Executive Introduction

Artificial Intelligence is forcing security leaders to revisit fundamental assumptions behind identity governance. For decades, identity programs have operated around two categories: human identities and non-human identities. But as autonomous AI agents begin to reason, act, and interact across enterprise environments, a critical question emerges: "Do existing governance models adequately address a new class of digital actors?"

As Loom Security continues innovating with CINQUE, their AI-native unified xSPM observability platform, they are exploring what agentic AI means for identity security, governance, and risk management. While many concepts are still evolving across the industry, organizations must begin preparing now for a future where identity is no longer limited to people and static machine accounts.

The perspectives explore why AI agents may represent an entirely new identity category, how that challenges traditional governance models, and why behavioral intent observability may become the defining security control for the next generation of enterprise AI, IGA/IAM, GRC, DFIR, and the emergence of the Agentic SOC.

What Building CINQUE Is Teaching Us About the Evolution of AI-Era Identity Security

AI agents do not fit cleanly into the non-human identity category. As the company builds and operates CINQUE, they are developing a working model for why that distinction matters and what it implies for enterprise AI security governance.

"AI agents are the first identity type that can reason, act, and expand scope at runtime. That breaks the assumptions underpinning identity governance today."

These observations come from early design partnerships, customer discovery, and internal modeling rather than production-scale agentic detection data. They're publishing current thinking because waiting for complete evidence means the industry starts conversations too late.

What We Observe

When beginning to build CINQUE, the foundational design assumption was largely the same one the identity industry has operated on for years: the realm of identities splits cleanly into two populations.

  1. Human Identities: The people whose access you provision, govern, and revoke through your IGA platform.
  2. Non-Human Identities: The service accounts, API keys, OAuth tokens, certificates, and automation scripts that power infrastructure without a person directly behind them.

"That assumption held long enough to shape our initial data model. It did not survive first contact with the AI-era enterprise environment."

As they modeled and explored cross domain identity correlation across the Five Pillars (Identity, Device, Network, Application, and Data), they observed entity patterns that appeared to strain both governance buckets simultaneously. These entities held enterprise credentials, rapidly performed multi-step actions across multiple domains in a single invocation, and their behavior was not fixed at provisioning time. The cross domain telemetry patterns they generated looked unlike anything produced by either a human user or a traditional NHI.

CINQUE

The patterns map most clearly to emerging AI agents. Governing them with frameworks designed for service accounts leaves much to question and introduces much concern.

"The governance tools available today treat agentic AI as a subcategory of a problem they were built to solve."

This post documents what they are seeing, why they believe the existing NHI classification is an imprecise fit for agents, why that matters, and how those observations are shaping what they build.

Why the NHI Bucket Is an Imprecise Fit

Non-human identity governance is built on three assumptions that, taken together, make the problem workable.

First, an NHI has a fixed operational scope. It does what its configuration says, and nothing else.

Second, the security posture of an NHI is primarily a credential hygiene problem: rotate secrets, enforce least privilege, audit for stale accounts.

Third, blast radius is bounded by permission scope—if the credential is compromised, the attacker gets exactly what that account was permitted to access.

Those assumptions hold for service accounts, API integrations, and automation scripts, exactly the entities NHI governance was designed around.

The question they are working through is how well they extend to AI agents, and their current view is that the extension is structurally strained in ways that matter operationally.

CINQUE

"We want to be precise here; we can't soften distinctions that need to stay sharp."

The argument is not that agents are a more complex form of NHI where the same controls apply with more parameters. The argument is that at least three architectural characteristics of AI agents create governance requirements that the NHI model was not designed to meet.

CINQUE

1. The Behavioral Characteristic

A service account does not decide what to do next. An AI agent does.

When an agent is invoked, it receives a goal or instruction set, then reasons through how to accomplish it. That reasoning process determines which tools it calls, which data it accesses, and which downstream systems it touches. That determination happens dynamically, at runtime, based on what the agent encounters as it works.

This means the agent's action path is not fully derivable from its initial instruction.

The security model for a static NHI asks: what is this credential permitted to access?

The security model for an agentic AI identity requires a different question: is this agent's decision-making within the intended scope of its purpose?

"Those are not equivalent questions, and a governance framework built around the former cannot reliably answer the latter."

2. The Blast Radius Characteristic

Traditional NHI produces a single action per invocation, or a predictable sequence defined at configuration time. One credential, one action, one log entry, blast radius bounded by permission scope.

An AI agent operating in a multi-step workflow can interact with dozens of systems across an environment in a single invocation, with each action producing context that may shape the next.

"If the permission scope of a well-credentialed agent is broad and its task scope is narrow, the gap between the two represents potential exposure that a permissions model alone does not capture."

Whether and how frequently that gap is exploited in practice is a question the industry is still developing evidence on. What is architecturally clear is that the blast radius calculation for an agent-mediated event is more complex than for a static NHI.

3. The Permission-Versus-Purpose Characteristic

This is the distinction the company finds most consequential for how CINQUE is designed, and the one they think is most under-appreciated in current identity governance discussions.

Service accounts are bound by what they are permitted to do.

Agents are bound by what they are instructed to do.

"Under normal operation, those two things may substantially overlap. Under adversarial conditions, misconfiguration (statistically common), or reasoning drift, they may not."

An agent holding credentials with a broad access scope, but a narrow task instruction is, in a sense, carrying a larger credential footprint than its purpose requires. That is not unique to agents. Over-provisioning is a classic NHI problem.

What is different is that the agent's actual access behavior is determined dynamically by its reasoning, not statically by its task definition, which means the over-provisioning risk is harder to surface through standard access review processes.

Risk Patterns We Are Tracking

The following risk categories represent the current working model of where agentic identity governance gaps are most likely to concentrate in enterprise environments.

1. Prompt Injection as a Potential Identity-Layer Attack Vector

Embedding adversarial instructions into content an agent processes (a document it reads, an email it summarizes, a database record it queries) could redirect agent behavior in ways that bypass traditional identity controls while the agent continues to operate under valid credentials.

Service accounts are not susceptible to social engineering.

AI agents may be susceptible through prompt injection.

"We pay close attention to this vector in our architecture because, if it operates as described, it will not produce the signals that identity security tooling is built to detect."

The authentication event is clean. The credential is valid. The anomaly, if present, would appear in the cross-domain behavioral pattern of an agent that has been redirected mid-execution.

That is a categorically unique observation type that only becomes visible when you are correlating behavior across domains, which is precisely what CINQUE is designed to do.

The practical prevalence and exploitability of this vector in enterprise environments is still being characterized by the security research community.

2. AI Agent Inventory as an Emerging Governance Gap

The NHI sprawl problem (thousands of stale service accounts, forgotten API keys, OAuth tokens with overly broad scope) is a problem identity teams have been working on for years.

Modern agentic architectures introduce a version of that problem with some new characteristics:

  • Agents that spawn sub-agents
  • Pass credentials between execution contexts
  • Create ephemeral identities that may not be captured by existing CMDB or identity store processes

This is expected to be an area of active development across the identity governance community.

3. Behavioral Drift in Long-Running Agent Workflows

Long-running agents operating in multi-step workflows may exhibit behavior that evolves from their original instruction as their reasoning chain accumulates context.

"The governance implication is that controls built solely on initial-state authorization may be insufficient for entities whose effective scope of action can evolve during execution."

Continuous behavioral monitoring across the execution chain, rather than point-in-time access review, is the architectural response they are building toward.

4. Execution Accountability and DFIR

When a service account takes an unauthorized action, the forensic trail is relatively clean.

"When an AI agent takes an action as part of a multi-step execution chain that produces an adverse outcome, reconstructing what the agent decided, why it decided it, and what it touched as a result is a harder problem."

The industry has not yet settled on a standard for agent-mediated incident forensics.

What they are designing for is the ability to produce a complete, time-ordered execution journal across all five security domains for any agent operating within CINQUE's visibility scope.

What We Are Building in Response

Each of these patterns is informing specific architectural decisions in CINQUE.

1. Persona-Based Behavioral Baselines Designed to Extend to AI Agents

CINQUE is built to map behavior across the Five Pillars into business personas. That mapping is designed to apply to agentic identities alongside human users and other NHIs.

"The intent is that an agent has a persona in the same operational sense that a privileged human user does: an expected functional scope, a set of systems it should interact with, and a normal cross-domain footprint during execution."

CINQUE is built to surface deviations from that persona as correlated cross-domain findings rather than isolated single-pillar events.

2. Cross-Domain xSPM Correlation Designed to Reconstruct Execution Chains

CINQUE is architected to aggregate and correlate signals across CSPM, DSPM, ISPM, SSPM, and AISPM into a unified correlation engine.

The design intent is that an operator should be able to see the cross-domain action chain of an agent's execution as a single correlated finding, not as a collection of low-severity events distributed across multiple systems.

3. The Activity Map as an Intended DFIR Execution Journal

CINQUE's Activity Map is designed to function as a time-ordered, cross-domain view of persona behavior, including agentic identities.

"The intent is that it serves as the execution journal that supports incident forensics."

When an agent-mediated event occurs, the Activity Map is designed to show what the agent touched, across which domains, in what sequence, and where its behavior departed from its established baseline.

4. Intent-Scoped Anomaly Detection

CINQUE's anomaly detection is designed to evaluate agent behavior against purpose, not just against credential history.

"The design intent is that an agent performing actions outside its functional scope should surface as an anomaly regardless of whether it has a meaningful behavioral history."

The baseline is what the agent should be doing given its defined purpose—not only what it has done before.

What This Means Practically (Right Now)

Before governing Agentic AI Identities, three things are needed:

  1. Establish clean, categorical identity baselines
  2. Reduce NHI sprawl (just because it isn't human doesn't mean it's "NHI")
  3. Correlate cross-domain identity-specific activity

"CINQUE delivers these three capabilities today."

This provides clients a clean, correlated, cross-domain, critical comprehension of identity behavior. With that, enterprise organizations can support advanced and evolving GRC, IGA/IAM, DFIR, and Agentic SOC models.

The Governance Model We Are Working Toward

Human identity governance is built around the person.

NHI governance is built around the credential.

"Neither model is built for an entity that reasons autonomously, executes multi-step action chains, and produces behavior shaped by runtime context rather than fixed configuration."

The working model is that the industry will need a third governance framework, one built around behavioral intent:

  1. What the agent is supposed to do
  2. Whether it is doing it
  3. Whether its action chain stays within the boundaries of its purpose across a full execution

"We are building CINQUE around that model because the two-category identity framework, however useful it has been, does not appear to be the right fit for what AI agents actually are, and are doing, in enterprise environments."

These views are held with appropriate humility. The evidence base for agentic identity risk in enterprise environments is still developing industry-wide.

Some patterns being tracked will prove more consequential than currently expected. Some will prove less.

What the company is confident in is that collapsing the governance question for AI agents into existing NHI frameworks is not the right answer and that building for the more demanding model now is the correct posture for a security company operating in this environment.

They will continue pushing and publishing what they learn.

Tagged: AI Security Identity Governance Non-Human Identity Agentic AI Thought Leadership
CR
Casey Rash
VP of Solutions Architects

Casey Rash is the VVP of Solutions Architects at Loom Security. As the company builds CINQUE, Casey's work explores the governance gaps created by AI agents and the behavioral intent frameworks needed to address them.