Identity & Policy
Agent Identity & Governance
Per-agent non-human identity (NHI) and its governance: issuance, rotation, revocation, least agency.
Plane
Identity & Policy
Flow steps
3 · 6
Frameworks
NIST 800-53 · OWASP LLM06 · NIST AI 600-1 · MITRE ATLAS
Technology
Why use it
Give each agent its own identity and govern it across its full lifecycle, instead of reusing a shared human or service identity.
Why it matters to security
Makes every agent action attributable, enforces least privilege and least agency, and enables targeted revocation.
Implementations: SPIFFE / SPIRE · Entra Workload Identity · AWS IAM Roles Anywhere · HashiCorp Vault
An agent is not a user: it needs its own identity, its own scope, its own leash.
Recommendations by maturity tier
Foundation
Minimum viable baseline
- Distinct, unique identity per agent (no shared identity). NIST 800-53 IA-9 · AC-2. A shared identity makes action attribution and targeted revocation impossible.
- Inventory of agents and their privileges. NIST 800-53 CM-8 · NIST AI 600-1 GV-1.6-001. You cannot secure what you have not inventoried; the inventory precedes any governance.
- Secure issuance and storage of credentials. NIST 800-53 IA-5. Agent credentials, often forgotten, are a prime target.
Enterprise
Enterprise standard
- Full lifecycle: creation → rotation → revocation. NIST 800-53 AC-2 · IA-5. A stale but still-entitled agent is an unnoticed backdoor.
- Centralized key management (KMS) with scheduled rotation. NIST 800-53 SC-12 · SC-28. Regular rotation limits the value of a compromised key.
- Documented agency scope per agent (least agency). NIST 800-53 AC-6 · OWASP LLM06:2025. Constraining what an agent can do, where and how often is the direct counter to excessive agency.
Advanced
High-assurance / regulated
- Ephemeral identities provisioned just-in-time per task. NIST 800-53 AC-6 · IA-5. The agent only holds privileges for the exact duration of its task.
- Automated revocation on anomalous behavior (SOAR link). NIST 800-53 SI-4 · AC-12. An agent that drifts is cut off automatically, before escalation.
- Governance wired to the PDP: agency becomes a policy decision. NIST 800-53 AC-24 · OWASP LLM06:2025. What an agent may do is evaluated dynamically, not frozen at design time.
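The recommendations above, as an added Python example (not code from this page or from any of the listed implementations): a credential bound to one agent and one task, with an explicit action list and a short lifetime, checked for signature, revocation, expiry and agency scope. The HMAC token format, the function names, the in-memory key and the revocation set are assumptions made for illustration; in a deployment the key would sit in a KMS and the identity would come from the workload identity system in use.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (assumption); a real signing key lives in a KMS/HSM.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
REVOKED_AGENTS = set()  # targeted revocation list, keyed by agent id


def _sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue(agent_id, task_id, allowed_actions, ttl_s, now=None):
    """Mint a credential for one agent, one task and an explicit action list."""
    now = time.time() if now is None else now
    claims = {"sub": agent_id, "task": task_id,
              "actions": sorted(allowed_actions), "exp": now + ttl_s}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload).decode()


def authorize(token, action, now=None):
    """Return (allowed, reason); every reason names the agent for attribution."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    # Verify integrity before trusting any claim in the payload.
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode())):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    agent = claims["sub"]
    if agent in REVOKED_AGENTS:
        return False, f"{agent}: revoked"
    if now >= claims["exp"]:
        return False, f"{agent}: expired"
    if action not in claims["actions"]:
        return False, f"{agent}: action '{action}' outside agency scope"
    return True, f"{agent}: allowed for task {claims['task']}"


def revoke(agent_id):
    """Cut off one agent without touching any other identity."""
    REVOKED_AGENTS.add(agent_id)
```

Because each token names exactly one agent, `revoke("agent-a")` leaves every other agent's credentials valid, which is the property a shared identity cannot offer.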
Architecture notes
- Design to make the dangerous action impossible, not merely tedious. A rate limit alone is not enough. Prefer removing the capability (no mass-delete tool) over adding bypassable friction (confirmation, quota).
References
OWASP LLM06:2025
Excessive Agency — identity governance and least privilege are its countermeasure.
NIST AI 600-1
GV-1.6 — inventory of AI systems and their components.
NIST SP 800-53 Rev5
IA-9 (Service Auth), AC-2 (Accounts), AC-6 (Least Privilege), CM-8 (Inventory), SC-12/28 (keys).
MITRE ATLAS — AML.T0051
Prompt injection → abuse of agent privileges; a governed identity limits blast radius.
Abbreviations
PDP
Policy Decision Point
PEP
Policy Enforcement Point
PIP
Policy Information Point
PAP
Policy Administration Point
IdP
Identity Provider
TSS
Token Service
NHI
Non-Human Identity
RBAC
Role-Based Access Control
ABAC
Attribute-Based Access Control
MFA
Multi-Factor Authentication
HITL
Human-in-the-loop
JIT
Just-In-Time
CAE
Continuous Access Evaluation
CAEP
Continuous Access Evaluation Profile
DPoP
Demonstrating Proof-of-Possession
mTLS
mutual TLS
PII
Personally Identifiable Information
KMS
Key Management Service
CI/CD
Continuous Integration / Continuous Delivery
SIEM
Security Information and Event Management
SOAR
Security Orchestration, Automation and Response
SCIM
System for Cross-domain Identity Management
XACML
eXtensible Access Control Markup Language
OPA
Open Policy Agent
OWASP
Open Worldwide Application Security Project
NIST
National Institute of Standards and Technology
ATLAS
Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM
Large Language Model
WAF
Web Application Firewall
CDN
Content Delivery Network
DDoS
Distributed Denial of Service
DLP
Data Loss Prevention
JWT
JSON Web Token
API
Application Programming Interface
CRS
Core Rule Set (OWASP)
RAG
Retrieval-Augmented Generation
MCP
Model Context Protocol
PBAC
Permission-Based Access Control
HSM
Hardware Security Module
UEBA
User and Entity Behavior Analytics
SBOM
Software Bill of Materials
SLSA
Supply-chain Levels for Software Artifacts
WORM
Write Once, Read Many
SPIFFE
Secure Production Identity Framework For Everyone