Agentic AI Risks: The Threats Security Teams Actually Need to Plan For

Nir Cohen
Senior Product Manager

Agentic AI risk is identity risk. The model is the brain, but the non-human identity behind it is the hand on the keyboard, and that hand is the part that touches your prod database at 2am.

If your dev team just shipped a Claude Code or LangChain pilot into staging, the question your CISO is asking is not “can the model be jailbroken?” It is “what can the credential do once it is?” Those are very different threat models, and most agentic risk inventories still confuse the two.


TL;DR

  • Agentic AI risk is identity risk. The model is the brain, the NHI is the hand on the keyboard.
  • Prompt injection gets the headlines. Over-permissioned credentials and unmonitored MCP servers cause the breaches.
  • Most agent activity happens out-of-band of your SIEM. If you cannot see the NHI behind the agent, you cannot see the action.
  • Treat every agent as a workload with a blast radius. Map it, scope it, monitor it at runtime.

Why agentic AI risks are different from LLM risks

The OWASP LLM Top 10 is a solid starting point for chat applications. It is half-relevant once you add tools and credentials. An LLM that drafts an email and an agent that sends the email through your Gmail API are not the same workload, even if the model weights are identical. One is a text generator. The other is an authenticated actor inside your environment.

That shift is what the NIST AI Risk Management Framework Generative AI Profile starts to gesture at when it talks about action-taking systems, and what MITRE ATLAS is documenting at the technique level under tool abuse and credential access. The category we are walking into is not “what does the model say.” It is “what does the model do, on whose authority, with which secret.” Once you internalize that, the whole risk picture rearranges. Prompt injection stops being the headline threat and becomes a delivery mechanism for the threats that actually matter.

The 5 risks worth planning for this quarter

Shadow agents. Your dev team can stand up a LangChain agent or a Claude Code session in an afternoon. No procurement, no security review, no ticket. We routinely see Fortune 500 environments with dozens of agents that nobody on the security team has heard of, each one wired to a real credential. That is your first risk, and you cannot mitigate what you cannot find. Shadow AI discovery is the capability that closes this gap.

Over-permissioned NHIs. Most agent credentials start as a long-lived AWS access key with broad IAM policies, copied from a wiki page that predates the agent. The model behaves well. The credential does not need to.

Prompt injection as a pivot. The injection itself is rarely the breach. What it does is hijack a tool call, and if that tool call runs under a credential with write access to your Snowflake warehouse or your GitHub org, you have an exfiltration path. ATLAS catalogs the techniques. The payload is your IAM.

Rogue or spoofed MCP servers. Model Context Protocol servers are showing up in dev workflows fast, often pointing at endpoints nobody vetted. A Claude Code session talking to a malicious MCP server can quietly leak repo contents or inject instructions back into the agent. The MCP Audit plugin captures these contacts.

No audit trail. When an agent acts on behalf of a human, your logs see a service account, not a person. Forensics gets very hard, very fast.

What a defensible agentic AI risk posture looks like

Three moves, in this order.

Discover every agent and the non-human identity security profile behind it. Map agent to NHI to resource to accountable owner. If you cannot draw that line on a whiteboard for every agent in your environment, you are not ready to defend it. This is the prerequisite, not the polish.

Scope credentials hard. Replace long-lived keys with Just In Time access for agents, session-scoped, with a clear expiration. The principle is old. The application to agents is new. An agent that needs read access to one S3 bucket for ten minutes should not be holding a credential that can drop tables for the next six months.

Monitor intent at runtime. This is where AI Detection and Response lives. Watch the tool calls, watch the MCP contacts, watch for the moment an agent starts doing something its identity profile says it should not. Logs after the fact are not enough when the actor can complete a breach in 90 seconds.
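The three moves above, reduced to working code as an added example (this is not code from the post or from Entro's product): an inventory that maps each agent to its NHI, owner, allowed tools and vetted MCP servers; the least-privilege, time-bounded policy that inventory implies; and a runtime check of tool-call events against the profile that flags shadow agents, out-of-scope resources, unvetted MCP contacts and expired sessions. Agent names, the role ARN, endpoints and events are all constructed.

```python
# Added example (not from the original post or Entro's product): a minimal
# agent -> NHI -> resource inventory plus a runtime check of tool calls against
# it. Agent names, role ARNs, endpoints and events are all constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class AgentProfile:
    agent: str                          # agent name as it appears in tool-call logs
    nhi: str                            # the non-human identity the agent runs as
    owner: str                          # accountable human team
    allowed_tools: dict[str, set[str]]  # tool -> resources it may touch
    allowed_mcp: set[str]               # vetted MCP server endpoints
    issued_at: datetime                 # when the JIT session credential was minted
    ttl: timedelta                      # how long that credential should live

    def session_expired(self, when: datetime) -> bool:
        return when > self.issued_at + self.ttl

    def scoped_policy(self) -> dict:
        """Narrowest IAM-style statement implied by the profile, expiring with the
        session. Tool names stand in for IAM action names (assumed mapping)."""
        expiry = (self.issued_at + self.ttl).isoformat()
        return {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": tool,
                    "Resource": sorted(resources),
                    "Condition": {"DateLessThan": {"aws:CurrentTime": expiry}},
                }
                for tool, resources in self.allowed_tools.items()
            ],
        }


@dataclass
class ToolCall:
    ts: datetime
    agent: str
    tool: str
    resource: str
    mcp_server: str | None = None   # set when the call was brokered by an MCP server


def evaluate(call: ToolCall, profiles: dict[str, AgentProfile]) -> list[str]:
    """Return findings for one tool call; an empty list means it fits the profile."""
    profile = profiles.get(call.agent)
    if profile is None:
        return [f"shadow agent: {call.agent} not in inventory"]
    findings: list[str] = []
    if profile.session_expired(call.ts):
        findings.append("expired session")
    if call.mcp_server and call.mcp_server not in profile.allowed_mcp:
        findings.append("unvetted MCP server")
    allowed = profile.allowed_tools.get(call.tool)
    if allowed is None:
        findings.append("tool not in profile")
    elif call.resource not in allowed:
        findings.append("resource outside scope")
    return findings


def triage(calls, profiles) -> list[tuple[str, str, list[str]]]:
    """Evaluate every call; the caller decides whether to alert or block on findings."""
    return [(c.agent, c.tool, evaluate(c, profiles)) for c in calls]


T0 = datetime(2025, 1, 1, 2, 0, tzinfo=timezone.utc)  # constructed "2am" session start

PROFILES = {
    "billing-report-agent": AgentProfile(
        agent="billing-report-agent",
        nhi="arn:aws:iam::000000000000:role/billing-report-agent",  # placeholder ARN
        owner="finance-platform-team",
        allowed_tools={"s3.get_object": {"billing-exports"}},
        allowed_mcp={"https://mcp.internal.example/github"},
        issued_at=T0,
        ttl=timedelta(minutes=10),
    ),
}

# Constructed tool-call events: one in-profile call, then one of each deviation.
SAMPLE_CALLS = [
    ToolCall(T0 + timedelta(minutes=1), "billing-report-agent", "s3.get_object", "billing-exports"),
    ToolCall(T0 + timedelta(minutes=2), "billing-report-agent", "s3.get_object", "customer-pii"),
    ToolCall(T0 + timedelta(minutes=3), "billing-report-agent", "snowflake.execute", "PROD.INVOICES"),
    ToolCall(T0 + timedelta(minutes=4), "billing-report-agent", "github.list_repos", "org/*",
             mcp_server="https://mcp.unvetted.example/github"),
    ToolCall(T0 + timedelta(minutes=20), "billing-report-agent", "s3.get_object", "billing-exports"),
    ToolCall(T0 + timedelta(minutes=5), "dev-langchain-poc", "s3.get_object", "billing-exports"),
]

if __name__ == "__main__":
    for agent, tool, findings in triage(SAMPLE_CALLS, PROFILES):
        print(f"{agent:22} {tool:18} {'OK' if not findings else '; '.join(findings)}")
```

The profile is the whiteboard line from the first move (agent to NHI to resource to owner) made machine-readable; `scoped_policy` is the second move, the ten-minute read-one-bucket credential instead of the six-month key; `evaluate` is the third, run on each tool call as it happens rather than on logs afterwards. In a real deployment the events would come from the agent framework's tool-call hooks or an MCP proxy, and a non-empty finding list would block the call, not just print it.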

You can socialize this as a maturity model. Discovery, then scoping, then runtime. Most teams we work with are honest that they are at step one.

The framing that will hold up over the next two years is not “is the model safe.” It is “what is the identity reachable from this agent, and who is watching it act.” The model is the brain, but the NHI is the hand on the keyboard. Plan the risk inventory accordingly, and the rest of the controls start to make sense.
