ARC’TERYX Responsible AI · 2026
Responsible AI Capstone · Decision Framework

Governing AI Agents as Non-Human Identities

A lifecycle decision framework for provisioning, scoping, and retiring autonomous AI agents within an enterprise IAM program — anchored to the OWASP Non-Human Identities (NHI) Top 10 (2025) and extending identity governance to a population that has no hire date, no manager, and no offboarding trigger.

DomainIdentity & Access Management
Primary anchorOWASP NHI Top 10 — 2025
RAi LensesAgency · Accountability · Reversibility
OwnerNamed human sponsor (required)
01 The Governance Gap

Classical IAM was built for the human joiner–mover–leaver cycle. AI agents break that model: they are created through pipelines built for velocity, make autonomous decisions, and are rarely decommissioned. An agent treated as a static service account understates the risk — a compromised or misbehaving agent can take hundreds of unauthorized actions before anyone notices.

The failure mode to design against — “persistent blast radius”: credentials that outlive their operational context and remain exploitable indefinitely. This is not a hypothetical — it is NHI1: Improper Offboarding, the single highest-ranked non-human-identity risk in the OWASP 2025 list. The framework below is built backwards from it.
02 Why OWASP NHI Top 10 Is the Anchor

An AI agent is governed at the intersection of two domains: it is an AI system (risk, bias, oversight) and a machine identity (credentials, scope, lifecycle). Most AI-governance references address the first and are silent on the second. The OWASP NHI Top 10 addresses the second directly — and the second is where agents actually fail in production.

Two-anchor design. OWASP NHI Top 10 is the identity-governance backbone — it maps to the concrete failure modes of every lifecycle stage. NIST AI RMF is the AI-risk governance layer — it supplies the govern/measure framing and the bias/oversight lens the NHI list does not cover. The remaining references are scope-triggered supports, not headline anchors.
03 Lifecycle Decision Stages · each mapped to its governing NHI risks
ProvisionSTAGE 01

Establish ownership & justification

Gate: no agent is created without a named human owner and a recorded business case.
  • Who is the accountable human sponsor? (no orphan agents)
  • What business problem does it solve — and is it worth the access?
  • Internal or external? External agents carry third-party risk.
  • Registered in the identity inventory at creation, not after — so it can be offboarded later.
NHI3 · Third-Party NHI NHI1 · Offboarding (enabled)
Lens · Accountability
ScopeSTAGE 02

Bound the access

Gate: least privilege, just-in-time — never standing, broad access.
  • Minimum permissions for the task, nothing inherited “to be safe.”
  • Just-in-time grants over permanent entitlements.
  • Explicit blast-radius assessment: what’s the worst it can do?
  • Hard limits on data classes the agent may ever touch.
NHI5 · Overprivileged NHI
Lens · Risk management
AuthenticateSTAGE 03

Credential the agent

Gate: short-lived dynamic credentials; never shared human tokens.
  • No agent reuses a human’s credentials or another agent’s identity.
  • Dynamic, rotating secrets over long-lived API keys.
  • Each agent is individually attributable in logs.
  • Secrets stored in a vault, never in config or code.
NHI2 · Secret Leakage NHI4 · Insecure Auth NHI7 · Long-Lived Secrets NHI9 · NHI Reuse
Lens · Privacy & integrity
MonitorSTAGE 04

Watch behaviour, not just status

Gate: behavioural baselines, because agents act unpredictably.
  • Baseline normal behaviour; alert on deviation.
  • Logging detailed enough to reconstruct an agent’s decisions.
  • Human and agent activity must stay distinguishable — no agent credential used for manual human tasks.
  • Equity checks on high-impact actions — an agent acting on biased output takes biased action at scale before review.
NHI10 · Human Use of NHI AI RMF · bias/oversight
Lens · Human oversight & bias
RecertifySTAGE 05

Review the policy, not each agent

Gate: certify the governing policy framework — you can’t review 50–140 agents per employee.
  • Recertification campaigns include non-human identities.
  • Certify policies that govern agent classes, not individuals.
  • Re-confirm ownership, scope, and justification on a fixed cadence.
  • Flag agents with no activity for retirement.
NHI1 · Offboarding (detection) NHI5 · scope drift
Lens · Accountability
DecommissionSTAGE 06

Guarantee a clean exit

Gate: an instant kill switch defeats persistent blast radius.
  • Every agent has a revocation path that fully cuts access.
  • Credentials destroyed, not just disabled, at end of life.
  • Offboarding triggered by owner departure or project end.
  • Verify no lingering tokens after retirement.
NHI1 · Improper Offboarding #1 risk
Lens · Reversibility
04 Coverage Map — NHI Top 10 → Lifecycle Stage

Where each of the ten ranked OWASP risks is governed in this framework. Honest coverage means naming what is not addressed as much as what is.

OWASP NHI risk (2025)Governed atPrimary control
NHI1 Improper Offboarding#1Stage 06 Decommission (+ 01, 05)Verified kill switch; credential destruction; inactivity flagging
NHI2 Secret LeakageStage 03 AuthenticateVault storage; never in config or code
NHI3 Vulnerable Third-Party NHIStage 01 ProvisionInternal/external classification; third-party risk review at HIGH tier
NHI4 Insecure AuthenticationStage 03 AuthenticateDynamic credentials over deprecated/weak methods
NHI5 Overprivileged NHIStage 02 Scope (+ 05)Least privilege, JIT; recertified against scope drift
NHI6 Insecure Cloud DeploymentPartial — pipeline noted, not gatedOpen: CI/CD credential validation, OIDC claim conditions
NHI7 Long-Lived SecretsStage 03 AuthenticateShort-lived rotating secrets; no non-expiring keys
NHI8 Environment IsolationGap — out of scope (v1)Open: dev/test/prod NHI separation
NHI9 NHI ReuseStage 03 AuthenticateOne identity per agent; no shared/human credentials
NHI10 Human Use of NHIStage 04 MonitorIndividual attributability; human/agent activity kept distinct
Designed-against = top-ranked. The framework’s core failure mode (“persistent blast radius”) is OWASP’s #1 NHI risk for 2025 (Improper Offboarding). That alignment is the central justification for choosing this anchor: the framework attacks the most prevalent real-world non-human-identity failure first, not an abstract one.
05 Risk-Tier Provisioning Matrix
TierAgent profileRequired controlsApproval path
LOW Read-only, non-sensitive data, no autonomous writes (e.g. internal search, summarization) JIT scopestandard loggingnamed owneroffboarding path Owner self-service + auto-registration in inventory
MEDIUM Writes to internal systems, touches business data, bounded autonomy (e.g. ticket filing, drafting changes) least privilegedynamic credsbehavioural baselinekill switch Owner + IAM review against policy framework
HIGH Acts on regulated/PII data, external-facing, or high autonomy with large blast radius (e.g. autonomous remediation, customer actions) all MEDIUM controlsanomaly detectionhuman-in-loop on high-impactthird-party risk review Governance committee sign-off + documented rationale; PIPEDA / AIA review where personal data is involved
06 The Go / No-Go Decision Gate

Before any agent is approved, the sponsor and reviewer must answer three questions. A “no” on any is a stop-and-reassess signal.

Q1

Does it reduce real workload?

If the agent doesn’t save meaningful time or unlock higher-value work, question whether the access it requires is justified at all.

Q2

Are we managing the risk it creates?

If you couldn’t comfortably explain this agent’s access and actions to an auditor or an affected customer, you don’t have control of the risk — and that’s on the org, not the tool.

Q3

Can we revoke it instantly?

If there’s no clean, verified kill switch, the agent should not go live. No reversibility, no production. (Directly answers NHI1.)

07 Known Gaps & Open Questions
Gap · NHI6

Insecure cloud deployment configurations (CI/CD static credentials, unvalidated OIDC claims) are acknowledged at Provision but not yet gated. The pipeline that creates agents is itself an NHI surface this v1 does not control.

Gap · NHI8

Environment isolation — preventing the same agent identity from spanning dev, test, and prod — is out of scope for v1. A mature version would require per-environment NHIs.

Open · Scale

Certification by policy class rather than per-agent is the framework’s answer to scale, but no live test exists yet at 50–140 agents/employee. The recertification cadence is an assumption, not validated.

Open · Delegation

Agent-to-agent delegation — one agent granting or borrowing another’s scope — is unaddressed. CSA’s agentic-identity guidance is the likely reference to extend here.

08 Framework Anchors

Two load-bearing anchors, supported by scope-triggered references — so the framework maps to audit and compliance expectations rather than reinventing them:

OWASP NHI Top 10 (2025) — primary: identity-governance backbone NIST AI RMF — primary: AI-risk govern/map/measure/manage NIST SP 800-207 — zero trust (Scope & Authenticate) CSA — agentic identity governance (delegation, open) PIPEDA / Law 25 — CA privacy baseline (HIGH tier, personal data) Canada AIA — risk-tier self-assessment template
Private & Confidential · 2026