SAIL 2.0

/

Build - AI Security Posture Management

/

Inherited Identity Sprawl

3.14

.

Inherited Identity Sprawl

sail
3.14
Risk

Inherited Identity Sprawl

Description

Agents operate using a delegating user's identity instead of a dedicated workload identity, causing sprawl of human identities used by non-human actors and breaking least-privilege boundaries.

Example

A coding agent acts under the developer's full SSO identity (with all their access), rather than a scoped workload identity for the agent.

Assets Affected

Agent Identity

AI Agent

AI Provider Access Credentials

Mitigation
  • Issue workload identities for service-side agents
  • use scoped tokens with explicit lifetimes for endpoint agents
  • prohibit shared identities
  • periodically audit human-to-agent identity mappings.
Standards Mapping
  • ISO: A.4.5, A.4.6
  • OWASP agentic: ASI03
  • OWASP LLM: LLM06:2025
  • EU AI Act: Art. 15(5)
  • DASF: Agents-Core 13.3, Agents-MCP Server 13.17
  • AIUC-1: B007