Agentic Shadow Infrastructure: How AI Supply-Chain Drift Creates Unmanaged Enterprise Infrastructure

Agent identity governance is advancing, though core agent identity and authorization questions remain unresolved: existing frameworks provision, authenticate, authorize, and retire non-human and agentic identities, governing the agent’s identity, credentials, and lifecycle while assuming the composition an agent was approved with remains the composition it runs with. This paper argues that assumption is the open seam. An agent’s effective composition—its tools, data sources, delegated authorities, policies, and child agents—is a runtime supply chain of capability, and that supply chain drifts. We introduce composition drift as the departure of an agent’s effective composition from the terms of its approval, and isolate its most consequential form, compositional drift: the accumulation of individually approved changes into capability that none authorized alone. We formalize this with a two-stage operator: a component-level diff detects that the composition changed (component divergence); a capability-closure stage detects when the change authorized something new (compositional drift)—a qualitative boundary, not a numeric threshold. The contribution is not the observation that approved changes can combine dangerously—long known to authorization security—but a temporal governance model for approved composition drift in agentic systems, linking emergent capability to reauthorization and inventory reconciliation. This drift produces shadow infrastructure: resources provisioned outside any inventory through benign, individually approved pathways. We propose composition attestation, a runtime composition-control layer complementary to identity governance. Paired positive and negative scenarios show the model discriminates, not labels. We bound our claims: the model establishes the phenomenon by construction and claims no deployment efficacy.