
Governing Non-Human Identity at Machine Pace

Three architectural requirements for agentic pipeline credential governance under DORA and EU AI Act

A. NHI sprawl in agentic pipelines is a rate problem: agentic workflows generate and consume credentials at machine pace, faster than any governance control built for human-scale IAM can track.

B. Zero standing privilege and dual-identity credential binding are the two architectural controls that make NHI governance operational at machine pace — not inventory audits, tooling purchases, or policy updates alone.

C. DORA Articles 9 and 10 and EU AI Act Article 14 map directly to these architectural requirements, meaning credential architecture decisions are now regulatory compliance decisions.

NHI sprawl is not an inventory problem. It is a rate problem. The governance controls built for human identities operate at human pace: periodic access reviews, manual revocation, quarterly certifications. Under the Identity Inheritance Model, the default across every major orchestration platform, each Agentlet spawned in a pipeline inherits its principal’s credentials without any explicit provisioning decision; multiply that across a workflow run and those controls fall behind immediately. Three architectural requirements close the gap. Zero standing privilege eliminates the persistent credential as an attack surface. Dual-identity credential binding makes every access decision traceable to a named human owner. The human sponsorship model ensures that traceability is structural, not administrative. DORA Articles 9 and 10 and EU AI Act Article 14 already require these outcomes of any organization deploying AI agents in regulated environments.


NHI sprawl: The condition in which non-human identities multiply faster than any inventory process can track, leaving no one able to answer which agents hold which credentials, what those credentials access, or which are still active.

Zero standing privilege (ZSP): An architectural requirement that an AIgentic Actor holds no persistent credentials between tasks. Each operation requests exactly the access it needs for exactly the duration required; the credential expires at task completion.

Dual-identity credential binding: A credential design in which each agent’s access token cryptographically encodes both the agent’s identity and the identity of its human sponsor, making the authorization chain auditable regardless of how many Agentlets a pipeline spawns.

Human sponsorship model: A governance requirement that every non-human identity has a named human owner accountable for its scope, its authorized use, and its revocation when the agent is decommissioned.

These four components compose as a lifecycle: sponsorship establishes the authorization chain, ZSP limits credential lifetime, dual-identity binding carries the sponsor’s identity in every access request, and the result is an audit trail that survives regulatory scrutiny.


NHI sprawl in agentic pipelines is a rate problem that human-pace governance cannot solve

The CSA and Oasis Security survey of 383 IT and security professionals, published January 2026, found that 78% of organizations lack documented policies for creating or removing AI identities, and 92% lack confidence their legacy IAM solutions can manage the associated risks.[1] Those numbers describe the governance gap before AIgentic deployments reach operational scale. The Palo Alto Networks Unit 42 research on Vertex AI’s credential architecture describes what the gap produces in practice.

In March 2026, Unit 42 disclosed that the Per-Project, Per-Product Service Agent associated with deployed Vertex AI agents received excessive default permissions at the platform level: broad read access to Cloud Storage buckets across the project, access to restricted Artifact Registry repositories containing proprietary Google container images, and access to sensitive deployment files.[2] The vulnerability was not an authentication bypass. It was a design-time decision about default permission scope, applied automatically to every deployed agent without explicit configuration. The exposure accumulated silently across every deployment until one credential was compromised.

Figure: Flowchart showing a Vertex AI Agent deployed with a default P4SA credential, auto-assigned and long-lived (OWASP NHI-7: Long-Lived Secret), that on compromise provides read access to three unrelated targets: all Cloud Storage project buckets, Artifact Registry internal images, and deployment files (code.pkl, Dockerfile.zip), each representing OWASP NHI-5: Overprivileged NHI risk.

What makes credential generation in agentic pipelines structurally different from static service accounts?

A static service account is created once and revoked when the service is decommissioned. An orchestrator that spawns Agentlets is not static. Each Agentlet calls external APIs; under the Identity Inheritance Model, each inherits its principal’s credentials without any explicit provisioning decision. Non-human identities already outnumber human identities in enterprise environments by at least 45 to 1.[3] AIgentic pipelines do not change the ratio. They change the rate, and that is what defeats governance controls built for human-pace credential lifecycle management.

Zero standing privilege removes the persistent credential as an architectural attack surface

An AIgentic Actor that holds no persistent credentials between tasks cannot be compromised through credential theft between operations. There is nothing to steal. Zero standing privilege is the non-human identity equivalent of requiring employees to check out access cards specific to each task rather than carrying permanent badges that open every door. Each operation requests the minimum access required for that function, for exactly the duration the function requires, and the credential expires at completion. The OWASP Non-Human Identities Top 10 (2025) identifies overprivileged NHIs and long-lived secrets among its risk categories.[4] ZSP addresses both in a single architectural decision: credentials that expire at task completion cannot become long-lived secrets, and credentials scoped to a single function cannot be overprivileged across a broader environment.

What does zero standing privilege look like in an agentic pipeline at runtime?

At provisioning time, the human sponsor assigns the agent an identity and declares its authorized scope. At runtime, before each task, the agent requests a short-lived credential scoped to that specific access. The credential expires when the task completes. No credential persists between operations. An attacker who compromises the agent mid-task gains access only to what that single credential authorizes for as long as the task runs. Tooling is a prerequisite, however: a credential cannot be scoped and expired at pipeline pace without it.

Dual-identity credential binding makes the authorization chain cryptographically enforced rather than administratively optional

The human sponsorship model requires that every NHI has a named human owner accountable for its scope, its use, and its revocation. That requirement is straightforward to state and difficult to enforce administratively. A sponsor can leave the organization next quarter, leaving the agent’s credentials without an active authorization chain. Dual-identity credential binding addresses this structurally. The IETF WIMSE working group draft (draft-ni-wimse-ai-agent-identity-02) proposes credentials in which both the agent’s identity and the human sponsor’s identity are cryptographically encoded in the access token itself.[5] A verifying service that receives the credential can confirm both identities from the token directly, without querying a separate directory that may have drifted from the operational state.

How does IETF WIMSE make the human sponsor visible to every access decision?

Under a conventional IAM model, an agent presents a service account token and a separate policy engine resolves who authorized it. The policy record can lag the operational state. Under the WIMSE dual-identity model, the token carries both identities as cryptographically verified claims. A verifying service does not need to look up who authorized the agent’s access. The credential answers the question directly. The authorization chain is in the artifact, not in a system that must be queried. For the security architect, the practical implication is that anomaly detection becomes tractable: every access request names the agent and its sponsor, providing the behavioral baseline that makes deviation detectable. This satisfies what DORA Article 10 requires: monitoring capable of detecting anomalous ICT activity, applied to a credential architecture that makes NHI behavior attributable.[6]
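The runtime ZSP flow and the dual-identity check described above can be sketched together as follows. This is an added example, not code from the WIMSE draft or from any product: the claim names, the 300-second lifetime ceiling, and the HMAC key are assumptions, and HMAC stands in for the asymmetric signature a real issuer would use.

```python
import base64, hashlib, hmac, json

# Constructed demo key; HMAC is a stand-in for an issuer's asymmetric signature.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_TTL_S = 300  # assumed ceiling: anything longer counts as a standing credential

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def sign(body: str) -> str:
    return b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())

def mint(agent, sponsor, scope, ttl_s, now):
    """Issue a per-task credential; expiry is fixed at issuance, no refresh."""
    claims = {"agent": agent, "sponsor": sponsor, "scope": sorted(scope),
              "iat": int(now), "exp": int(now) + ttl_s}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + sign(body)

def verify(token, action, now):
    """Return (allowed, reason, claims) using only what the token itself carries."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, sign(body)):
            return False, "bad_signature", None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return False, "malformed", None
    # Both identities must be present in the signed claims.
    if not claims.get("agent") or not claims.get("sponsor"):
        return False, "missing_identity", claims
    # Reject long-lived tokens even when the signature is valid.
    if claims["exp"] - claims["iat"] > MAX_TTL_S:
        return False, "standing_credential", claims
    if not (claims["iat"] <= now < claims["exp"]):
        return False, "expired", claims
    if action not in claims["scope"]:
        return False, "out_of_scope", claims
    return True, "ok", claims
```
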

For a full treatment of how credential binding fits within the Actor Identity Lifecycle, see Governing AIgentic Actors: Identity, Trust and Control. The Identity Inheritance Model is examined in full in The Identity Crisis at the Heart of AIgentic Systems.

DORA and EU AI Act obligations map to specific architectural controls, not general governance postures

DORA Article 9 requires financial entities to implement physical and logical access controls on ICT systems and limit access to what legitimate and approved functions require, effective January 17, 2025.[7] Every credential an AI agent carries to access a storage bucket, an API endpoint, or an internal system is ICT access. ZSP is the architectural implementation of that least-privilege requirement for NHIs at runtime. DORA Article 10 requires mechanisms to promptly detect anomalous ICT activities and incidents, including monitoring of ICT anomalies across the operational environment.[6] Dual-identity credential binding makes that monitoring possible: without it, a monitoring tool sees a service account token; with it, the tool sees an agent identity bound to a named sponsor, giving it the behavioral attribution baseline that anomaly detection requires.

How does DORA Article 9 apply to credentials an agent generates at runtime, not at provisioning time?

Applied to NHIs, the Article 9 access control obligation covers runtime-generated credentials as it covers provisioned ones: the relevant question is whether the access is scoped to what legitimate functions require. An agent that requests a credential at runtime has either scoped it to the approved function, or it has not. ZSP makes the Article 9 obligation satisfiable: the credential is scoped before it is requested, for that specific operation only. The Vertex AI Double Agent disclosure illustrates the alternative: default permissions across Cloud Storage and Artifact Registry are not the minimum required for any specific legitimate function.

What does EU AI Act Article 14 require of a multi-agent pipeline architecture?

EU AI Act Article 14 requires that high-risk AI systems be designed to allow natural persons to effectively oversee them, including the ability to interpret outputs, override decisions, and halt operations, with Annex III obligations applying from August 2026.[8] The architectural implication is not only that a stop button exists. Every action must be attributable to a specific agent whose authorization chain is auditable back to a named human sponsor. A pipeline in which credentials are inherited from an over-scoped parent service account does not satisfy that requirement. Human oversight of a system whose AIgentic Actors carry untraceable credentials is not oversight.

The NIST NCCoE published a concept paper in February 2026 acknowledging that no current NIST identity guidance addresses agentic pipeline identity as a defined problem space.[9] That gap exists in NIST guidance. DORA and the EU AI Act do not wait for it to close. The architectural question is whether the credential design for each AIgentic Actor satisfies ZSP, encodes dual-identity binding, and traces to a named human sponsor. The topology-first enforcement substrate that constrains an Actor’s reachable action space before any credential evaluation occurs is examined in The Semantic Proxy Pattern.

Frequently asked questions

What is the difference between zero standing privilege and conventional least-privilege access control?

Conventional least-privilege scopes a credential to the minimum access its role requires. The credential persists until it is revoked, rotated, or expires on a schedule. Zero standing privilege applies a stricter constraint: no credential exists between tasks. Each task requests exactly the access it needs for exactly the duration it needs it. The distinction matters for agentic pipelines because a least-privilege credential scoped to a role that spans multiple functions is still a persistent credential. An attacker with access to a least-privilege agent credential retains lateral movement capability within its scoped access for as long as the credential lives. ZSP removes the persistent credential entirely: there is nothing to steal between operations.

How does the human sponsorship model work when an orchestrator spawns dozens of Agentlets in a single workflow?

Each Agentlet requires a credential, and each credential requires a sponsor. Under the human sponsorship model, the orchestrator is itself a sponsored AIgentic Actor. When it spawns an Agentlet, the derived credential encodes both the Agentlet’s identity and the sponsorship chain back to the named human owner. No Agentlet carries a credential without a traceable authorization chain. The governance discipline does not degrade at scale. It is encoded in the credential structure at every level of the delegation hierarchy.
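The difference between inheriting a principal's credential and deriving a sponsored one can be shown on a small data structure. This is an added example, not part of the original article or of any orchestration platform: the `Credential` fields, the depth limit, and the function names are assumptions, and a real issuer would also sign each derived credential.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    agent: str          # identity of the holder
    sponsor: str        # named human owner, fixed at the root
    scope: frozenset    # actions this credential authorizes
    expires_at: int     # epoch seconds
    chain: tuple = ()   # delegating agents, root first

def inherit(parent, child_agent):
    """Identity Inheritance Model: the Agentlet simply reuses the parent's credential."""
    return parent  # child identity is lost; full scope and lifetime carry over

def derive(parent, child_agent, scope, ttl_s, now, max_depth=4):
    """Sponsored delegation: a derived credential can only narrow its parent's."""
    scope = frozenset(scope)
    if now >= parent.expires_at:
        raise PermissionError("parent credential expired")
    if not scope or not scope <= parent.scope:
        raise PermissionError("scope must be a non-empty subset of the parent's")
    if len(parent.chain) + 1 > max_depth:
        raise PermissionError("delegation chain too deep")
    return Credential(
        agent=child_agent,
        sponsor=parent.sponsor,                       # sponsor never changes
        scope=scope,
        expires_at=min(now + ttl_s, parent.expires_at),  # cannot outlive parent
        chain=parent.chain + (parent.agent,),
    )

def audit_line(cred, action):
    """One attributable record per access: sponsor, delegation chain, acting agent."""
    path = " > ".join((cred.sponsor,) + cred.chain + (cred.agent,))
    return f"{action} by {path}"
```

With `inherit`, the audit record for an Agentlet's access names only the orchestrator; with `derive`, it names the Agentlet and every delegating agent back to the sponsor.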

What does the Vertex AI Double Agent incident tell us about the architecture we need?

The Unit 42 research disclosed that the default Vertex AI P4SA service account configuration gave deployed agents access well beyond what any specific task required.[2] The credential that caused the exposure was the platform’s default, not the result of misconfiguration by an engineer. Every organization that deployed Vertex AI agents under the default configuration inherited that exposure without a visible decision point. ZSP would have prevented it: a credential scoped to a specific task cannot be used to pivot to unrelated Cloud Storage buckets. Dual-identity binding would have surfaced it: a credential encoding the deploying engineer as sponsor would have made the over-scoped access attributable the moment it occurred. The incident is a production demonstration of what the architecture prevents.

Footnotes

  1. Cloud Security Alliance and Oasis Security. “The State of Non-Human Identity and AI Security.” January 2026. https://cloudsecurityalliance.org/artifacts/state-of-nhi-and-ai-security-survey-report

  2. Ofir Shaty, Palo Alto Networks Unit 42. “Double Agents: Exposing Security Blind Spots in GCP Vertex AI.” March 31, 2026. https://unit42.paloaltonetworks.com/double-agents-vertex-ai/

  3. Cloud Security Alliance, “Securing Non-Human Identities in the Age of AI Agents,” RSAC 2025. https://cloudsecurityalliance.org/artifacts/securing-non-human-identities-in-the-age-of-ai-agents-rsac-2025 (45:1 lower bound). Entro Labs, “NHI & Secrets Risk Report H1 2025,” enterprise data collected January–June 2025. https://23579664.fs1.hubspotusercontent-na1.net/hubfs/23579664/Assets/EL-The-NHI-Secrets-Risk-Report-H1-2025.pdf (144:1 upper bound, up from 92:1 in H1 2024).

  4. OWASP Non-Human Identities Top 10, 2025. https://owasp.org/www-project-non-human-identities-top-10/2025/

  5. IETF WIMSE Working Group. draft-ni-wimse-ai-agent-identity-02. Individual Internet-Draft, not IETF-endorsed standard, expires September 1, 2026. https://www.ietf.org/archive/id/draft-ni-wimse-ai-agent-identity-02.html

  6. Digital Operational Resilience Act (DORA), Article 10 (Detection). EU Regulation 2022/2554, effective January 17, 2025. https://www.digital-operational-resilience-act.com/Article_10.html

  7. Digital Operational Resilience Act (DORA), Article 9 (Protection and Prevention). EU Regulation 2022/2554, effective January 17, 2025. https://www.digital-operational-resilience-act.com/Article_9.html

  8. EU Artificial Intelligence Act, Article 14 (Human Oversight). Regulation (EU) 2024/1689. https://artificialintelligenceact.eu/article/14/

  9. NIST NCCoE. “Accelerating the Adoption of Software and Artificial Intelligence Agent Identity and Authorization.” February 2026. https://csrc.nist.gov/pubs/other/2026/02/05/accelerating-the-adoption-of-software-and-ai-agent/ipd

Written by Charles Carrington, Founder, Attribit-ID