AI agent risk isn't uniform: it scales with access to systems and level of autonomy. Token Security explains how CISOs should categorize agents and prioritize what to secure first. [...]
Analysis Summary
# Best Practices: Categorizing and Securing AI Agents
## Overview
These practices address the emerging security risks associated with AI agents—autonomous entities that move beyond simple chat to reasoning, planning, and executing actions across enterprise systems. The primary goal is to manage the "Agentic Risk Surface" by balancing an agent's level of system access with its degree of autonomy.
## Key Recommendations
### Immediate Actions
1. **Map the Agent Landscape:** Identify which of the three categories agents fall into: Agentic Chatbots (SaaS-based), Local Agents (developer/employee tools), or Production Agents (backend/operational).
2. **Audit Chatbot Connections:** Review API connectors and static credentials used by platforms like Slack or Microsoft 365 to ensure they are not using overly permissive admin tokens.
3. **Implement "Human-in-the-Loop" (HITL):** Require manual approval for any AI agent action that involves data deletion, financial transactions, or infrastructure changes.
### Short-term Improvements (1-3 months)
1. **Endpoint Visibility:** Deploy monitoring to detect local AI agents running on employee workstations that inherit user permissions and interact with internal APIs.
2. **Principle of Least Privilege (PoLP):** Transition agents from using broad "User-Inherited" permissions to dedicated service identities with scoped access.
3. **Identity Governance for Machines:** Establish a registry for AI-generated identities to track their creation, rotation, and usage at "machine speed."
### Long-term Strategy (3+ months)
1. **Automated Identity Lifecycle Management:** Integrate AI agent identities into existing IAM (Identity and Access Management) workflows to ensure they can be revoked as quickly as they are created.
2. **Dynamic Risk Scoring:** Implement a system to continuously evaluate agent risk based on changes in their access (what systems they touch) and autonomy (their ability to act without oversight).
3. **Centralized Agent Governance:** Shift from shadow AI usage to a centralized framework where any agentic deployment must be vetted against internal security standards.
## Implementation Guidance
### For Small Organizations
- Focus on **Agentic Chatbots.** Secure the SaaS accounts hosting these bots with MFA and audit the specific "Integrations" or "Apps" authorized within your primary productivity suite (e.g., Google Workspace/O365).
### For Medium Organizations
- Address the **Local Agent gap.** Create clear policies for developers using AI coding assistants. Ensure that internal API keys used by these agents are restricted to specific IP ranges or hardware-bound identities.
### For Large Enterprises
- Focus on **Production Agents.** Treat these as high-risk service accounts. Implement a unified control plane for agentic identities and ensure every autonomous action is logged in a centralized, tamper-proof audit trail for GRC (Governance, Risk, and Compliance) readiness.
## Configuration Examples
* **Scoped API Access:** Instead of `Scope: All_Read/Write`, configure AI agent tokens with granular permissions: `Scope: Read_Documentation_Only`.
* **Network Isolation:** Configure local AI agents to operate within a containerized environment (e.g., Docker) where network access to production databases is blocked by default.
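The following is an added example (not code from Token Security or the original article) that turns the page's access-times-autonomy model, the HITL rule for deletion/financial/infrastructure actions, and the granular-scope recommendation into one policy gate. The category names, autonomy levels, scope format (`resource:read` / `resource:write`) and the sample agents are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Agent categories from the page, ordered by how much of the enterprise they reach.
CATEGORY_ACCESS = {"chatbot": 1, "local": 2, "production": 3}
# Autonomy: how far the agent acts without a person in the loop (assumed levels).
AUTONOMY_LEVEL = {"suggest": 1, "act_with_approval": 2, "act_unsupervised": 3}
# Actions the page requires human-in-the-loop approval for, regardless of scope.
HITL_ACTIONS = {"delete", "financial_transaction", "infra_change"}
# Over-permissive scopes that should never be issued to an agent token.
WILDCARD_SCOPES = {"all", "all_read/write"}


@dataclass
class Agent:
    name: str
    category: str  # "chatbot" | "local" | "production"
    autonomy: str  # key of AUTONOMY_LEVEL
    scopes: set = field(default_factory=set)  # assumed format: {"docs:read", "tickets:write"}


def risk_score(agent: Agent) -> int:
    """Risk = access x autonomy; any write or wildcard scope raises the access term."""
    access = CATEGORY_ACCESS[agent.category]
    if any(s.lower() in WILDCARD_SCOPES or s.endswith(":write") for s in agent.scopes):
        access += 1
    return access * AUTONOMY_LEVEL[agent.autonomy]


def prioritize(agents: list) -> list:
    """Names of agents ordered by descending risk: what to secure first."""
    return [a.name for a in sorted(agents, key=risk_score, reverse=True)]


def authorize(agent: Agent, action: str, resource: str, human_approved: bool = False) -> tuple:
    """Default-deny gate: reject wildcard scopes, require a matching granular scope,
    and require explicit human approval for destructive actions."""
    if any(s.lower() in WILDCARD_SCOPES for s in agent.scopes):
        return False, "wildcard scope rejected; issue granular scopes instead"
    needed = f"{resource}:{'read' if action == 'read' else 'write'}"
    if needed not in agent.scopes:
        return False, f"missing scope {needed}"
    if action in HITL_ACTIONS and not human_approved:
        return False, f"{action} requires human-in-the-loop approval"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample inventory, one agent per category from the page.
    fleet = [Agent("slack-helper", "chatbot", "suggest", {"docs:read"}),
             Agent("ide-assistant", "local", "act_with_approval", {"repo:write"}),
             Agent("ops-runner", "production", "act_unsupervised", {"db:write"})]
    print(prioritize(fleet), authorize(fleet[2], "delete", "db"))
```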
## Compliance Alignment
- **NIST AI Risk Management Framework (AI RMF):** Aligning oversight with access levels.
- **ISO/IEC 42001:** Establishing governance for AI-driven processes.
- **CIS Controls:** Specifically Control 5 (Account Management) and Control 6 (Access Control Management) as applied to non-human identities.
## Common Pitfalls to Avoid
- **Permission Inheritance:** Assuming an agent is safe because it uses an employee's credentials; this bypasses standard administrative controls and creates a "blind spot."
- **Static Token Proliferation:** Using long-lived API keys for AI agents rather than short-lived, rotated credentials.
- **Over-Autonomy:** Granting "Write" or "Delete" access to an agent before its reasoning capabilities have been stress-tested in a sandbox.
## Resources
- **Token Security:** IAM for AI agents [hXXps://www.token.security]
- **NIST AI RMF:** Framework for managing AI risks [hXXps://www.nist.gov/itl/ai-risk-management-framework]
- **OWASP Top 10 for LLMs:** Security guidance for Large Language Model applications [hXXps://owasp.org/www-project-top-10-for-large-language-model-applications/]