By NHI Mgmt Group Editorial Team | Published 2025-07-11 | Domain: Agentic AI & NHIs | Source: Strata Identity

TL;DR: AI agents are multiplying faster than traditional IAM can track, and Strata Identity argues that human-centric identity models, long-lived accounts, and linear approval workflows leave blind spots in discovery, scope, and runtime control. The deeper issue is assumption collapse: access review, lifecycle governance, and static privilege design do not survive autonomous, machine-speed execution.


At a glance

What this is: Strata Identity’s analysis of the Agentic Identity Maturity Model, arguing that AI agent growth breaks human-era IAM assumptions around discovery, lifecycle, and privilege control.

Why it matters: IAM, NHI, and PAM teams need to govern agent identities as first-class subjects before agent sprawl, stale credentials, and over-scoped access become the default operating model.

By the numbers:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.



Context

AI agent identity is the governance problem that appears when software begins acting with its own runtime discretion across tools, data, and workflows. Traditional IAM was built for people, service accounts, and predictable approval chains, so it struggles when agents appear in large numbers, operate ephemerally, and change scope faster than review cycles can keep up.

The core issue is not simply scale. It is that the identity programme now has to account for discovery, registration, lifecycle state, runtime observability, and policy enforcement across agent populations that may be hidden inside orchestration platforms, MCP-connected services, or short-lived task graphs.


Key questions

Q: How should security teams govern AI agents that act on behalf of users?

A: Security teams should govern AI agents as first-class identities with ownership, scope, lifecycle state, and runtime evidence. The priority is not only provisioning but continuous discovery, policy-based authorization, and traceable actions. Without those controls, an agent can accumulate access faster than review or incident response can follow.

Q: Why do AI agents complicate traditional IAM and IGA models?

A: AI agents complicate IAM and IGA because those programmes assume predictable logins, stable entitlements, and review cycles that fit human-paced work. Agents can be spawned ephemerally, use delegated access immediately, and disappear before a certification cycle. That breaks the link between entitlement, observation, and accountability.

Q: What breaks when AI agents rely on static credentials and broad scopes?

A: Static credentials and broad scopes create silent privilege sprawl. They let agents reach systems and data beyond the task boundary, and the access can remain valid even after the workflow that needed it has ended. That combination increases audit gaps, lateral movement risk, and the chance of unintended data exposure.

Q: How do organisations keep AI agent governance aligned with Zero Trust?

A: Organisations keep agent governance aligned with Zero Trust by making authorization continuous, contextual, and policy-driven. Each action should be evaluated against current scope, provenance, and risk rather than inherited from an earlier trust decision. That approach works only when telemetry and policy are unified across tools and runtimes.


Technical breakdown

Why agent identity discovery fails in fragmented orchestration stacks

Agent discovery is not the same as application discovery because the identity subject can be spawned, delegated, and retired inside a single workflow. In these environments, an orchestrator may create platform-resident agents, inbound third-party agents, and ephemeral task agents that all need distinct identity records. If telemetry stays local to each platform, security teams lose the registry needed for entitlement reviews, audit trails, and incident reconstruction. The technical problem is fragmentation across clouds, runtimes, and tool frameworks, which makes central governance impossible unless identity data is normalised first.

Practical implication: inventory agent populations from orchestrators, MCP endpoints, and runtime logs before you try to enforce policy.
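
An added example, not code from Strata Identity or the original post: it merges three platform-local views (orchestrator inventory, MCP endpoint declarations, runtime log lines) into one record per agent and flags the records that would block a review. The input layouts, field names, and the treatment of a declared scope as a tool name are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample data; every field name and log layout here is hypothetical.
ORCHESTRATOR = [{"agent_id": "agt-001", "owner": "payments-team"},
                {"agent_id": "agt-002", "owner": None}]
MCP_ENDPOINTS = [{"client": "agt-001", "scopes": ["crm.read"]},
                 {"client": "agt-003", "scopes": ["files.read", "files.write"]}]
RUNTIME_LOG = ["2025-07-11T09:00:01Z agent=agt-001 tool=crm.read",
               "2025-07-11T09:00:02Z agent=agt-001 tool=crm.export",
               "2025-07-11T09:00:03Z agent=agt-004 tool=files.write"]

@dataclass
class AgentRecord:
    agent_id: str
    owner: Optional[str] = None
    scopes: set = field(default_factory=set)   # declared at MCP endpoints
    tools: set = field(default_factory=set)    # observed in runtime logs
    sources: set = field(default_factory=set)  # which views saw this agent

def build_registry(orchestrator, mcp, log_lines):
    """Normalise three platform-local views into one record per agent id."""
    reg = {}
    def rec(agent_id, source):
        r = reg.setdefault(agent_id, AgentRecord(agent_id))
        r.sources.add(source)
        return r
    for o in orchestrator:
        rec(o["agent_id"], "orchestrator").owner = o["owner"]
    for m in mcp:
        rec(m["client"], "mcp").scopes.update(m["scopes"])
    for line in log_lines:
        kv = dict(p.split("=", 1) for p in line.split()[1:])
        rec(kv["agent"], "runtime").tools.add(kv["tool"])
    return reg

def findings(reg):
    """Return {agent_id: [issue, ...]} for agents with governance gaps."""
    out = {}
    for agent_id, r in sorted(reg.items()):
        issues = []
        if "orchestrator" not in r.sources:
            issues.append("unregistered")
        elif not r.owner:
            issues.append("no-owner")
        if r.tools - r.scopes:
            issues.append("tool-outside-declared-scope")
        if issues:
            out[agent_id] = issues
    return out
```

Only the merged view shows that agt-004 acted at runtime without any registration, and that agt-001 used a tool it never declared; neither is visible from a single source.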

How runtime observability changes agent governance

Runtime observability is the difference between knowing an agent exists and knowing what it actually did. For agentic systems, logs must capture delegated task context, API calls, tool use, and the execution path that produced the action. Without that layer, privilege reviews become theoretical because the security team cannot tie access to behaviour. This is where agent identity departs from conventional workload identity: the relevant control is not just issuance, but continuous behavioural evidence that supports risk scoring, auditability, and policy decisions in flight.

Practical implication: require observability data that links each agent action to owner, provenance, scope, and runtime context.

Why static credentials and long-lived scopes do not fit agentic AI

Static keys and broad OAuth scopes assume the identity will remain stable long enough for human-controlled governance to catch up. Agentic systems break that assumption because access can be created for a task, used immediately, and then become stale before a review cycle starts. That is why just-in-time issuance, short TTLs, and policy-as-code controls matter, but only when paired with real-time risk scoring. The architecture must treat access as an event-driven state, not a durable entitlement.

Practical implication: replace standing agent privilege with ephemeral access and automated policy enforcement tied to task context.
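
An added example, not code from Strata Identity or the original post, covering this section and the runtime observability section above: each action is evaluated at call time against a short-lived, task-scoped grant, and every decision is written as an evidence record carrying owner, provenance, task, and reason. The grant schema, reason strings, and the deny counter that stands in for real risk scoring are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """Task-scoped access issued just in time (hypothetical schema)."""
    agent_id: str
    owner: str
    provenance: str       # orchestrator or integration that spawned the agent
    task_id: str
    scopes: frozenset
    issued_at: float
    ttl_s: float

class PolicyGate:
    """Evaluates every action at call time and keeps the evidence trail."""
    def __init__(self, deny_threshold=2):
        self.deny_threshold = deny_threshold
        self.denies, self.contained, self.evidence = {}, set(), []

    def authorize(self, g, action, task_id, now):
        checks = [(g.agent_id in self.contained, "agent-contained"),
                  (now >= g.issued_at + g.ttl_s, "grant-expired"),
                  (task_id != g.task_id, "outside-task-context"),
                  (action not in g.scopes, "scope-not-delegated")]
        reason = next((r for failed, r in checks if failed), "in-scope")
        allowed = reason == "in-scope"
        if not allowed:  # crude deny counter standing in for a real risk score
            self.denies[g.agent_id] = self.denies.get(g.agent_id, 0) + 1
            if self.denies[g.agent_id] >= self.deny_threshold:
                self.contained.add(g.agent_id)
        self.evidence.append({"ts": now, "agent": g.agent_id, "owner": g.owner,
                              "provenance": g.provenance, "task": task_id,
                              "action": action, "allowed": allowed, "reason": reason})
        return allowed

def run_demo():
    """Constructed scenario: two 60-second grants issued at t=1000."""
    gate = PolicyGate()
    a = Grant("agt-7f3", "finance-ops", "orchestrator:billing", "task-881",
              frozenset({"invoices.read", "ledger.write"}), 1000.0, 60.0)
    b = Grant("agt-9c1", "support", "mcp:helpdesk", "task-882",
              frozenset({"tickets.read"}), 1000.0, 60.0)
    gate.authorize(a, "invoices.read", "task-881", 1005.0)     # in scope
    gate.authorize(a, "customers.export", "task-881", 1010.0)  # never delegated
    gate.authorize(a, "ledger.write", "task-902", 1020.0)      # wrong task
    gate.authorize(a, "invoices.read", "task-881", 1030.0)     # contained by now
    gate.authorize(b, "tickets.read", "task-882", 1061.0)      # TTL elapsed
    return gate
```

The fourth call is denied even though the action is in scope and inside the TTL, because two earlier denials already contained the agent; the fifth shows a valid scope failing purely on expiry.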


Threat narrative

Attacker objective: The objective is to turn trusted agent access into silent overreach, so the actor can reach systems, data, or actions beyond the intended task boundary.

  1. Entry occurs when an agent is registered, spawned, or delegated access through an orchestrator, MCP service, or inbound integration with more privilege than the task requires.
  2. Escalation happens when the agent uses broad OAuth scopes, static credentials, or fragmented local policy to reach systems and data outside its intended scope.
  3. Impact follows when unobserved agent actions trigger data leakage, unauthorized system changes, compliance failures, or operational instability across clouds and workflows.



NHI Mgmt Group analysis

Agent identity is becoming a governance class, not just a technical integration problem. Once software can act on behalf of users, the old distinction between application, workload, and identity management becomes too narrow to be useful. Discovery, registration, ownership, and runtime evidence now have to sit in the same control plane, or the organisation loses the ability to answer basic questions about who or what is acting. The practical conclusion is that agent identities must be governed as first-class subjects.

Identity review cadences were designed for access that persists long enough to be observed. That assumption fails when agents acquire, use, and discard privileges within a task window that may be shorter than a human approval cycle. The implication is not merely that current reviews are slow, but that the review model itself no longer matches the behaviour of the subject being governed. Security teams must rethink whether certification can even detect the relevant state change.

Agentic identity maturity depends on closing a control gap we call the runtime governance gap. That gap appears when organisations can enumerate agents but cannot connect identity state to what happened at execution time. The result is a programme that looks complete on paper while remaining blind to over-scoped actions, stale access, and policy bypass in practice. Practitioners should treat runtime governance as the missing layer between discovery and enforcement.

Zero Trust for agents only works when authorization is contextual and continuous. The article points toward policy-based orchestration, but the deeper lesson is that agent trust cannot be granted once and assumed stable. Each action needs a current trust decision tied to scope, provenance, and execution context. The conclusion for IAM and PAM teams is that agent governance must behave like adaptive access control, not static provisioning.

The hybrid identity model now includes human, machine, and agentic subjects in one control problem. That is why silos between IAM, IGA, PAM, and NHI teams become operationally expensive as agents proliferate. The same governance discipline must stretch across all three identity types, but the control evidence differs for each. The practitioner takeaway is to unify policy and visibility without flattening the distinct behaviour of each actor type.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
  • 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • Read OWASP Agentic AI Top 10 for the control patterns that connect agent scope, tool misuse, and identity governance.

What this signals

Runtime governance gap: the next phase of AI agent security is not about proving that agents exist, but proving that their actions stayed inside the intended policy boundary. When access can be created, used, and retired in rapid succession, governance programmes need evidence that is current at the moment of execution, not only during periodic review. For a practical control lens, see OWASP Agentic AI Top 10.

The programme signal is clear: identity teams need a shared operating model across IAM, IGA, PAM, and NHI rather than separate responses to the same agent population. If visibility, policy, and telemetry stay split, every review cycle will lag the behaviour it is meant to govern. The governance burden moves from point controls to continuous orchestration.

With 98% of companies planning to deploy even more AI agents within 12 months, per the AI Agents: The New Attack Surface report, the control challenge is not whether agent sprawl will happen but whether it will be centrally governable. That makes discovery and runtime evidence an identity operations priority, not a later-stage maturity item.


For practitioners

  • Build an agent identity registry: Create a central inventory for agents that records owner, provenance, lifecycle state, TTL, and delegated scope across orchestrators, MCP services, and inbound integrations. Treat this registry as the control source for reviews and incident response, not as a passive asset list.
  • Replace standing agent access with task-scoped issuance: Use short-lived credentials and just-in-time provisioning for agent tasks that can be bounded in time and purpose. Tie issuance to policy decisions so the access record expires before it becomes a stale entitlement.
  • Normalize runtime telemetry into governance evidence: Ingest logs from agent runtimes, orchestrators, and tool endpoints so each action can be traced back to identity state, scope, and policy decision. Without that linkage, audit and certification remain disconnected from actual behaviour.
  • Score agents continuously by behaviour and scope: Assign dynamic risk scores based on privilege level, abnormal actions, policy violations, and execution patterns. Use those scores to trigger step-up controls, containment, or deactivation before the agent completes additional high-risk actions.
  • Unify IAM, IGA, PAM, and NHI policy enforcement: Align policy-as-code rules across human and non-human subjects so the same access intent cannot be enforced differently in separate stacks. Central policy consistency matters most when agents move quickly across clouds and tools.

Key takeaways

  • AI agents expose a structural mismatch between human-paced identity governance and machine-speed execution.
  • The operational evidence is already clear because agents are acting beyond intended scope and leaving many teams unable to audit that behaviour.
  • The practical response is to unify discovery, runtime telemetry, and policy enforcement so agent access is governed as a living identity state.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Agent scope, tool use, and runtime behavior map directly to agentic application risks.
NIST AI RMF |  | AI governance and lifecycle accountability are central to agent identity maturity.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous authorization is required when agents operate across clouds and tools.

Use AI RMF GOVERN and MAP functions to assign ownership, monitoring, and escalation for agent behavior.


Key terms

  • Agent Fabric: A registry and governance layer for AI agents that ties discovery, metadata, runtime observability, and policy enforcement together. It treats agents as identities that must be inventoried, owned, and monitored across their full operational lifecycle rather than as hidden workflow components.
  • Runtime Observability: The capture of execution-time evidence showing what an agent did, which tools it used, and what context drove the action. For agent governance, this is the bridge between identity state and behavioural accountability, because access alone does not explain impact.
  • Agentic Identity Maturity: A maturity model for how well an organisation can discover, govern, and control AI agents as they move from isolated tasks to broad operational influence. It measures whether identity controls can keep pace with agent behaviour, scope, and runtime discretion.
  • Runtime Governance Gap: The gap between knowing an agent exists and being able to prove that its actions stayed within policy at the moment they occurred. It appears when discovery, telemetry, and enforcement remain disconnected, leaving governance blind to actual agent behaviour.


This post draws on content published by Strata Identity: Agentic Identity Maturity Model and the case for an Agent Fabric.
