Because cloud and AI increase the number of identities that must be trusted, monitored, and revoked. Traditional IAM models were built around people, but modern environments depend on continuous machine-to-machine access as well. As scale rises, visibility gaps and privilege sprawl become resilience issues, not just administrative inconveniences.
Why Scale Changes the Identity Problem
As cloud estates grow, the identity surface expands faster than the security team can review it. Human users are only part of the picture. Service accounts, API keys, workload identities, and autonomous agents now create the majority of trust decisions, and those decisions happen continuously. That is why identity strategy becomes a resilience issue, not just an IAM housekeeping task. NHI Mgmt Group’s Ultimate Guide to NHIs shows why this matters: NHIs outnumber human identities by 25x to 50x in modern enterprises, yet only 5.7% of organisations have full visibility into their service accounts. When scale rises, hidden privilege and stale secrets compound quickly. The NIST Cybersecurity Framework 2.0 frames identity as core risk management, not an admin function. In practice, many security teams encounter over-privilege only after a breach chain has already used it to move laterally or extract data.
How Identity Strategy Should Adapt for Cloud and AI
Modern identity strategy has to assume that access is dynamic, distributed, and often machine-driven. Static RBAC still has value, but it cannot be the only control plane when an AI agent can decide to call tools, chain actions, and pursue a goal without a fixed workflow. Current guidance suggests combining workload identity, intent-based authorisation, and JIT credentials so access is granted for a task, not for a long-lived standing entitlement. That aligns with the principle of ZSP and supports ZTA by reducing the blast radius of compromise.
Practically, this means issuing short-lived secrets, binding them to workload identity, and evaluating every sensitive action at request time. A strong model uses cryptographic workload identity, such as SPIFFE or OIDC tokens, to prove what the agent is, then applies policy-as-code before any secret is released or action approved. The Top 10 NHI Issues and Ultimate Guide to NHIs — What are Non-Human Identities both reinforce that rotation, offboarding, and visibility are foundational. Security leaders should also note that 67% of organisations still rely heavily on static credentials, which is a poor fit for autonomous systems that can operate at machine speed. The NIST Cybersecurity Framework 2.0 and identity governance patterns both point toward continuous verification rather than one-time trust. These controls tend to break down in legacy automation pipelines because shared secrets and broad service accounts are hard-coded into deployment logic.
Where the Edge Cases and Tradeoffs Appear
Tighter identity controls often increase operational overhead, requiring organisations to balance faster delivery against stronger containment. That tradeoff becomes especially visible in agentic environments, where policies must be both strict and responsive. There is no universal standard for this yet, but current guidance increasingly favours context-aware approval over pre-assigned blanket access. One useful signal is the research in Snowflake breach and 230M AWS environment compromise, which shows how weak identity boundaries turn into large-scale exposure when cloud access is both broad and persistent.
The same logic applies to AI agents. A cautious organisation may prefer manual approvals for high-risk actions, but that approach can slow down incident response or break autonomous workflows. The more scalable pattern is to keep long-lived access out of the agent path and let the policy engine decide at runtime whether a requested action matches the current intent, context, and risk threshold. One operational exception is regulated batch processing, where a fixed service account may still be appropriate if it is tightly scoped, monitored, and rotated. Another is vendor-managed agent tooling, where the identity model may be constrained by the platform. Best practice is evolving here, so organisations should document exceptions explicitly and revisit them as autonomy grows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Autonomous agents need runtime access control, not static trust. |
| CSA MAESTRO | MAESTRO addresses governance for autonomous AI systems and their identities. | |
| NIST AI RMF | AI RMF fits the governance and accountability needs of scaling AI identity risk. |
Use AI RMF governance to define accountability, monitoring, and escalation for agent behavior.
