Context drift is the gap between what an identity was authorised to do at the start of a session and what it ends up doing after inputs, tools, or instructions change. In agentic systems, it is a core governance problem because behaviour can move outside the original approval boundary.
Expanded Definition
Context drift describes what happens when an autonomous agent or service identity begins a task under one approval context, then receives new prompts, tool outputs, or environmental signals that shift its behaviour beyond the original boundary. In NHI security, the problem is not merely that access exists, but that the meaning of that access changes mid-session.
This term sits close to prompt injection, tool abuse, and privilege creep, but it is more specific: the session starts legitimate and becomes misaligned over time. No single standard governs this yet, so usage in the industry is still evolving. In practice, governance teams should treat context drift as a control failure in the chain between authorisation, execution, and supervision, especially where agents can call tools or inherit secrets from upstream workflows. The NIST Cybersecurity Framework 2.0 is useful here because it frames the need to manage identity, access, and monitoring as linked outcomes rather than isolated checks.
The most common misapplication is assuming the original approval remains valid after tool calls or instruction changes, which occurs when teams do not re-evaluate session intent before each sensitive action.
Examples and Use Cases
Implementing controls for context drift rigorously often introduces latency and extra review steps, requiring organisations to weigh agent autonomy against the cost of tighter session governance.
- An AI support agent begins with permission to summarise tickets, then a plugin fetches customer records and the agent starts recommending account changes outside its original remit.
- A CI/CD assistant is approved to open pull requests, but after reading repository secrets it starts proposing deployment actions that should require human review.
- An internal copilot receives a revised instruction chain from a workflow engine and shifts from read-only analysis to operational commands, even though its NHI was not re-authorised for execution.
- A sales workflow agent inherits an OAuth token and tool access, then keeps using those credentials after the business context changes, a failure pattern similar to the Salesloft OAuth token breach investigation.
- An agent operating under NIST Cybersecurity Framework 2.0 guidance may still fail if monitoring does not detect that its actions have moved beyond the approved session intent.
These examples are not just about poor prompting. They show how context, tools, and secrets interact inside a live NHI session, which is why session-scoped controls matter more than static permissions alone.
Why It Matters in NHI Security
Context drift is a governance risk because it turns a valid identity into an unreliable actor without changing the underlying credential. That is especially dangerous for agents, service accounts, and API-driven workflows where execution authority can persist after the business purpose has shifted. When organisations fail to bind actions to the current session context, they can lose control over data access, outbound calls, and privilege escalation paths.
The scale of the exposure is not theoretical: NHI Mgmt Group reports that only 5.7% of organisations have full visibility into their service accounts, which makes it difficult to notice when an agent has drifted from approved intent. This is why context drift belongs in identity governance, not just AI safety reviews. It also connects to broader Zero Trust practice, since the NIST Cybersecurity Framework 2.0 and Zero Trust thinking both assume continuous verification rather than one-time trust. Teams should also study the Salesloft OAuth token breach because it shows how tokens and delegated access can be abused once operational context changes.
Organisations typically encounter the consequences only after an agent has already used valid access to expose data or trigger an unauthorised action, at which point addressing context drift is no longer optional.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A-03 | Context drift is a core agentic risk when behavior diverges from approved intent. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Drift often exposes weak secret handling and overbroad NHI session authority. |
| NIST Zero Trust (SP 800-207) | 3.1 | Zero Trust requires continuous verification instead of assuming initial authorization still holds. |
Recheck agent intent before each tool call and gate sensitive actions with session-aware controls.
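One way to implement the per-call recheck described above, as an added example that is not NHI Mgmt Group's code: the session records the approval given at the start, tracks every context change, and decides each tool call against the current context rather than the original one. The `Approval` and `Session` classes and the tool names are hypothetical, and the scenario is constructed from the support-agent use case.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Approval:
    """What the identity was authorised to do when the session started."""
    purpose: str
    tools: frozenset        # tools covered by the original approval
    sensitive: frozenset    # tools that need approval matching the current context

@dataclass
class Session:
    approval: Approval
    context_version: int = 0    # bumped when instructions or tool output change the context
    approved_version: int = 0   # context version the latest approval was given for
    audit: list = field(default_factory=list)

    def context_changed(self, reason):
        self.context_version += 1
        self.audit.append(("context_changed", reason))

    def reauthorise(self, approver):
        self.approved_version = self.context_version
        self.audit.append(("reauthorised", approver))

    def gate(self, tool):
        """Decide one tool call against the current session context."""
        if tool not in self.approval.tools:
            decision = "deny"           # outside the original approval boundary
        elif tool in self.approval.sensitive and self.approved_version != self.context_version:
            decision = "reauthorise"    # approval predates the current context
        else:
            decision = "allow"
        self.audit.append((decision, tool))
        return decision

def demo():
    # Constructed scenario: a support agent approved to summarise tickets.
    s = Session(Approval(
        "summarise tickets",
        frozenset({"read_ticket", "post_summary", "fetch_customer_record"}),
        frozenset({"fetch_customer_record"})))
    out = [s.gate("read_ticket"), s.gate("fetch_customer_record")]
    s.context_changed("plugin output carried new instructions")
    out.append(s.gate("fetch_customer_record"))   # sensitive call, stale approval
    out.append(s.gate("update_account"))          # never part of the approval
    s.reauthorise("human-reviewer")
    out.append(s.gate("fetch_customer_record"))
    return out
```

The audit list gives monitoring a record of when the context moved and which calls were held for re-authorisation, which is the signal needed to notice drift while the credential itself stays valid.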
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org