Agent identity & access

An agent is a non-human identity (NHI) that acts with real authority - it holds tokens, calls APIs, touches data, triggers actions. OWASP puts it bluntly: an AI agent is an execution principal, closer to a privileged workload than a conversational interface. NHIs already vastly outnumber human identities and are the least-governed credentials in most estates; agents make it acute because they are numerous, dynamic, and act autonomously on untrusted input. The OWASP Agentic Top 10 (II.8) cross-maps directly to the OWASP Top 10 for Non-Human Identities - over-privileged NHIs, secret exposure, long-lived credentials, and reused identities are the root causes that turn agent risks into incidents.

Agent as a managed non-human identity (NHI)
# treat each agent/tool credential as a first-class identity with least privilege
token: { aud: "tool://crm.read", scope: ["records:read"], ttl: 300s } # audience-bound (RFC 8707), short-lived
mTLS + OIDC between agents; no token passthrough upstream (confused-deputy fix)
tool_allowlist: ["crm.read","calendar.read"]; egress_allowlist: ["api.internal"]
rotate + revoke on anomaly; log every tool call to the action ledger (III.3)
flowchart LR
  PROV["Provision: per-agent NHI<br/>not a shared / static key"] --> AUTH["Authenticate<br/>mTLS + OIDC / workload identity"]
  AUTH --> AUTHZ["Authorize: least-privilege,<br/>task-scoped + on-behalf-of user"]
  AUTHZ --> ACT["Act + audit every action"]
  ACT --> DEPROV["Rotate & de-provision<br/>kill orphaned identities"]
  DEPROV -.->|"no standing super-credentials"| PROV
  classDef d fill:#0f1a18,stroke:#5bd1c5,color:#bdeee2;
  class PROV,AUTH,AUTHZ,ACT,DEPROV d;

The control that matters most is on-behalf-of: when an agent acts for a user it should borrow the user’s scoped authority, not wield its own standing super-credentials - so an injection can’t reach everything the agent could ever touch.

  • One identity per agent. Never a shared human’s credentials or a static, broadly-scoped API key. Isolate agent identities from user identities.
  • Authenticate strongly. mTLS + OIDC / workload identity; for A2A, signed and verified Agent Cards (II.7).
  • Authorize least-privilege, task-scoped. The agent’s permissions are its blast radius (ASI03); deny dangerous tool combinations (II.6 capability chaining).
  • On-behalf-of, not super-creds. When acting for a user, use the user’s delegated, scoped authority - the single most effective limit on injection impact.
  • Short-lived, JIT credentials. No long-lived static keys; audience-bound tokens (RFC 8707); secrets in a manager, never in prompts or memory (secrets + memory poisoning = ASI06).
  • Non-transitive delegation. Authority must not accumulate across A2A hops (II.7); re-scope at each boundary.
  • Lifecycle & de-provisioning. Orphaned NHIs and identity sprawl are where breach-by-exhaust lives (II.13) - decommission aggressively.
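The on-behalf-of, audience-binding and non-transitive delegation points above, as an added example that is not part of the original page: a boundary function that mints a per-tool token whose scopes can only shrink (user grant ∩ agent tool allowlist ∩ tool's own scopes), and a tool-side check that rejects passthrough tokens. Token shape, tool registry, and names are constructed for illustration, not a real library.

```python
# Added example: re-scoping delegated authority at every agent/tool boundary.
# Tokens are plain dicts here (a real system would sign them, e.g. as JWTs).
MAX_TTL = 300  # seconds; short-lived, just-in-time

# Constructed registry: the scopes each tool audience accepts.
TOOL_SCOPES = {
    "tool://crm.read": {"records:read"},
    "tool://calendar.read": {"events:read"},
    "tool://crm.write": {"records:write"},
}

def mint_downstream(upstream: dict, tool: str, agent_allowlist: set, now: float) -> dict:
    """Mint a token for one tool call on behalf of the upstream principal.
    Scope = upstream scope ∩ tool's scopes, only for allowlisted tools, so
    authority never grows across hops. Audience is bound to exactly this
    tool (RFC 8707 resource indicator style); TTL never exceeds MAX_TTL."""
    if now >= upstream["exp"]:
        raise PermissionError("upstream token expired")
    if tool not in agent_allowlist:
        raise PermissionError(f"{tool} is not in the agent's tool allowlist")
    scopes = set(upstream["scope"]) & TOOL_SCOPES.get(tool, set())
    if not scopes:
        raise PermissionError("no delegated scope applies to this tool")
    return {
        "sub": upstream["sub"],                              # user stays the principal
        "act": upstream.get("act", []) + [upstream["aud"]],  # auditable delegation chain
        "aud": tool,
        "scope": sorted(scopes),
        "exp": min(upstream["exp"], now + MAX_TTL),
    }

def authorize(token: dict, tool: str, needed_scope: str, now: float) -> bool:
    """Tool-side check: audience must match this tool (no passthrough),
    token must be unexpired, and the requested scope must be present."""
    return token["aud"] == tool and now < token["exp"] and needed_scope in token["scope"]

if __name__ == "__main__":
    now = 1_000_000.0
    user_grant = {"sub": "alice", "aud": "agent://assistant",
                  "scope": ["records:read", "events:read", "records:write"],
                  "exp": now + 3600}
    allow = {"tool://crm.read", "tool://calendar.read"}
    tok = mint_downstream(user_grant, "tool://crm.read", allow, now)
    print(tok)  # aud bound to crm.read, scope shrunk to records:read, exp = now+300
    try:  # an injected "write to CRM" request fails even though the user could
        mint_downstream(user_grant, "tool://crm.write", allow, now)
    except PermissionError as e:
        print("denied:", e)
```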

▸ For the organization

  • Inventory every agent/NHI and its entitlements; treat agents as managed identities, not config.
  • Per-agent identity, JIT task-scoped tokens, on-behalf-of for user actions; never shared static keys.
  • Rotate and de-provision aggressively; audit the delegation chain; map to OWASP NHI Top 10 + ASI03.