When an agentic AI agent acts on a user’s behalf, most current deployments run it with that user’s privileges and record its activity under the user’s identity. The agentic AI agent itself disappears into the session. That design choice creates the core challenge of governing agentic AI.
Two distinct principals, the human and the agentic AI agent, are flattened into a single actor. Access records cannot distinguish who requested an action, and security controls cannot restrict the agentic AI agent beyond the privileges of the person whose authority it borrowed.
The solution is to give every agentic AI agent its own identity while keeping that identity linked to a human sponsor. Every agentic AI agent should be traceable to a named, accountable individual rather than operating as an anonymous proxy for whoever invoked it. Every action should be attributable to both the specific agentic AI agent and the responsible person.
The OpenID Foundation’s October 2025 white paper, Identity Management for Agentic AI, describes this model as delegated authority, where an agentic AI agent holds an identity that remains tied to the human who delegated its authority. Both identities remain distinct while preserving the relationship needed for accountability.
Why an Agentic AI Agent Identity Is a Security Problem
Palo Alto Networks’ Unit 42 found that identity weaknesses played a material role in nearly 90% of the incidents examined in its 2026 Global Incident Response Report. The report also found that 65% of initial access resulted from identity-based techniques rather than software exploits, while non-human identities were frequently overprivileged and inconsistently monitored.
An agentic AI agent that holds an authentication token is another identity. Once it can authenticate to business systems, it has the same potential blast radius as a human service account. The difference is that this non-human identity can reason faster than a person and can accept instructions from untrusted content. That characteristic turns agentic AI agents into a new attack surface.
Agentic AI agents consume data to perform their work. They read webpages, emails, documents, support tickets, calendar invitations, and source code. A large language model processes both its instructions and external data through the same context window, without a reliable structural separation between them. As a result, instructions hidden within the data may be interpreted as legitimate user commands.
When those malicious instructions originate from content the agentic AI agent retrieves rather than from the user, the attack is known as indirect prompt injection. When the injected instructions cause the agentic AI agent to perform unauthorized actions, the attack becomes agentic AI agent hijacking.
The severity of this risk deserves a measured assessment because most published evidence comes from controlled testing rather than widespread real-world compromise. The National Institute of Standards and Technology’s Center for AI Standards and Innovation (CAISI) analyzed a large red-teaming competition in which more than 400 participants executed over 250,000 attack attempts against 13 frontier models across tool-use, coding, and computer-use scenarios.
Researchers successfully hijacked at least one instance of every model tested, although resistance varied considerably and did not correlate directly with overall model capability. Earlier CAISI evaluations demonstrated hijacked agentic AI agents sending phishing emails, deploying malware, and exfiltrating login credentials. Unit 42 has also documented web-based indirect prompt injections occurring in real-world environments, suggesting that the technique is moving beyond research into opportunistic attacks.
Agentic AI agent hijacking does not bypass authentication or crack passwords. Instead, it abuses authority the agentic AI agent already possesses. A compromised agentic AI agent operates with its own permissions and whatever authority the user delegated to it. Consequently, the potential damage scales directly with the agentic AI agent’s privileges. The more tools, permissions, or autonomy an organization grants an agentic AI agent beyond what its task requires, the greater the impact of a successful compromise.
Identity controls therefore become essential for mitigating the risks associated with agentic AI agents. Organizations should implement least-privilege authorization, delegated access that keeps user and agentic AI agent identities separate, rapid credential revocation, and comprehensive audit logs that clearly record every agentic AI agent action.
A Framework for Governing Agentic AI Identities
In February 2026, NIST launched its AI Agent Standards Initiative alongside a National Cybersecurity Center of Excellence (NCCoE) concept paper on software and AI agent identity and authorization. The paper treats agentic AI agents as first-class entities within enterprise identity systems rather than anonymous automation operating under shared credentials. It also highlights important unresolved questions, including what metadata an agentic AI agent identity should contain and whether those identities should be permanent or ephemeral.
Most organizations now use AI somewhere within the business, while only a minority have deployed agentic systems at scale. Adoption is uneven, making this the ideal time to design governance rather than retrofit it later.
Identity teams can begin by focusing on four control planes: authentication, authorization, policy, and auditability.
Everything starts by assigning every agentic AI agent its own identity instead of allowing it to disappear within a user’s session. A practical identity record should include:
- a human sponsor who owns the agentic AI agent
- the agentic AI agent’s stated purpose
- a risk classification
- its execution environment
- the tools it is authorized to access
- a maximum authority level that it cannot exceed
- an expiration or retirement condition
The sponsor establishes accountability, while the risk classification determines how much oversight the agentic AI agent requires. A read-only research assistant should not be governed the same way as an agentic AI agent authorized to approve payments.
Once that identity exists, the four control planes provide the governance framework. Authentication verifies which agentic AI agent is acting. Authorization defines what the agentic AI agent may do and on whose behalf. Policy ensures those permissions evolve appropriately as autonomy increases. Auditability reconstructs what occurred during every action.
Authorization ultimately determines the blast radius if an agentic AI agent is compromised, making it the strongest technical control against agentic AI agent hijacking. However, each control plane depends on the others to provide effective governance.
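As an added example that is not part of the original article, the identity record fields listed above and the authorization and policy planes can be sketched as follows. The class names, tool names, authority levels and the three sample agents are assumptions made here; the rule that a high-risk agent needs sponsor approval before a non-read action is one illustrative policy, not something the article prescribes. The point the code makes is that a compromised agent requesting a tool it was never given, or an action above its authority ceiling, is stopped by the record itself, regardless of how the instruction reached it.

```python
"""Agent identity record plus authorization and policy decisions (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class Authority(IntEnum):
    """Ordered authority levels; an agent may never act above its maximum."""
    READ = 1        # observe only
    WRITE = 2       # create or modify records
    FINANCIAL = 3   # move money or approve payments


@dataclass(frozen=True)
class AgentIdentity:
    """The identity record fields from the article, as a concrete schema (assumed names)."""
    agent_id: str
    sponsor: str                      # named, accountable human owner
    purpose: str
    risk_class: str                   # "low" | "medium" | "high"
    environment: str                  # where the agent executes
    authorized_tools: frozenset[str]  # the only tools it may call
    max_authority: Authority          # ceiling it cannot exceed
    expires_at: datetime              # retirement condition

    def __post_init__(self):
        if not self.sponsor:
            raise ValueError("every agent needs a human sponsor")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    needs_human_approval: bool = False


# Authority each tool call requires (constructed mapping for the example).
TOOL_AUTHORITY = {
    "search_docs": Authority.READ,
    "book_travel": Authority.WRITE,
    "send_email": Authority.WRITE,
    "approve_payment": Authority.FINANCIAL,
}


def authorize(agent: AgentIdentity, tool: str, now: datetime) -> Decision:
    """Authorization + policy plane: deny anything outside the identity record."""
    if now >= agent.expires_at:
        return Decision(False, "identity expired; agent should have been retired")
    if tool not in TOOL_AUTHORITY:
        return Decision(False, f"unknown tool {tool!r}")
    if tool not in agent.authorized_tools:
        # A hijacked agent asking for a tool it was never given stops here,
        # whether the request came from the user or from injected content.
        return Decision(False, f"tool {tool!r} not in authorized set")
    if TOOL_AUTHORITY[tool] > agent.max_authority:
        return Decision(False, f"tool {tool!r} exceeds max authority {agent.max_authority.name}")
    # Policy plane: high-risk agents keep a human in the loop for non-read actions.
    if agent.risk_class == "high" and TOOL_AUTHORITY[tool] > Authority.READ:
        return Decision(True, "allowed pending sponsor approval", needs_human_approval=True)
    return Decision(True, "within authorized boundary")


# Constructed sample agents mirroring the article's contrast between a read-only
# research assistant and an agent that approves payments.
NOW = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock

RESEARCH_ASSISTANT = AgentIdentity(
    agent_id="research-bot-1", sponsor="alice", purpose="summarize internal docs",
    risk_class="low", environment="sandbox", authorized_tools=frozenset({"search_docs"}),
    max_authority=Authority.READ, expires_at=datetime(2026, 6, 30, tzinfo=timezone.utc))

PAYMENT_AGENT = AgentIdentity(
    agent_id="ap-bot-2", sponsor="bob", purpose="approve vendor invoices under policy",
    risk_class="high", environment="prod-finance",
    authorized_tools=frozenset({"search_docs", "approve_payment"}),
    max_authority=Authority.FINANCIAL, expires_at=datetime(2026, 12, 31, tzinfo=timezone.utc))

# Misconfigured on purpose: the tool was granted but the authority ceiling is lower.
CAPPED_AGENT = AgentIdentity(
    agent_id="ap-bot-3", sponsor="bob", purpose="draft invoice approvals",
    risk_class="medium", environment="prod-finance",
    authorized_tools=frozenset({"approve_payment"}),
    max_authority=Authority.WRITE, expires_at=datetime(2026, 12, 31, tzinfo=timezone.utc))

if __name__ == "__main__":
    for agent, tool in [(RESEARCH_ASSISTANT, "search_docs"), (RESEARCH_ASSISTANT, "send_email"),
                        (PAYMENT_AGENT, "approve_payment"), (CAPPED_AGENT, "approve_payment")]:
        print(agent.agent_id, tool, authorize(agent, tool, NOW))
```

The ceiling check and the tool allow-list are deliberately independent: the `CAPPED_AGENT` case shows that a mistakenly granted tool is still blocked by `max_authority`, which is the property the article assigns to that field.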
Identity Governance Best Practices for Agentic AI Agents
Make every agentic AI agent prove its identity with credentials that cannot be reused.
Replace static API keys and shared secrets, which remain popular targets for attackers, with automatically issued, short-lived credentials that are cryptographically bound to the specific agentic AI agent. Doing so significantly reduces the value of stolen credentials and makes impersonation much harder.
Allow agentic AI agents to act on behalf of users, never as users.
When an agentic AI agent performs work for someone else, maintain separate identities for both the human and the agentic AI agent by using standard on-behalf-of token flows. Preserving both identities improves accountability and prevents the agentic AI agent from silently inheriting the user’s full set of privileges.
Limit every agentic AI agent to the smallest set of permissions required.
A travel-booking agentic AI agent should only be able to book travel. It should not have persistent write access to calendars, file shares, or unrelated business systems. Tight, task-specific permissions ensure that even if an attacker successfully manipulates an agentic AI agent through prompt injection, the compromise remains contained.
Be able to revoke an agentic AI agent’s access immediately.
If an agentic AI agent is compromised or retired, organizations should revoke its credentials within seconds across every connected system rather than waiting for tokens to expire naturally.
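The three preceding practices, short-lived credentials bound to the agent, on-behalf-of tokens that keep both principals visible, and revocation that does not wait for expiry, fit together in one token flow. The following is an added example, not code from the article or from any identity provider. The `act` claim follows the RFC 8693 actor-claim convention and `cnf`/`jkt` follows RFC 7800 key confirmation; the HMAC issuer, the scope tables, the agent key, the five-minute lifetime and the in-memory revocation set are assumptions made here (a real deployment would use the IdP's asymmetric signing key and a shared revocation store).

```python
"""Short-lived, agent-bound, on-behalf-of tokens with immediate revocation (illustrative)."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)      # stand-in for the IdP's signing key (assumption)
TOKEN_TTL = 300                           # seconds; short-lived by default (assumption)
REVOKED_AGENTS: set[str] = set()          # consulted on every request

# Constructed permission tables: what the user may do, and what the agent is built for.
USER_SCOPES = {"alice": {"travel:book", "calendar:write", "mail:send"}}
AGENT_SCOPES = {"travel-bot-7": {"travel:book"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_thumbprint(agent_public_key: bytes) -> str:
    """Binding value carried in cnf.jkt: SHA-256 of the agent's key material."""
    return _b64(hashlib.sha256(agent_public_key).digest())


def issue_on_behalf_of(user: str, agent_id: str, agent_public_key: bytes, now: float) -> str:
    """Token exchange: the user delegates to the agent; delegated scope is the intersection."""
    claims = {
        "iss": "https://idp.example",
        "sub": user,                           # the human whose authority is delegated
        "act": {"sub": agent_id},              # the agent actually acting (RFC 8693)
        "scope": sorted(USER_SCOPES[user] & AGENT_SCOPES[agent_id]),
        "cnf": {"jkt": key_thumbprint(agent_public_key)},
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL,
        "jti": secrets.token_hex(8),
    }
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify(token: str, presenting_key: bytes, required_scope: str, now: float) -> dict:
    """Resource-side check; returns the claims or raises PermissionError."""
    header, body, sig = token.split(".")
    expected = hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    if claims["cnf"]["jkt"] != key_thumbprint(presenting_key):
        raise PermissionError("token not bound to the presenting key")
    agent = claims["act"]["sub"]
    if agent in REVOKED_AGENTS:
        raise PermissionError(f"agent {agent} revoked")
    if required_scope not in claims["scope"]:
        raise PermissionError(f"scope {required_scope!r} not delegated to this agent")
    return claims


def revoke_agent(agent_id: str) -> None:
    """Takes effect on the agent's next request; nobody waits for exp."""
    REVOKED_AGENTS.add(agent_id)


def access_result(token: str, presenting_key: bytes, required_scope: str, now: float) -> str:
    """Convenience wrapper: 'allowed' or the denial reason."""
    try:
        verify(token, presenting_key, required_scope, now)
        return "allowed"
    except PermissionError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    now = 1_700_000_000.0                          # constructed clock
    agent_key = b"constructed-agent-public-key"    # constructed key material
    tok = issue_on_behalf_of("alice", "travel-bot-7", agent_key, now)
    print(access_result(tok, agent_key, "travel:book", now + 10))
    print(access_result(tok, agent_key, "mail:send", now + 10))
    print(access_result(tok, b"some-other-key", "travel:book", now + 10))
    revoke_agent("travel-bot-7")
    print(access_result(tok, agent_key, "travel:book", now + 10))
```

Because the delegated scope is the intersection of what the user holds and what the agent was built for, the agent never silently inherits `calendar:write` or `mail:send` from Alice; a stolen token fails the `cnf` check when presented with any other key; and revoking the agent denies a still-valid token on the very next call.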
Govern agentic AI agents throughout their entire lifecycle, especially during deprovisioning.
Provision agentic AI agents with the same discipline applied to employees and deprovision them just as rigorously. Agentic AI agents that outlive their purpose or retain access after their sponsor leaves the organization become forgotten, overprivileged accounts that attackers actively seek.
Log every agentic AI agent action with enough context to reconstruct events.
For every sensitive operation, record a complete chain of evidence showing who owns the agentic AI agent, which agentic AI agent acted, what permissions it possessed, which resources it accessed, and what actions it performed. Most deployments still fall short because they record the activity only under the user’s identity. Without a complete audit trail, investigators cannot determine whether an agentic AI agent stayed within its authorized boundaries or measure the impact of a compromised agentic AI agent.
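What the chain of evidence described above buys an investigator can be shown with a small reconstruction over sample records. This is an added example, not part of the article; the JSON field names, the four log lines and the agent and user names are constructed here. Three records carry both principals and the permissions held at the time; the fourth is the common failure mode the paragraph describes, an action logged only under the user, which the parser has to set aside because it cannot say whether an agent acted at all.

```python
"""Audit records that attribute each action to both the agent and its sponsor (illustrative)."""
import json
from dataclasses import dataclass

# Fields a record needs before an action can be attributed to a specific agent (assumed schema).
REQUIRED_FIELDS = ("ts", "sponsor", "agent_id", "on_behalf_of",
                   "permissions", "tool", "resource", "outcome")

# Constructed log lines. The last one records activity under the user only.
SAMPLE_LOG = """\
{"ts":"2026-03-01T09:00:01Z","sponsor":"alice","agent_id":"travel-bot-7","on_behalf_of":"alice","permissions":["book_travel"],"tool":"book_travel","resource":"trip/4431","outcome":"allowed"}
{"ts":"2026-03-01T09:00:07Z","sponsor":"alice","agent_id":"travel-bot-7","on_behalf_of":"alice","permissions":["book_travel"],"tool":"send_email","resource":"mailto:ext@example.net","outcome":"denied"}
{"ts":"2026-03-01T09:00:09Z","sponsor":"alice","agent_id":"travel-bot-7","on_behalf_of":"alice","permissions":["book_travel"],"tool":"read_calendar","resource":"calendar/alice","outcome":"allowed"}
{"ts":"2026-03-01T09:01:00Z","user":"alice","tool":"book_travel","resource":"trip/4432","outcome":"allowed"}
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    sponsor: str            # who owns the agent
    agent_id: str           # which agent acted
    on_behalf_of: str       # whose authority it exercised
    permissions: frozenset  # what it was allowed to do at that moment
    tool: str               # what it did
    resource: str           # what it touched
    outcome: str            # "allowed" | "denied"

    def within_boundary(self) -> bool:
        """Did the tool used fall inside the permissions the agent held?"""
        return self.tool in self.permissions


def parse_log(text: str) -> tuple[list[AuditEvent], list[dict]]:
    """Split JSON lines into attributable events and records missing the chain."""
    events, unattributable = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if any(field not in rec for field in REQUIRED_FIELDS):
            unattributable.append(rec)  # user-only record: no way to know which agent, if any
            continue
        events.append(AuditEvent(
            rec["ts"], rec["sponsor"], rec["agent_id"], rec["on_behalf_of"],
            frozenset(rec["permissions"]), rec["tool"], rec["resource"], rec["outcome"]))
    return events, unattributable


def investigate(events: list[AuditEvent], agent_id: str) -> dict:
    """Reconstruct one agent's activity: owner, what it touched, where it pushed the boundary."""
    mine = [e for e in events if e.agent_id == agent_id]
    return {
        "sponsor": {e.sponsor for e in mine},
        "resources_accessed": sorted(e.resource for e in mine if e.outcome == "allowed"),
        "blocked_attempts": [e.tool for e in mine if e.outcome == "denied"],
        # An allowed action outside the permission set means enforcement, not the agent, failed.
        "enforcement_gaps": [e.tool for e in mine if e.outcome == "allowed" and not e.within_boundary()],
    }


if __name__ == "__main__":
    events, unattributable = parse_log(SAMPLE_LOG)
    print(investigate(events, "travel-bot-7"))
    print(f"{len(unattributable)} record(s) cannot be attributed to an agent")
```

Two findings fall out of the reconstruction that a user-only log could never yield: the blocked `send_email` attempt shows the agent trying to leave its boundary and being contained, and the allowed `read_calendar` call, which was never in its permission set, points at an enforcement gap to fix rather than at agent behaviour.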
Conclusion
Many questions about governing AI identities remain unanswered. Can enterprise systems preserve separate identities for both the human sponsor and the agentic AI agent from end to end? How should delegated tokens be revoked while an agentic AI agent is executing a workflow if the user withdraws authorization? What credentials should an agentic AI agent present, and should they always be short-lived and cryptographically bound to the workload? When an agentic AI agent encounters malicious instructions embedded in the content it consumes, what mechanisms ultimately limit how far it can act? Agentic AI is advancing faster than the standards designed to govern it. That is not a reason to wait. The fundamental building blocks already exist. Organizations understand how to implement authentication, authorization, policy enforcement, and auditing for identities. The remaining challenge is recognizing agentic AI agents as identities and applying the same governance, accountability, and least-privilege principles that have long been expected for human users.