The Non-Human Identity Governance Vacuum
Read the original on Cloud Security Alliance
The Summary
A CSA whitepaper argues that agentic AI introduces a qualitatively new identity-governance problem: unlike static service accounts, agents act autonomously, call external APIs, spawn sub-agents, and acquire permissions at runtime. Existing NHI tooling assumes static credentials and can't see or constrain this dynamic, delegated behavior.
Why It Matters for AI Harness
Spawning sub-agents and acquiring permissions at runtime is exactly the scenario the doctrine's fifth architectural plane — Multi-Agent Trust & Delegation — exists to govern. When an agent delegates to another agent, Trust Does Not Travel: the receiver inherits the task, not the authority, and every handoff is an independent trust boundary. Static-credential governance was never designed for actors that re-negotiate their own privileges mid-mission.
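The difference between authority that travels and authority evaluated at each handoff, as an added example that is not code from the CSA whitepaper or from the doctrine. The agent names, scope strings, policy store and function names are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy store: authority is bound to each agent's own identity.
POLICY = {
    "orchestrator": {"tickets:read", "tickets:write", "secrets:read"},
    "summarizer": {"tickets:read"},
}

@dataclass(frozen=True)
class Handoff:
    sender: str
    receiver: str
    task: str
    requested: frozenset  # scopes the receiver asks for to carry out the task

def inherited(h):
    """Anti-pattern: trust travels, so the receiver acts with the sender's grants."""
    return set(h.requested) & POLICY.get(h.sender, set())

def independent(h):
    """Handoff as a trust boundary: only the receiver's own grants count.
    An agent spawned at runtime with no policy entry gets nothing (default deny)."""
    return set(h.requested) & POLICY.get(h.receiver, set())

def evaluate_chain(chain, decide):
    """Evaluate every hop separately and return an audit record per handoff."""
    records = []
    for h in chain:
        granted = decide(h)
        records.append({
            "hop": f"{h.sender}->{h.receiver}",
            "task": h.task,
            "granted": sorted(granted),
            "denied": sorted(set(h.requested) - granted),
        })
    return records

# Constructed delegation chain: orchestrator -> summarizer -> runtime-spawned helper.
CHAIN = [
    Handoff("orchestrator", "summarizer", "summarize ticket 42",
            frozenset({"tickets:read", "secrets:read"})),
    Handoff("summarizer", "helper-7f3a", "fetch attachments",
            frozenset({"tickets:read"})),
]

if __name__ == "__main__":
    for name, decide in (("inherited", inherited), ("independent", independent)):
        for rec in evaluate_chain(CHAIN, decide):
            print(name, rec)
```

Under the inherited model the summarizer obtains secrets:read through the orchestrator and the unregistered helper obtains tickets:read through the summarizer; under independent evaluation both requests land in the denied column of the audit record.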
Maps to the doctrine
This story illustrates the following principles of the independent AI Harness Doctrine:
MissionHarness.ai curates third-party reporting and adds original doctrine analysis. The summary and commentary above are our own; the original article is the property of Cloud Security Alliance and is linked, not reproduced. Doctrine terms link to the independent standard at aiharnessdoctrine.org.