The gap between what an AI agent was approved to do and what it actually does once it starts operating. In practice, drift appears when tools, data sources, prompts, or service identities change faster than governance reviews can keep up, creating hidden exposure and audit uncertainty.
Expanded Definition
Agent scope drift describes a mismatch between an AI agent’s approved operating boundary and the actions it later performs as tools, prompts, data sources, or service identities change. It is closely related to governance drift, but the emphasis here is on execution authority: what the agent can actually reach, modify, or disclose once it is running.
In NHI and IAM practice, the term matters because an agent is not a static workflow. A deployment that begins with tight RBAC and bounded tool access can drift into broader reach if connectors are added, permissions are inherited, or prompts are updated without a corresponding policy review. Definitions vary across vendors, and no single standard governs this yet, so teams should treat it as an operational control problem rather than a purely model-risk concept. The OWASP Agentic AI Top 10 and the OWASP Top 10 for Agentic Applications 2026 both reflect this reality by focusing attention on over-broad execution paths and missing guardrails.
The most common misapplication is treating initial approval as permanent approval, which occurs when teams fail to revalidate tool access after environment, prompt, or identity changes.
Examples and Use Cases
Implementing agent scope controls rigorously often introduces slower change management, requiring organisations to weigh faster agent iteration against tighter review and revocation discipline.
- A customer support agent begins with read-only ticket access, then gains write access to a CRM after a workflow upgrade. If the new path is not reviewed, the agent’s effective scope now exceeds the original approval.
- An internal coding agent is allowed to open pull requests, but later inherits repository write privileges through a shared service account. The issue is not the model itself, but the expansion of the NHI behind it. NHIMG’s Analysis of Claude Code Security is relevant here because tool access and execution boundaries are central to safe agent deployment.
- An automation agent that can query payroll data is re-pointed at a broader HR dataset for a temporary project. The approved use case did not change, but the data exposure did, creating scope drift.
- An operations agent is granted a short-lived API key for incident response, then the credential is never revoked. Over time, the agent’s reachable systems become wider than the original incident playbook intended, a pattern echoed in the NIST AI Risk Management Framework.
- After a third-party connector is added, the agent can trigger downstream actions in systems the security team never mapped. NHIMG’s OWASP NHI Top 10 helps frame how agentic access paths create NHI risk.
Why It Matters in NHI Security
Agent scope drift matters because the agent’s authority is only as trustworthy as the controls around its runtime identity, secret handling, and tool access. When drift goes unnoticed, organisations lose confidence in audits, segregation of duties, and incident containment. The risk is amplified when long-lived secrets and permissive service accounts are used to support the agent, because the identity can silently outgrow the approved use case.
NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which makes hidden scope expansion especially dangerous. A mature program therefore needs continuous entitlement review, connector inventory, and explicit approval for any new data source or action path. That discipline aligns well with the NIST AI Risk Management Framework and the OWASP Non-Human Identity Top 10, both of which emphasise traceability and control over machine identities. NHIMG’s Salesloft OAuth token breach is a reminder that once tokens or delegated access escape their intended boundary, the resulting exposure can be hard to spot and harder to unwind.
Organisations typically encounter agent scope drift only after an unexpected action, data exposure, or audit finding, at which point the term becomes operationally unavoidable to address.
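The drift patterns in the examples above (added tools, re-pointed data sources, inherited permissions, an unrevoked short-lived key) can all be caught by the continuous entitlement review this section calls for. The following is an added, constructed example and not NHIMG's or any vendor's code: the manifest layout, field names and sample values are assumptions, chosen to show an approved scope being compared with the scope an agent can actually reach at runtime.

```python
"""Approved-scope vs effective-scope drift check for an AI agent.

Constructed example: the manifest shape and field names are assumptions,
not any vendor's schema. The approved scope is what governance signed off
on; the effective scope is what a connector inventory, IAM entitlement
export and secrets store report after several unreviewed changes.
"""
from datetime import datetime

# Constructed approved scope for a support/coding agent.
APPROVED = {
    "tools": {"tickets.read"},
    "data_sources": {"support_tickets"},
    "permissions": {"repo:pull_request"},
}

# Constructed effective scope: each extra entry mirrors one drift example.
EFFECTIVE = {
    "tools": {"tickets.read", "crm.write"},               # workflow upgrade
    "data_sources": {"support_tickets", "hr_master"},     # re-pointed dataset
    "permissions": {"repo:pull_request", "repo:write"},   # inherited via shared account
    "credentials": [                                      # incident key never revoked
        {"id": "incident-key", "expires": "2026-01-15T00:00:00+00:00", "revoked": False},
        {"id": "daily-key", "expires": "2026-12-31T00:00:00+00:00", "revoked": False},
    ],
}


def find_drift(approved, effective, now):
    """Return (category, item, reason) findings for every scope expansion.

    A finding is raised for each tool, data source or permission that is
    reachable at runtime but absent from the approved scope, and for each
    credential whose expiry (ISO 8601) is before `now` yet is not revoked.
    """
    now_dt = datetime.fromisoformat(now)
    findings = []
    for cat in ("tools", "data_sources", "permissions"):
        extra = effective.get(cat, set()) - approved.get(cat, set())
        for item in sorted(extra):
            findings.append((cat, item, "reachable at runtime but not in approved scope"))
    for cred in effective.get("credentials", []):
        if datetime.fromisoformat(cred["expires"]) < now_dt and not cred["revoked"]:
            findings.append(("credentials", cred["id"], "expired but never revoked"))
    return findings


if __name__ == "__main__":
    for category, item, reason in find_drift(APPROVED, EFFECTIVE, "2026-06-02T00:00:00+00:00"):
        print(f"DRIFT [{category}] {item}: {reason}")
```

Run as a scheduled check, each finding is a scope change that needs either a fresh approval or a revocation; an empty result means runtime reach still matches the approved boundary.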
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 and the OWASP Agentic AI Top 10 address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Scope drift often stems from weak secret and service account governance. |
| OWASP Agentic AI Top 10 | A2 | Agentic risk guidance covers unauthorized actions from expanding tool access. |
| NIST AI RMF | GOVERN | AI RMF governance requires traceable controls over changing system behavior. |
Review agent credentials, tool access, and revocation paths whenever scope changes.
Reviewed and updated by the NHIMG editorial team on June 2, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org