The gradual gap between the agent behaviour an enterprise intends and the access, dependencies, and runtime conditions that actually shape what the agent can do. It matters because trusted inputs such as connectors, extensions, and prompts can expand authority without a deliberate governance decision.
Expanded Definition
Agent Trust-Chain Drift describes the slow mismatch between the authority an enterprise thinks an AI agent has and the authority it actually accumulates through connectors, tokens, tool permissions, prompts, and runtime dependencies. In NHI security, the key issue is not just whether the agent was approved, but whether its effective trust chain has quietly expanded beyond the original design. This concept aligns closely with the risk thinking in the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10, both of which emphasize governance over emergent behaviour and uncontrolled tool use. Definitions vary across vendors on whether drift includes only permissions changes or also includes model behaviour shifts caused by prompt and context accumulation. NHIMG treats it as the full operational chain, because the security outcome depends on every dependency that can widen execution authority. The most common misapplication is treating drift as a one-time configuration problem, which occurs when teams review initial agent setup but ignore ongoing changes to tools, scopes, and delegated access.
Examples and Use Cases
Implementing agent trust-chain controls rigorously often introduces friction, because each added approval step can slow agent execution and reduce automation speed, requiring organisations to weigh agility against containment.
- An AI support agent starts with read-only CRM access, then gains a ticketing connector that can also update customer records, broadening its practical authority beyond the original approval.
- A coding agent uses an extension that inherits a developer’s session token, creating a hidden path from bounded assistance to repository-wide action. NHIMG’s Analysis of Claude Code Security shows why toolchain boundaries must be explicit.
- An operations agent is retrained to use a new incident-response prompt pack, but the prompt pack silently includes access instructions for adjacent systems, changing what the agent can do in practice.
- A sales automation agent inherits an OAuth token with broader scopes after a workflow update, similar to patterns discussed in the Salesloft OAuth token breach.
- A retrieval agent begins pulling from a new document store containing secrets or sensitive patterns, increasing both data exposure risk and the chance of unsafe action chaining.
These cases are also reflected in the NIST AI Risk Management Framework, which stresses ongoing governance rather than static approval.
Why It Matters in NHI Security
Agent Trust-Chain Drift matters because NHI failures often start with a small, legitimate trust expansion that no one re-evaluates. Once an agent has multiple connectors, reused credentials, and inherited permissions, the control problem shifts from identity issuance to continuous authority verification. NHIMG research on The State of Secrets in AppSec reports that the average time to remediate a leaked secret is 27 days, which is long enough for drifted access to become an active exploit path. That delay becomes more dangerous when an agent can act immediately on newly exposed or over-scoped secrets. The LLMjacking: How Attackers Hijack AI Using Compromised NHIs research also underscores how fast attackers move once credentials are exposed. Practitioners should treat drift as a governance signal that the agent’s trust boundary is no longer stable, even if no policy file was explicitly changed. Organisations typically encounter the consequences only after a prompt injection, credential leak, or connector abuse incident, at which point trust-chain drift becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and credential exposure that often expands agent authority. |
| OWASP Agentic AI Top 10 | Focuses on emergent agent behavior and unsafe tool delegation patterns. | |
| NIST AI RMF | Requires ongoing AI risk monitoring as systems and context evolve. | |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management applies directly to agent trust boundaries. |
| NIST Zero Trust (SP 800-207) | Zero trust requires continuous verification of every access path and dependency. |
Constrain tool scope, monitor agent actions, and revalidate permissions after workflow changes.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org