Agentic AI systems autonomously request and use multiple NHIs for task execution — often creating new identities dynamically. Where a traditional application uses one or two service accounts, a single agent executing a complex workflow may create and consume dozens of NHIs. Multiply across hundreds of concurrent agent instances and the identity creation rate becomes extraordinary. This scale creates conditions for compromise propagating through interconnected agent identities.
Why Autonomous Agents Accelerate Identity Sprawl
Agentic AI changes identity sprawl because the workload is no longer a fixed application with a stable access map. An autonomous agent can plan, retry, branch, call tools, delegate to sub-agents, and request fresh access as its objective evolves. That means identity creation is driven by runtime intent, not by a neat catalogue of approved service accounts. In practice, security teams often discover this only after a workflow has already created more NHIs than the team expected to exist at all.
This is why static IAM models struggle. Role-based access control was built for predictable job functions, not for goal-driven software that can change its own sequence of actions mid-task. Current guidance increasingly points toward intent-based authorisation, but there is no universal standard for this yet. The practical problem is not just count, but churn: each new agent, session, tool call, or delegated step can introduce another identity boundary to govern. For a broader baseline on this problem, see Ultimate Guide to NHIs and OWASP Agentic AI Top 10.
Research from NHI Mgmt Group shows the scale of the wider exposure: Ultimate Guide to NHIs reports that NHIs outnumber human identities by 25x to 50x in modern enterprises, which means agentic expansion lands on top of an already crowded identity estate.
How JIT Credentials and Workload Identity Reduce the Blast Radius
The practical answer is to stop treating every agent interaction as a standing entitlement. Instead, issue just-in-time credentials for a narrowly scoped task, bind them to workload identity, and revoke them automatically on completion. That shifts the control plane from “who is this user?” to “what is this autonomous workload allowed to do right now?” This is where workload identity primitives such as OIDC-issued tokens and SPIFFE/SPIRE-style identity become important, because they prove what the agent is in cryptographic terms rather than relying on a reused password, API key, or long-lived secret.
Short-lived secrets matter more for agents than for humans because autonomous workflows can chain actions at machine speed. A token with a long TTL is not just a convenience; it is a propagation path. The more steps an agent can execute without re-authentication, the more likely it is that a compromised context persists across tool calls. NIST’s AI governance guidance in the NIST AI Risk Management Framework and the implementation patterns discussed in MITRE ATLAS adversarial AI threat matrix both support tighter runtime control, while OWASP NHI Top 10 highlights how secret exposure and overprivilege combine into fast-moving compromise paths.
- Use per-task or per-session credentials, not standing secrets.
- Bind each token to the specific workload identity, environment, and action scope.
- Evaluate access at request time using policy-as-code rather than pre-baked static roles.
- Revoke access automatically when the objective completes or the context changes.
These controls tend to break down when agents must operate across loosely governed toolchains and legacy systems that cannot validate runtime context.
Where Current Guidance Breaks Down in Real Agentic Environments
Tighter credential controls often increase orchestration overhead, requiring organisations to balance faster automation against more frequent policy checks and revocations. That tradeoff becomes visible in multi-agent pipelines, where one agent may spawn several others, each with different tool permissions, data access needs, and token lifetimes. Best practice is evolving, but current guidance suggests that a single shared service account is usually the wrong abstraction once agents begin acting autonomously.
Another edge case is delegation. If an agent can hand off work to another agent, then identity sprawl is no longer just about issuance volume. It becomes about lineage, traceability, and revocation depth: which downstream identities were created, which ones inherited access, and which ones must be killed when the parent task fails. The same concern appears in AI LLM hijack breach and Moltbook AI agent keys breach, where exposed or overbroad agent credentials amplified the impact of compromise. External threat reporting in the Anthropic first AI-orchestrated cyber espionage campaign report also reinforces that autonomous systems can be turned into scalable access brokers, not just passive tools.
In environments with legacy APIs, static vendor integrations, or poorly instrumented secret stores, the guidance often collapses back to manual exception handling, which is exactly where sprawl becomes hardest to see and easiest to exploit.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agent autonomy and tool use expand identity sprawl and access paths. |
| CSA MAESTRO | GOV-03 | Governance of agentic workflows is essential when identities are created dynamically. |
| NIST AI RMF | GOVERN | AI governance must address accountability for autonomous identity issuance and use. |
Limit agent tool scope and require runtime approval for new identity creation or privilege expansion.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
