By NHI Mgmt Group Editorial Team | Published 2025-06-09 | Domain: Agentic AI & NHIs | Source: Strata Identity

TL;DR: AI agents now make decisions, execute tasks, and adapt in runtime, which means identity controls must track delegation, auditability, and scope as first-class requirements, according to Strata Identity. The old assumption that access can be reviewed after the fact breaks when agents act and re-act within a session, leaving accountability gaps that human-centric IAM cannot close.


At a glance

What this is: Strata Identity argues that AI agents need a distinct identity model because autonomous execution, delegation, and auditability cannot be handled by traditional human or machine credentials alone.

Why it matters: This matters because IAM teams must govern agent actions, delegated sessions, and traceable accountability across NHI, autonomous, and human identity programmes without relying on human-only review patterns.



Context

AI agent identity is the problem of assigning and governing a verifiable identity to software that can make runtime decisions, invoke tools, and act on delegated authority. The gap is not just technical. Existing IAM models assume a stable human user or a long-lived machine account, while agents can act, adapt, and chain actions within the same operational window.

That assumption breaks delegation, logging, and accountability at the point of execution. For IAM and IGA teams, the question is no longer whether an agent can authenticate, but whether the organisation can prove who or what initiated each action, under what scope, and with what downstream effect.


Key questions

Q: How should security teams govern AI agents that act on behalf of users?

A: Security teams should govern AI agents as delegated identities, not as ordinary service accounts. That means binding each agent to an owner, limiting scope to the task, preserving on-behalf-of traceability, and logging every downstream action. If the organisation cannot reconstruct who initiated the action and what authority was used, the delegation model is too loose.

Q: Why do AI agents create accountability problems for IAM programmes?

A: AI agents create accountability problems because they can make runtime decisions, chain actions, and adapt scope without a human pause point. Traditional IAM assumes a stable user session or a persistent machine account. When the actor is an agent, the organisation needs identity records that show intent, delegation, and execution in one traceable chain.

Q: What breaks when organisations treat AI agents like normal service accounts?

A: What breaks is the governance model. Normal service accounts do not need to explain intent, but agents do because they can select actions and tools at runtime. If teams only manage credentials, they miss delegation context, policy scope, and auditability, which leaves them unable to prove who authorised the action or why it happened.

Q: Who is accountable when an AI agent causes an unauthorised action?

A: Accountability should flow from the delegated human or system owner through the agent to the action record. The organisation must be able to identify the originator, the policy that allowed the action, and the scope in force at the time. If that chain is missing, the issue is not just security. It is governance failure.


Technical breakdown

Agentic identity versus traditional NHI credentials

Traditional non-human identities are usually long-lived, scoped around infrastructure, and managed as static credentials or service accounts. Agentic identity is different because the subject can initiate actions, request tools, and change execution path in runtime. That requires identity to carry intent, origin, and delegation context, not just a token or certificate. In practice, the identity layer must support ephemeral issuance, task-bound scopes, and traceable handoffs across systems. The design problem is not authentication alone. It is preserving a verifiable chain from initial trust to each downstream action, especially when the actor can keep moving without a human pause point.

Practical implication: model agents as active identities with delegation metadata, not as ordinary service accounts.

The Six A's for agentic systems

Strata frames agent governance through six identity functions: authentication, access control, authorization, auditing, administration, and availability. The useful insight is that each function behaves differently when the actor is an agent. Authentication must cover ephemeral identity proof, authorization must reflect task-scoped delegation, and auditing must capture every tool call and policy decision in a machine-readable chain. Administration also changes because agents may need JIT registration, rotation, and expiry. Availability matters because an identity service failure can interrupt autonomous workflows and create unsafe fallback behaviour.

Practical implication: map every agent workflow to these six functions and identify which one currently has no enforceable control.

Delegation chains and on-behalf-of identity

Shared sessions and OAuth on-behalf-of flows become critical when humans and agents operate together. The technical requirement is not just token exchange. It is making sure the system can distinguish direct action from delegated action and preserve that distinction across logs, APIs, and incident review. If an agent purchases, refunds, or modifies infrastructure on behalf of a user, the identity chain has to remain intact from originator to execution. Without that, the organisation can observe activity but cannot reconstruct intent or accountability.

Practical implication: require end-to-end delegation traceability wherever agents act under human authority.
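The direct-versus-delegated distinction described above can be carried by the `act` (actor) claim from OAuth 2.0 Token Exchange (RFC 8693). The following is an added example, not code from Strata Identity or NHI Mgmt Group; the claim values, the `TASK_SCOPES` catalogue and the function names are constructed for illustration, and token signature verification is assumed to have happened upstream.

```python
import time

# Constructed claims shaped like decoded RFC 8693 tokens (signature already verified).
DELEGATED = {
    "sub": "user:alice@example.com",
    "scope": "refund:create orders:read",
    "exp": 2000000000,
    "act": {"sub": "agent:tool-runner-7", "act": {"sub": "agent:support-bot"}},
}
DIRECT = {"sub": "svc:billing-cron", "scope": "orders:read", "exp": 2000000000}
# Hypothetical task catalogue: the only scopes each task may carry.
TASK_SCOPES = {"process-refund": {"refund:create", "orders:read"}}

def delegation_chain(claims):
    """Return [originator, ..., current actor]; one entry means direct action."""
    subjects, node = [], claims
    while node is not None:
        if not isinstance(node, dict) or not node.get("sub"):
            raise ValueError("malformed sub/act claim: chain cannot be reconstructed")
        subjects.append(node["sub"])
        node = node.get("act")
    # RFC 8693: top-level sub is the originator, the outermost act is the
    # current actor, and deeper act claims are earlier actors.
    return subjects[:1] + subjects[:0:-1]

def authorize(claims, task, action, now=None):
    """Decide one action and return a machine-readable audit record."""
    now = time.time() if now is None else now
    granted = set(claims.get("scope", "").split())
    reasons = []
    try:
        chain = delegation_chain(claims)
        mode = "delegated" if len(chain) > 1 else "direct"
    except ValueError as exc:
        chain, mode, reasons = [claims.get("sub")], "unknown", [str(exc)]
    if claims.get("exp", 0) <= now:
        reasons.append("token expired")
    excess = granted - TASK_SCOPES.get(task, set())
    if excess:  # task-bound scope: anything beyond the task is overreach
        reasons.append("scope exceeds task: " + ",".join(sorted(excess)))
    if action not in granted:
        reasons.append("action not in granted scope")
    return {
        "time": int(now), "task": task, "action": action, "mode": mode,
        "originator": chain[0], "executed_by": chain[-1], "chain": chain,
        "decision": "deny" if reasons else "allow", "reasons": reasons,
    }

if __name__ == "__main__":
    print(authorize(DELEGATED, "process-refund", "refund:create", now=1750000000))
```

Every record names the originator, the executing actor and the full chain, so a denied or allowed action can be traced without re-assembling logs by hand.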


Threat narrative

Attacker objective: The objective is to use delegated agent identity to perform actions that appear authorised while obscuring who initiated them and how far the authority extended.

  1. Entry occurs when an attacker or rogue workflow gains access to an AI agent through shared human tokens, overbroad delegated credentials, or weakly governed agent registration.
  2. Escalation follows when the agent inherits broader scopes than the task requires and uses those privileges to call additional tools, APIs, or workflows without a human checkpoint.
  3. Impact is reached when actions such as refunds, trades, infrastructure changes, or data access execute with poor traceability, leaving accountability gaps and audit failure.



NHI Mgmt Group analysis

AI agent identity is becoming a governance layer, not a feature layer. Once software can decide, act, and adapt in runtime, identity has to describe the actor, the scope, and the delegation chain, not just prove login state. That shifts the control problem from access possession to action accountability. Practitioners should treat agent identity as a core IAM design domain, not an add-on to existing machine identity tooling.

Access review assumptions collapse when the actor is autonomous. Access review was designed for conditions where privilege persists long enough to be observed, certified, and removed. That assumption fails when an agent acquires, uses, and discards access inside a single operational cycle because the review artefact never stabilises. The implication is that governance programmes must rethink what constitutes reviewable access for agents.

Delegation without traceability creates a blind spot between human intent and machine execution. OAuth OBO, shared sessions, and chained authorisation can work only if every step remains reconstructable in logs and policy records. If the identity system cannot map the chain from human originator to agent action, accountability breaks even when authentication succeeds. Practitioners should treat delegation traceability as a governance requirement, not a logging enhancement.

Agentic identity exposes the limits of human-centric IAM language. Terms like user, session, approval, and recertification still matter, but they no longer describe the full lifecycle of autonomous software acting on behalf of others. That is why agentic identity and NHI governance now overlap: both require scope, lifecycle, and auditable authority, but agents introduce runtime decision-making that traditional machine identities do not. Security teams should align governance models to actor behaviour, not to legacy terminology.

Six-function identity models will outperform token-only thinking. Authentication alone cannot establish safe agent behaviour if administration, auditing, and availability are weak. The more agents are allowed to chain actions across systems, the more identity must be managed as a continuous control plane. Practitioners should evaluate whether their current stack can govern the entire action path, not just the initial credential exchange.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • 80% of organisations report that their AI agents have already performed actions beyond their intended scope, including unauthorised system access, sensitive data sharing, and revealing credentials.
  • That gap becomes harder to ignore as 98% of companies plan to deploy even more AI agents within the next 12 months, a signal that governance must scale before autonomy does.

What this signals

Agentic identity is crossing from niche architecture concern to programme-level IAM work. With 92% of organisations saying AI-agent governance is critical but only 44% having policies in place, the control gap is now bigger than the deployment gap. Security teams should expect more pressure to prove delegation traceability, not just credential issuance.

Six-function governance will matter more than token management. The most durable programmes will treat authentication, access control, authorization, auditing, administration, and availability as one control chain. That aligns with the direction of the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10, where actor behaviour and runtime scope are the real risk surface.

Delegation traceability will become a board-level question. As agent use expands, teams will need to show not only that access exists but that it can be reconstructed after an incident or regulator inquiry. The practical test is whether a human reviewer can follow the chain from originator to action without guessing at intent or re-assembling logs by hand.


For practitioners

  • Classify agent identities by delegated authority: Inventory every AI agent, copilot, and automated workflow by who or what it acts for, what tools it can call, and whether it can change scope mid-session. Separate direct machine credentials from delegated agent identity so the review model reflects actual execution behaviour.
  • Require end-to-end delegation traceability: Log originator, agent identity, downstream API calls, and scope changes in a single chain that survives incident review. If a shared session or on-behalf-of flow cannot be reconstructed from identity to action, treat it as an unresolved governance defect.
  • Define JIT registration and expiry for agents: Register agents only when the task or workflow begins, bind them to a named owner, and expire them when the task ends. Do not allow persistent agent identities to accumulate without a clear lifecycle owner and revalidation step.
  • Test for audit gaps before expanding autonomy: Run table-top exercises that ask whether the organisation can prove who initiated an agent action, what the agent was authorised to do, and how scope changed before impact. If the answer depends on manual reconstruction, governance is not ready for broader autonomy.

Key takeaways

  • AI agents change the identity problem from credential possession to action accountability because they can decide, execute, and adapt in runtime.
  • Survey data shows the governance gap is already material, with broad concern but limited policy adoption and frequent out-of-scope agent behaviour.
  • IAM teams should move to delegated identity, traceable on-behalf-of flows, and lifecycle controls that can prove who acted, under what scope, and why.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| OWASP Agentic AI Top 10 | | Agent runtime scope and delegation are central to this article. |
| NIST AI RMF | | Agent governance, accountability, and traceability align with AI risk management. |
| NIST CSF 2.0 | PR.AC-4 | Delegated agent access must be limited and monitored as part of access control. |

Map agent actions to OWASP agentic risk areas and verify each delegated path is bounded and auditable.


Key terms

  • Agentic Identity: A verifiable identity assigned to software that can act on delegated authority in runtime. Unlike a normal service account, an agentic identity must carry intent, origin, scope, and traceable handoffs so the organisation can prove what the actor did and who authorised it.
  • Delegation Chain: The sequence that connects a human or upstream system to an agent’s action through authentication, authorisation, and execution. In agentic environments, the chain has to remain reconstructable after the event, or accountability becomes guesswork rather than governance.
  • On-Behalf-Of Flow: A token or session pattern where one identity acts for another while preserving evidence of delegation. For agents, the value is not just access propagation. It is the ability to show that the action was performed under a specific authority and within a specific scope.
  • Task-Bound Scope: A limited permission set tied to a specific objective, duration, or workflow step. For agents, task-bound scope is essential because runtime behaviour can shift quickly, and broad standing access makes it impossible to distinguish intended execution from overreach.


This post draws on content published by Strata Identity: AI agent identity and accountability in the enterprise identity model. Read the original.
