By NHI Mgmt Group Editorial Team. Published 2026-04-23. Domain: Announcements. Source: Akeyless.

TL;DR: AI agents and machine identities are pushing non-human identity risk beyond human-era IAM assumptions, according to Akeyless, with the company citing hundreds of billions of workload identity transactions annually and broad enterprise adoption. The governance break is that standing privileges and long-lived credentials no longer match runtime access decisions in agent-driven environments.


At a glance

What this is: Akeyless frames AI agent and machine identity growth as a real-time governance problem, arguing that static human-era access models cannot keep up.

Why it matters: It matters because IAM, PAM, and NHI teams now have to govern identities that act at machine speed across clouds, SaaS, and internal systems.

👉 Read Akeyless's statement on AI-era identity strategy and ecosystem expansion


Context

AI agent identity risk is the governance gap that appears when identities can request, combine, and consume access at runtime rather than on a human-paced approval cycle. The article argues that the old model of static access and long-lived credentials no longer matches how non-human identities operate across cloud, SaaS, and internal systems.

For IAM and NHI teams, the practical issue is not whether machine identities are growing. It is whether access decisions, federation, and revocation can happen quickly enough to constrain blast radius when agents interact directly with critical services and data.


Key questions

Q: How should security teams govern AI agents that can act across multiple systems?

A: Security teams should govern AI agents as runtime identities, not as static accounts. That means binding access to a task, a session, or an approved workflow, then revoking it automatically when the activity completes. The key is to control what the agent can do while it is executing, not just what it was allowed to receive at provisioning time.

Q: Why do long-lived credentials create more risk for machine identities than for humans?

A: Long-lived credentials create more risk for machine identities because machines can act continuously, move faster, and reach more systems than a human can manually supervise. If the credential survives beyond the task, the blast radius survives too. That is why static secrets and standing privilege are such poor fits for AI-driven environments.

Q: What breaks when identity governance is split between IAM, PAM, and secrets tools?

A: What breaks is the ability to see and revoke effective access as one chain. A user can look compliant in IAM while a secret, token, or federated session still grants access elsewhere. Fragmentation creates false confidence, because the governance state is no longer aligned with the actual execution path.

Q: When should organisations move from periodic review to runtime access control?

A: Organisations should move when identities can complete meaningful actions before the next review cycle would ever see them. If access can be created, used, and discarded within a short session, periodic certification is too slow to govern it. Runtime controls are necessary whenever the identity’s behaviour changes faster than the review process.


How it works in practice

Why static identity models fail at AI agent speed

Traditional IAM assumes access is provisioned, reviewed, and revoked on a cadence that makes sense for humans or durable service accounts. AI agents break that assumption because they can initiate actions, request tools, and traverse systems in short-lived sessions. In that environment, standing privilege becomes a structural liability, not just a policy weakness. The control problem is not simply who can log in, but whether identity decisions can be made at runtime with enough context to prevent overreach while the session is active.

Practical implication: shift design reviews from periodic entitlement management to runtime access control for agent and workload identities.

What just-in-time access means for non-human identities

Just-in-time identity creation limits the lifetime of credentials and privileges to the exact task window, which is why it maps well to AI agents and workloads. The article points to dynamic grant and revoke behaviour as the relevant control pattern, because long-lived keys and static entitlements do not fit systems that spin up, act, and disappear quickly. Federation across cloud and enterprise platforms matters here because it reduces the need to duplicate secrets while still preserving source-of-truth identity decisions.

Practical implication: reduce the number of persistent credentials by binding access to task scope, session scope, and federation rules.
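The grant-and-revoke pattern described above, as an added example that is not code from Akeyless or from the article: an in-memory grant broker that mints a short-lived, HMAC-signed grant bound to one task and one session, checks every action at runtime against the grant's scope, and revokes the grant the moment the task completes rather than waiting for the TTL. The class, token format and the principal, task and resource names are assumptions for illustration, not any product's API.

```python
"""Task-scoped, just-in-time grants for a non-human identity.

Added illustration (not Akeyless code). Names, the token format and the
scope string convention ("action:resource") are assumptions for the example.
"""
import hashlib
import hmac
import json
import secrets
import time


class GrantBroker:
    """Issues and checks task-bound grants; also acts as the revocation point."""

    def __init__(self, signing_key: bytes, clock=time.time):
        self._key = signing_key
        self._clock = clock          # injectable so expiry can be shown without sleeping
        self._revoked = set()        # session ids revoked before their TTL ran out

    def issue(self, principal, task_id, scope, ttl_seconds):
        """Mint a grant whose reach is exactly `scope` and whose life is `ttl_seconds`."""
        now = self._clock()
        body = {
            "sub": principal,
            "task": task_id,
            "sid": secrets.token_hex(8),   # one session per grant, never reused
            "scope": sorted(scope),
            "iat": now,
            "exp": now + ttl_seconds,
        }
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + tag     # <hex payload>.<hex HMAC-SHA256>

    def _parse(self, grant):
        """Return the signed body, or None if the grant is malformed or tampered."""
        try:
            payload_hex, tag = grant.split(".", 1)
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(payload)

    def authorize(self, grant, action, resource):
        """Runtime decision for one action. Returns (allowed, reason)."""
        body = self._parse(grant)
        if body is None:
            return False, "bad-signature"
        if body["sid"] in self._revoked:
            return False, "revoked"
        if self._clock() >= body["exp"]:
            return False, "expired"
        if f"{action}:{resource}" not in body["scope"]:
            return False, "out-of-scope"
        return True, "ok"

    def complete_task(self, grant):
        """Revoke as soon as the task finishes; the TTL is only the upper bound."""
        body = self._parse(grant)
        if body is not None:
            self._revoked.add(body["sid"])


def demo():
    """Walk one grant through its lifecycle; returns the decision reasons."""
    state = {"t": 1_700_000_000.0}
    broker = GrantBroker(b"example-key-not-for-production", clock=lambda: state["t"])
    grant = broker.issue(
        principal="agent:invoice-reconciler",          # constructed identity
        task_id="task-42",
        scope={"read:ledger/2026-04", "write:reconciliation/2026-04"},
        ttl_seconds=300,
    )
    out = {}
    out["in_scope"] = broker.authorize(grant, "read", "ledger/2026-04")[1]
    out["out_of_scope"] = broker.authorize(grant, "read", "payroll/2026-04")[1]
    forged = grant[:-1] + ("0" if grant[-1] != "0" else "1")   # flip one tag character
    out["forged"] = broker.authorize(forged, "read", "ledger/2026-04")[1]
    broker.complete_task(grant)                                  # task done: revoke now
    out["after_completion"] = broker.authorize(grant, "read", "ledger/2026-04")[1]
    second = broker.issue("agent:invoice-reconciler", "task-43",
                          {"read:ledger/2026-04"}, ttl_seconds=300)
    state["t"] += 301                                            # TTL elapses
    out["after_ttl"] = broker.authorize(second, "read", "ledger/2026-04")[1]
    return out


if __name__ == "__main__":
    for step, reason in demo().items():
        print(f"{step:17s} -> {reason}")
```

The point of the walk-through is the order of checks in `authorize`: signature first, then revocation, then expiry, then scope. Revocation is keyed on the session id rather than the principal, so finishing one task does not tear down unrelated grants the same agent holds, and the TTL is a backstop rather than the primary revocation mechanism. A production broker would keep the revocation set in shared storage reachable from every enforcement point.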

Why a unified control plane matters across humans, machines, and agents

The article positions identity as a control plane that spans humans, machines, and AI agents rather than separate IAM programmes. That matters because the governance failure is often fragmentation: one system for workforce access, another for machine secrets, and another for agent runtime controls. When those controls are disconnected, policy drift and inconsistent revocation create exposure paths that are hard to detect. A unified model does not erase the differences between actor types, but it does make lifecycle, federation, and enforcement visible in one place.

Practical implication: map human, machine, and agent access into one governance model so revocation and review are consistent across actor types.


NHI Mgmt Group analysis

AI agent identity risk is really a runtime governance problem. The issue is not just that more identities exist. It is that traditional controls were built for access that persists long enough to be reviewed, certified, and revoked on a human cycle. When agents act at machine speed, governance has to follow the session, not the calendar. Practitioners should treat runtime access as the primary governance surface.

Static privilege assumptions fail once an identity can act autonomously across systems. Least privilege was designed for access that can be bounded in advance, but AI agents can branch into new tools and systems while the task is still in motion. That means the control boundary is no longer a provisioning record. It is the live execution context, and that changes how identity risk must be assessed.

Identity fragmentation is now an operational risk multiplier. Separate controls for workforce IAM, machine identities, and agent runtime access create blind spots when the same workflow spans all three. The more fragmented the programme, the easier it is for standing privilege, stale federation, or orphaned credentials to survive in one layer while another layer appears compliant. Practitioners should collapse review around the actual execution chain.

Unified identity control planes are becoming the category-defining architecture for AI-era security. The market is moving toward platforms that can manage humans, machines, and agents under one policy and enforcement model because the old separation between IAM, PAM, and secrets management is too slow for agentic environments. That does not remove the need for specialised controls. It does mean governance teams should expect tighter convergence across identity domains.

Runtime access governance is the named concept that now deserves its own operating model. The core failure mode is not only over-provisioning. It is the absence of controls that can decide, scope, and revoke access while the identity is actively executing. That is a different problem from traditional entitlement review, and practitioners should stop treating it as a simple extension of NHI hygiene.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Our research also shows that 97% of NHIs carry excessive privileges, which is why runtime scoping matters more than after-the-fact review.
  • For a broader operating model, see Top 10 NHI Issues for the governance failures that most often drive exposure.

What this signals

Runtime access governance: AI-era identity programmes will need a distinct operating layer for identities that can request, use, and discard access faster than a human review cycle can observe. That is especially true where federated access spans cloud and SaaS platforms, because revocation has to follow the live session, not the entitlement record.

With 97% of NHIs carrying excessive privileges according to Ultimate Guide to NHIs, the practical signal is clear: the exposure problem is structural, not incidental. Teams should watch for any identity programme where the source of truth and the enforcement point are no longer the same system.

The next programme shift is toward convergence between IAM, PAM, and secrets governance for machine and agent identities. That convergence will not be cosmetic. It will decide whether an organisation can prove that access was bounded at the moment of execution, which is the standard agentic environments now force.


For practitioners

  • Inventory agent and machine identities by runtime authority: classify every AI agent, workload identity, and service account by the systems it can reach, the tools it can invoke, and whether access is persistent or task-bound.
  • Replace standing access with task-scoped access decisions: use just-in-time provisioning for identities that do not need durable access, and require explicit expiration for any cross-cloud or cross-system privilege.
  • Unify federation and revocation across control planes: align IAM, PAM, and secrets workflows so that revocation in one layer actually removes effective access in the others, including federated agent sessions.
  • Review where agents can cross trust boundaries without supervision: map every place an AI agent can move from one system to another, especially where cloud, SaaS, and internal systems share identity trust.
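The first and third items above (inventory by runtime authority, and revocation that holds across control planes) in working form, as an added example that is not the article's or Akeyless's code: three constructed record sets stand in for an IAM directory, a secrets store and a federation broker, and the code joins them into one effective-access view per principal, then flags two failure modes the "Key questions" section describes: an identity that looks revoked in IAM while a static secret or a live federated session still grants reach, and a non-human identity holding standing privilege. The record shapes, principal names and resource names are assumptions for illustration.

```python
"""Reconcile effective access across IAM, a secrets store and federated sessions.

Added example, not code from the article or Akeyless. The three record sets
below are constructed; the data model is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

NOW = 1_700_000_000   # fixed clock for the constructed data


@dataclass(frozen=True)
class IamRecord:
    principal: str
    kind: str                    # "human" | "workload" | "agent"
    enabled: bool
    entitlements: FrozenSet[str]  # standing entitlements granted in IAM


@dataclass(frozen=True)
class Secret:
    principal: str
    secret_id: str
    grants: FrozenSet[str]       # resources this secret unlocks
    expires_at: Optional[int]    # None = static secret, never expires


@dataclass(frozen=True)
class FederatedSession:
    principal: str
    target: str                  # system that trusted an upstream assertion
    expires_at: int


# Constructed inventory. The support bot is disabled in IAM, so an IAM-only
# review passes, yet a static secret and a live session still give it reach.
IAM = [
    IamRecord("alice", "human", True, frozenset({"crm"})),
    IamRecord("agent:support-bot", "agent", False, frozenset()),
    IamRecord("agent:invoice-agent", "agent", True, frozenset()),
    IamRecord("wl:etl-runner", "workload", True, frozenset()),
    IamRecord("wl:legacy-sync", "workload", True, frozenset({"warehouse"})),
]
SECRETS = [
    Secret("agent:support-bot", "sec-1", frozenset({"tickets-db"}), None),
    Secret("wl:etl-runner", "sec-2", frozenset({"warehouse"}), NOW + 900),
    Secret("wl:legacy-sync", "sec-3", frozenset({"warehouse"}), None),
]
SESSIONS = [
    FederatedSession("agent:support-bot", "crm-api", NOW + 600),
    FederatedSession("agent:invoice-agent", "ledger", NOW - 10),   # already expired
]


def effective_access(iam, secrets, sessions, now=NOW):
    """Per principal: what it can reach right now, from which layers, and whether
    any of that access is persistent (no expiry) rather than task-bound."""
    view = {}

    def bucket(principal):
        return view.setdefault(principal, {"reach": set(), "sources": set(), "persistent": False})

    for rec in iam:
        if rec.enabled and rec.entitlements:
            b = bucket(rec.principal)
            b["reach"] |= rec.entitlements
            b["sources"].add("iam")
            b["persistent"] = True           # entitlement stays until someone revokes it
    for s in secrets:
        if s.expires_at is None or s.expires_at > now:
            b = bucket(s.principal)
            b["reach"] |= s.grants
            b["sources"].add("secrets")
            if s.expires_at is None:
                b["persistent"] = True
    for f in sessions:
        if f.expires_at > now:
            b = bucket(f.principal)
            b["reach"].add(f.target)
            b["sources"].add("federation")
    return view


def findings(iam, secrets, sessions, now=NOW):
    """Flag principals whose governance state disagrees with their live reach."""
    view = effective_access(iam, secrets, sessions, now)
    status = {r.principal: r for r in iam}
    out = []
    for principal, v in view.items():
        rec = status.get(principal)
        if rec is None or not rec.enabled:
            if v["sources"] - {"iam"}:
                out.append((principal, "orphaned-access", sorted(v["sources"])))
        elif v["persistent"] and rec.kind in ("agent", "workload"):
            out.append((principal, "standing-privilege", sorted(v["reach"])))
    return sorted(out)


if __name__ == "__main__":
    for principal, issue, detail in findings(IAM, SECRETS, SESSIONS):
        print(f"{principal:20s} {issue:18s} {detail}")
```

Run against the constructed data it reports `agent:support-bot` as orphaned access (live in the secrets and federation layers while disabled in IAM) and `wl:legacy-sync` as standing privilege; `wl:etl-runner`, which holds only an expiring secret and no IAM entitlement, produces no finding. That is the task-bound pattern the previous items recommend, and the join is what an IAM-only certification cannot see.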

Key takeaways

  • AI agent identity risk is no longer just about more identities, but about access that changes too quickly for traditional governance cycles to contain.
  • The scale problem is already visible in enterprise data, with Akeyless reporting hundreds of billions of workload identity transactions annually.
  • Practitioners need runtime access control, tighter federation, and consistent revocation across IAM, PAM, and secrets workflows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | No single item cited | Agent runtime access and tool use are central to the article's risk framing.
OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets (NHI5:2025 Overprivileged NHI is also relevant) | Standing credentials and rotation discipline are directly implicated by the article.
NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Sec. 2.1): per-session access, dynamic policy, continual evaluation. The least-privilege permissions control PR.AC-4 belongs to NIST CSF v1.1, not SP 800-207. | The article emphasizes continuous verification and dynamic access decisions.

Review agent tool access, approval gates, and runtime controls before granting production reach.


Key terms

  • Runtime access governance: Runtime access governance is the practice of deciding, limiting, and revoking identity permissions while the identity is actively executing. It matters most when access decisions must keep pace with agents, workloads, or automation that can move faster than periodic review cycles.
  • Standing privilege: Standing privilege is access that remains available even when the identity is idle or no longer needs it. For non-human and agentic identities, standing privilege is especially risky because it can outlive the task and expand the blast radius of a compromise or misuse.
  • Federated identity: Federated identity lets one system trust another system's authentication result so users or machines can access connected services without duplicating credentials. In NHI governance, federation reduces secret sprawl, but it still needs lifecycle control, revocation visibility, and policy consistency.
  • Agentic identity: Agentic identity is an identity used by an AI system that can choose actions and interact with tools during runtime. The governance challenge is not only who created the identity, but whether its permissions can be bounded, monitored, and revoked while the agent is still operating.

What's in the full announcement

Akeyless's full article covers the operational detail this post intentionally leaves for the source:

  • The appointment context and ecosystem strategy narrative behind the CSO hire.
  • Akeyless's description of its platform architecture, including Distributed Fragments Cryptography (DFC) and agentic runtime authority.
  • The specific integration list across cloud providers, security tools, and enterprise platforms.
  • The vendor's own framing of how its identity controls are applied across humans, machines, and AI agents.

👉 Akeyless's full post covers the CSO appointment, platform framing, and ecosystem plans in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-23.
NHI Mgmt Group, the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org