AI Identity | 4 min read

Common AI Agent Identity Security Risks

From shared identities to prompt injection to over-permissioning, learn the most common AI agent identity security risks and how to remediate them.

A practical list of the most common AI agent identity security risks observed in real environments, with detection guidance and remediation.


1. Shared Identities Across Agents

Pattern: Multiple agents using the same service account / connected app.

Risk: No attribution; aggregated permissions; cross-agent compromise.

Detection:

  • Identity inventory; map agents → identities.

Remediation:

  • Per-agent identity.
  • Migrate one agent at a time.

2. Hardcoded API Keys

Pattern: OpenAI / Anthropic / vendor API keys in code, configs, CI secrets.

Risk: Leak via repo / log / dev machine; impersonation; cost abuse.

Detection:

  • Secret scanning in CI; GitGuardian / GitHub secret scanning.

Remediation:

  • Move to secret manager.
  • Use Workload Identity Federation where possible.
  • Rotate / revoke leaked keys.

3. Long-Lived Service Account Keys

Pattern: Service account JSON keys distributed and never rotated.

Risk: Credential leak surface; primary GCP attack vector.

Detection:

  • Inventory keys per SA; check age.
  • Org Policy enforcement.

Remediation:


4. Over-Permissioned Agents

Pattern: Agent has tools / data scopes far beyond use case need.

Risk: Compromise impact = sum of all permissions.

Detection:

  • Compare granted vs used permissions over 30–90 days.
  • IAM Recommender / Forestall.

Remediation:

  • Right-size to least privilege.
  • HITL (human-in-the-loop) approval on residual sensitive permissions.
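The "granted vs used" comparison above is mechanical enough to script. The following is an added example, not Forestall's code or anything from the page: it takes a constructed map of granted permissions per agent identity and constructed audit-log entries, keeps only permissions exercised inside a 90-day window, and reports what to remove and which kept permissions still need human-in-the-loop approval. The agent names, permission strings, the `SENSITIVE` list and the log entries are all made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: permissions granted to each agent's dedicated identity.
GRANTED = {
    "agent-support-bot": {
        "storage.objects.get",
        "storage.objects.create",
        "storage.objects.delete",
        "bigquery.tables.getData",
        "iam.serviceAccountKeys.create",
    },
    "agent-report-writer": {
        "bigquery.jobs.create",
        "bigquery.tables.getData",
        "storage.objects.create",
        "storage.objects.delete",
    },
}

# Constructed audit-log entries: (timestamp, principal, permission actually exercised).
AUDIT_LOG = [
    ("2024-05-01T09:12:00Z", "agent-support-bot", "storage.objects.get"),
    ("2024-05-03T14:05:00Z", "agent-support-bot", "bigquery.tables.getData"),
    ("2024-05-20T10:00:00Z", "agent-support-bot", "storage.objects.get"),
    ("2024-02-11T08:00:00Z", "agent-support-bot", "storage.objects.delete"),  # older than the window
    ("2024-05-15T11:30:00Z", "agent-report-writer", "bigquery.jobs.create"),
    ("2024-05-15T11:30:05Z", "agent-report-writer", "bigquery.tables.getData"),
    ("2024-05-16T09:00:00Z", "agent-report-writer", "storage.objects.delete"),
]

# Permissions that stay behind human approval even when legitimately used (constructed list).
SENSITIVE = {"iam.serviceAccountKeys.create", "storage.objects.delete"}

# Fixed "now" so the report is reproducible.
NOW = datetime(2024, 5, 31, tzinfo=timezone.utc)


def used_permissions(log, now, window_days):
    """Permissions each principal exercised within the last window_days."""
    cutoff = now - timedelta(days=window_days)
    used = defaultdict(set)
    for ts, principal, perm in log:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when >= cutoff:
            used[principal].add(perm)
    return used


def right_size(granted, log, now, window_days=90):
    """Per agent: permissions to keep, permissions to remove, and kept ones needing HITL."""
    used = used_permissions(log, now, window_days)
    report = {}
    for agent, perms in granted.items():
        keep = perms & used.get(agent, set())
        report[agent] = {
            "keep": sorted(keep),
            "remove": sorted(perms - keep),
            "hitl": sorted(keep & SENSITIVE),
        }
    return report


def run_report():
    return right_size(GRANTED, AUDIT_LOG, NOW)


if __name__ == "__main__":
    for agent, r in run_report().items():
        print(agent, r)
```

A permission used only before the window (the February `storage.objects.delete` call) is treated as unused, which is the point of choosing the window deliberately: too short and you strip quarterly jobs, too long and creep survives.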

5. Unbounded Delegation (OBO, On-Behalf-Of)

Pattern: Agent inherits user permissions broadly (no scoping).

Risk: Ambient authority; prompt-injection-driven abuse.

Detection:

  • OBO grants per agent; check scopes.

Remediation:

  • Bound OBO scopes per use case.
  • Per-resource scoping where possible.

6. Domain-Wide Delegation Misuse

Pattern: Workspace SA with domain-wide delegation used for routine agents.

Risk: Agent acts as any user; one prompt injection = enterprise-wide access.

Detection:

  • List domain-wide delegated SAs and their consumers.

Remediation:

  • Replace with per-user OBO; remove domain-wide where unnecessary.

7. Shadow Agents

Pattern: Agents deployed without inventory, owner, or governance.

Risk: Unmonitored; uncontrolled; compliance gaps.

Detection:

  • Continuous discovery (OAuth grants, network egress, cost monitoring).

Remediation:

  • Bring into governance: assign owner, scope, audit.
  • Or retire if not justified.

8. Prompt Injection Susceptibility

Pattern: Agent treats all input (user prompts, RAG, tool outputs, emails) equally; no trusted/untrusted boundary.

Risk: Hijacked behavior; data exfiltration; HITL bypass.

Detection:

  • Threat model per agent; tabletop exercises.

Remediation:

  • Trusted vs untrusted text separation.
  • Output validation.
  • HITL on sensitive actions.
  • Treat all external content as untrusted.

9. Tool Composition Risk

Pattern: Each tool benign; combinations enable exfiltration / harm.

Risk: Indirect privilege escalation; difficult to detect.

Detection:

  • Tool composition analysis per agent.

Remediation:

  • Split agents.
  • HITL on sensitive combinations.
  • Reduce agent's tool set.

10. Weak Agent-to-Agent (A2A) Authentication

Pattern: Agents call each other without authentication / authorization.

Risk: Cascading compromise; impersonation.

Detection:

  • Multi-agent topology audit.

Remediation:

  • mTLS / signed JWT / OAuth between agents.
  • Audience binding.
  • Output validation.
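What "signed JWT with audience binding" buys you between agents, shown as an added example that is not from the page or from Forestall. A planner agent mints a token for the executor agent; the executor verifies signature, issuer, audience and expiry. The same token presented to a billing agent fails on the `aud` check, which is the property that stops one compromised hop from cascading. Everything here is constructed: the agent URIs, the HMAC secret (a real deployment would use per-agent asymmetric keys from its identity provider; HS256 keeps the example stdlib-only) and the timestamps.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the demo; assume a proper key distribution in production.
SECRET = b"demo-shared-secret-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer, audience, secret=SECRET, ttl=300, now=None):
    """Caller side: a short-lived token bound to exactly one receiving agent."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, expected_audience, trusted_issuers, secret=SECRET, now=None):
    """Receiver side: return claims only if signature, issuer, audience and expiry all hold."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
    expected_sig = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") not in trusted_issuers:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")  # minted for a different agent
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def a2a_demo():
    """Planner -> executor succeeds; the same token replayed at billing or after expiry fails."""
    t0 = 1_700_000_000
    token = mint_token("agent://planner", "agent://executor", now=t0)
    trusted = {"agent://planner"}
    results = {}
    claims = verify_token(token, "agent://executor", trusted, now=t0 + 10)
    results["executor_accepts"] = claims["iss"] == "agent://planner"
    try:
        verify_token(token, "agent://billing", trusted, now=t0 + 10)
        results["billing_accepts"] = True
    except ValueError as err:
        results["billing_accepts"] = False
        results["billing_reason"] = str(err)
    try:
        verify_token(token, "agent://executor", trusted, now=t0 + 600)
        results["accepted_after_expiry"] = True
    except ValueError:
        results["accepted_after_expiry"] = False
    return results
```

The executor should also apply the "output validation" bullet to whatever the planner sends in the body; the token proves who is calling and for whom, not that the payload is safe.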

11. HITL Bypass via Prompt

Pattern: HITL gate enforced in prompt; bypassable via injection.

Risk: Sensitive actions execute without approval.

Detection:

  • Test bypass scenarios.

Remediation:

  • Enforce HITL at action gateway, not prompt.
  • Per-action approval IDs (no replay).
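An action gateway that enforces the two remediation bullets, written as an added example (not the page's or Forestall's code). The human-in-the-loop check runs in the gateway between the agent and its tools, so no prompt text can waive it; each approval is a single-use id bound to a hash of the exact tool call, so an id cannot be replayed and cannot be reused for an action whose arguments were changed after approval. Tool names, the `SENSITIVE_TOOLS` policy and the sample actions are constructed.

```python
import hashlib
import json
import secrets

# Constructed policy: tools that must never run without a human approval.
SENSITIVE_TOOLS = {"send_email", "delete_records", "transfer_funds"}


class ActionGateway:
    """Sits between the agent and its tools. The HITL check lives here, outside the model,
    so nothing the model reads (including injected instructions) can talk it out of the gate."""

    def __init__(self):
        self._pending = {}  # approval_id -> fingerprint of the exact action approved
        self.audit = []     # (tool, approval_id) for every executed call

    @staticmethod
    def fingerprint(action):
        # Canonical JSON so the approval is bound to the exact tool and arguments.
        canonical = json.dumps(action, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def request_approval(self, action):
        """Called when a reviewer approves a proposed action; returns a single-use id."""
        approval_id = secrets.token_urlsafe(16)
        self._pending[approval_id] = self.fingerprint(action)
        return approval_id

    def execute(self, action, approval_id=None):
        tool = action["tool"]
        if tool in SENSITIVE_TOOLS:
            # pop() makes the id single-use: a replayed or mismatched id is consumed either way.
            expected = self._pending.pop(approval_id, None)
            if expected is None:
                raise PermissionError(f"{tool}: no valid approval id")
            if expected != self.fingerprint(action):
                raise PermissionError(f"{tool}: approval bound to a different action")
        self.audit.append((tool, approval_id))
        return f"executed {tool}"


def gateway_demo():
    gw = ActionGateway()
    email = {"tool": "send_email", "to": "cfo@example.com", "body": "Q2 summary attached"}
    results = {}

    # Non-sensitive tool: no approval needed.
    results["lookup"] = gw.execute({"tool": "lookup_ticket", "id": 42})

    # Sensitive tool with no approval: blocked regardless of what the prompt claimed.
    try:
        gw.execute(email)
        results["unapproved"] = "executed"
    except PermissionError:
        results["unapproved"] = "blocked"

    # Approved once: runs once.
    aid = gw.request_approval(email)
    results["approved"] = gw.execute(email, aid)

    # Replay of the same approval id: blocked.
    try:
        gw.execute(email, aid)
        results["replay"] = "executed"
    except PermissionError:
        results["replay"] = "blocked"

    # Approval obtained for one action, then the recipient swapped before execution: blocked.
    aid2 = gw.request_approval(email)
    altered = dict(email, to="someone-else@example.net")
    try:
        gw.execute(altered, aid2)
        results["altered"] = "executed"
    except PermissionError:
        results["altered"] = "blocked"
    return results
```

The fingerprint is what makes "per-action" real: approving "send this email to the CFO" must not also approve the same tool with a different recipient.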

12. Memory / Cross-Tenant Bleed

Pattern: Persistent memory shared across sessions / tenants.

Risk: Data leak across users / customers.

Detection:

  • Memory architecture audit.

Remediation:

  • Per-session, per-tenant memory.
  • Tested isolation in CI.

13. No Audit / Anomaly Detection

Pattern: Agent actions not logged or monitored.

Risk: Misuse goes undetected.

Detection:

  • Audit pipeline review per agent.

Remediation:

  • Log prompts, plans, tool calls, results.
  • Centralize to SIEM.
  • Anomaly detection on volume, scope, cost.
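A minimal version of the "anomaly detection on volume, scope, cost" bullet, run over constructed log lines of the kind a SIEM would ingest from an agent audit pipeline. This is an added example, not code from the page or from Forestall: it builds a per-agent baseline from three days of logs (mean calls per day, mean cost per day, set of tools seen) and flags a later day whose call volume or spend exceeds a multiple of that baseline, or which uses a tool never seen in the baseline. The agent name, tool names, costs and the 3x threshold are all assumptions.

```python
import json
from collections import defaultdict

# Constructed agent audit log, one JSON object per line.
LOG_LINES = """
{"day": "2024-05-01", "agent": "agent-support-bot", "tool": "search_tickets", "cost_usd": 0.40}
{"day": "2024-05-01", "agent": "agent-support-bot", "tool": "reply_ticket", "cost_usd": 0.20}
{"day": "2024-05-02", "agent": "agent-support-bot", "tool": "search_tickets", "cost_usd": 0.50}
{"day": "2024-05-02", "agent": "agent-support-bot", "tool": "reply_ticket", "cost_usd": 0.30}
{"day": "2024-05-03", "agent": "agent-support-bot", "tool": "search_tickets", "cost_usd": 0.45}
{"day": "2024-05-03", "agent": "agent-support-bot", "tool": "reply_ticket", "cost_usd": 0.25}
{"day": "2024-05-04", "agent": "agent-support-bot", "tool": "search_tickets", "cost_usd": 0.40}
{"day": "2024-05-04", "agent": "agent-support-bot", "tool": "export_all_tickets", "cost_usd": 3.10}
{"day": "2024-05-04", "agent": "agent-support-bot", "tool": "export_all_tickets", "cost_usd": 3.00}
{"day": "2024-05-04", "agent": "agent-support-bot", "tool": "export_all_tickets", "cost_usd": 2.90}
{"day": "2024-05-04", "agent": "agent-support-bot", "tool": "export_all_tickets", "cost_usd": 3.20}
{"day": "2024-05-04", "agent": "agent-support-bot", "tool": "export_all_tickets", "cost_usd": 3.05}
{"day": "2024-05-04", "agent": "agent-support-bot", "tool": "export_all_tickets", "cost_usd": 3.15}
"""

BASELINE_DAYS = ["2024-05-01", "2024-05-02", "2024-05-03"]
TARGET_DAY = "2024-05-04"


def parse(lines):
    return [json.loads(line) for line in lines.strip().splitlines() if line.strip()]


def daily_stats(events):
    """Per agent: calls per day, cost per day, and the set of tools used."""
    calls = defaultdict(lambda: defaultdict(int))
    cost = defaultdict(lambda: defaultdict(float))
    tools = defaultdict(set)
    for e in events:
        calls[e["agent"]][e["day"]] += 1
        cost[e["agent"]][e["day"]] += e["cost_usd"]
        tools[e["agent"]].add(e["tool"])
    return calls, cost, tools


def detect_anomalies(lines, baseline_days, target_day, factor=3.0):
    """Findings per agent: ('volume', today, baseline), ('cost', today, baseline), ('scope', tool, note)."""
    events = parse(lines)
    b_calls, b_cost, b_tools = daily_stats([e for e in events if e["day"] in baseline_days])
    t_calls, t_cost, t_tools = daily_stats([e for e in events if e["day"] == target_day])
    findings = defaultdict(list)
    n_days = max(len(baseline_days), 1)
    for agent in t_calls:
        mean_calls = sum(b_calls[agent].values()) / n_days   # 0 for an agent never seen before
        mean_cost = sum(b_cost[agent].values()) / n_days
        calls_today = t_calls[agent][target_day]
        cost_today = t_cost[agent][target_day]
        if calls_today > factor * mean_calls:
            findings[agent].append(("volume", calls_today, round(mean_calls, 2)))
        if cost_today > factor * mean_cost:
            findings[agent].append(("cost", round(cost_today, 2), round(mean_cost, 2)))
        for tool in sorted(t_tools[agent] - b_tools[agent]):
            findings[agent].append(("scope", tool, "not used during baseline"))
    return dict(findings)


def run_detection():
    return detect_anomalies(LOG_LINES, BASELINE_DAYS, TARGET_DAY)


if __name__ == "__main__":
    for agent, items in run_detection().items():
        for item in items:
            print(agent, *item)
```

An agent with no baseline at all gets a mean of zero and trips every threshold, which is the desirable behaviour for a shadow agent (risk 7) appearing in the logs for the first time.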

14. No Owner / Lifecycle

Pattern: Agents deployed; no owner assigned; never reviewed.

Risk: Stale agents; permission creep; orphaned identities.

Detection:

  • Inventory; check owner field.

Remediation:

  • Assign owners.
  • Quarterly review.
  • Decommissioning playbook.

15. Federation Misconfiguration

Pattern: Workload Identity Federation pool with weak attribute conditions.

Risk: External workloads (any GitHub repo, any branch) impersonate agent identity.

Detection:

  • Audit WIF providers.

Remediation:

  • Strict attribute conditions per repo / branch / environment.
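To make the weak-versus-strict attribute condition concrete, here is an added example that simulates the pool's decision in Python (it is not Google's condition evaluator and not code from the page or Forestall). The claim names `repository`, `repository_owner`, `ref` and `environment` are the ones GitHub's OIDC token carries; the organisation, repository and branch values are constructed. The weak condition keys only on the owner, so every repo and branch in the org can exchange its token for the agent's identity; the strict one pins repo, branch and environment.

```python
# Weak pattern from risk 15: any repository owned by the org, on any branch, passes.
# Roughly the provider condition   assertion.repository_owner == 'acme-corp'
def weak_condition(claims):
    return claims.get("repository_owner") == "acme-corp"


# Remediation: one repo, one branch, one deployment environment.
# Roughly   assertion.repository == 'acme-corp/agent-deploy'
#           && assertion.ref == 'refs/heads/main' && assertion.environment == 'prod'
def strict_condition(claims):
    return (
        claims.get("repository") == "acme-corp/agent-deploy"
        and claims.get("ref") == "refs/heads/main"
        and claims.get("environment") == "prod"
    )


# Constructed OIDC claim sets, as the identity pool would see them after token exchange.
CANDIDATES = {
    "legit_pipeline": {
        "repository_owner": "acme-corp",
        "repository": "acme-corp/agent-deploy",
        "ref": "refs/heads/main",
        "environment": "prod",
    },
    "same_org_other_repo": {
        "repository_owner": "acme-corp",
        "repository": "acme-corp/hackday-sandbox",
        "ref": "refs/heads/feature-x",
        "environment": "",
    },
    "feature_branch": {
        "repository_owner": "acme-corp",
        "repository": "acme-corp/agent-deploy",
        "ref": "refs/heads/feature-x",
        "environment": "dev",
    },
}


def who_can_impersonate(condition, candidates=CANDIDATES):
    """Names of the candidate workloads the condition would let act as the agent's identity."""
    return [name for name, claims in candidates.items() if condition(claims)]


def audit_demo():
    return {
        "weak": who_can_impersonate(weak_condition),
        "strict": who_can_impersonate(strict_condition),
    }


if __name__ == "__main__":
    for name, allowed in audit_demo().items():
        print(f"{name}: {allowed}")
```

Auditing a real provider means reading its configured attribute condition and asking the same question this function asks: which claim sets satisfy it, and is every one of them a workload you meant to trust with this agent's identity.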

16. Cost / DoS Vulnerability

Pattern: No rate limit, budget cap, chain depth limit.

Risk: Adversary exhausts budget; agents cost-spike.

Detection:

  • Cost monitoring; usage spikes.

Remediation:

  • Per-agent budgets; rate limits; chain depth limits.
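The three limits in the remediation bullet as one per-agent guard, added here as an example that is not from the page or from Forestall. The guard is meant to sit at the gateway that fronts model and tool calls: it refuses a call whose chain depth is over the cap (a runaway loop or unbounded agent-to-agent recursion), applies a sliding sixty-second rate window, and refuses any call that would push cumulative spend past the budget. Agent name, limits, per-call costs and timestamps are constructed; time is injected as a parameter so the walkthrough is deterministic.

```python
from collections import deque


class GuardDenied(Exception):
    """Raised with the reason a call was refused: 'depth', 'rate' or 'budget'."""


class AgentGuard:
    """Per-agent budget cap, sliding-window rate limit and chain-depth limit.
    Enforced at the gateway, not inside the prompt."""

    def __init__(self, agent_id, budget_usd, max_calls_per_minute, max_chain_depth):
        self.agent_id = agent_id
        self.budget_usd = budget_usd
        self.max_calls_per_minute = max_calls_per_minute
        self.max_chain_depth = max_chain_depth
        self.spent_usd = 0.0
        self._calls = deque()  # timestamps of calls admitted in the last 60 seconds

    def check_call(self, cost_usd, chain_depth, now):
        """Admit or deny one model/tool call; `now` is injected for a reproducible demo."""
        if chain_depth > self.max_chain_depth:
            raise GuardDenied("depth")  # runaway loop or unbounded delegation chain
        while self._calls and now - self._calls[0] >= 60:
            self._calls.popleft()
        if len(self._calls) >= self.max_calls_per_minute:
            raise GuardDenied("rate")
        if self.spent_usd + cost_usd > self.budget_usd:
            raise GuardDenied("budget")
        self._calls.append(now)
        self.spent_usd += cost_usd
        return True


def guard_demo():
    guard = AgentGuard("agent-support-bot", budget_usd=1.00,
                       max_calls_per_minute=5, max_chain_depth=3)
    outcomes = []

    def attempt(cost, depth, t):
        try:
            guard.check_call(cost, depth, t)
            outcomes.append("ok")
        except GuardDenied as err:
            outcomes.append(str(err))

    for i in range(5):           # five calls inside one minute: all admitted
        attempt(0.10, 1, t=i)
    attempt(0.10, 1, t=10)       # sixth call in the window: rate-limited
    attempt(0.10, 1, t=61)       # window has slid past the first calls: admitted
    attempt(0.10, 4, t=62)       # depth 4 > 3: denied before budget is even consulted
    attempt(0.50, 2, t=63)       # 0.60 spent + 0.50 > 1.00 budget: denied
    return outcomes, round(guard.spent_usd, 2)


if __name__ == "__main__":
    print(guard_demo())
```

Denied calls should be logged with the reason and the agent id; a burst of `rate` or `budget` denials for one agent is itself a signal worth routing to the anomaly detection under risk 13.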

17. Output Sensitive Data Echo

Pattern: Agent echoes secrets / PII into responses.

Risk: Data exfiltration via output channel.

Detection:

  • Output content inspection.

Remediation:

  • Output validation; redaction.
  • Test scenarios.
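One set of patterns serves both the output-inspection bullet here and the secret-scanning bullet under risk 2, so the following added example (not the page's or Forestall's code) does both: `find_sensitive` and `redact` inspect an agent response for secrets and PII before it leaves the output channel, and `scan_files` runs the credential patterns over repository contents the way a CI secret scanner would. The patterns are illustrative assumptions, as are the sample response, the file contents and every key and email in them (the keys are made-up strings shaped like real ones, not real credentials).

```python
import re

# Illustrative patterns (assumption, not an exhaustive list): tune to the providers you use.
SECRET_PATTERNS = {
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
CREDENTIAL_KINDS = {"openai_style_key", "aws_access_key_id"}

# Constructed agent response that echoes customer data and a key back to the caller.
SAMPLE_RESPONSE = (
    "Sure, here is the record: jane.doe@example.com, SSN 123-45-6789, "
    "and the integration key is sk-constructedexamplekey0123456789ABCDEF."
)

# Constructed repository contents as a CI scanner would see them.
SAMPLE_FILES = {
    "config.py": 'OPENAI_API_KEY = "sk-constructedexamplekey0123456789ABCDEF"\nDEBUG = True\n',
    "deploy.yml": "region: us-east-1\naws_access_key_id: AKIAEXAMPLE000000000\n",
    "README.md": "Contact: security@example.com\n",
}


def find_sensitive(text):
    """All matches in text as (kind, start, end), ordered by position."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((kind, m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])


def redact(text):
    """Replace every match with a labelled placeholder; returns (redacted_text, count)."""
    count = 0
    for kind, pattern in SECRET_PATTERNS.items():
        text, n = pattern.subn(f"[REDACTED:{kind}]", text)
        count += n
    return text, count


def scan_files(files):
    """Credential findings over {path: content} as (path, kind, line_no); emails are not
    treated as findings here because they are routine in repositories."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), 1):
            for kind, _, _ in find_sensitive(line):
                if kind in CREDENTIAL_KINDS:
                    findings.append((path, kind, line_no))
    return findings


if __name__ == "__main__":
    print(find_sensitive(SAMPLE_RESPONSE))
    print(redact(SAMPLE_RESPONSE))
    print(scan_files(SAMPLE_FILES))
```

Pattern matching catches the well-formed cases; the "test scenarios" bullet is what catches the rest, because an agent asked to spell a key out with spaces, or to base64 it, will sail past these regexes. Redaction of the output channel is a backstop, not a substitute for keeping secrets out of the agent's context in the first place.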

18. Compliance Gap

Pattern: Agents deployed without alignment to NIST AI RMF, EU AI Act, ISO 42001, or sector regs.

Risk: Regulatory exposure; audit findings.

Detection:

  • Compliance assessment per agent.

Remediation:

  • Risk classification mapped to framework controls.
  • Documentation; evidence collection.

19. Vendor SaaS Agent Risk

Pattern: Third-party SaaS adds AI features consuming your data; no review.

Risk: Vendor agent has access; uncontrolled scope; supply-chain risk.

Detection:

  • Vendor risk assessments; OAuth grant review.

Remediation:

  • Contractual data scoping; SSO + audit; periodic review.

20. No Incident Playbook

Pattern: No runbook for compromised agent / prompt injection / runaway loop.

Risk: Slow / chaotic response.

Detection:

  • IR playbook audit.

Remediation:

  • Per-agent IR playbook; tabletop annually; containment runbook.

How Forestall Helps

Forestall continuously detects these risk patterns across your AI agents — discovery, inventory, permission analysis, anomaly detection, and remediation prioritization in one place.


Conclusion

AI agent identity security risks cluster into a finite set of patterns. Catalog them, detect them continuously, prioritize by impact, and remediate systematically. Most risks have well-understood mitigations — the discipline is in the continuous discovery and consistent application. With these patterns under control, your agentic AI program scales safely.

Tags: AI Agent Identity, AI Security, Identity Security, Best Practices
