An AI agent that remains active after its original purpose, project, or owner has ended. It still has valid credentials and can keep acting inside enterprise systems, which makes it an identity lifecycle problem as much as an AI operations problem.
Expanded Definition
A zombie agent is not simply “old automation.” It is an autonomous software entity that still has execution authority, tool access, and valid secrets after the business reason for its existence has ended. In NHI governance, that makes it a lifecycle failure: the agent was not fully discovered, owned, deprovisioned, or monitored.
Definitions vary across vendors because some teams reserve the term for LLM-driven agents, while others apply it to any lingering service account, bot, or workflow process. In practice, the useful distinction is operational: if the entity can still call APIs, reach data, or trigger actions without an active owner, it behaves like a zombie agent. That is why the topic sits between identity security, PAM, RBAC, JIT, and AI operations, not just “AI app cleanup.” The OWASP OWASP Agentic AI Top 10 is a useful reference point for the control failures that let autonomous systems persist too long.
The most common misapplication is treating a decommissioned agent as harmless because its project is archived, when the underlying secrets and permissions were never revoked.
Examples and Use Cases
Implementing zombie-agent controls rigorously often introduces operational friction, requiring organisations to weigh fast agent deployment against the cost of ownership, inventory, and offboarding discipline.
- A customer-support agent was replaced by a newer workflow, but its API key still allowed ticket updates and data export until secrets rotation exposed the gap. NHIMG research on the Moltbook AI agent keys breach shows how unattended keys can remain an active risk long after the original deployment.
- An internal code-review agent continued merging changes after the product team dissolved, because its service account remained in a broad RBAC group and no offboarding workflow existed.
- A procurement agent kept polling vendor systems months after the owner left the company, creating unnecessary third-party exposure and audit noise.
- An incident-response bot was cloned into a test environment, but the production credentials were reused, creating duplicate identities with unclear ownership.
- A finance assistant retained write access to ERP data even after the model prompt and orchestration layer were retired, because the token was never revoked.
For teams building agentic systems, the control problem aligns closely with the OWASP Top 10 for Agentic Applications 2026 and with threat-modeling guidance such as the CSA MAESTRO agentic AI threat modeling framework, both of which emphasize persistent authority as a design risk.
Why It Matters in NHI Security
Zombie agents matter because they turn a completed project into an active identity risk. Once the original business owner is gone, governance usually weakens: secrets are left in code, access reviews stop, and the agent is no longer tied to a clear change-management process. That creates the conditions for privilege accumulation, hidden lateral movement, and unowned automation that can survive well past its intended scope. NHIMG research shows that only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which explains why abandoned automation often remains reachable.
This problem becomes more serious in environments following Zero Trust Architecture, because trust decisions must be continuously verified rather than inherited from old deployment state. The identity lifecycle for agents should therefore be mapped against the NIST AI Risk Management Framework and the NIST AI Risk Management Framework so ownership, monitoring, and deactivation are explicit. NHIMG also notes that OWASP NHI Top 10 discussions increasingly treat lifecycle failure as a core exposure, not a housekeeping issue. Organisations typically encounter the impact only after an audit failure, data access anomaly, or compromise, at which point the zombie agent becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Zombie agents persist because secrets and ownership were not revoked. |
| NIST AI RMF | AI RMF frames ongoing monitoring, accountability, and lifecycle risk for deployed agents. | |
| NIST Zero Trust (SP 800-207) | 4.1 | Zero Trust requires continuous verification instead of assuming old agent access is still valid. |
Assign accountable owners and monitor agent behavior until formal retirement is complete.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
