Identity in the agentic era needs constant, omnipresent, adaptable control

At a glance

What this is: This is a practitioner analysis of why identity infrastructure built for human users fails when AI agents, sub-agents, and delegated machine identities enter the control plane.

Why it matters: IAM, PAM, and NHI programmes now have to govern entities that authenticate faster, inherit authority more broadly, and change context continuously, which breaks review-based control models across human, non-human, and autonomous identity programmes.

By the numbers:

• 70% of IAM implementations fail to meet expectations, according to Gartner research.
• 99% of service accounts are over-permissioned.
• 86% of enterprises run multi-cloud strategies, yet only 9% are fully cloud-based for identity.
• 40% of enterprise applications will embed task-specific agents by the end of 2026.

👉 Read ConductorOne's analysis of identity control requirements in the agentic era

Context

The primary keyword here is AI agent identity governance. The article argues that identity systems were already underperforming in a human-only world, and that agentic systems expose those weaknesses because they authenticate more often, make decisions faster, and inherit authority through delegation chains that humans cannot reliably supervise.

For identity and access teams, the practical issue is not simply more accounts. It is that AI agents create sub-agents, cross systems and jurisdictions, and operate inside governance cadences built for quarterly review cycles. That makes the control model itself the problem, not just its implementation quality.

Key questions

Q: How should security teams govern AI agents that can create sub-agents?

A: They should govern the delegation chain, not just the initial agent account. Every parent-to-child handoff needs explicit ownership, policy scope, and revocation logic, because inherited permissions can expand far beyond the original approval. If sub-agents can spawn further access, the control point is the authority to delegate, not only the first credential.

Q: Why do AI agents break traditional IAM review cycles?

A: Traditional IAM review cycles assume access persists long enough to be observed, certified, and removed later. AI agents can authenticate and act at machine speed, so the useful control window is often shorter than the review cadence. That makes point-in-time certification a weak signal for runtime behaviour and a poor containment mechanism for agentic identity.

Q: What should organisations measure to see whether agent identity controls are working?

A: They should measure authorization latency, delegation depth, and how quickly access can be revoked after context changes. If an agent can keep acting after its purpose ends, the programme is measuring compliance paperwork instead of control. Useful metrics show whether policy enforcement is happening before the action, not after the audit.

Q: What is the difference between service account governance and agent governance?

A: Service account governance focuses on fixed credentials and stable workloads. Agent governance must also manage runtime decisions, inherited authority, and the ability to spawn further actions. That means lifecycle control, policy evaluation, and revocation need to account for behaviour that changes mid-session, not just for long-lived secrets or static roles.

Technical breakdown

Machine-speed identity evaluation in agentic systems

Traditional IAM assumes access decisions can be reviewed after the fact. That works poorly even for humans, and it fails harder for AI agents that authenticate hundreds of times per minute and change context continuously. Continuous Access Evaluation Protocol and related shared-signal approaches move authorization from calendar-driven checks to runtime enforcement. The architectural shift is from static review of entitlements to continuous signalling, state awareness, and immediate revocation when context changes. Without that, identity becomes observational rather than controlling.

Practical implication: move critical agent access decisions into continuous policy evaluation instead of periodic certification.

Delegation chains and sub-agent inheritance

The article describes agents creating agents, which means authority is no longer a single assignment but a reproducing chain. A human approves a parent agent, the parent spawns sub-agents, and those sub-agents inherit some version of the original permissions without direct human visibility. This creates delegated authority that spreads faster than governance records. In practical terms, the identity object is no longer the only thing to secure. The delegation relationship itself becomes the control surface.

Practical implication: track who can spawn, inherit, and extend authority across agent hierarchies.

Policy-based access control for adaptive identity

Static RBAC is a poor fit for entities whose context changes second by second. The source points toward policy-based control, where authorization logic is separated from application code and evaluated at runtime. That model can absorb new agent types, new jurisdictional constraints, and new task boundaries without redesigning every application. The technical advantage is not just flexibility. It is the ability to keep identity governance executable at machine speed while still expressing fine-grained conditions on who or what may act.

Practical implication: replace role snapshots with policy logic that can evaluate changing context in real time.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Constant identity is now a control requirement, not an availability preference. The source makes clear that quarterly reviews and annual certifications were already inadequate for human access, and they collapse completely for agents that make decisions at machine speed. The control assumption that privilege can be observed later fails when actions accumulate before the next review cycle. Practitioners should treat continuous authorization as the baseline for agent governance.

Delegation without governance is the named failure mode this article exposes. A human authorizes a parent agent, the parent creates sub-agents, and the original authority reproduces beyond human visibility. That model was designed for a world where access assignment was singular and reviewable. It fails when access can be inherited, multiplied, and executed by downstream entities that no one explicitly approved. The implication is that delegation relationships need to be governed as first-class identity objects.

Identity blast radius: When an agent can cross clouds, applications, and jurisdictions in one task chain, the real control problem is no longer account count but scope expansion. The source ties this to multi-cloud identity fragmentation and inconsistent policy enforcement across environments. That means the field needs to stop treating cross-domain access as an integration issue and start treating it as a governance boundary problem. Practitioners must measure how far delegated authority can travel before control breaks.

AI agents are not just another NHI category because they alter the behaviour of the identity object itself. The source distinguishes deterministic machine identities from agents that reason, spawn sub-agents, and take dynamic actions. That means identity models built around predictable service accounts cannot safely absorb agentic behaviour without changing how authorization, visibility, and revocation work. The implication is that NHI programmes must separate static workload identity from runtime-decision entities.

Identity infrastructure is becoming the enforcement layer for AI safety and regulatory scope. The article links agent behaviour to compliance regimes that can stack across jurisdictions in a single workflow. That shifts identity from administrative plumbing into runtime control for policy, privacy, and operational risk. The field should expect identity governance to be judged less by enrollment quality and more by whether it can bound agent behaviour in time, place, and authority.

From our research:

• 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
• 89% of organisations store secrets outside secret managers in vulnerable locations, according to Ultimate Guide to NHIs.
• For the deeper lifecycle lens, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for offboarding, rotation, and access review patterns that agentic governance must extend rather than ignore.

What this signals

Identity programmes will be judged by runtime control, not administrative completeness. The article points to a market where quarterly reviews, static roles, and visibility snapshots cannot keep pace with agentic behaviour. As more applications embed task-specific agents, security teams should expect access governance to move closer to continuous policy enforcement and away from certification theater.

The operational shift is larger than AI adoption alone. With 80% of identity breaches involving compromised non-human identities, the next wave of risk will come from systems that inherit authority too broadly and too invisibly. Teams should prepare for delegation depth, revocation speed, and policy portability to become board-level metrics.

Delegation without governance: This is the failure pattern that will keep reappearing as agents spawn agents across clouds and jurisdictions. Identity teams should plan for cross-domain policy evaluation, not just isolated account management, and align that work with the NIST AI Risk Management Framework where autonomous decision-making enters the control plane.

For practitioners

• Map delegation chains before expanding agent access Inventory which humans can approve parent agents, which systems those agents can reach, and where sub-agents inherit permissions. Treat inherited authority as a separate risk object, not a side effect of automation.
• Replace periodic review with runtime authorization controls Move the highest-risk agent permissions into continuously evaluated policy so access can be revoked as context changes. Quarterly certifications are too slow for agents that authenticate hundreds of times per minute.
• Separate static workload identities from agentic principals Do not manage AI agents as if they were service accounts with fixed purpose and stable behaviour. Give them identity records, lifecycle ownership, and policy boundaries that reflect decision-making at runtime.
• Define a kill switch for agent revocation Ensure the identity layer can remove agent access instantly without depending on the same platform that is being governed. If the revocation path depends on a failing identity system, agents outrun containment.

Key takeaways

• The article argues that identity systems built for human tempo cannot govern AI agents that make decisions and spawn sub-agents at machine speed.
• The underlying risk is delegation without governance, where authority reproduces faster than human review and visibility can follow.
• Practitioners need runtime authorization, delegation tracking, and instant revocation paths if they want agentic identity control to be enforceable.

Key terms

• Agentic Identity: An identity used by a system that can choose actions, tools, and timing at runtime rather than following a fixed script. In practice, this means the governance problem is not only authentication. It is also the control of delegated authority, decision scope, and revocation speed.
• Delegation Chain: The sequence of authority passed from a human to an agent, and from that agent to additional sub-agents or systems. In agentic environments, the chain matters as much as the credential because each handoff can widen scope, obscure ownership, and complicate revocation.
• Continuous Authorization: A control pattern that evaluates whether access should still exist at the moment an action is taken, not just when access is granted. It is essential for fast-moving non-human and agentic identities because static approvals age faster than the behaviour they were meant to constrain.
• Identity Blast Radius: The total range of systems, data, and jurisdictions that an identity can affect before governance catches up. For agents, blast radius expands quickly because authority can reproduce through delegation, cross-cloud activity, and runtime decisions that no single reviewer can observe in time.

Deepen your knowledge

AI agent identity governance and delegation-chain control are core topics in the NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agentic systems that inherit human authority, it is worth exploring.

This post draws on content published by ConductorOne: Three Properties Identity Must Have in the Agentic Era. Read the original.