A lifecycle decision framework for provisioning, scoping, and retiring autonomous AI agents within an enterprise IAM program — anchored to the OWASP Non-Human Identities (NHI) Top 10 (2025) and extending identity governance to a population that has no hire date, no manager, and no offboarding trigger.
Classical IAM was built for the human joiner–mover–leaver cycle. AI agents break that model: they are created through pipelines built for velocity, make autonomous decisions, and are rarely decommissioned. An agent treated as a static service account understates the risk — a compromised or misbehaving agent can take hundreds of unauthorized actions before anyone notices.
An AI agent is governed at the intersection of two domains: it is an AI system (risk, bias, oversight) and a machine identity (credentials, scope, lifecycle). Most AI-governance references address the first and are silent on the second. The OWASP NHI Top 10 addresses the second directly — and the second is where agents actually fail in production.
Where each of the ten ranked OWASP risks is governed in this framework. Honest coverage means naming what is not addressed as much as what is.
| OWASP NHI risk (2025) | Governed at | Primary control |
|---|---|---|
| NHI1 Improper Offboarding#1 | Stage 06 Decommission (+ 01, 05) | Verified kill switch; credential destruction; inactivity flagging |
| NHI2 Secret Leakage | Stage 03 Authenticate | Vault storage; never in config or code |
| NHI3 Vulnerable Third-Party NHI | Stage 01 Provision | Internal/external classification; third-party risk review at HIGH tier |
| NHI4 Insecure Authentication | Stage 03 Authenticate | Dynamic credentials over deprecated/weak methods |
| NHI5 Overprivileged NHI | Stage 02 Scope (+ 05) | Least privilege, JIT; recertified against scope drift |
| NHI6 Insecure Cloud Deployment | Partial — pipeline noted, not gated | Open: CI/CD credential validation, OIDC claim conditions |
| NHI7 Long-Lived Secrets | Stage 03 Authenticate | Short-lived rotating secrets; no non-expiring keys |
| NHI8 Environment Isolation | Gap — out of scope (v1) | Open: dev/test/prod NHI separation |
| NHI9 NHI Reuse | Stage 03 Authenticate | One identity per agent; no shared/human credentials |
| NHI10 Human Use of NHI | Stage 04 Monitor | Individual attributability; human/agent activity kept distinct |
| Tier | Agent profile | Required controls | Approval path |
|---|---|---|---|
| LOW | Read-only, non-sensitive data, no autonomous writes (e.g. internal search, summarization) | JIT scopestandard loggingnamed owneroffboarding path | Owner self-service + auto-registration in inventory |
| MEDIUM | Writes to internal systems, touches business data, bounded autonomy (e.g. ticket filing, drafting changes) | least privilegedynamic credsbehavioural baselinekill switch | Owner + IAM review against policy framework |
| HIGH | Acts on regulated/PII data, external-facing, or high autonomy with large blast radius (e.g. autonomous remediation, customer actions) | all MEDIUM controlsanomaly detectionhuman-in-loop on high-impactthird-party risk review | Governance committee sign-off + documented rationale; PIPEDA / AIA review where personal data is involved |
Before any agent is approved, the sponsor and reviewer must answer three questions. A “no” on any is a stop-and-reassess signal.
If the agent doesn’t save meaningful time or unlock higher-value work, question whether the access it requires is justified at all.
If you couldn’t comfortably explain this agent’s access and actions to an auditor or an affected customer, you don’t have control of the risk — and that’s on the org, not the tool.
If there’s no clean, verified kill switch, the agent should not go live. No reversibility, no production. (Directly answers NHI1.)
Insecure cloud deployment configurations (CI/CD static credentials, unvalidated OIDC claims) are acknowledged at Provision but not yet gated. The pipeline that creates agents is itself an NHI surface this v1 does not control.
Environment isolation — preventing the same agent identity from spanning dev, test, and prod — is out of scope for v1. A mature version would require per-environment NHIs.
Certification by policy class rather than per-agent is the framework’s answer to scale, but no live test exists yet at 50–140 agents/employee. The recertification cadence is an assumption, not validated.
Agent-to-agent delegation — one agent granting or borrowing another’s scope — is unaddressed. CSA’s agentic-identity guidance is the likely reference to extend here.
Two load-bearing anchors, supported by scope-triggered references — so the framework maps to audit and compliance expectations rather than reinventing them: