Works in Practice

Accountability for agents requires more than authentication; it requires a control stack that can explain what the agent was allowed to do, at what time, with which context, and under whose authority. For human users, authentication usually anchors a session. For agents, that session may span multiple tools, prompts, APIs, and delegated steps. Current guidance suggests shifting from static role assignment to runtime authorization, where policy decisions are evaluated at the moment of action using task context, destination, data sensitivity, and risk signals.

In practice, this means pairing authentication with workload identity, short-lived credentials, and policy-as-code. A workload identity gives cryptographic proof of what the agent is, while just-in-time issuance limits what it can do to a narrow purpose window. Frameworks such as the CSA MAESTRO agentic AI threat modeling framework and the MITRE ATLAS adversarial AI threat matrix are useful because they force teams to think about tool chaining, lateral movement, and post-authentication abuse instead of treating login as the control objective.

  • Issue ephemeral credentials per task, not long-lived secrets reused across jobs.
  • Evaluate authorization at request time using intent, data classification, and action scope.
  • Log the full delegation chain so each agent action is attributable to a policy decision.
  • Separate authentication of the operator from authorization of the agent’s next step.

NHIMG’s The State of Secrets in AppSec highlights how secret sprawl and delayed remediation undermine control even when teams feel confident in their programs. These controls tend to break down in environments where agents inherit broad API access, shared service accounts, or flat approval workflows because the original authentication event no longer maps cleanly to the action that caused harm.
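The four controls above, as an added illustration that is not code from NHIMG or any named framework: a task-scoped credential is issued just in time with a short TTL, every agent action is evaluated against task scope, destination, and data classification at request time, each decision is appended to a delegation log that names the approving operator, and the credential is revoked when the task completes. Agent, task, action and classification values are constructed for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class TaskCredential:
    """Ephemeral, task-scoped credential issued just in time for one agent run."""
    agent_id: str
    task_id: str
    approved_by: str            # operator whose authentication anchored the task
    allowed_actions: frozenset
    allowed_destinations: frozenset
    max_data_class: int         # 0 = public .. 3 = restricted (constructed scale)
    expires_at: float
    revoked: bool = False


DELEGATION_LOG = []             # one record per decision: the chain auditors replay


def issue_credential(agent_id, task_id, approved_by, actions, destinations,
                     max_data_class, ttl_seconds, now):
    """Just-in-time issuance: narrow scope and short TTL, bound to a single task."""
    return TaskCredential(agent_id, task_id, approved_by, frozenset(actions),
                          frozenset(destinations), max_data_class, now + ttl_seconds)


def authorize(cred, action, destination, data_class, now=None):
    """Evaluate policy at request time, not at login; returns (allowed, reason)."""
    now = time.time() if now is None else now
    if cred.revoked:
        verdict = (False, "credential revoked after task completion")
    elif now >= cred.expires_at:
        verdict = (False, "credential expired")
    elif action not in cred.allowed_actions:
        verdict = (False, f"action '{action}' outside task scope")
    elif destination not in cred.allowed_destinations:
        verdict = (False, f"destination '{destination}' not in task scope")
    elif data_class > cred.max_data_class:
        verdict = (False, "data classification above task ceiling")
    else:
        verdict = (True, "allowed by task policy")
    # Record task, agent, approver, action and decision so the action is attributable.
    DELEGATION_LOG.append({"task": cred.task_id, "agent": cred.agent_id,
                           "approved_by": cred.approved_by, "action": action,
                           "destination": destination, "allowed": verdict[0],
                           "reason": verdict[1], "at": now})
    return verdict


def revoke_on_completion(cred):
    """Explicit revocation so a finished task's credential cannot be repurposed."""
    cred.revoked = True
```

A valid, unexpired credential still fails the request when the action, destination or data class falls outside the task it was issued for, which is the gap login-time authentication leaves open.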

Common Variations and Edge Cases

Tighter authentication often increases operational overhead, requiring organisations to balance stronger proof of presence against the complexity of delegated automation. That tradeoff becomes sharper in high-volume environments, where agents act continuously and human reauthentication for every step would destroy usability. There is no universal standard for how much human approval should sit in the loop for agentic workflows, so best practice is still evolving.

Some organisations try to solve accountability with step-up prompts alone, but that approach works poorly when the agent’s next move is unpredictable or when a legitimate session is later repurposed by an attacker. The more robust pattern is to combine authentication with runtime guardrails, explicit task boundaries, and revocation on completion. The OWASP NHI Top 10 and the NIST AI Risk Management Framework both reinforce that the control objective is trustworthy action, not merely trusted login.

Vendor-managed copilots, multi-agent pipelines, and delegated approval bots are the hardest edge cases because they blur the line between human intent and machine execution. In those settings, the question is not whether authentication succeeded, but whether the organisation can prove which policy permitted a specific downstream action and whether that permission should have existed at that moment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agentic misuse begins after login, so runtime action control is central. |
| CSA MAESTRO | | MAESTRO addresses delegated autonomy, tool chaining, and agent accountability. |
| NIST AI RMF | GOVERN | AI RMF GOVERN covers accountability, traceability, and role clarity. |

Bind each agent action to policy evaluation at request time, not to the initial authentication event.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 9, 2026.