A local failure becomes a systemic failure when the same identity works in too many places.
A development agent is asked to validate a dataset. The task sounds contained: read test records, run a comparison, report anomalies. The tool call succeeds. The problem is that the backing identity is not a development identity. It is a shared service account that also works against production resources. A low-risk validation task now has a production path.
No new exploit is required. The boundary was already missing.
The previous article in this series looked at secrets that escape into memory and retrieval. This one looks at a neighboring failure: what happens when the identity behind an agent crosses environment and workload boundaries. The credential may be valid. The tool may be approved. The failure is that the same credential is valid in the wrong place.
The OWASP Non-Human Identities Top 10 for 2025 names the two relevant identity failures as NHI8:2025 Environment Isolation and NHI9:2025 NHI Reuse. NHI8 is the failure to isolate identities by environment. NHI9 is the reuse of the same NHI across applications, services, or components.
In the OWASP Top 10 for Agentic Applications 2026, the agent-side risks show up as ASI07 Insecure Inter-Agent Communication, ASI08 Cascading Failures, and, for reused tools and connectors, ASI04 Agentic Supply Chain Vulnerabilities. The agent layer can make the old isolation problem easier to activate: agents call tools, hand work to other agents, and follow context across systems unless the identity layer stops them.
The Cross-Environment Path
The following is a review model, not a claim about a specific incident. It shows how a shared identity can turn a development task into a production action.
| Step | System | What happens | Boundary failure |
|---|---|---|---|
| 1 | Development agent | Agent receives a dataset-validation task. | Task is low trust and should remain in development. |
| 2 | Tool registry | Agent selects validate_dataset. | Tool name does not reveal production reach. |
| 3 | Backing NHI | Tool authenticates as data-platform-service. | Same NHI works in development and production. |
| 4 | Data platform | Request includes a production dataset ID from retrieved context. | Environment is selected by parameter, not identity boundary. |
| 5 | Production resource | Production read or write succeeds. | Production accepts a development-originated workflow. |
| 6 | Follow-on agent | Result is handed to another agent for remediation. | Inter-agent workflow inherits the same confused boundary. |
This is why blast radius belongs in the NHI discussion. The agent did not need production credentials in any meaningful product sense. But the backing NHI had them, and the production system accepted them.
The first bad call is only the beginning. Once a production result enters the agent workflow, a second agent may summarize it, store it, open a ticket, trigger a deployment, or call a remediation tool. The failure spreads because the boundary was not enforced at the identity layer.
Before and After Isolation
Environment isolation is not only a network diagram. It is a property of identities, tools, and traces.
| Design question | Weak isolation | Stronger isolation |
|---|---|---|
| Which identity backs the tool? | One shared NHI across development, staging, and production. | Separate NHIs per environment and per tool purpose. |
| How is the environment selected? | Runtime parameter, prompt context, or default configuration. | Credential and policy constrain the environment before parameters matter. |
| Can development reach production? | Yes, if the shared NHI has production access. | No; development identities are denied by production resources. |
| Can one service identity serve many workloads? | Yes, because reuse is operationally convenient. | No; each workload has a distinct NHI and owner. |
| What happens on compromise? | A single leaked or misused identity crosses workloads. | Compromise remains bounded to one workload and environment. |
| What does the trace show? | Tool call and credential use appear valid, but origin is ambiguous. | Trace records agent, tool, NHI, environment, resource, and policy decision. |
| How is cleanup performed? | Rotate one credential and hunt for all places it was reused. | Revoke the affected NHI and verify neighboring environments still deny access. |
The after column is not more complicated for its own sake. It is more explicit because the system is already complicated. Shared identities hide that complexity until something goes wrong.
How Cascades Start
Cascading failure often looks dramatic after the fact. Before the fact, it looks like convenience.
The same API key works for development and production. The same cloud role is attached to several workloads. The same Kubernetes service account is used by pods with different trust levels. The same connector identity is accepted by multiple agents. The same remediation tool can be called from staging and production. Each decision removes a hard boundary and replaces it with convention.
Agents stress those conventions. They combine context from one place with tools from another. They can read an instruction in a ticket, retrieve a dataset name from memory, call a tool registered for a different purpose, and hand the result to another agent. If the identity behind that path is reused, the system may treat the chain as legitimate all the way down.
That is the NHI shape of blast radius. It is not only how much permission an identity has. It is how many places accept that identity as local.
What to Measure
The useful review question is not “are environments separated?” It is “which identities prove the separation?”
For every agent tool, record the backing NHI, the environment where the tool is allowed to run, the resources it can reach, and the workloads that can assume or use it. Then look for reuse:
- One NHI accepted by both non-production and production resources.
- One NHI shared across multiple agents with different trust levels.
- One NHI shared across unrelated tools because it was the first credential that worked.
- One remediation identity able to act on resources outside the incident boundary.
- One third-party connector identity reused across tenants, teams, or environments.
The test should be practical. From a development-originated agent workflow, attempt a production resource access with the same tool and identity. From a low-trust agent, attempt to invoke a high-trust agent or tool. From a staging connector, attempt to read production metadata. The expected result should be denial by identity policy, not a reminder in documentation.
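
The inventory review described above can be run as a script. This is an added example, not code from the series or from OWASP; the inventory rows, field names, and every identity name other than `validate_dataset` and `data-platform-service` are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory, one row per agent tool. Every name here is hypothetical.
# "resources" are written as "<environment>/<resource>"; "workloads" maps each
# workload that can use the NHI to its trust level.
INVENTORY = [
    {"tool": "validate_dataset", "nhi": "data-platform-service", "tool_env": "development",
     "resources": ["development/test-records", "production/customer-records"],
     "workloads": {"dev-validator": "low"}},
    {"tool": "remediate_dataset", "nhi": "data-platform-service", "tool_env": "production",
     "resources": ["production/customer-records"],
     "workloads": {"prod-remediator": "high"}},
    {"tool": "open_ticket", "nhi": "ticketing-dev", "tool_env": "development",
     "resources": ["development/tickets"],
     "workloads": {"dev-validator": "low"}},
]


def find_reuse(inventory):
    """Return (nhi, finding, detail) tuples for each reuse pattern found."""
    by_nhi = defaultdict(lambda: {"envs": set(), "trust": set(), "tools": set()})
    findings = []
    for row in inventory:
        envs = {r.split("/", 1)[0] for r in row["resources"]}
        agg = by_nhi[row["nhi"]]
        agg["envs"] |= envs
        agg["trust"] |= set(row["workloads"].values())
        agg["tools"].add(row["tool"])
        # A tool registered for one environment should not reach another.
        if envs - {row["tool_env"]}:
            findings.append((row["nhi"], "tool-reaches-outside-its-environment", row["tool"]))
    for nhi, agg in sorted(by_nhi.items()):
        if "production" in agg["envs"] and agg["envs"] - {"production"}:
            findings.append((nhi, "accepted-by-prod-and-non-prod", ",".join(sorted(agg["envs"]))))
        if len(agg["trust"]) > 1:
            findings.append((nhi, "shared-across-trust-levels", ",".join(sorted(agg["trust"]))))
        if len(agg["tools"]) > 1:
            findings.append((nhi, "shared-across-tools", ",".join(sorted(agg["tools"]))))
    return findings


if __name__ == "__main__":
    for nhi, finding, detail in find_reuse(INVENTORY):
        print(f"{nhi}: {finding} ({detail})")
```
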
What Has to Be True
Each environment needs distinct NHIs. Development, staging, and production should not share the same service account, API key, workload identity, or cloud role. If a development identity is compromised, production should not recognize it.
Each workload needs its own NHI. A shared identity across agents, tools, or services makes ownership unclear and containment difficult. The question during response should be “which workload did this identity represent?” not “where else did we reuse this?”
Environment should be enforced before tool parameters are interpreted. A production dataset ID should not be enough to make a development-originated tool call production-capable. The credential and policy should decide the boundary first.
Inter-agent communication needs identity-aware trust checks. If one agent hands work to another, the receiving agent should know the caller, task, environment, and allowed authority. Otherwise delegation becomes a quiet way to move work across boundaries.
Traces should make blast radius visible. Every high-impact tool call should join agent, tool, NHI, environment, resource, caller, and policy result. Without that join, incident response sees valid calls without knowing which boundary failed.
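
One way to enforce the environment before tool parameters are interpreted, and to emit the joined trace record, is sketched below. This is an added example, not code from the series; the registry, the resource catalogue, the dataset IDs, and all identity and agent names are hypothetical, and the sketch assumes the platform (not the caller) knows which environment each resource belongs to.

```python
import json

# Hypothetical registry: each NHI is bound to one environment and one workload.
NHI_REGISTRY = {
    "validate-dataset-dev": {"environment": "development", "workload": "dev-validator"},
    "validate-dataset-prod": {"environment": "production", "workload": "prod-validator"},
}
# Hypothetical catalogue: a resource's environment is platform data, never a
# value taken from the request.
RESOURCE_ENV = {"ds-test-001": "development", "ds-cust-900": "production"}


def authorize(agent, tool, nhi, caller, params):
    """Decide from identity and environment first; return (allowed, trace)."""
    identity = NHI_REGISTRY.get(nhi)
    resource = params.get("dataset_id")
    resource_env = RESOURCE_ENV.get(resource)
    if identity is None:
        result = "deny:unknown-nhi"
    elif identity["workload"] != agent:
        result = "deny:nhi-not-bound-to-workload"
    elif resource_env is None:
        result = "deny:unknown-resource"
    elif resource_env != identity["environment"]:
        # Any "environment" value in params is ignored on purpose.
        result = "deny:environment-mismatch"
    else:
        result = "allow"
    # The trace joins the fields the review needs, whether allowed or denied.
    trace = {
        "agent": agent, "tool": tool, "nhi": nhi,
        "environment": identity["environment"] if identity else None,
        "resource": resource, "resource_environment": resource_env,
        "caller": caller, "policy_result": result,
    }
    return result == "allow", trace


if __name__ == "__main__":
    # Constructed request: a production dataset ID arrives via retrieved context.
    request = {"dataset_id": "ds-cust-900", "environment": "development"}
    allowed, trace = authorize("dev-validator", "validate_dataset",
                               "validate-dataset-dev", "ticket-triage-agent", request)
    print(allowed, json.dumps(trace))
```
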
The final test is containment. If an agent in development is compromised, what production action can still succeed? If the answer is anything more than “none,” the system is relying on behavior where it should rely on isolation.
Blast radius is not an abstract property of architecture diagrams. It is determined by which identities are accepted where. Reused NHIs and weak environment isolation make a local mistake portable. Strong isolation keeps it local.
Next in the series: human use of NHIs, and why audit trails break when people, machines, and agents share the same credentials.
