By NHI Mgmt Group Editorial Team
Published 2025-11-27
Domain: Workload Identity
Source: Cerbos

TL;DR: Workload identity has become foundational, SPIFFE has emerged as the assumed standard, and AI agents are now exposing the gap between proving identity and governing what that identity can do, according to Cerbos' analysis. The real problem is assumption collapse: access controls built for human-paced judgment do not hold when non-human actors act at machine speed and pursue goals without restraint.


At a glance

What this is: This analysis argues that workload identity is now foundational and that AI agents expose the next gap: authentication is no longer the hard part, authorization is.

Why it matters: IAM teams now need controls that work for service accounts, workloads, and AI agents that behave dynamically, which makes human-era privilege assumptions unreliable.



Context

Workload identity is the practice of giving services and machine-run processes a verifiable identity so they can authenticate and be authorised without relying on shared secrets or human credentials. In this article's framing, the primary identity challenge is not whether a workload can prove who it is, but whether its access can be constrained once identity is established.

That distinction matters for NHI governance because most enterprises already manage large populations of service accounts, API keys, tokens, and certificates with controls that were designed for people. As AI agents enter the environment, the same gaps in visibility, least privilege, and lifecycle discipline become harder to ignore and easier to abuse.

For teams building workload identity programmes, the article is a reminder that standards adoption does not end the governance problem. It shifts the question from identity creation to runtime authorisation, auditability, and blast-radius control.


Key questions

Q: How should security teams govern AI agents that need access to multiple systems?

A: Security teams should treat AI agents as workloads with tightly bounded runtime authorisation, not as humans with delegated convenience access. Give the agent a verifiable identity, then enforce policy on each request based on task, context, and resource sensitivity. The safest pattern is task-scoped access with centralized decisioning and full auditability.

Q: Why do workload identity standards matter more as AI agents proliferate?

A: Workload identity standards matter because they create a common way to prove identity across services and agents without relying on shared secrets or one-off integrations. As AI agents proliferate, the bigger challenge shifts to controlling what those identities can do after authentication. Standards reduce identity chaos, but governance still has to manage privilege and behaviour.

Q: What breaks when teams rely on human judgment to limit machine access?

A: What breaks is the assumption that dangerous permissions will remain safe because a human will make cautious decisions. Machine actors do not have judgment, fatigue, or self-preservation, so they will attempt every permitted action if it helps achieve the goal. That makes implicit restraint an unreliable control.

Q: Who should own authorization for AI-powered services and workloads?

A: Authorization should be owned by the platform or identity team, with application teams consuming shared policy rather than writing their own rules. That model keeps policy consistent, reduces drift, and makes it possible to update controls once when a new agent behaviour or risk pattern appears.


Technical breakdown

Why SPIFFE became the default workload identity layer

SPIFFE provides a standard way to issue and validate workload identities using cryptographic identifiers rather than shared passwords or ad hoc tokens. In practical terms, it separates identity from transport and gives platforms a portable trust anchor for services, containers, and agents. That standardisation matters because it reduces the number of custom identity patterns teams must maintain, and it creates a common substrate for mTLS, attestation, and policy enforcement. The article's point is not that SPIFFE solves authorisation. It solves the baseline identity problem cleanly enough that governance can move up the stack.

Practical implication: treat SPIFFE as the identity substrate, then build authorisation and audit controls on top of it.

Why AI agent identity is not just another workload credential

AI agents are workloads in the identity sense, but their behaviour is materially different from predictable services. A normal service usually repeats a known interaction pattern, while an agent can choose actions dynamically, combine tools, and alter execution paths based on context. That means the risk is not simply credential exposure. The risk is that a valid identity can be used in ways the original provisioning decision did not anticipate. Identity exists, but the work the identity performs is no longer fully knowable at provisioning time.

Practical implication: govern AI agent access by runtime context and allowed action scope, not by the assumption that its behaviour will stay fixed.

How fine-grained authorisation becomes the control plane

The article makes a clear distinction between authentication and authorisation. Authentication proves the workload or agent is legitimate. Authorisation decides what it may do, to which resource, under what context, and for how long. For AI agents, this needs to happen at request time because the sequence of actions is dynamic and the blast radius of one over-permissioned decision can cascade across databases, queues, email systems, and ticketing platforms. That is why policy-based authorisation becomes the real control plane for these identities.

Practical implication: move authorisation checks into a reusable platform layer so teams do not invent inconsistent AI access rules service by service.


NHI Mgmt Group analysis

SPIFFE standardisation has shifted the NHI problem from identity issuance to identity governance. Once a common workload identity standard is assumed, the competitive and operational differentiator is no longer how to mint credentials. It is how to constrain privilege, prove use, and govern runtime behaviour across services and AI agents. Practitioners should read the market shift as a sign that identity issuance alone is becoming table stakes.

Non-human identity sprawl is now the structural baseline, not an edge case. When an environment has roughly 80 non-human identities for every human identity, humans are no longer the dominant governance model. That ratio means service accounts, API keys, tokens, and workload credentials are the larger security surface, and every new AI agent adds to that existing burden. Practitioners should stop treating NHI governance as a subset of IAM and start treating it as the centre of it.

Least privilege remains the right principle, but the control failure is overtrust in human judgment. The article shows that many environments have relied on people to avoid dangerous actions even when permissions technically allowed them. That assumption collapses when the actor is an AI agent because there is no judgment layer, no hesitation, and no self-preservation instinct to dampen risky behaviour. The implication is that privilege design must no longer depend on discretionary restraint.

Shift down is the right operating model for AI authorisation, not shift left. Pushing every engineering team to implement its own identity and policy logic creates fragmented controls and inconsistent enforcement. A platform-level authorisation layer is the only scalable pattern when AI agents can trigger many actions from one request path. Practitioners should centralise decisioning so policy updates propagate uniformly.

Ephemeral agent identity trust debt is the new governance gap. Ephemeral actors can be authenticated cleanly, yet still carry unresolved trust assumptions about what they will do after authentication succeeds. The problem is not that the identity is untrusted at issuance. The problem is that runtime scope, tool use, and decision timing are not fully knowable when access is granted. Practitioners should re-evaluate whether their governance model assumes stable behaviour where none exists.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • For the broader control model, see Ultimate Guide to NHIs, Standards for the standards and framework alignment that underpins workload identity governance.

What this signals

Ephemeral credential trust debt: the more an organisation relies on short-lived identities without unified policy, the more it accumulates hidden assumptions about what those identities will do after authentication. Teams should watch for environments where credentials are easy to issue but hard to explain, because that is where AI agents and service accounts can outgrow governance faster than review cycles can respond.

With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the operational signal is clear: identity hygiene still lags architecture. That creates a widening gap between modern workload identity ambitions and the reality of how access is actually delivered.

Practitioners should prepare for a shift toward policy-as-platform and stronger workload attestation. The practical question is no longer whether an identity can be issued, but whether its permissions can be constrained, observed, and revoked cleanly across every runtime path.


For practitioners

  • Separate authentication from authorisation: Issue verifiable identities to workloads and agents, then enforce context-aware policy at request time. Do not treat a valid workload credential as proof that the requested action is acceptable.
  • Centralise policy for AI-enabled services: Move access decisions into a shared platform layer so service teams are not each building their own authorization logic, audit logging, and exception handling for agents.
  • Limit agent permissions to task-scoped actions: Define the exact resources, records, and operations an agent may use, then deny everything else by default. Reassess whether a request path needs database write access, ticket updates, and outbound messaging or only one of them.
  • Build forensic-grade observability into identity flows: Ensure each action is attributable to a specific workload identity, policy decision, and timestamp so auditors can reconstruct what happened without IP guessing or shared-account archaeology.
  • Use workload identity as the secure default: Replace hardcoded secrets, impersonated user accounts, and long-lived tokens with a standard workload identity pattern that applications can consume without friction.
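
The request-time decision described under "How fine-grained authorisation becomes the control plane" and in the practices above, as an added example (not code from Cerbos, the SPIFFE project, or the original article). The trust domain, the `Grant` shape, the `kind:id` resource naming and all sample values are assumptions, and the SPIFFE ID is assumed to have been authenticated upstream, for example from a verified SVID.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

TRUST_DOMAIN = "example.org"  # assumption: the only trust domain this platform accepts

@dataclass(frozen=True)
class Grant:
    spiffe_id: str          # workload identity, already authenticated upstream
    task: str               # the task this grant was issued for
    permissions: frozenset  # allowed (action, resource kind) pairs
    expires: datetime       # grants are time-bound

def trust_domain(spiffe_id):
    """Return the trust domain of a well-formed SPIFFE ID, else None."""
    u = urlsplit(spiffe_id)
    ok = (u.scheme == "spiffe" and u.netloc and u.path.strip("/")
          and not u.query and not u.fragment
          and "@" not in u.netloc and ":" not in u.netloc)
    return u.netloc if ok else None

def authorize(grants, spiffe_id, task, action, resource, now):
    """Decide one request and return its audit record; the default is DENY."""
    decision, reason = "DENY", "no grant covers this action"
    if trust_domain(spiffe_id) != TRUST_DOMAIN:
        reason = "identity not in accepted trust domain"
    else:
        kind = resource.split(":", 1)[0]
        for g in grants:
            if (g.spiffe_id, g.task) != (spiffe_id, task) or (action, kind) not in g.permissions:
                continue
            if now >= g.expires:
                reason = "grant expired"
                continue
            decision, reason = "ALLOW", "task-scoped grant"
            break
    # Every decision is attributable to an identity, a policy outcome and a timestamp.
    return {"time": now.isoformat(), "spiffe_id": spiffe_id, "task": task,
            "action": action, "resource": resource,
            "decision": decision, "reason": reason}

# Constructed sample: a ticket-triage agent may read and update tickets for 15 minutes.
T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
AGENT = "spiffe://example.org/agent/ticket-triage"
GRANTS = [Grant(AGENT, "triage", frozenset({("read", "ticket"), ("update", "ticket")}),
                T0 + timedelta(minutes=15))]

if __name__ == "__main__":
    for action, resource in [("update", "ticket:4711"), ("send", "email:customer-9"),
                             ("write", "db:orders")]:
        print(authorize(GRANTS, AGENT, "triage", action, resource, T0))
```

The same authenticated agent is allowed the ticket update and denied the outbound email and database write, which is the difference between a valid identity and an acceptable action.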

Key takeaways

  • Workload identity is becoming the baseline control for services and AI agents, but governance now depends on what those identities are allowed to do after they authenticate.
  • The article's core warning is that human-era assumptions about restraint and context do not survive machine-speed execution or dynamic tool use.
  • IAM teams should centralise policy, tighten scope, and improve observability now so agent and workload access can be explained, not merely granted.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The post centres on workload identity issuance and runtime abuse of non-human credentials. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Context-aware authorisation and continuous verification are central to the article's control model. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and access governance underpin the article's workload identity argument. |

Treat workload identities as first-class assets and enforce lifecycle controls before broad access is granted.


Key terms

  • Workload Identity: A workload identity is a cryptographically verifiable identity assigned to a service, container, or machine-run process. It replaces shared secrets and informal trust with an identity that can be authenticated, authorised, and audited consistently across environments.
  • Policy-Based Authorisation: Policy-based authorisation evaluates each access request against rules, context, and resource sensitivity before allowing an action. In NHI and agentic environments, it is the control that limits what a valid identity may do after authentication succeeds.
  • Non-Human Identity: A non-human identity is any machine-operated identity used by software, services, or autonomous systems to access data and tools. It includes service accounts, API keys, tokens, certificates, and AI agents, all of which require lifecycle and privilege governance.


This post draws on content published by Cerbos: Workload Identity Day 0 at KubeCon and the shift to AI agent governance. Read the original.

NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org