The AI Agent Authorization Gap

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-05-07

Categories: Artificial Intelligence Security, Identity and Access Management, Agentic AI

Executive Summary

Enterprise AI agents have crossed the threshold from experimentation into production. They automate tasks, retrieve data, generate code, manage cloud infrastructure, and execute financial transactions, often without meaningful human review at the moment of action. The security question this creates is not principally about what these agents do; it is about whose identity they act as, and under whose authorization they act.

The authorization gap examined in this paper is the systemic mismatch between the authority enterprise AI agents exercise in practice and the identity governance frameworks that are supposed to constrain that authority. Agents are widely deployed with credentials borrowed from human user accounts, shared service accounts with inherited administrative privileges, or long-lived API tokens with no defined owner, no expiration, and no monitoring. At the same time, organizational confidence in the protections supposedly governing these systems is high—a disparity that constitutes a significant structural risk in enterprise security today.

A January 2026 survey by CSA and Aembit of 228 IT and security professionals found that only 36 percent of organizations assign a dedicated identity to AI agents, while 43 percent rely on shared or generic service accounts and 31 percent operate agents under a human user’s identity—with some organizations reporting more than one approach in use [1]. A separate survey of 919 executives and practitioners by Gravitee found that 88 percent of organizations reported confirmed or suspected AI agent security incidents in the preceding year, while only 14 percent sent agents to production with full security or IT approval [2]. Both surveys focus on organizations actively engaging with AI agent deployment, and findings should be interpreted in that context; nonetheless, the figures describe not an emerging risk but a live exposure.

This paper provides a structured analysis of the authorization gap: its root causes, its consequences, the emerging standards and frameworks attempting to address it, and the practical controls enterprises should implement now. It draws on CSA’s own research including the MAESTRO agentic AI threat modeling framework, the AI Controls Matrix (AICM), and CSA’s AI Organizational Responsibilities guidance, and situates enterprise action within the evolving regulatory and standards landscape.


Introduction and Background

The Agentic Shift in Enterprise AI

For most of the period from 2023 through 2025, enterprise AI deployment was characterized by what might be called a supervised pattern: human users queried AI systems, reviewed outputs, and decided what to do next. The model operated as an advisor rather than an actor. This pattern preserved most of the identity and accountability infrastructure that organizations had built for human-operated workflows, because the consequential actions—sending the email, executing the trade, deleting the record—were still performed by identified human users through audited access paths.

That pattern has now changed materially. The deployment of AI agents that can plan, call external tools, write and execute code, and take sequences of actions without human review at each step has shifted the AI model from advisor to actor. As of early 2026, 80.9 percent of organizations have moved past AI agent planning into active testing or production deployment [2]. A CSA survey found that 67 percent of respondents use task-automation agents, 52 percent use data-retrieval agents, 50 percent use code-generation agents, and 50 percent use security and monitoring agents [1]. Within twelve months, 73 percent of respondents expect AI agents to be very important or critical to their operations [1].

This shift is consequential not because AI agents are inherently less trustworthy than human users, but because the security infrastructure organizations built to govern human access—identity federation, role-based access control, audit logging tied to authenticated principals, just-in-time privilege elevation, and credential lifecycle management—was designed around the assumption that the actor at the other end of an access request is a human being with organizational accountability. AI agents, operating autonomously across systems and time zones, break several foundational assumptions embedded in that infrastructure, particularly those governing accountability and behavioral predictability.

Why Existing IAM Infrastructure Falls Short

Traditional Identity and Access Management systems assign credentials to individuals or to named services, bind those credentials to specific organizational roles, and rely on human accountability chains to enforce appropriate use. A user who exceeds their authorization can be disciplined, retrained, or terminated. A service account assigned to a specific application has a defined owner who is responsible for its use. These accountability mechanisms are not mere procedural conveniences; they are fundamental to how organizations reason about authorization decisions in practice.

AI agents do not fit cleanly into either category. They are not humans, so the accountability structures designed for human users do not transfer. They are not static applications with bounded, predictable behavior, so the service-account model designed for well-defined software processes does not apply. They operate as autonomous decision-making entities that can chain together tool calls, interact with multiple systems in a single task, and vary their behavior based on context and instruction—sometimes in ways that were not anticipated at the time the access was granted.

The result is what this paper terms the authorization gap: a structural space between the authority agents exercise in practice and the identity governance frameworks nominally responsible for constraining that authority. Agents fall into this gap not through malicious intent but through the simple inadequacy of existing infrastructure to handle a new class of principal.

The Non-Human Identity Proliferation Context

AI agents do not emerge from a vacuum. They arrive in enterprise environments already experiencing significant governance stress from the broader proliferation of non-human identities (NHIs). Service accounts, API keys, OAuth tokens, certificates, and bot credentials already outnumber human users by ratios that security teams struggle to track: industry estimates place the ratio between 40:1 and 100:1 in typical enterprises, with some hyper-automated environments exceeding this range considerably [3][4]. According to Protego research, a Fortune 500 financial institution auditing its identity landscape in 2024 found more than 4.2 million non-human identities across its environment [3].

AI agents amplify this problem in three ways. First, they generate NHIs at a rate that exceeds human governance capacity: each agent deployment typically requires multiple credentials to interact with the tools and APIs it needs. Second, they exercise those credentials in dynamic, context-dependent ways that are harder to predict and audit than the static, well-understood behavior of traditional service accounts. Third, they create accountability ambiguity—because an agent acts on behalf of a human user, an organizational objective, or an automated workflow, it can be genuinely unclear who bears responsibility when something goes wrong.


The Authorization Gap: Anatomy of a Systemic Risk

Identity Without Governance

The most immediate manifestation of the authorization gap is simple: agents operate without discrete, governed identities. The Gravitee survey found that roughly 22 percent of organizations treat AI agents as independent, identity-bearing entities [2]. Most organizations instead assign agents to one of three categories that were designed for entirely different purposes: human user accounts (sharing credentials with a person), application or workload identities (sharing credentials with a software service), or shared service accounts (credentials shared among multiple systems or users with no clear individual owner).

Each of these approaches creates a different set of risks. When agents operate under human user credentials, they inherit the full permissions of that user, including any accumulated privileges that exceed what the agent itself would need. When the agent takes a privileged action, it is attributed to the human user in audit logs—degrading the accuracy of accountability systems that depend on those logs. When agents operate under shared service accounts, the credential typically carries accumulated permissions from multiple use cases, lacks a clear owner for ongoing governance, and may persist long after the agent it was created for has been decommissioned.

Perhaps most significantly, 68 percent of organizations report that they cannot clearly distinguish AI agent activity from human activity in their logs [1]. This is not a minor analytical inconvenience. It means that when an AI agent takes an action that causes a security incident—exfiltrates data, escalates privileges, modifies a configuration—the organization cannot reliably determine that it was an agent that did it, what the agent was trying to accomplish, or what chain of instructions led to the action. Without that information, meaningful incident response is structurally impaired.

The Privilege Inheritance Problem

Closely related to identity governance is the problem of privilege inheritance. When an agent is assigned to an existing identity—a human user account or a pre-existing service account—it inherits whatever permissions that identity carries. Those permissions were typically granted to address the original account’s access needs, not the agent’s. In practice, this means agents routinely operate with permissions that exceed what they need for any given task, often dramatically so. The OWASP Non-Human Identity Top 10, published in 2025, cataloged the consequences: overprivileged identities represent a consistently exploited attack surface, with compromised NHIs regularly enabling lateral movement and privilege escalation that would not have been possible had minimal required permissions been enforced [4].

For AI agents specifically, the privilege inheritance problem is compounded by the dynamic, chaining nature of agent behavior. An agent that can execute code, write to a database, and invoke external APIs—even if each individual capability is theoretically justified—creates attack surface through the combination. An adversary who can influence the agent’s behavior through prompt injection, tool-output manipulation, or supply-chain compromise can direct the agent to use its inherited privileges in ways that the original access grant did not intend.

Accountability Fragmentation and Ownership Gaps

Beyond identity and privilege, the authorization gap includes a governance layer: the absence of clear organizational ownership for AI agent identity and access decisions. The CSA survey found that 28 percent of respondents identify security as the primary owner of AI agent identity, 21 percent cite development or engineering, 19 percent cite IT, 9 percent cite IAM teams, and 9 percent report no clear owner at all [1]. No single function has consolidated ownership in most organizations, and 63 percent of respondents report that different teams describe AI agents inconsistently [1].

This fragmentation means that access decisions for AI agents are often made by whoever deploys them, typically development teams focused on getting functionality working, without systematic review by IAM or security teams. The absence of a central owner also means that no one is tracking the full population of agents running in an environment, auditing their credential state, or enforcing decommissioning when agents are no longer needed. The Gravitee survey found that only 21 percent of organizations maintain a real-time inventory of active agents [2], and that only roughly 47 percent of deployed agents are actively monitored or secured [2].

The Confidence-Control Maturity Disconnect

A particularly concerning dimension of the authorization gap is what the data reveals about organizational self-assessment. In the Gravitee survey, 82 percent of executive respondents expressed confidence that their existing policies protect against unauthorized agent actions [2]. This confidence is not entirely unfounded: many large enterprises have existing policies governing service account creation, credential hygiene, and access reviews—policies designed before AI agents existed and not systematically extended to cover them.

Only 14 percent of organizations report that AI agents go to production with full security or IT approval [2]. Shadow AI—agents deployed without organizational knowledge or governance—is a significant and growing contributor to the incident rate: shadow AI breaches cost an average of $4.63 million per incident, approximately $670,000 more than a standard data breach [5][19]. The gap between executive confidence and operational reality is not merely an irony; it represents a structural blind spot in enterprise AI governance that enables risk to accumulate beneath the threshold of organizational awareness.


Attack Surface Analysis: How the Gap Is Exploited

Credential Abuse and Lateral Movement

The most direct exploitation path through the authorization gap is credential abuse: obtaining or misusing the credentials an AI agent holds to gain access to systems the attacker could not otherwise reach. Because agents typically hold credentials that exceed their operational needs—and because those credentials are often not monitored with the same rigor as human user credentials—they present an attractive target.

The 2025 incident involving a major SaaS-to-SaaS integration platform illustrated this dynamic concretely: attackers who compromised OAuth tokens connecting multiple platforms gained access to hundreds of downstream customer environments through a single credential compromise [3]. AI agents multiply this risk because they are connected to more tools by design and because their credential footprint is typically more poorly governed than that of traditional services.

Long-lived credentials amplify the exposure further. When an API key or service account password can persist for months or years without rotation, a compromise that goes undetected for even a brief period provides sustained access. The OWASP NHI Top 10 identifies long-lived credentials as a root-cause amplifier across the majority of NHI-related incidents, noting that the combination of over-privilege and long credential lifetime creates the conditions for attacks to produce disproportionate outcomes [4].

Prompt Injection and Authorization Hijacking

A risk category specific to AI agents—and one that has no meaningful analogue in traditional IAM—is authorization hijacking through prompt injection. An AI agent instructed to summarize a document or retrieve data from a website may encounter malicious instructions embedded in that content, directing it to take actions it was not authorized to take: exfiltrate data to an external endpoint, elevate privileges, modify records, or call additional tools with the permissions it holds.

The CSA Agentic AI Red Teaming Guide identifies this as one of twelve critical vulnerability categories for agentic systems [6]. Because the agent executes the injected instructions using its own legitimate credentials, the malicious action appears in audit logs as a legitimate action by an authorized principal—making detection and attribution extremely difficult. The damage potential of prompt injection attacks scales with the agent’s credential footprint: an agent with minimal scoped permissions can cause limited damage even if its behavior is hijacked; an agent operating with inherited administrative credentials can cause widespread data exfiltration, privilege escalation across domains, or configuration changes affecting production systems.

Multi-Agent Trust Chain Exploitation

As enterprises deploy architectures in which agents orchestrate other agents—an orchestrator directing specialized sub-agents to complete components of a larger task—the authorization problem becomes recursive. Sub-agents may inherit the authority of the orchestrator, may hold their own credentials, or may accept instructions from the orchestrator without authenticating the orchestrator’s identity or verifying that the instructions fall within authorized scope.

The CSA Agentic AI Red Teaming Guide characterizes multi-agent exploitation as a distinct threat category, noting that trust relationships established between agents during orchestration can be manipulated by adversaries who gain influence over any point in the chain [6]. The OWASP Top 10 for Agentic Applications (2026), developed with input from more than one hundred industry experts, identifies identity and privilege abuse as a top-tier risk, noting that the ability of agents to autonomously chain tools creates significant opportunities for privilege escalation that zero-trust identity management must address [7].

Scope Creep and Configuration Drift

Over time, agents accumulate permissions. Developers grant additional access to unblock a workflow, temporary expansions become permanent through inattention, and agent configurations drift away from the minimal required footprint documented at initial deployment. The OWASP MCP Top 10—specifically MCP02:2025, Privilege Escalation via Scope Creep—identifies this pattern in Model Context Protocol deployments: permissions granted to MCP-connected agents expand incrementally until the agent holds broad or administrative access that was never explicitly authorized [8].

This pattern is not deliberate. It emerges from the organizational dynamics of agent deployment: developers are incentivized to ensure functionality, not to minimize permissions; access reviews that work well for human users are rarely applied to agents; and the distributed ownership documented earlier means no one is tracking the cumulative permission state of any given agent across its lifecycle.


The Standards Landscape: Emerging Frameworks and Their Current Limits

SPIFFE, OAuth, and the Push Toward Short-Lived Credentials

The identity standards community has recognized the AI agent problem, and meaningful work is underway. SPIFFE (Secure Production Identity Framework for Everyone) provides a foundational standard for issuing cryptographically verifiable, short-lived identities to workloads. Each workload receives a unique identifier of the form spiffe://trust-domain/path, carried in a short-lived SVID (an X.509 certificate or a JWT) that peers validate against the trust domain's bundle, which removes the need for long-lived static credentials [9].

For AI agents, SPIFFE-based workload identity offers a path toward treating each agent as a distinct, cryptographically identified principal with credentials that expire automatically. CyberArk’s integration of JWT SVID identity tokens for agent authentication represents an early implementation of this approach in production environments [10]. The combination of SPIFFE-issued identities with OAuth 2.0 authorization flows creates a pattern in which an agent can prove who it is (SPIFFE) and be granted what it may access (OAuth) on a per-task basis rather than through persistent credentials.

An IETF draft proposal for Agentic JWT extends the OAuth 2.0 model to address delegation chains in multi-agent architectures, providing a mechanism by which an orchestrating agent can delegate a bounded subset of its authorization to a sub-agent without transferring its full credential scope [11]. This addresses the recursive authorization problem in multi-agent systems, though the proposal is at an early stage and broad implementation remains some years away.

Microsoft Entra Agent ID

Microsoft’s introduction of Entra Agent ID, which moved from preview to general availability in 2025, represents the first major enterprise identity platform to offer first-class support for AI agent identities. Under this model, each AI agent receives its own Entra identity, subject to the same adaptive access policies, real-time risk detection, lifecycle management, and network-level controls applied to human users and traditional workloads [12]. Agents authenticate using federated identity credentials rather than passwords or certificates, and governance activities—including access reviews and decommissioning—are managed through the standard Entra identity governance toolchain.

Microsoft’s approach operationalizes the principle that AI agents should be treated as distinct identity-bearing entities rather than as extensions of human users or generic service accounts. It also reflects the reality that robust enterprise tooling for agent identity management is currently available primarily within major platform vendor ecosystems; organizations using heterogeneous environments or multi-cloud deployments face greater implementation complexity.

OWASP Frameworks

Two OWASP frameworks published in 2025 provide structured risk taxonomies directly relevant to the authorization gap. The OWASP Non-Human Identity Top 10 catalogs the ten highest-consequence risk categories for NHIs, including overprivileged identities, improper offboarding, secret leakage, long-lived credentials, and insecure authentication protocols [4]. The OWASP Top 10 for Agentic Applications (2026) maps these NHI risks into the agentic context, identifying identity and privilege abuse as a top-tier risk and introducing the Least-Agency principle—an extension of least privilege that specifies agents should be granted only the minimum level of autonomy required to complete their defined task [7].

Together, these frameworks provide a vocabulary and prioritization structure for enterprise risk assessment. They do not yet constitute prescriptive implementation guidance, and their adoption in enterprise security programs is uneven, but they represent an important convergence of community consensus around what the problems are.

NIST AI RMF and the Emerging Regulatory Context

The National Institute of Standards and Technology launched the AI Agent Standards Initiative in February 2026, publishing concept papers focused on software and AI agent identity and authorization [13]. This marks a significant transition: agent identity governance is moving from a technical best-practice discussion within the security community into formal standards work that regulators and auditors can reference, and against which organizations should expect to be measured.

The EU AI Act’s enforcement phases are rolling out through 2025 and 2026, with broad enforcement beginning August 2, 2026 [18]. While the Act does not prescribe specific technical controls for agent identity, it establishes accountability requirements for high-risk AI systems that are directly implicated by the authorization gap: organizations must be able to demonstrate who authorized an AI system’s actions, what it was authorized to do, and what happened when it acted. An organization that cannot distinguish AI agent activity from human activity in its logs—as 68 percent of CSA survey respondents cannot—is structurally ill-equipped to meet these accountability requirements.


Recommendations

Closing the authorization gap requires action across three time horizons. Immediate actions address the most acute exposures using controls that can be implemented with existing infrastructure. Short-term architectural changes build the identity-centric enforcement layer that makes governance sustainable at scale. Strategic initiatives position the organization to benefit from emerging standards and to meet the compliance obligations taking shape in the regulatory environment.

Immediate Actions

Conduct an agent credential audit. The foundation of any authorization governance program is knowing what you have. Organizations should audit all AI agent deployments to identify what credentials each agent holds, whether those credentials are shared with other principals, when they were last rotated, and who owns them. This audit will typically surface agents operating under human user credentials, service accounts with accumulated permissions that exceed any current business justification, and credentials with no documented owner—each category requiring immediate remediation.

Eliminate human credential delegation. Any AI agent operating under a human user’s identity should be migrated to a dedicated identity as a priority. This is the single highest-risk configuration in the current landscape: it degrades audit integrity, assigns excessive permissions, and creates attribution failures that impair incident response. Organizations should treat human-delegated agent credentials as a P0 remediation item.

Establish an agent inventory. Before any meaningful governance can be applied, organizations need a real-time inventory of active agents, the credentials they hold, the tools they can access, and the teams responsible for them. Without this inventory, credential audits are one-time snapshots rather than ongoing governance, and decommissioning agents when they are no longer needed is structurally impossible.

Apply emergency credential scoping. Where agents hold shared service account credentials with accumulated over-permissions, organizations should apply immediate scoping: identify the minimum set of permissions required for the agent’s current tasks and reduce the credential to that scope. This will create friction—some things the agent currently does may stop working—and that friction is informative: it reveals the gap between what the agent was authorized to do and what it had been doing.
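The four immediate actions above reduce to a set of checks that can be scripted against a credential inventory. The following is an added example, not code from the CSA paper: it runs the audit rules (human-delegated identity, shared credential, missing owner, excess permissions, no expiry, stale rotation) over a constructed inventory and ranks the findings so that human-delegated agents surface first as P0. The record layout, the 90-day rotation threshold and the severity mapping are assumptions; an inventory exported from a real identity provider, secrets vault or agent platform would supply the same fields.

```python
"""Agent credential audit: an added example, not code from the CSA paper.

The inventory records, field names and policy thresholds below are
assumptions for illustration; a real audit would pull them from the
identity provider, secrets vault and agent platform.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_ROTATION_AGE = timedelta(days=90)                 # assumed policy threshold
NOW = datetime(2026, 5, 7, tzinfo=timezone.utc)       # fixed clock, reproducible results
SEVERITY_ORDER = {"P0": 0, "P1": 1, "P2": 2}


@dataclass
class AgentCredential:
    agent: str                 # agent deployment name
    principal: str             # identity the agent authenticates as
    principal_type: str        # "agent", "human" or "service"
    credential_id: str         # key/token/SVID identifier as held in the vault
    owner: str | None          # accountable owner, if any
    last_rotated: datetime | None
    expires: datetime | None   # None means the credential never expires
    granted: set[str] = field(default_factory=set)   # permissions the credential carries
    required: set[str] = field(default_factory=set)  # permissions the agent's task needs


# Constructed sample inventory (not real data).
INVENTORY = [
    # Agent borrowing a human user's key, which also carries billing admin.
    AgentCredential("ticket-triage", "alice@example.com", "human", "key-101", "alice",
                    NOW - timedelta(days=30), None,
                    {"tickets:read", "tickets:write", "billing:admin"},
                    {"tickets:read", "tickets:write"}),
    # Two agents sharing one unowned, never-rotated service account.
    AgentCredential("report-builder", "svc-reporting", "service", "key-202", None,
                    NOW - timedelta(days=400), None,
                    {"db:read", "db:write", "db:admin"}, {"db:read"}),
    AgentCredential("etl-runner", "svc-reporting", "service", "key-202", None,
                    NOW - timedelta(days=400), None,
                    {"db:read", "db:write", "db:admin"}, {"db:read", "db:write"}),
    # Dedicated, owned, short-lived workload identity scoped to its task.
    AgentCredential("deploy-bot", "spiffe://example.org/agent/deploy-bot", "agent", "svid-303",
                    "platform-team", NOW - timedelta(hours=1), NOW + timedelta(hours=1),
                    {"k8s:deploy"}, {"k8s:deploy"}),
]


def audit(inventory: list[AgentCredential]) -> list[dict]:
    """Return one finding per violated rule, highest severity first."""
    # A credential_id held by more than one agent is a shared credential.
    shared = {cid for cid, n in Counter(c.credential_id for c in inventory).items() if n > 1}
    findings: list[dict] = []

    def flag(c: AgentCredential, severity: str, rule: str, detail: str) -> None:
        findings.append({"agent": c.agent, "severity": severity, "rule": rule, "detail": detail})

    for c in inventory:
        if c.principal_type == "human":
            flag(c, "P0", "human-delegated", f"runs as human user {c.principal}")
        if c.credential_id in shared:
            flag(c, "P1", "shared-credential", f"{c.credential_id} is held by multiple agents")
        if c.owner is None:
            flag(c, "P1", "no-owner", "no accountable owner recorded")
        excess = c.granted - c.required
        if excess:
            flag(c, "P1", "over-privileged", "unused permissions: " + ", ".join(sorted(excess)))
        if c.expires is None:
            flag(c, "P2", "no-expiry", "credential never expires")
        if c.last_rotated is None or NOW - c.last_rotated > MAX_ROTATION_AGE:
            flag(c, "P2", "stale-rotation", f"not rotated within {MAX_ROTATION_AGE.days} days")
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["agent"]))


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per rule, for the remediation backlog."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['severity']} {f['agent']:15} {f['rule']:18} {f['detail']}")
    print(summarize(audit(INVENTORY)))
```

The friction the paper describes is visible in the output: reducing svc-reporting to each agent's required set would remove db:admin from both agents and db:write from report-builder, and anything that breaks as a result was running on authority nobody had consciously granted.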

Short-Term Architectural Changes

Assign discrete identities to all AI agents. Each agent should operate under a unique, dedicated identity that is not shared with any other principal—human or machine. This identity should have a defined owner, a documented access scope, a defined lifetime, and a revocation mechanism. Platforms with first-class agent identity support (such as Microsoft Entra Agent ID) should be used where available; organizations using other identity platforms should extend their existing workload identity infrastructure to cover agents.

Implement per-task credential issuance. Rather than granting agents persistent access to tools and APIs, organizations should implement architectures in which credentials are issued on a per-task basis and expire automatically when the task completes. This pattern, implemented using SPIFFE, short-lived OAuth tokens, or platform-native short-lived credential mechanisms, materially reduces the attack surface available to an adversary who compromises or manipulates an agent, because the credential is valid only for the current task and expires when the task ends, so a token captured afterwards grants nothing.

Deploy MCP gateways with policy enforcement. For organizations using Model Context Protocol to connect agents to tools, MCP gateways provide a centralized policy enforcement point that can authenticate agents, evaluate authorization requests against defined policies, log all tool access, and block requests that exceed scope [8]. This architecture moves policy enforcement from agent-level configuration—which is fragile, inconsistent, and hard to audit—to a controlled gateway layer.

Establish agent-specific logging and attribution. Organizations should configure their logging infrastructure to distinguish AI agent activity from human user activity using identity metadata rather than behavioral heuristics. Every action taken by an agent should be logged with the agent’s identity, the task context that authorized the action, and a reference to the human principal or organizational objective on whose behalf the task is being performed. This enables the accountability traceability that incident response and regulatory compliance require.
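Per-task credential issuance, gateway policy enforcement and identity-based attribution fit together in one enforcement path, which also covers the prompt-injection case discussed earlier and the SPIFFE-plus-OAuth pattern from the standards section: a hijacked agent can only call what its task token grants, and every decision is logged against the agent's own identity. The block below is an added example written for this discussion, not code from CSA, any vendor, or the SPIFFE or MCP projects. The agent's SPIFFE ID is the token subject, the token carries the delegating human in `act`, the task identifier, a minimal scope list and a five-minute expiry, and a gateway verifies each tool call against it and records who acted, for whom, and why it was allowed or denied. The HS256 shared key is an assumption (a production broker would issue asymmetrically signed JWT-SVIDs and the gateway would verify against the trust bundle); the tool names, scopes, SPIFFE IDs and the `mcp-gateway` audience are likewise illustrative.

```python
"""Per-task scoped tokens behind a policy-enforcing tool gateway (added example,
not code from the CSA paper or any vendor). Assumption: HS256 with a shared key
stands in for SPIRE-issued, asymmetrically signed JWT-SVIDs; tool names, scopes,
SPIFFE IDs and AUDIENCE are illustrative."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets

KEY = b"gateway-signing-key-for-demo-only"  # assumption: demo-only shared secret
AUDIENCE = "mcp-gateway"
# Assumed mapping from tool to the scope a task token must carry to call it.
TOOL_SCOPES = {
    "search_tickets": "tickets:read",
    "update_ticket": "tickets:write",
    "export_to_url": "data:export",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_task_token(agent_id: str, on_behalf_of: str, task_id: str,
                     scopes: list[str], ttl: int, now: int) -> str:
    """Mint a short-lived JWT bound to one agent, one task and a minimal scope set."""
    claims = {"iss": "task-broker", "sub": agent_id, "aud": AUDIENCE,
              "act": on_behalf_of,  # human principal or objective the task serves
              "task": task_id, "scope": " ".join(scopes),
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = b64url_encode(hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify(token: str, now: int) -> dict:
    """Check signature, audience and expiry; raise PermissionError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, payload, sig = parts
    # The verifier fixes the algorithm itself and ignores the token's alg header.
    expected = b64url_encode(hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong audience")
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


class Gateway:
    """Single enforcement point: authenticate, authorize per tool, log with attribution."""

    def __init__(self) -> None:
        self.audit_log: list[dict] = []

    def call(self, token: str, tool: str, args: dict, now: int) -> dict:
        record = {"ts": now, "tool": tool, "args": args,
                  "agent": None, "task": None, "on_behalf_of": None}
        try:
            claims = verify(token, now)
        except PermissionError as err:
            record.update(decision="deny", reason=str(err))
        else:
            # Attribution comes from the token's identity claims, not from heuristics.
            record.update(agent=claims["sub"], task=claims["task"], on_behalf_of=claims["act"])
            needed = TOOL_SCOPES.get(tool)
            if needed is None or needed not in claims["scope"].split():
                record.update(decision="deny", reason=f"scope {needed!r} not granted for task")
            else:
                record.update(decision="allow", reason="in scope")
        self.audit_log.append(record)
        return record


def scenario() -> list[dict]:
    """Constructed run: a triage agent whose input carries an injected export instruction."""
    gw = Gateway()
    t0 = 1_778_000_000  # fixed clock (epoch seconds) for reproducibility
    token = issue_task_token("spiffe://example.org/agent/ticket-triage", "alice@example.com",
                             "task-42", ["tickets:read", "tickets:write"], ttl=300, now=t0)
    gw.call(token, "search_tickets", {"q": "status:open"}, now=t0 + 1)
    # A ticket body told the agent to export everything; the token never had data:export.
    gw.call(token, "export_to_url", {"url": "https://collector.invalid/up"}, now=t0 + 2)
    gw.call(token, "search_tickets", {"q": "status:open"}, now=t0 + 301)  # task window closed
    return gw.audit_log
```

Two properties of the audit records matter. The denial of `export_to_url` is attributed to the agent's SPIFFE ID, the task and the human it acted for, so the hijack is visible from identity metadata alone; and the third call fails on expiry, so a token leaked after the task closes buys an attacker nothing.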

Strategic Initiatives

Build an agent identity governance program. Agent identity governance should be treated as a distinct program within the enterprise IAM function, with ownership in the IAM team and defined policies for agent lifecycle management: onboarding, access review, change management, and decommissioning. This program should be aligned with the organization’s existing NHI governance work—the same credential hygiene and lifecycle management disciplines that apply to service accounts and API keys should apply to AI agents, extended to address agent-specific considerations.

Adopt the NIST AI RMF Agentic Profile. As NIST finalizes its agentic extensions to the AI Risk Management Framework, organizations should integrate these into their AI governance programs [17]. The Agentic Profile addresses agent autonomy, tool-use risk, runtime behavioral governance, and delegation chain accountability in a structured format that integrates with existing NIST-aligned governance programs and provides a basis for demonstrating compliance with EU AI Act accountability requirements.

Implement behavioral monitoring and anomaly detection. Identity governance establishes what agents are authorized to do; behavioral monitoring detects when they deviate from that authorization. Organizations should deploy monitoring systems capable of establishing baselines for normal agent behavior—what tools agents access, at what frequency, in what sequence—and alerting when deviations occur. This is the detection mechanism for prompt injection attacks, credential misuse by compromised agents, and authorization scope creep.
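An added example, not code from the CSA paper, of the baselining described above: it learns, per agent, the tools used, the tool-to-tool transitions and the busiest hourly window from 24 hours of constructed audit records (the shape an identity-attributing gateway would emit), then flags a never-seen tool, a transition outside the learned sequence, a rate spike and an agent with no baseline at all. The one-hour window and the 3x rate factor are assumed thresholds, and the agent and tool names are illustrative.

```python
"""Behavioral baseline and anomaly detection over agent audit records.

Added example, not code from the CSA paper. The records are constructed
(agent, tool, ts in epoch seconds) in the shape an identity-attributing
gateway would log; the window size and rate factor are assumed thresholds.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

WINDOW = 3600      # one-hour rate windows (assumption)
RATE_FACTOR = 3    # alert when a window exceeds 3x the busiest baseline window (assumption)


@dataclass
class Baseline:
    tools: set[str]                      # tools the agent used during the baseline period
    transitions: set[tuple[str, str]]    # observed (previous_tool, tool) pairs
    max_per_window: int                  # busiest window seen


def group_by_agent(events: list[dict]) -> dict[str, list[dict]]:
    grouped: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        grouped[e["agent"]].append(e)
    return grouped


def build_baseline(events: list[dict]) -> dict[str, Baseline]:
    """Learn, per agent, which tools it calls, in what order, and how fast."""
    baselines = {}
    for agent, evs in group_by_agent(events).items():
        tools = {e["tool"] for e in evs}
        transitions = {(a["tool"], b["tool"]) for a, b in zip(evs, evs[1:])}
        per_window = Counter(e["ts"] // WINDOW for e in evs)
        baselines[agent] = Baseline(tools, transitions, max(per_window.values()))
    return baselines


def detect(baselines: dict[str, Baseline], events: list[dict]) -> list[dict]:
    """Return deduplicated alerts for behaviour outside each agent's baseline."""
    alerts: list[dict] = []
    seen: set[tuple] = set()

    def alert(agent: str, kind: str, detail: str) -> None:
        key = (agent, kind, detail)
        if key not in seen:
            seen.add(key)
            alerts.append({"agent": agent, "type": kind, "detail": detail})

    for agent, evs in group_by_agent(events).items():
        base = baselines.get(agent)
        if base is None:
            alert(agent, "unknown-agent", "no baseline: agent not in inventory")
            continue
        prev = None
        for e in evs:
            tool = e["tool"]
            if tool not in base.tools:
                alert(agent, "new-tool", tool)
                prev = None   # the new-tool alert already covers the next transition
                continue
            if prev is not None and (prev, tool) not in base.transitions:
                alert(agent, "novel-sequence", f"{prev} -> {tool}")
            prev = tool
        for window, n in Counter(e["ts"] // WINDOW for e in evs).items():
            if n > RATE_FACTOR * base.max_per_window:
                alert(agent, "rate-spike", f"{n} calls in window {window}")
    return alerts


def constructed_baseline_events() -> list[dict]:
    """24 hours of a triage agent doing search -> update, three times an hour."""
    evs = []
    for hour in range(24):
        for i in range(3):
            t = hour * WINDOW + i * 1000
            evs.append({"agent": "ticket-triage", "tool": "search_tickets", "ts": t})
            evs.append({"agent": "ticket-triage", "tool": "update_ticket", "ts": t + 500})
    return evs


def constructed_detection_events() -> list[dict]:
    """Next day: one export call, a burst of 22 searches, and an unregistered agent."""
    day2 = 24 * WINDOW
    evs = [
        {"agent": "ticket-triage", "tool": "search_tickets", "ts": day2},
        {"agent": "ticket-triage", "tool": "update_ticket", "ts": day2 + 500},
        {"agent": "ticket-triage", "tool": "export_to_url", "ts": day2 + 1000},
        {"agent": "ticket-triage", "tool": "search_tickets", "ts": day2 + 1500},
        {"agent": "ticket-triage", "tool": "update_ticket", "ts": day2 + 2000},
    ]
    evs += [{"agent": "ticket-triage", "tool": "search_tickets", "ts": day2 + WINDOW + i * 100}
            for i in range(22)]
    evs.append({"agent": "rogue-helper", "tool": "search_tickets", "ts": day2 + WINDOW})
    return evs


if __name__ == "__main__":
    for a in detect(build_baseline(constructed_baseline_events()), constructed_detection_events()):
        print(a)
```

The unknown-agent alert is the inventory control from the immediate actions expressed as a detection rule: any identity that calls tools without a baseline is, by construction, an agent nobody onboarded. Alerts are deduplicated per (agent, type, detail) so that a burst produces one rate alert rather than one per call.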

Engage with emerging standards. Organizations with significant agent deployments should track the development of Agentic JWT, SPIFFE-OAuth integration specifications, and NIST’s AI agent identity standards work, and should evaluate early adoption where their infrastructure allows. The organizations that engage with these standards during development are better positioned to influence their design toward enterprise applicability and to build implementation experience before compliance obligations crystallize.


CSA Resource Alignment

The authorization gap analyzed in this paper is directly addressed by several elements of CSA’s AI security framework portfolio.

MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) provides a seven-layer threat modeling framework for agentic AI systems, introduced by CSA in February 2025 [14]. Its layered architecture—Foundation Models, Data Operations, Agent Frameworks, Deployment and Infrastructure, Evaluation and Observability, Security and Compliance, and Agent Ecosystem—provides a structured approach to identifying where in an agentic system authorization controls should be applied. The agent frameworks and deployment infrastructure layers are particularly relevant to the credential governance controls described in this paper’s recommendations.

AI Controls Matrix (AICM) v1.0.3 provides control domain coverage across 18 domains relevant to AI system security, with control mappings for Application Providers, Orchestrated Service Providers, Model Providers, Cloud Service Providers, and AI Customers [15]. The AICM’s access control and identity management domains address AI-specific requirements that supplement the traditional identity controls in CCM v4, and its shared security responsibility model clarifies which layers of control are owned by which organizational role in multi-party AI deployments.

CSA’s AI Organizational Responsibilities series provides role-specific guidance for CISOs, CAIOs, AI researchers, and security architects on fulfilling core security responsibilities in AI system development and deployment [16]. Its treatment of access controls and MLOps pipeline security is directly relevant to the agent credential management controls recommended in this paper.

Zero Trust guidance: CSA’s extensive Zero Trust publication portfolio, including the Zero Trust Protect Surface definitions and context-based access control guidance, provides the foundational architecture principles from which agent-specific identity controls should be derived. The principles that no principal—human or agent—should be trusted by default, that access should be verified continuously rather than assumed from initial authentication, and that the scope of access should be the minimum required for the current task, are the architectural foundation for the per-task credential issuance and behavioral monitoring controls recommended above.
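The Zero Trust principles above applied to an agent credential, as an added example that is not part of the CSA paper: a per-task, short-lived credential is bound to a dedicated agent identity and a named owner, re-verified on every action rather than only at issuance, denied for anything outside its explicit scope, and every decision is written to an audit trail. The HMAC-signed token format, the signing key, and all agent, owner and task names are constructed for illustration; a real deployment would use SPIFFE SVIDs or IdP-issued OAuth tokens rather than a hand-rolled format.

```python
import base64, hashlib, hmac, json, time

# Constructed demo signing key; in practice it lives in an HSM/KMS, never in code.
SIGNING_KEY = b"demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_task_credential(agent_id, owner, task_id, scope, ttl_s, now=None, key=SIGNING_KEY):
    """Mint a short-lived credential bound to one agent, one owner and one task.
    `scope` is an explicit allow-list of (action, resource) pairs: nothing is inherited."""
    now = time.time() if now is None else now
    claims = {"sub": agent_id, "owner": owner, "task": task_id,
              "scope": [f"{a}:{r}" for a, r in scope], "iat": now, "exp": now + ttl_s}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def authorize(token, action, resource, audit, now=None, key=SIGNING_KEY):
    """Verify the credential on every call and decide the single requested action.
    Deny by default; each decision is logged against the agent and its accountable owner."""
    now = time.time() if now is None else now
    decision, claims = "deny", {}
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if hmac.compare_digest(sig, expected):          # signature first, then claims
            claims = json.loads(_unb64(body))
            if claims["exp"] > now and f"{action}:{resource}" in claims["scope"]:
                decision = "allow"
    except (ValueError, KeyError, TypeError):           # malformed token stays "deny"
        claims = {}
    audit.append({"sub": claims.get("sub"), "owner": claims.get("owner"), "task": claims.get("task"),
                  "action": action, "resource": resource, "decision": decision, "at": now})
    return decision == "allow"

if __name__ == "__main__":
    audit, t0 = [], 1_700_000_000   # fixed clock so the run is deterministic
    tok = issue_task_credential("agent://billing-reconciler", "finance-platform-team",
                                "reconcile-2026-05", [("db:read", "ledger"), ("ticket:create", "jira")], 300, now=t0)
    print(authorize(tok, "db:read", "ledger", audit, now=t0 + 10))        # True: in scope, unexpired
    print(authorize(tok, "iam:attach-policy", "*", audit, now=t0 + 10))   # False: outside task scope
    print(authorize(tok, "db:read", "ledger", audit, now=t0 + 301))       # False: credential expired
    body, sig = tok.split(".")
    print(authorize(body + "." + sig[::-1], "db:read", "ledger", audit, now=t0))  # False: tampered
```

The audit list is the behavioral-monitoring hook: each entry names the agent, its owner and the task, so an out-of-scope request is attributable to someone rather than to an anonymous service account.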

STAR for AI provides an assessment and registry mechanism through which organizations can publicly demonstrate the maturity of their AI security controls, including identity and access management for AI systems. As regulatory accountability requirements mature, STAR for AI attestation provides a structured basis for demonstrating governance posture to customers, regulators, and auditors.


Conclusion

The authorization gap is not a future risk to be planned for; it is a present condition to be managed. Eighty-eight percent of organizations have already experienced AI agent security incidents [2]. The majority of deployed agents operate without discrete identities, without per-task credential scoping, without behavioral monitoring, and without clear organizational ownership. The standards and regulatory frameworks that will eventually provide a clear compliance floor are still maturing.

In this environment, the organizations best positioned are those that treat agent authorization not as a compliance checkbox but as an extension of identity-centric security architecture. The core disciplines—knowing what you have, governing what it can do, monitoring what it actually does, and holding someone accountable for each—are not new. What is new is the need to apply them to a class of principal that is autonomous, capable of chaining actions across systems, and expanding in population and authority faster than governance processes can track.

The recommendations in this paper are practical and achievable with existing infrastructure, existing standards, and existing security functions. They do not require waiting for final regulatory guidance or for mature agentic-specific identity platforms to emerge. They require extending established IAM and zero trust disciplines to a new type of actor—one that is already inside the enterprise, already holding credentials, and already taking actions.

The authorization gap can be closed. The prerequisite is recognition—but recognition must be followed by deliberate investment in the controls, governance structures, and tooling that identity-centric security requires.


References

[1] Hillary Baron, Marina Bregkou, Josh Buker, Ryan Gifford. “Identity and Access Gaps in the Age of Autonomous AI.” Cloud Security Alliance / Aembit, January 2026.

[2] Gravitee. “State of AI Agent Security 2026: When Adoption Outpaces Control.” Gravitee, 2026.

[3] Protego. “Non-Human Identities (NHI): The Hidden Security Crisis Powering AI Agent Attacks in 2026.” Protego, 2026.

[4] OWASP. “The OWASP Non-Human Identity Top 10.” OWASP NHI Management Group, 2025.

[5] AGAT Software. “AI Agent Security in 2026: What Enterprises Are Getting Wrong.” AGAT Software, 2026.

[6] Ken Huang et al. “Agentic AI Red Teaming Guide.” Cloud Security Alliance, 2025.

[7] OWASP. “OWASP Top 10 for Agentic Applications for 2026.” OWASP Gen AI Security Project, 2025.

[8] OWASP. “MCP02:2025 — Privilege Escalation via Scope Creep.” OWASP MCP Top 10, 2025.

[9] SPIFFE. “SPIFFE — Secure Production Identity Framework for Everyone.” SPIFFE Project, accessed May 2026.

[10] CyberArk. “Authenticate AI Agents with JWT SVIDs (SPIFFE).” CyberArk Documentation, 2025.

[11] IETF. “Secure Intent Protocol: JWT Compatible Agentic Identity and Workflow Management.” IETF Internet-Draft, expires July 2026.

[12] Microsoft. “What is Microsoft Entra Agent ID?” Microsoft Learn, 2025.

[13] Jones Walker LLP. “NIST’s AI Agent Standards Initiative: Why Autonomous AI Just Became Washington’s Problem.” Jones Walker, 2026.

[14] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA Blog, February 2025.

[15] Cloud Security Alliance. “AI Controls Matrix (AICM) v1.0.3.” CSA, 2025.

[16] Cloud Security Alliance. “AI Organizational Responsibilities: Core Security Responsibilities.” CSA, 2024.

[17] Cloud Security Alliance. “NIST AI RMF Agentic Profile.” CSA Labs, March 2026.

[18] European Parliament and Council. “Regulation (EU) 2024/1689 — Artificial Intelligence Act.” Official Journal of the European Union, July 2024.

[19] IBM Security / Ponemon Institute. “Cost of a Data Breach Report 2025.” IBM Security, 2025.


Further Reading

The following sources provided useful background context and are recommended for readers seeking broader coverage of the NHI and agentic identity landscape:
