How to manage AI agents using NIST and ISO frameworks



Security leaders no longer need to be persuaded that AI agents pose a risk. What’s missing is a way to manage them once they go into production and start operating autonomously across the enterprise environment.

AI agents are already reading sensitive documents, calling internal APIs, triggering workflows, and making decisions that still require human judgment. From a security perspective, the most important change is not their intelligence but their actions and intentions: they have delegated authority, operate autonomously, and often hold more access than the humans they support.

Fortunately, security teams don’t have to reinvent the wheel. The NIST AI Risk Management Framework (AI RMF) and ISO/IEC 42001 already provide the structure needed to manage AI agents. The challenge is enforcing them through an effective control plane such as identity.

Treat AI agents as entities with an identity

The first step is fundamental, and it has an immediate operational impact. AI agents must be treated as machine-scale identities with human-like characteristics, rather than as software components embedded within applications. Both NIST AI RMF and ISO 42001 emphasize accountability, ownership, and lifecycle governance. Applied to AI agents, this means that each agent requires a defined owner, clear intent, limited scope of access, and an explicit lifecycle.

If your security team can’t answer what agents you have, who owns them, what purpose they were created for, what systems they have access to, and when they should be retired, you already have an unmanaged entity in your environment. This mirrors the lessons learned with service accounts, except that AI agents reason, adapt, and operate at machine speeds, significantly increasing their potential impact.

Applying NIST AI RMF to identity risk

The NIST AI RMF is particularly useful because it treats AI risks as continuous rather than static. This is consistent with the principle of identity security, where access and behavior evolve over time.

In practice, this starts with observability and governance. Organizations need policies that explicitly categorize how AI agents use identities and how those identities are subject to IAM control, monitoring, and accountability. Agents must therefore be approved with the same scrutiny that applies to privileged users.

Next comes mapping. Security teams need to be able to observe the inventory of agents and what they actually do, not just what they are designed to do. This includes which systems they access, what actions they initiate, how decisions are chained together, and the downstream effects those actions cause. This is identity mapping, not model documentation.

Measurement is non-negotiable. Risk must be assessed based on autonomy, scope of authority, and data sensitivity. Agents that can initiate transactions or make changes to your infrastructure should be treated like highly privileged identities, rather than invisible background processes.

Management must be adaptive. Permissions should be revocable in real time rather than only checked quarterly. When an agent begins to act beyond its intended range, that behavioral drift should be investigated in the same way as abnormal human behavior. NIST’s emphasis on continuous risk management is a reminder that AI identity security is not a one-time control.

Operationalize governance using ISO/IEC 42001

While NIST provides structure, ISO/IEC 42001 provides operational discipline. It extends the rigor of management systems like ISO 27001 to the deployment of AI, including agentic systems.

Applied to AI identities, ISO 42001 strengthens lifecycle management. Agents must be formally onboarded and enrolled, regularly reviewed, and retired when no longer needed. Temporary agents should expire automatically, while long-lived agents should periodically justify continued access.

Logging and traceability are equally important. Every meaningful action taken by an agent must be attributed to a specific identity and auditable after the fact. If your organization can’t explain why an agent accessed a system or performed a workflow, you should revoke that access or terminate the agent.

ISO 42001 also emphasizes continuous monitoring and iterative risk assessment. For AI agents, this means monitoring for identity errors such as permission creep, unexpected tool usage, and actions that exceed the agent’s defined scope.
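
The lifecycle, attribution and scope checks described in this section can be run directly over an agent audit trail. The following is an added example, not code from the article or from either framework; the registry layout, agent names, tool names and log lines are all constructed for illustration.

```python
import json
from datetime import datetime

# Constructed registry: every agent has an owner, a purpose, a tool scope and an expiry.
REGISTRY = {
    "agent-invoice-01": {"owner": "alice", "purpose": "invoice triage",
                         "tools": {"erp.read", "mail.send"},
                         "expires": "2025-06-30T00:00:00+00:00"},
    "agent-tmp-07": {"owner": "bob", "purpose": "one-off data migration",
                     "tools": {"db.read"},
                     "expires": "2025-06-01T00:00:00+00:00"},
}

# Constructed audit log (JSON lines); not taken from any real system.
AUDIT_LOG = """\
{"ts": "2025-06-02T09:00:00+00:00", "agent": "agent-invoice-01", "tool": "erp.read"}
{"ts": "2025-06-02T09:01:00+00:00", "agent": "agent-invoice-01", "tool": "erp.write"}
{"ts": "2025-06-02T09:05:00+00:00", "agent": "agent-tmp-07", "tool": "db.read"}
{"ts": "2025-06-02T09:07:00+00:00", "agent": "agent-shadow-99", "tool": "hr.read"}
"""

def review_actions(registry, log_text):
    """Return (line_no, agent, finding) for every event that breaks governance."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        entry = registry.get(ev["agent"])
        if entry is None:
            # Action cannot be attributed to a governed identity.
            findings.append((n, ev["agent"], "unregistered"))
            continue
        when = datetime.fromisoformat(ev["ts"])
        if when >= datetime.fromisoformat(entry["expires"]):
            # Agent is still acting after its lifecycle ended.
            findings.append((n, ev["agent"], "expired"))
        if ev["tool"] not in entry["tools"]:
            # Unexpected tool usage: action exceeds the defined scope.
            findings.append((n, ev["agent"], "out_of_scope:" + ev["tool"]))
    return findings

if __name__ == "__main__":
    for finding in review_actions(REGISTRY, AUDIT_LOG):
        print(finding)
```

Each finding maps to a response the article names: revoke the out-of-scope permission, retire the expired agent, and trace the unregistered identity back to whoever created it.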

Align IAM with agent-first realities

Most IAM programs are built around humans, with applications and automation added as an afterthought. AI agents flip that model on its head. They are autonomous, temporary, and often created outside of traditional IAM workflows.

Security teams should not allow agents to inherit human access by default. Delegated authority must always be narrower in scope than that of the person it supports. Credentials, likewise, should be short-lived and dynamically issued, rather than being embedded as static secrets. Monitoring should move from periodic access reviews to behavioral baselines that reflect how agents actually perform.
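
A sketch of issuing such a credential, as an added example that is not from the article: the issuer refuses any scope that is not strictly narrower than the delegating person's, caps the lifetime, and the verifier rejects expired, tampered or out-of-scope use. The HMAC-signed token is a stand-in for whatever your identity provider issues; the key, the 15-minute ceiling and all names are assumptions.

```python
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # assumption: a real key lives in a KMS/HSM
MAX_TTL = 900                          # assumption: 15-minute lifetime ceiling

def issue(agent, human_perms, requested, ttl, now):
    """Mint a token only if the agent's scope is strictly narrower than the human's."""
    requested = set(requested)
    if not requested < set(human_perms):  # proper subset, never equal or wider
        raise PermissionError("agent scope must be a proper subset of the delegator's")
    body = json.dumps({"sub": agent, "scope": sorted(requested),
                       "exp": now + min(ttl, MAX_TTL)}).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())

def authorize(token, action, now):
    """True only for an untampered, unexpired token whose scope covers the action."""
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except ValueError:  # wrong part count or invalid base64
        return False
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False
    claims = json.loads(body)
    return now < claims["exp"] and action in claims["scope"]

if __name__ == "__main__":
    human = {"crm.read", "crm.write", "mail.send"}  # constructed permissions
    tok = issue("agent-1", human, {"crm.read"}, ttl=3600, now=1000)
    print(authorize(tok, "crm.read", now=1500))   # in scope, not expired
    print(authorize(tok, "crm.write", now=1500))  # outside delegated scope
    print(authorize(tok, "crm.read", now=1900))   # past the capped lifetime
```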

These are not new IAM principles. These are familiar controls that need to be applied to a new class of identities operating at machine speed and scale.

Keep AI identity governance continuous

One common mistake is treating AI governance as a project. Both NIST AI RMF and ISO/IEC 42001 explicitly recommend continuous management. This means repeatedly assigning ownership, defining metrics, conducting regular access reviews, and improving controls as your agents evolve.

Identity has always been the control plane of the enterprise. With AI agents becoming digital employees, organizations that bring their identities under the same disciplined governance that applies to privileged human users will be able to innovate without losing control.


