By NHI Mgmt Group Editorial Team | Published 2025-06-20 | Domain: Agentic AI & NHIs | Source: Strata Identity

TL;DR: Agentic AI is exposing nine identity gaps across authentication, delegation, intent capture, authorization, human approval, and observability, while Gartner expects 30% of enterprises to rely on agents with minimal human input by 2026, according to Strata Identity. The governance problem is no longer theoretical: access review, least privilege, and audit models built for static identities break when agents act at machine speed.


At a glance

What this is: This analysis argues that agentic AI breaks legacy IAM because agents are dynamic, ephemeral, and autonomous, creating nine identity gaps across the full lifecycle.

Why it matters: IAM teams need to treat AI agents as governed identities, because the controls that work for humans and static workloads do not reliably hold when access is delegated, task-bound, and runtime-driven.



Context

Agentic AI is a control problem before it is a tooling problem. These systems do not behave like static applications or ordinary service accounts. They decide, call tools, and complete tasks across multiple systems, which means identity, delegation, and authorisation must be evaluated at runtime rather than only at provisioning time.

For IAM and NHI programmes, the failure is structural: legacy models assume access can be defined once and reviewed later, but agentic workflows change mid-session and often leave weak evidence of what the actor intended. That is why this topic sits at the intersection of NHI governance, Zero Trust, and lifecycle control rather than inside a narrow AI operations bucket.


Key questions

Q: How should security teams govern AI agents that act on delegated authority?

A: Security teams should govern AI agents as delegated identities with explicit subject, purpose, scope, and runtime evidence. That means binding the request to the actor, limiting authority to the task, and preserving a policy record that can be audited later. If the delegation chain cannot be explained, it is not controlled enough for production use.

Q: Why do AI agents complicate Zero Trust and least privilege models?

A: AI agents complicate Zero Trust because they can change tool use, data access, and execution timing during a session. Least privilege is harder to define when intent is dynamic and the actor can discover new paths at runtime. That forces security teams to move from static entitlement thinking to task-scoped enforcement.

Q: What breaks when AI agent access is reviewed like human access?

A: Human-style access review fails when the evidence you need is the task, not the person. Agent access can be ephemeral, delegated, and context dependent, so a periodic recertification may miss the real risk window entirely. Teams need runtime logs, policy decisions, and delegation records instead of only periodic attestations.

Q: How can organisations tell whether AI agent governance is working?

A: Organisations should look for three signals: every agent action is tied to an explicit delegating subject, sensitive actions require policy-backed step-up approval, and investigators can reconstruct the full delegation chain after the fact. If any of those is missing, governance is partial rather than trustworthy.


Technical breakdown

Why agentic identity breaks static authentication models

Agentic identity inherits the need for authentication, but not the human cadence that older IAM flows assume. The problem is not merely that an agent logs in differently. It is that the authenticating subject, the delegated actor, and the runtime task can diverge quickly, especially when the agent chains tool calls across APIs. Passwordless sign-in, OIDC, passkeys, and workload identity all matter here, but only if they bind the delegated action to a verifiable identity context. Without that binding, authentication proves presence, not authority. Practical implication: design identity proofing and delegation so the action trail is as explicit as the login event.

Practical implication: Bind agent authentication to the delegated task and preserve verifiable identity context across tool calls.

Delegation, intent capture, and fine-grained authorisation

Legacy OAuth-style trust is often too coarse for agentic systems because the authorisation boundary is implied rather than explicit. An agent may receive broad scopes, then infer how to act from prompt context, which creates a gap between what was intended and what was permitted. Intent capture is the missing control plane. It should tie the human or system request, the agent’s planned action, and the policy decision into one auditable chain. ABAC and OPA-style policy enforcement become necessary because task scope changes faster than static role design can absorb. Practical implication: make intent and scope machine-readable before the agent starts work.

Practical implication: Record intent, scope, and policy together so the agent cannot drift beyond the authorised task.

Observability for agentic workflows and delegation chains

Traditional logs are too coarse when an agent can discover endpoints, invoke tools, and escalate through a chain of delegated actions. Security teams need to see subject, actor, policy decision, tool selection, and outcome in one record. That is the only way to reconstruct whether an action was legitimate, excessive, or simply impossible to explain later. This is where agentic identity differs from ordinary workload identity: the evidence problem is not just who connected, but how authority moved during the session. Practical implication: log the full delegation chain and retain enough context to support incident review and compliance evidence.

Practical implication: Capture the full delegation chain so investigators can reconstruct authority movement, not just access events.
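
An added example (not code from Strata Identity or NHI Mgmt Group) of an after-the-fact audit over delegation and action records: it rebuilds each action's delegation chain and reports which governance signals are missing. The record fields, identifiers and finding names are hypothetical, and the sample records are constructed.

```python
# Constructed sample records (not real logs): delegation hops and agent actions.
RECORDS = [
    {"id": "d1", "kind": "delegation", "from": "user:alice", "to": "agent:planner",
     "parent": None, "intent": "reconcile Q2 invoices"},
    {"id": "d2", "kind": "delegation", "from": "agent:planner", "to": "agent:fetcher",
     "parent": "d1", "intent": "read Q2 invoices"},
    {"id": "a1", "kind": "action", "actor": "agent:fetcher", "delegation": "d2",
     "tool": "erp.read", "sensitive": False, "decision": "allow", "approval": None},
    {"id": "a2", "kind": "action", "actor": "agent:fetcher", "delegation": "d2",
     "tool": "erp.export", "sensitive": True, "decision": "allow", "approval": None},
    {"id": "a3", "kind": "action", "actor": "agent:mailer", "delegation": "d9",
     "tool": "mail.send", "sensitive": True, "decision": None,
     "approval": {"by": "user:bob", "action": "a3"}},
]

def delegation_chain(deleg_id, hops_by_id):
    """Walk parent links to the root. Returns hops root-first, or None if broken."""
    hops, seen = [], set()
    while deleg_id is not None:
        if deleg_id in seen or deleg_id not in hops_by_id:
            return None  # loop or missing hop: authority cannot be explained
        seen.add(deleg_id)
        hops.append(hops_by_id[deleg_id])
        deleg_id = hops_by_id[deleg_id]["parent"]
    return hops[::-1] or None

def audit(records):
    """Map each action id to the governance signals it fails (empty list = clean)."""
    hops_by_id = {r["id"]: r for r in records if r["kind"] == "delegation"}
    findings = {}
    for act in (r for r in records if r["kind"] == "action"):
        issues = []
        hops = delegation_chain(act["delegation"], hops_by_id)
        if hops is None:
            issues.append("chain-not-reconstructable")
        else:
            # The chain must start at a human or system, not at another agent.
            if not hops[0]["from"].startswith(("user:", "system:")):
                issues.append("no-delegating-subject")
            linked = all(a["to"] == b["from"] for a, b in zip(hops, hops[1:]))
            if not linked or hops[-1]["to"] != act["actor"]:
                issues.append("actor-outside-chain")
        if act["decision"] is None:
            issues.append("no-policy-decision")
        approval = act["approval"] or {}
        # Approval counts only if it names this specific action.
        if act["sensitive"] and approval.get("action") != act["id"]:
            issues.append("no-step-up-approval")
        findings[act["id"]] = issues
    return findings
```
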


Threat narrative

Attacker objective: The attacker aims to hijack or overextend an agent’s delegated authority so it can access systems, disclose data, and act without reliable human oversight.

  1. Entry occurs when a human or upstream system delegates access to an AI agent through weak or implicit authentication and coarse trust scopes.
  2. Credential access or abuse follows when the agent relies on static keys, broad API credentials, or insufficient workload identity protections to reach downstream systems.
  3. Escalation happens as the agent discovers additional tools and endpoints, expands beyond intended scope, and performs actions without a runtime human approval gate.
  4. Impact arrives when over-permissioned or poorly observed agent activity exposes data, alters systems, or leaves the enterprise unable to reconstruct what happened.



NHI Mgmt Group analysis

Agentic identity is not just another NHI subtype. It changes the governance problem because the actor can decide, select tools, and execute actions during the session rather than only at provisioning time. That means controls built for static access, static intent, and delayed review are operating against the wrong behavioural model. Practitioners should treat agentic AI as a separate identity governance class with its own runtime controls.

Intent capture is the new missing control plane. The article shows that the most dangerous gap is not only weak authentication, but the absence of a durable link between request, purpose, policy, and execution. Without that link, authorisation becomes a guess after the fact. NHI governance should therefore move from access entitlement thinking to delegated action traceability.

Delegation boundaries built on implicit trust fail at machine speed. Legacy OAuth and coarse scopes were designed for slower trust chains and more obvious operators. Agentic systems can move through those boundaries too quickly for review cycles, which means the failure is not simply weak implementation but a trust model that no longer matches the actor. Security teams should stop treating scopes as sufficient evidence of authority.

Agentic observability is now a compliance control, not a logging luxury. If the platform cannot record subject, actor, intent, policy decision, and outcome together, then forensic reconstruction will fail even when the security stack is otherwise healthy. This is where the identity control plane becomes an evidence plane. Teams should measure whether they can prove who caused an agent action, not just whether the action occurred.

Runtime privilege for agents must be governed as ephemeral blast radius. The article’s nine gaps all point to the same field-level issue: agentic systems need controls that bound what can happen in a single task, not just what an identity may theoretically hold. That shifts practitioner thinking toward task-scoped authority and away from persistent entitlements.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
  • The next control question is not whether agents are useful, but whether their behaviour can be governed as cleanly as their access can be assigned, as discussed in OWASP NHI Top 10.

What this signals

Agentic governance will become a core IAM programme test. When agents are expected to operate with minimal human input, security teams need proof that intent, scope, and authorization remain linked throughout the task. The practical shift is toward runtime evidence, not just entitlement review. For teams extending Zero Trust principles to agentic systems, the OWASP Agentic AI Top 10 is now a useful external reference point.

Delegation-chain logging is the new evidence boundary. If your programme cannot reconstruct who delegated to the agent, what policy approved the action, and what tools were invoked, you will struggle with audits and incident response. That is why the NHI Lifecycle Management Guide matters here: lifecycle control is becoming evidence control for machine actors.


For practitioners

  • Map every agent to a named delegating subject. Require each agent workflow to identify the human or system that initiated the task, the policy that authorised it, and the downstream systems it may touch. Do not allow anonymous or orphaned agents to operate under generic shared credentials.
  • Replace broad scopes with task-scoped ABAC policy. Define policies around task, data class, and runtime context instead of broad application-level permissions. Use attribute-based decisions to constrain what the agent can do, then re-evaluate those attributes before each sensitive action.
  • Enforce step-up approval for sensitive agent actions. Insert runtime human approval for actions that move data, change entitlements, or trigger external side effects. The approval gate should be tied to the specific action and context, not to a generic session.
  • Log the full delegation chain and policy decision. Capture the original intent, delegated scopes, tool calls, policy evaluations, and final outcome in a single investigation record. That evidence should support compliance review, incident response, and post-action audit without reconstruction from scattered logs.
  • Review workload identity protections for agent-to-API access. Where agents authenticate to APIs, replace static keys and generic client credentials with workload identity patterns that reduce spoofing risk and improve attribution. Align this with existing NHI lifecycle controls in the NHI Lifecycle Management Guide and the Ultimate Guide to NHIs.
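
The task-scoped ABAC and step-up approval items above, and the earlier section on delegation, intent capture and fine-grained authorisation, as an added example (not code from Strata Identity or NHI Mgmt Group): a decision function that is re-evaluated on every tool call and returns one record linking subject, actor, intent and policy decision. The `Grant` fields, the `SENSITIVE` set and the reason strings are hypothetical.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """Machine-readable intent and scope, fixed before the agent starts work."""
    subject: str             # delegating human or system
    actor: str               # agent acting on the subject's behalf
    intent: str              # why the task was authorised
    tools: frozenset         # tools the task may call
    data_classes: frozenset  # data classes the task may touch
    expires_at: float        # epoch seconds; the grant ends with the task window

# Assumed for this example: tools that move data or change entitlements.
SENSITIVE = {"export", "grant_role", "send_external"}

def decide(grant, actor, tool, data_class, approvals=(), now=None):
    """Evaluate one tool call against the grant and return the audit record.

    approvals holds (tool, data_class) pairs a human approved for this task,
    so an approval covers one action in one context, not the whole session.
    """
    now = time.time() if now is None else now
    if actor != grant.actor:
        decision, reason = "deny", "actor-not-delegated"
    elif now >= grant.expires_at:
        decision, reason = "deny", "grant-expired"
    elif tool not in grant.tools:
        decision, reason = "deny", "tool-outside-task"
    elif data_class not in grant.data_classes:
        decision, reason = "deny", "data-class-outside-task"
    elif tool in SENSITIVE and (tool, data_class) not in approvals:
        decision, reason = "step_up", "approval-required-for-this-action"
    else:
        decision, reason = "allow", "within-task-scope"
    # One record carries subject, actor, intent, action and decision together.
    return {"subject": grant.subject, "actor": actor, "intent": grant.intent,
            "tool": tool, "data_class": data_class,
            "decision": decision, "reason": reason, "at": now}

# Constructed sample grant for a single task.
GRANT = Grant("user:alice", "agent:fetcher", "reconcile Q2 invoices",
              frozenset({"read", "export"}), frozenset({"finance"}), 1000.0)
```
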

Key takeaways

  • Agentic AI breaks legacy IAM assumptions because the actor can make runtime decisions, select tools, and execute work independently of human review cycles.
  • The article identifies nine distinct identity gaps, and the most consequential are weak delegation, missing intent capture, coarse authorization, and poor observability.
  • Practitioners should shift to task-scoped authority, runtime approval for sensitive actions, and delegation-chain logging if they want agent governance that is actually auditable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | - | Covers agentic identity, delegation, and tool-use risk described in the article.
OWASP Non-Human Identity Top 10 | NHI-03 | Covers weak lifecycle and secret handling for non-human identities.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Supports least-privilege and continuous authorization for dynamic agent access.

Apply NHI lifecycle controls to agent identities, especially provisioning, rotation, and offboarding.


Key terms

  • Agentic Identity: An agentic identity is the identity representation used by an AI system that can decide and act during runtime. Unlike a static workload identity, it may choose tools, alter execution paths, and create evidence requirements that depend on the task as well as the actor.
  • Delegation Chain: A delegation chain is the sequence of trust and authority passed from the original requester to the actor that performs the action. In agentic systems, the chain must show who initiated the task, what authority was granted, and how that authority changed during execution.
  • Intent Capture: Intent capture is the process of recording why an action was authorized, not just that access was granted. For agentic AI, it binds the request, policy decision, and resulting action together so investigators can determine whether the system stayed within mandate.
  • Task-Scoped Authorisation: Task-scoped authorisation limits an identity to the specific work it was assigned rather than a broad role or application-wide grant. For autonomous or semi-autonomous agents, it is the practical way to shrink blast radius when runtime behaviour can change quickly.


This post draws on content published by Strata Identity: agentic identity gaps in legacy IAM. Read the original.
