TL;DR: The Chasing Entropy Podcast season recap says CISOs are increasingly accountable for risk, revenue, and board communication while agentic AI systems raise new questions about tool access, blast radius, and governance, according to 1Password. Identity control is becoming the practical control plane for both human and machine-driven security decisions.
At a glance
What this is: A season recap from 1Password’s Chasing Entropy Podcast showing that CISO scope is widening and agentic AI is pushing identity into the control-plane role.
Why it matters: Identity, governance, and operational accountability now span human leaders, NHI credentials, and autonomous systems that can act inside production environments.
Context
The core problem is not that security teams lack tools. It is that security accountability now stretches across strategy, operations, and automation, while the actual control points still sit in fragmented processes, budgets, and ownership lines. In a modern IAM programme, that means identity governance has to cover CISOs, service accounts, and increasingly agentic systems that can take action inside business workflows.
1Password’s season recap treats agentic AI as a governance problem, not a feature story. The article argues that when systems can call tools, integrate with SaaS, and act with limited human oversight, the old assumption that identity only responds to requests starts to fail. That is why identity is being discussed as the real control plane for both access and accountability.
Key questions
Q: How should security teams govern agentic AI systems that can call tools and APIs?
A: Treat them as delegated runtime actors, not as simple applications. Limit the tool set, review every high-impact action path, and log the sequence of actions as well as the final output. If an agent can chain decisions without human approval, identity governance must define its authority at runtime, not only at provisioning.
Q: Why does identity become the control plane in agentic AI environments?
A: Because the risk is carried through who or what can act, on which systems, and under what oversight. When agents can invoke tools, access production services, and combine actions in one session, the deciding factor is delegated authority. Identity controls therefore govern both access and the blast radius of execution.
Q: What do security teams get wrong about CISO accountability?
A: They often treat accountability as a reporting issue instead of a control issue. A CISO may own risk outcomes but not budgets, engineering priorities, or vendor choices, so the programme must produce evidence that shows where authority sits and where it does not. Without that, governance becomes difficult to defend during incidents or board reviews.
Q: When do autonomous systems create more governance risk than ordinary automation?
A: They create more risk when they can decide the action sequence, choose tools at runtime, and execute without human approval. At that point, the system is no longer following a fixed script. The governance challenge shifts from workflow management to controlling independent action inside a session.
Technical breakdown
Why agentic AI changes the identity control plane
Agentic AI changes the control plane because the system can move from analysis to action without a person selecting every step. Once an agent can call APIs, chain tools, and touch production systems, the security question shifts from whether it can authenticate to whether its runtime decisions are bounded. That is different from ordinary automation, which follows a predefined workflow. In identity terms, the issue is not just credentials but delegated authority, action scope, and traceability across a session. For IAM teams, the architectural problem is controlling what an agent may do when the sequence is not fully known in advance.
Practical implication: treat agent access as runtime authority management, not as a static permission grant.
Why CISO accountability now depends on identity governance
The article shows a widening accountability gap. CISOs are increasingly expected to shape strategy, explain incidents, and translate security risk to executives, yet they often do not control the budgets, engineering priorities, or vendor decisions that create the exposure. That makes identity governance more than an operational discipline. It becomes the evidence layer that shows who can act, who approved it, and where the organisation still depends on informal trust. For practitioners, the lesson is that governance must be specific enough to survive board scrutiny and incident review.
Practical implication: map identity controls to accountability lines before the next incident or board review.
Tool access and blast radius in agentic environments
The practical risk in agentic environments is not simply that an AI system exists. It is that the system can inherit broad tool access, combine services in ways the operator did not plan for, and produce impact faster than human review cycles can intervene. That creates a different blast radius model from traditional NHI sprawl. The security issue is the combination of delegated access, non-deterministic action paths, and weak human oversight on high-impact steps. Identity programmes that only inventory credentials will miss the operational question: which actions can be chained once the session begins?
Practical implication: define and test the action chains an agent can create, not only the permissions it starts with.
Threat narrative
Attacker objective: The objective is to turn legitimate delegated access into faster, broader operational impact than the security team can observe or constrain in time.
- Entry occurs when an agent is granted legitimate access to tools, SaaS platforms, or production-connected APIs as part of normal workflow integration.
- Escalation follows when the agent combines tool calls or scopes actions beyond what the operator expected, expanding its effective authority during runtime.
- Impact appears when the chained actions reach production systems, sensitive data, or business workflows before human review can break the sequence.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance built for human-paced approval loops is no longer enough. The article makes clear that CISOs are being asked to manage risk that spans strategy, operations, and AI-enabled execution. That is not a cosmetic expansion of remit. It means governance artefacts built around slow review cycles and linear approval chains no longer describe the way decisions are actually made. Practitioners should treat that as a structural governance shift, not a tooling issue.
Access review processes were designed for stable privilege, and that assumption fails under agentic behaviour. When an AI system can select tools, chain actions, and complete work inside a single session, there may be no durable access state to certify after the fact. The assumption collapse here is clear: access was assumed to persist long enough to be observed, reviewed, and revoked. The implication is that identity governance has to be redesigned around runtime authority rather than retrospective certification.
Agentic AI turns blast radius into an identity problem, not just a model-safety problem. The article repeatedly points to tool use, production access, and the need for human review on high-impact actions. That combination means the decisive question is who can compound authority across a session, not whether the model is intelligent. Frameworks such as the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework become relevant because the governance failure is about delegated action, traceability, and control boundaries.
Identity is the real control plane because operational risk now travels through delegated authority. The podcast’s strongest throughline is that security outcomes depend on who can act, on what systems, and under which oversight model. That is true for CISOs managing organisational risk, and it is increasingly true for AI systems operating inside business workflows. Practitioners should align governance, review, and monitoring around executable authority, not just named identities.
Cross-domain governance is now the differentiator between mature and fragile programmes. The article connects board communication, incident handling, SaaS sprawl, and AI rollout under one theme: responsibility outpaces control unless identity is managed across humans, NHIs, and autonomous systems. That is exactly where NHIMG’s analysis matters. Teams that still separate these domains will miss the dependency chain that creates real exposure. Practitioners should collapse those silos before the next rollout increases the gap.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- That is why readers should also review Top 10 NHI Issues for the control failures most likely to surface when access sprawl and weak oversight collide.
What this signals
Identity is increasingly the programme boundary: once AI systems can chain actions across SaaS and production tooling, the security team needs a view of executable authority, not just authentication events. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, many programmes are already operating with blind spots that agentic workflows will widen.
The most useful named concept here is runtime authority drift: privilege appears normal at provision time but expands through session behaviour, tool chaining, and indirect delegation. That is the gap security leaders should watch because it breaks the assumption that static access reviews can fully describe live risk.
Teams should prepare for governance conversations that connect IAM, PAM, and AI oversight in one model. The right reference point is NIST Cybersecurity Framework 2.0, but the practical shift is internal: control evidence must cover who can act, what can be chained, and where human review still interrupts execution.
For practitioners
- Map executive accountability to identity controls: Document which roles approve risk, who owns remediation, and which identity events must be surfaced for board-level reporting. Tie CISO narratives to measurable control evidence rather than generic risk statements.
- Inventory agent tool access by action chain: List every API, SaaS connector, and production action an agent can reach, then test how those actions combine inside a live session. The objective is to see compound authority, not just individual permissions.
- Separate automation from autonomous authority: Classify which workflows are fixed, which are human-reviewed, and which can make runtime decisions without approval. Only the last category needs agentic governance controls and stricter traceability.
- Use identity evidence in incident and budget conversations: Bring revocation timelines, access scope, and approval logs into incident reviews and security funding discussions. That makes governance concrete and exposes where ownership breaks down between teams.
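The advice above on limiting the tool set, gating high-impact steps, logging the action sequence, and testing which actions chain within a session can be sketched as a session-scoped authorization gate. This is an added example, not code from 1Password or NHI Mgmt Group; the tool names, effect tags, and chain rules are constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import permutations

# Constructed tool catalogue: name -> (effect tag, high_impact). All names are hypothetical.
TOOLS = {
    "crm.read_contacts": ("read_sensitive", False),
    "tickets.comment":   ("write_internal", False),
    "email.send":        ("external_egress", False),
    "deploy.rollout":    ("write_prod", True),
}
# Effect sequences that must not complete in one session without a human decision.
RISKY_CHAINS = {("read_sensitive", "external_egress"), ("read_sensitive", "write_prod")}

def risky_chains(allowed):
    """Offline review of a grant: ordered tool pairs that form a risky chain."""
    return sorted((a, b) for a, b in permutations(sorted(allowed), 2)
                  if (TOOLS[a][0], TOOLS[b][0]) in RISKY_CHAINS)

@dataclass
class AgentSession:
    agent_id: str
    allowed: frozenset                           # tool grant fixed at provisioning
    effects: list = field(default_factory=list)  # effects already performed this session
    log: list = field(default_factory=list)      # ordered decision trail, allows and denies

    def authorize(self, tool, approved_by=None):
        """Decide one tool call at runtime and record the decision."""
        if tool not in self.allowed or tool not in TOOLS:
            decision = "deny:not_in_grant"
        else:
            effect, high_impact = TOOLS[tool]
            # A call is "chained" if an earlier effect in this session makes it risky.
            chained = any((prev, effect) in RISKY_CHAINS for prev in self.effects)
            if (high_impact or chained) and approved_by is None:
                decision = "deny:needs_human_approval"
            else:
                decision = "allow"
                self.effects.append(effect)
        self.log.append((len(self.log) + 1, self.agent_id, tool, decision, approved_by))
        return decision == "allow"
```

The same `email.send` permission is allowed at the start of a session and held for approval after a sensitive read, which is the difference between the provisioned grant and runtime authority.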
Key takeaways
- Agentic AI changes identity from a login problem into a runtime authority problem.
- CISO accountability is expanding faster than the control lines that support it.
- Security programmes need evidence for action chains, not only for access lists.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agentic AI tool use and runtime authority are central to the article. |
| NIST AI RMF | | The article frames governance, accountability, and oversight for AI-enabled action. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Least-privilege and continuous verification are relevant to delegated tool access. |
Assign ownership for AI risk, define oversight, and document escalation paths for high-impact actions.
Key terms
- Agentic AI: Software that can decide and execute actions at runtime, including selecting tools and timing without a human approving each step. In identity governance, the key issue is not only authentication but delegated authority, traceability, and how much damage a single session can cause.
- Runtime Authority: The effective power an identity has while a session is active, including what it can do across tools, APIs, and connected systems. For autonomous or agentic systems, runtime authority is often more important than the permissions recorded at provisioning time.
- Blast Radius: The amount of operational, security, or business damage that can occur when an identity is misused or overextended. For agentic systems, blast radius depends on which actions can be chained before human review interrupts execution.
- Identity Control Plane: The layer where access, authority, and accountability are governed across systems and workflows. In modern programmes, it includes humans, non-human identities, and agentic systems because each can initiate actions that affect risk and compliance.
This post draws on content published by 1Password: Chasing Entropy Podcast season one recap. Read the original.
Published by the NHIMG editorial team on 2025-12-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org