TL;DR: As organisations deploy AI agents that act on behalf of users, the core security problem shifts to authenticated identity, delegated authority, and revocation, according to WorkOS. Data governance still matters, but agentic systems fail fastest when identity controls cannot define who the agent represents, what it may do, and when that authority ends.
At a glance
What this is: This comparison argues that agentic security depends first on identity and authorization infrastructure, with data governance as a second layer.
Why it matters: IAM, NHI, and human identity programmes all need the same answer to delegated access: who is acting, under what authority, and how that authority is revoked.
By the numbers:
- With $67M in funding and reported 300% year-over-year growth, Concentric AI has established itself in data protection.
- WorkOS supports transparent pricing starting at $125/month for up to 1M Monthly Active Users.
Context
Agentic security is the problem of governing software that makes decisions, accesses systems, and acts on behalf of a user or workload. The article frames a split between identity and authorization on one side and data-centric governance on the other, which is the right place to start because agentic risk is not solved by inspection alone.
For IAM teams, the practical issue is delegated authority. If an agent can inherit a user's access, call tools, or move across systems, the security model has to define identity, session scope, auditability, and revocation with the same rigor used for privileged human access and NHI governance.
Key questions
Q: How should security teams govern AI agents that act on behalf of users?
A: Security teams should treat every agent as an identity relationship, not just a tool. Define who the agent represents, what authority it inherits, where that authority is logged, and how it is revoked. Then apply least privilege to the delegated session, not only to the underlying account.
Q: Why do data protection controls not solve agentic security on their own?
A: Data controls reduce exposure after access exists, but they do not decide whether access should exist in the first place. Agentic security begins with authentication, authorization, and delegation boundaries. Without those controls, sensitive data can still be reached through valid but over-broad identity paths.
Q: What should organisations measure to know if agent access is actually controlled?
A: Measure whether delegated access is explicit, reviewable, and revocable across all connected systems. Good signals include timely propagation of role changes, complete audit trails for agent actions, and a clear mapping between user intent and the permissions the agent received.
Q: What is the difference between agent identity controls and DSPM?
A: Agent identity controls define who may act, under what authority, and with what session scope. DSPM classifies and protects the data the agent reaches. They solve different parts of the problem, and both are needed when agents can touch sensitive systems at enterprise scale.
Technical breakdown
Enterprise authentication and authorization for AI agents
Agentic systems need identity primitives before they need content controls. Authentication answers who the agent is acting for, while authorization defines which resources, actions, and contexts are allowed. In practice, this includes federated identity, scoped delegation, session boundaries, and auditable policy enforcement. Without those primitives, the agent is effectively operating with borrowed trust that cannot be cleanly bounded or revoked. That makes the identity layer the control plane for everything that follows, including downstream data access and compliance evidence.
Practical implication: establish agent identity, delegation, and revocation before expanding data-access permissions.
Data security posture management for agent-accessed content
Data-centric controls focus on what the agent can see, classify, or exfiltrate after access is granted. DSPM tools discover sensitive data across repositories, classify it by context, and apply policy where the data resides. That matters when agents interact with unstructured content, collaboration systems, and GenAI workflows, because token-level controls alone do not describe the sensitivity of the underlying data. But DSPM is still a content control, not an identity substitute. It reduces blast radius after access exists; it does not define whether access should exist in the first place.
Practical implication: use data classification and monitoring as a second control layer, not a replacement for agent authorization.
Delegation, impersonation, and session scoping
Agentic systems often rely on service accounts, impersonation, or delegated sessions to perform tasks on behalf of users. The security challenge is to make that delegation explicit and bounded. Session scoping ties authority to a task, context, or time window, while impersonation controls determine whether the agent is acting as the user or merely under the user's sponsorship. This matters because revocation and audit trails only work when the system can distinguish direct access from delegated access. Without that distinction, access reviews become noisy and incident response becomes ambiguous.
Practical implication: separate direct user access from delegated agent access in policy, logging, and review workflows.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity is the foundation of agentic security, not a supporting layer. Agentic systems cannot be governed safely if the programme starts with data inspection and treats identity as an implementation detail. The article shows the correct hierarchy: authenticate the actor, bound the delegation, then constrain the data. That is the control sequence practitioners should preserve across human, NHI, and autonomous workflows.
Data governance without authorization governance creates a false sense of control. DSPM can tell you where sensitive content lives and how it moves, but it does not decide whether an agent should have been able to reach it. That distinction matters because many breach and exposure paths begin with over-broad access, not with weak classification. Practitioners should treat data controls as containment, not as the primary decision layer.
Delegated access without lifecycle governance is the real failure mode. The access model for agents only works if role changes, user departures, and policy updates propagate immediately through the delegation chain. That is the same governance problem IAM teams already face with human identities and service accounts, only with faster execution and more session volatility. The implication is that review cadences must be matched to the speed of delegated access, not to calendar process.
Service account identity is the named concept this article points to. Agentic systems often rely on service accounts, impersonation, and scoped sessions to bridge human intent to machine action. That creates a distinct identity boundary that must be governed as a first-class NHI, not absorbed into generic application logic. The practitioners' conclusion is straightforward: if an agent can act, it must be identifiable, reviewable, and revocable as an identity of its own.
Agentic security will converge identity and data controls, but identity will remain the policy anchor. The market direction is not either-or. Identity infrastructure decides who can act, while data governance decides what that actor may touch and how exposure is contained. Teams that treat those as separate programmes will duplicate controls and still miss the delegation gap. The practical conclusion is to align IAM, NHI, and DSPM around one access model.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate NHI study found that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, showing how quickly delegated access becomes a governance issue.
- For a deeper control perspective, see Ultimate Guide to NHIs for lifecycle, rotation, and offboarding patterns that close the delegation gap.
What this signals
Delegation debt: when agents inherit human authority without a crisp lifecycle boundary, organisations accumulate access that is technically valid but operationally unowned. That is where identity, not data, becomes the primary failure domain, and it is where IAM teams need to align recertification with machine action rather than calendar cadence.
The next phase of agentic governance will look less like application permissioning and more like identity operations. Teams that can trace delegated authority end to end will be able to contain agent activity, while teams that cannot will discover that auditability disappears exactly when they need it most.
For practitioners
- Map every agent to an explicit identity relationship. Record whether the agent acts as a user, under a service account, or through delegated impersonation. Include the revocation path for each model and make sure downstream systems log the relationship, not just the session. Use the same model for audits, incident response, and entitlement reviews.
- Scope agent sessions to the task, not the account. Limit permissions by context, trigger, or time window so an agent cannot reuse a broad entitlement after the original purpose ends. Tie session controls to the specific workflow and verify that permission changes propagate before the next action executes.
- Separate content controls from identity controls. Use DSPM and data classification to reduce exposure, but do not treat them as substitutes for authentication and authorization. Build policy so an agent must first prove who it is acting for, then receive the minimum access required to complete the task.
- Review delegated access as an identity lifecycle problem. Fold agent permissions into joiner-mover-leaver, recertification, and offboarding processes. When a user changes role or leaves, remove or narrow the agent's authority at the same moment, and verify the change across every connected system.
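The session-scoping model from the technical breakdown and the four practices above can be expressed as a per-action authorization check. The following is an added illustration, not code from WorkOS or NHI Mgmt Group; the `Grant` and `Authorizer` names, the role table, and all field names are hypothetical.

```python
import time
from dataclasses import dataclass, field

# Constructed sample data: role -> actions the human principal may perform.
ROLE_ACTIONS = {"finance": {"invoice:read", "invoice:pay"}, "support": {"ticket:read"}}

@dataclass
class Grant:
    grant_id: str
    user: str            # who the agent represents
    agent: str           # the agent's own identity (an NHI)
    mode: str            # "impersonation" (acts as user) or "sponsored" (acts under user)
    scope: frozenset     # actions allowed for this task only
    task: str
    expires_at: float    # end of the session's time window
    revoked: bool = False

@dataclass
class Authorizer:
    user_roles: dict                      # live directory view: user -> set of roles
    audit: list = field(default_factory=list)

    def check(self, grant, action, now=None):
        now = time.time() if now is None else now
        roles = self.user_roles.get(grant.user, set())
        user_can = any(action in ROLE_ACTIONS.get(r, set()) for r in roles)
        if grant.revoked:
            reason = "revoked"
        elif now >= grant.expires_at:
            reason = "expired"
        elif action not in grant.scope:
            reason = "out_of_scope"
        elif not user_can:                # role change or departure propagates here
            reason = "user_lost_authority"
        else:
            reason = "ok"
        # Log the relationship, not just the session, and mark it as delegated.
        self.audit.append({"grant": grant.grant_id, "actor": grant.agent,
                           "on_behalf_of": grant.user, "mode": grant.mode,
                           "task": grant.task, "action": action,
                           "access": "delegated", "decision": reason})
        return reason == "ok"

    def revoke_for_user(self, grants, user):
        """Mover/leaver hook: revoke every grant the user sponsored."""
        hit = [g for g in grants if g.user == user and not g.revoked]
        for g in hit:
            g.revoked = True
        return [g.grant_id for g in hit]
```

Because the user's roles are re-read on every call, a role change denies the agent's next action even while the grant itself is still unexpired and in scope.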
Key takeaways
- Agentic security fails when organisations start with data controls and leave identity, delegation, and revocation underspecified.
- The evidence in the source article points to a split architecture, but the security boundary still begins with who the agent acts for and what it may do.
- IAM and NHI teams should treat agent sessions as governed identities, not as temporary application logic that can be left to downstream tools.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agentic systems need explicit identity and tool-use boundaries. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Agent identities need lifecycle and access governance. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access authorization are central to delegated agent access. |
Track agent credentials through joiner-mover-leaver and recertification workflows.
Key terms
- Agent Identity: An agent identity is the security representation used to govern software that acts on behalf of a person, team, or workload. It links the agent's actions to a known authority chain, so access can be audited, scoped, and revoked like any other identity in the enterprise.
- Delegated Access: Delegated access is permission granted to one identity to perform actions under the authority of another identity. In agentic systems, it must be explicit, time-bounded, and traceable, because the security model depends on knowing whose privileges are being used and when they stop applying.
- Data Security Posture Management: Data Security Posture Management is the practice of discovering, classifying, and protecting sensitive data across systems and repositories. It focuses on the data itself, which makes it useful for containment, but it does not replace identity governance, authorization, or delegation controls.
- Session Scoping: Session scoping limits what an identity can do within a specific session, context, or task. For agentic systems, it is the difference between bounded execution and reusable authority, and it should be tied to the exact workflow that triggered the action.
Deepen your knowledge
Agentic identity, delegation, and session scoping are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for AI agents that act on behalf of users, it is worth exploring.
This post draws on content published by WorkOS: Concentric AI vs WorkOS, comparing data governance with identity for agentic security. Read the original.
Published by the NHIMG editorial team on 2025-11-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org