Agent Identity Sprawl

also known as Non-Human Identity Sprawl, NHI Sprawl

Anti-pattern: an agent fleet mints non-human identities at machine speed while scoping, rotation, ownership, and revocation stay human-speed, so over-privileged long-lived credentials accumulate, outlive their agents, and widen an ungovernable attack surface.

Context

An organisation scales from a few agents to a fleet. Each agent, sub-agent, and tool integration needs an identity and credentials to act — a service account, an API key, an OAuth token. Provisioning these is automated and instant; governing them — scoping least privilege, rotating secrets, tracking ownership, revoking on retirement — still runs through human-speed review.

Problem

Identity creation happens at machine speed and identity governance happens at human speed, and the gap compounds. Over-broad, long-lived credentials are minted faster than anyone scopes, rotates, or retires them; tokens outlive the agents they were issued for; ownership of a given credential becomes unknown. The attack surface grows week over week because nothing reconciles created identities against active, owned, and least-privileged ones, and no human-speed approval process can keep pace with the rate of creation. The result is a population of orphaned, over-privileged non-human identities that no one is tracking and no one can confidently revoke.

Forces

Agents need identities to act, and provisioning is automated, so creation is effectively unbounded.
Scoping, rotation, ownership, and revocation are governance work that stays human-speed.
Least-privilege scoping per agent is slower than issuing a broad credential that just works.
The creation-versus-revocation rate mismatch means the orphaned-credential population only grows.

Example

A platform team scales from a handful of agents to hundreds, each spinning up service accounts and API keys on demand. Provisioning is instant; nobody is scoping or retiring the credentials, which are broad and long-lived. A quarterly audit finds thousands of tokens, many tied to agents that no longer exist and owned by no one, any of which would grant an attacker standing access. The team moves identity issuance to short-lived least-privilege credentials bound to an owning agent and revoked on retirement, and adds continuous reconciliation — so governance finally runs at the speed identities are created.

Diagram

flowchart TD F[Agent fleet] -->|machine speed| C[Mint identities: accounts, keys, tokens] C --> Pool[Credential population] G[Scope / rotate / own / revoke] -.human speed.-> Pool Pool --> O[Orphaned, over-privileged, long-lived credentials] O --> S[Ungovernable attack surface grows] classDef bad fill:#fee,stroke:#c33; class O,S bad;

Solution

Therefore:

Make identity lifecycle keep pace with identity creation. Issue short-lived, least-privilege credentials by default rather than broad long-lived ones; bind every identity to an owning agent and a retirement trigger so it is revoked when the agent is decommissioned; continuously reconcile created identities against active, owned, scoped ones and flag orphans. The mechanism to fix is the creation-versus-revocation rate mismatch, so the controls must themselves run at machine speed. Mitigation patterns: agent-credential-vault for scoped, rotated, brokered secrets per agent; delegated-agent-authorization for narrowly scoped, time-bound grants. This is the fleet-scale lifecycle failure those per-agent patterns do not by themselves prevent.

What this pattern forbids. No useful constraint; the missing constraint is machine-speed identity governance — least-privilege scoping, rotation, ownership, and revocation that keep pace with the rate at which agents mint identities.

The patterns that counter or replace it —

alternative-toAgent Credential Vault★— Broker the agent's credentials at action time through a managed vault of passwords, MFA secrets, and digital personas, so secrets never enter the prompt or context and the agent authenticates as a governed identity.
complementsAgent Privilege Escalation✕— Anti-pattern: let an agent's effective permissions be the union of its own identity, the identities of its tools, and the identities of the services those tools call.
complementsShadow AI✕— Anti-pattern: leave the corporate LLM offering so restrictive, slow, or narrow that employees bypass it with personal accounts and unapproved agent tools, creating data leakage and ungoverned tool calls that security cannot see.

Neighbourhood

Click any neighbour to follow the language. Scroll to zoom, drag to pan.

References

Provenance

Source: patterns/agent-identity-sprawl.md on GitHub · commit e2386c5 · view history
Added to catalog: 2026-06-05
Last updated: 2026-06-05
Contribute: open an issue or PR at github.com/agentpatternscatalog/patterns.