By NHI Mgmt Group Editorial Team
Published 2026-06-10
Domain: Agentic AI & NHIs
Source: Scramble ID

TL;DR: Agentic identity spans three distinct layers: discovery and posture; directory and lifecycle governance; and per-action proof. No single product covers all three, according to Scramble ID. The governance assumption that one control plane can both authorise and evidence autonomous actions is already breaking down as agent estates grow.


At a glance

What this is: An architecture analysis of agentic identity that finds the market converging on three layers: discovery, governance, and cryptographic proof.

Why it matters: IAM, IGA, PAM, and NHI teams will need to decide which layer owns registration, lifecycle, and non-repudiation as agent estates expand.



Context

Agentic identity is the governance problem created when software agents need to be registered, scoped, monitored, and held accountable like identities rather than treated as ordinary automation. In practice, the article argues that this is not a single product category but a stack, because discovery, lifecycle governance, and proof of action answer different questions for the same agentic identity programme.

That distinction matters for identity security teams because the controls that govern non-human identities do not automatically prove what an agent actually did, and proof layers do not replace lifecycle ownership. The article's primary message is that IAM, NHI, and agentic AI teams will need to align around a layered model instead of forcing one platform to do three jobs at once.


Key questions

Q: How should security teams govern agentic identity without relying on one platform?

A: Use a layered model. Discovery finds agents and related NHIs, directory governance controls ownership and lifecycle, and per-action proof preserves evidence for high-impact actions. That separation prevents one tool from being overloaded with inventory, authorisation, and non-repudiation requirements at the same time.

Q: Why do agentic systems need proof of action as well as access control?

A: Access control can say an agent was allowed to act, but it cannot on its own prove what the agent actually did under that authority. Proof of action matters when the workflow creates financial, legal, or audit exposure, because logs alone are too easy to dispute or misattribute.

Q: What breaks when discovery, lifecycle, and audit are forced into one control plane?

A: The programme usually ends up with gaps in one of three places: incomplete inventory, weak ownership and deprovisioning, or evidence that does not stand up to scrutiny. Separating those duties gives each layer a clear job and makes accountabilities easier to enforce.

Q: How do IAM and NHI teams decide which agent actions need stronger controls?

A: Start with impact. Actions that move money, approve transactions, alter records, or trigger external obligations should receive lifecycle controls plus cryptographic evidence. Low-risk actions can stay in normal monitoring, but the classification must be explicit before agents are allowed to scale.


Technical breakdown

Agent directories and lifecycle governance for AI agents

This layer treats agents as first-class identities inside a directory so they can be assigned owners, scopes, expiry, and conditional access. The mechanism is lifecycle control, not runtime proof: registration, onboarding, deprovisioning, and audit logging define whether an agent may operate at all. In enterprise terms, this is the same governance family as IGA and PAM, but applied to non-human actors that may use OAuth, MCP, or workload federation. The architectural point is that lifecycle state answers who the agent is and what it may do, but not whether each individual action is attributable with evidence.

Practical implication: place ownership, expiry, and deprovisioning controls in the directory layer before you rely on downstream detection or audit.

Discovery, posture, and detection for non-human identities

Discovery tools answer the inventory problem by finding sanctioned and shadow agents, MCP servers, and other NHIs across cloud and SaaS environments. Posture and detection then evaluate privilege excess, risky configuration, and anomalous behaviour so teams can see whether the estate is sane. This is a classic NHI control plane problem: visibility first, posture second, response third. The key technical limit is that discovery can tell you what exists and how exposed it is, but it cannot establish non-repudiation for a specific action or replace governance ownership for the identity behind it.

Practical implication: use discovery to reduce unknown agents and posture drift, then hand governed identities to lifecycle controls.

Per-action proof and non-repudiation in agentic workflows

Per-action proof adds cryptographic evidence to each agent action so the record can stand independently of logs, platforms, or operator claims. The model described here uses a signature on every request, customer-held or device-bound keys, and a hash-chain ledger to preserve integrity and attribution. That is different from ordinary logging because logs are descriptive while signatures are evidentiary. For regulated or high-impact actions such as payments, filings, approvals, or deletions, the architecture closes the accountability gap that appears when agents can act faster than human review cycles.

Practical implication: require cryptographic action evidence for high-impact agent workflows instead of relying on platform logs alone.
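As an added illustration (not Scramble ID's code or any vendor's implementation), the following Python sketch shows the per-action proof mechanics described above: each action record carries the agent's stated authority, is authenticated with a per-agent key, and is hash-chained to the previous entry so that editing, reordering or deleting an entry is detectable at verification time. It uses HMAC-SHA256 as a stand-in for the asymmetric (customer-held or device-bound) signature a production system would use, since non-repudiation needs a key the verifier does not hold; the agent id, grant id and invoice values are constructed for the demo.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-hash carried by the first ledger entry

def canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def append_action(ledger, agent_id, agent_key, action, authority):
    """Record one agent action under its stated authority, chained to the previous entry."""
    prev = ledger[-1]["entry_hash"] if ledger else GENESIS
    body = {"seq": len(ledger), "agent": agent_id, "authority": authority,
            "action": action, "prev": prev}
    # HMAC is a stand-in here for an asymmetric signature with a customer-held/device-bound key.
    sig = hmac.new(agent_key, canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, sig=sig)
    entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    ledger.append(entry)
    return entry

def verify_ledger(ledger, keys):
    """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        key = keys.get(entry.get("agent"))
        if key is None or entry.get("seq") != i or entry.get("prev") != prev:
            return False, i  # unknown agent, reordered entry, or a deleted predecessor
        body = {k: v for k, v in entry.items() if k not in ("sig", "entry_hash")}
        want = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, entry["sig"]):
            return False, i  # content edited after the fact, or authenticated with the wrong key
        signed = {k: v for k, v in entry.items() if k != "entry_hash"}
        if hashlib.sha256(canonical(signed)).hexdigest() != entry["entry_hash"]:
            return False, i  # entry hash (and therefore the chain link) does not match
        prev = entry["entry_hash"]
    return True, None

def build_sample_ledger():
    """Constructed sample: two high-impact actions by one payments agent (not real data)."""
    keys = {"agent-payments-01": b"constructed-demo-key-do-not-reuse"}
    ledger = []
    append_action(ledger, "agent-payments-01", keys["agent-payments-01"],
                  {"type": "approve_invoice", "invoice": "INV-1001", "amount": 4200},
                  {"scope": "payments:approve", "grant": "grant-demo-7"})
    append_action(ledger, "agent-payments-01", keys["agent-payments-01"],
                  {"type": "release_payment", "invoice": "INV-1001", "amount": 4200},
                  {"scope": "payments:release", "grant": "grant-demo-7"})
    return ledger, keys
```

Run `verify_ledger` on the sample and it returns `(True, None)`; change the amount of the second entry, drop the first entry, or verify with a different key and it returns `(False, seq)` pointing at the first entry whose evidence no longer holds.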



NHI Mgmt Group analysis

Agentic identity is not a single control problem. The market is splitting into discovery, governance, and proof because those layers solve different identity questions. Discovery tells you what exists, lifecycle governance tells you what is allowed to act, and per-action proof tells you what actually happened. That separation will shape how procurement, architecture, and audit teams divide responsibility, so practitioners should stop shopping for a one-layer answer.

Per-action proof is becoming the missing control plane for consequential agent behaviour. Traditional identity tools can scope an agent, but they cannot by themselves prove that a specific agent executed a specific action under a specific authority. That creates a non-repudiation gap whenever the action has legal, financial, or regulatory impact. The implication is that evidence must be designed into agent workflows, not reconstructed after the fact.

Identity and privilege abuse in agentic systems is now a governance architecture issue, not a point-product issue. The article maps the OWASP agentic identity findings to separate layers because rogue agents and privilege misuse span inventory, lifecycle, and evidence. That means IAM, NHI, and platform teams need a shared operating model instead of isolated tool ownership. Practitioners should expect architecture reviews to focus on layer boundaries, not feature checklists.

Ephemeral credential trust debt: The assumption that an identity stack can grant access, observe behaviour, and prove action with one lifecycle record was designed for slower, human-paced systems. That assumption fails when agents can create, use, and discard authority across short runtime windows while consequential actions continue. The implication is that governance design has to separate authorisation from evidentiary proof.

The stack model will accelerate standardisation pressure. As more applications ship task-specific agents, buyers will ask which layer is mandatory, which is optional, and where standards should sit. That pressure will push vendors toward clearer boundaries around directory, posture, and proof rather than all-in-one claims. Practitioners should expect category clarity to improve, but integration planning will become more important.

From our research:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For the lifecycle angle behind this stack model, see the NHI Lifecycle Management Guide.

What this signals

Agentic identity will push governance teams toward explicit layer ownership. As task-specific agents become more common, the biggest programme risk is not tool sprawl alone but unclear responsibility for discovery, lifecycle approval, and proof. The organisations that separate those duties early will be able to scale faster because they will know which team owns the control surface at each stage.

The operational signal for IAM and NHI teams is that inventory quality will stop being enough on its own. Discovery without lifecycle enforcement still leaves shadow authority in place, and lifecycle without per-action evidence still leaves audit disputes unresolved, so the architecture must mature in all three directions at once.


For practitioners

  • Map agentic controls to three ownership layers: Assign discovery, lifecycle governance, and per-action proof to separate operational owners so no team assumes a control it cannot actually deliver. Use this split to decide what belongs in IAM, what belongs in NHI security, and what must be evidenced for audit.
  • Inventory shadow agents and MCP servers first: Build a complete inventory of sanctioned and unsanctioned agents, connected tools, and related non-human identities before expanding governance. Without inventory, lifecycle registration and proof controls will miss the systems that create the most risk.
  • Separate lifecycle approval from action evidence: Treat owner approval, scope assignment, and deprovisioning as directory functions, then require cryptographic evidence for high-impact actions such as payments, approvals, or deletions. A clean lifecycle record does not prove what an agent did.
  • Define which actions require non-repudiation: Classify agent workflows by business impact and require per-action proof only where the outcome could create audit, legal, or financial exposure. This keeps the proof layer focused on consequential actions rather than low-value telemetry.

Key takeaways

  • Agentic identity governance is converging on a three-layer architecture because inventory, lifecycle control, and action proof solve different problems.
  • The biggest control gap is non-repudiation, since access approval does not by itself prove what an agent actually did.
  • Practitioners should assign clear owners to discovery, directory governance, and cryptographic evidence before agent estates scale further.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | (not specified) | Covers identity and privilege abuse plus rogue agents in agentic workflows.
OWASP Non-Human Identity Top 10 | NHI-03 | Covers NHI lifecycle and credential governance for agent identities.
NIST CSF 2.0 | PR.AA-01 | Identity management and authentication are central to governed agent identities.

Separate agent lifecycle control from runtime evidence and enforce ownership on registration.


Key terms

  • Agent Directory: An agent directory is the identity system where software agents are registered, owned, scoped, and removed. It gives each agent a governed identity record, lifecycle state, and policy context so security teams can manage access before the agent performs work.
  • Per-Action Proof: Per-action proof is cryptographic evidence attached to an individual agent action so the event can be verified independently. It goes beyond logging by preserving non-repudiation, which matters when the action has audit, legal, or financial consequences.
  • Shadow Agent: A shadow agent is an AI or software agent operating without a clear owner, approved registration, or formal governance record. It creates identity risk because the organisation may not know what it can access, which tools it can call, or who is accountable for its behaviour.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.

This post draws on content published by Scramble ID: The Agentic Identity Stack: Where Okta, Microsoft Entra, Astrix, Oasis, and ScrambleID Fit Together. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org