Least Privilege isn't enough for AI agents. OWASP just invented a better term

THE WIRE — ISSUE N°123 THIS WEEK IN IDENTITY

N°01

The 2026 Infrastructure Identity Survey found that 70% of organizations grant AI systems broader permissions than a human employee performing the exact same task. At the same time, only 13% of organizations say they feel extremely prepared for agentic AI. The governance model hasn't kept pace with the deployment model. Static trust, periodic reviews, and durable secrets were built for human-scale identity programs. They do not work when NHIs outnumber human identities by 45 to 1 — and AI agents are accelerating that ratio by the quarter
Full Analysis →

N°02

Adversa AI scanned 500-plus MCP servers in April and found that nearly four in ten had zero authentication controls. Knostic identified 1,862 internet-accessible MCP servers with no identity governance in place. These are the connectors your agents are using to access email, calendar, databases, and cloud infrastructure. No authentication means no identity. No identity means no governance. No governance means no blast radius control when something goes wrong
Read More →

Hey {{first_name|Jedi}},

In December 2025, OWASP published the Top 10 for Agentic Applications 2026 — the first formal taxonomy of risks specific to autonomous AI agents. It covers goal hijacking, tool misuse, memory poisoning, supply chain attacks, and rogue agents. The whole list is worth your time.

The principle that matters most for identity practitioners is buried in the mitigation guidance. OWASP calls it Least Agency: only grant agents the minimum autonomy required to perform safe, bounded tasks.

Least Privilege asks: what is the minimum access this identity needs? It's a question about credentials. You scope the permissions, issue the token, and the identity operates within those bounds.

Least Agency asks something harder: what is the minimum autonomy this agent needs? It's a question about behavior. Not just what the agent can access — but how often, from where, to do what, with what decision authority, and with what blast radius if something goes wrong.

The distinction matters because agents don't behave like the identities we built governance models to manage. A service account has a defined function. An AI agent interprets goals. It decides its own path to completion. It calls tools in sequences its operators didn't anticipate. It can acquire permissions it wasn't explicitly granted if the orchestration layer allows it.

You can scope an agent's credentials perfectly and still have zero control over what it does with them.

Most organizations are approaching agentic AI governance the same way they approached service account governance five years ago: inventory the credentials, assign an owner, set a rotation schedule. Necessary. Not sufficient.

The 2026 Infrastructure Identity Survey puts a number on the gap. Only 13% of organizations feel extremely prepared for agentic AI governance. 70% grant AI agents broader access than a human doing the same job. 47% of NHIs haven't had a credential rotation in over a year.

The Orchid Security Identity Gap report added another layer last month: 67% of non-human accounts are created directly within the application — outside the view of your IAM program entirely. You can't govern what you can't see.

Least Privilege governs the credential. Least Agency governs the actor. Your current NHI program is doing one of those things.

Call NHI a risk problem, and you get a risk management program, more scanning, more reports, more dashboards. Call it an autonomy governance problem, and you start asking different questions. What is this agent allowed to decide on its own? What requires a human checkpoint? What's the maximum blast radius if it acts outside intent?

Those are the questions your program should be built around. OWASP gave us the term. The work is still ours to do.

Next issue: Drops Wednesday-ish. Don't miss it.