What companies should look out for when managing AI agents

The rapid development of artificial intelligence (AI) is presenting organisations with new security challenges: alongside humans, non-human identities (NHIs) are increasingly appearing as users – digital identities of AI agents, bots, scripts or modules that interact with systems autonomously. In many organisations, their number already significantly exceeds that of human user accounts and continues to grow exponentially due to the massive increase in the use of AI services.

As a result, NHIs are fundamentally changing the requirements for Identity and Access Management (IAM). Traditional authorisation concepts and processes are no longer sufficient for these dynamic, context-sensitive identities. Governance, transparency and control need to be rethought to prevent security incidents, data leaks or regulatory breaches.

In the white paper “Managing and Controlling Non-Human Identities”, which we have produced in collaboration with the IAM and GRC technology provider Nexis, our experts demonstrate how organisations can adapt their security architectures to the reality of NHIs – using modern concepts for permissions, identities, and access and authorisation management.

Ready to talk? Contact us

auto_stories

Background information, analysis and practical tips: Find out now what companies need to do to ensure that AI agents and NHIs are deployed in a technologically secure, responsible and transparent manner. Publication in German.

Download now

Key topics covered in the white paper

AI agents are acting with increasing autonomy and can therefore – if configured incorrectly – extend their own privileges. This increases risks because traditional security controls are not designed to deal with such autonomous entities. At the same time, MCP servers allow for extensive access that is often underestimated, and the integration of Large Language Models (LLMs) increases the risk of unintended data leaks, particularly with externally hosted services.

In future, organisations will need a central register that comprehensively records all new types of identity, such as agents, bots and MCP servers. Static role models must be supplemented by dynamic, context-based permissions in order to reflect the high degree of flexibility offered by NHIs. At the same time, comprehensive documentation of all rights, actions and usage contexts will be essential. This is the only way to ensure security, transparency and governance in the long term.

Like human users, AI agents must go through a clearly defined lifecycle that governs their creation, customisation and decommissioning. Key attributes such as intended use, model type and training data form the basis for secure rights assignment. At the same time, modern identity and access management solutions enable the automated and context-sensitive management of these identities.

In future, segregation of duties (SoD) rules must also be consistently applied to autonomous agents operating in highly dynamic environments. Such agents’ access to end devices, local applications and privileged contexts must be strictly limited to prevent misuse. In addition, DLP (Data Loss Prevention) strategies and sensitivity labels ensure that sensitive data remains protected. This creates a dynamic control system that encompasses all types of identities.

Interested in our services? Contact us

More KPMG Insights

Digital Identity Management

How you can protect digital identities and the core components of a modern DIM

Download now

Cyber Security & Tech Regulation

Secure, compliant, future-orientated: End-to-end cyber protection and modern technologies for a robust digital transformation

Learn more

Cyber Security

KPMG entwickelt Sicherheitsmodelle für den vollständigen IT-Lebenszyklus einschließlich Analyse, Planung, Konzeption, Implementierung und Überwachung.

Learn more