TL;DR: Identity programmes now have to govern humans and delegated or autonomous agents through the same access, audit, and step-up model, while joining Twilio will extend its identity stack, agent-ready integrations, and fraud controls into a broader communications and data environment, sharpening support for AI agents and context-aware applications, according to Stytch.
At a glance
What this is: Stytch’s move into Twilio reframes identity as a shared control plane for human users and AI agents, with emphasis on scoped auth, fraud prevention, and channel-aware trust.
Why it matters: IAM, IGA, and security teams need to reassess how delegated access, step-up, and audit trails work when applications must recognise both people and agentic systems.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
👉 Read Stytch’s blog post on joining Twilio and supporting AI agent identity
Context
Stytch’s acquisition by Twilio is less about a product announcement than about where identity control is moving: from human login flows toward mixed environments where applications must handle people, delegated agents, and automated actions in the same trust model. That shift matters because identity no longer ends at authentication, it has to extend into authorisation, audit, and abuse prevention for whatever initiates the request.
For identity teams, the pressure point is not whether AI agents will exist in the stack. It is whether the existing IAM, PAM, and lifecycle model can distinguish between a human session, a delegated token, and an autonomous runtime action without creating blind spots. The article points to scoped permissions, human-in-the-loop step-up, and agent-ready auth as the relevant design primitives, which places this squarely in the NHI and agentic identity governance domain.
Key questions
Q: How should security teams handle delegated access when AI agents act on behalf of customers?
A: Security teams should treat delegated access as a separate governance layer, not as a normal login session. Define what the agent can do, how much value it can move, which approvals are required, and how delegation is revoked. Without those boundaries, the agent inherits more authority than the customer intended and fraud risk expands quickly.
Q: Why do local AI agents complicate identity and access management?
A: They can retain legitimate permissions while changing timing, prioritisation, and action sequence outside human presence. That means the visible identity may remain stable even as the operational behaviour becomes autonomous. IAM teams then lose the simple link between user session, authorisation, and accountability.
Q: What breaks when scoped tokens are reused across human and agent workflows?
A: Reusing tokens across human and agent workflows destroys attribution, makes audit trails ambiguous, and creates privilege creep in places where the original intent is no longer visible. The same credential can end up representing different actors and different purposes, which weakens both fraud detection and access review.
Q: Who is accountable when a compromised AI agent misuses delegated access?
A: Accountability usually spans the business owner of the workflow, the team that issued or approved the credential, and the vendor if a third-party integration was involved. The critical governance question is not who logged in, but who allowed the delegation chain to exist and remain valid. That chain must be documented before incidents occur.
Technical breakdown
Scoped tokens and fine-grained permissions for agent access
When an application has to support AI agents, broad user sessions are too coarse. Scoped tokens limit what a delegated actor can do, while fine-grained permissions separate read, write, and action-specific access. That matters because an agent may need to call a tool, read a record, or trigger a workflow without inheriting the full rights of the human who initiated it. In practice, the security challenge is not just issuing a token but binding it to purpose, duration, and auditability.
Practical implication: Treat every agent token as a constrained non-human identity and map it to explicit task scope, not user convenience.
Human-in-the-loop step-up in delegated and autonomous workflows
Step-up is the control that interrupts risky actions and asks for additional verification before the system proceeds. In mixed human-agent flows, it becomes the boundary between routine delegation and high-risk action. If the application cannot tell whether the next action is still within the delegated intent, step-up must be triggered by context, not just by login state. That is especially relevant where an AI agent operates under partial delegation but can still attempt sensitive actions.
Practical implication: Define the exact events that must force step-up, then test them against delegated agent behaviour rather than human-only journeys.
Channel-aware identity and reputation signals
Channel-aware identity combines authentication with the surrounding trust context, such as phone reputation, email reputation, device signals, and abuse patterns. The article’s emphasis on communications infrastructure and reputation graphs points to a broader control pattern: identity decisions increasingly depend on how the user or agent arrives, not just on credentials alone. This helps reduce fraud, but it also expands the number of signals that need governance and ongoing validation.
Practical implication: Correlate identity signals with channel risk and treat reputation data as part of your access decisioning model, not a separate fraud tool.
Threat narrative
Attacker objective: The objective is to gain trusted access that can be used for abuse, fraud, or unauthorised actions without triggering obvious authentication failures.
- Entry occurs through a legitimate sign-up, login, or delegated agent flow that appears valid at the point of request but may hide abuse intent. Escalation follows when a scoped credential is used beyond the original context or when a trusted channel is exploited for fraud or account takeover. Impact arrives as unauthorised actions, account abuse, or fraudulent transactions that still look like ordinary identity activity in the logs.
Breaches seen in the wild
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
- Replit AI Tool Database Deletion — Replit vibe coding AI assistant deletes live production database and creates 4,000 fake user records.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Stytch’s move signals that identity for AI agents is becoming a first-class governance problem, not a feature request. The important change is not communication scale alone, but the need to authenticate and authorise non-human actors alongside people in the same application journey. That places scoped delegation, audit, and step-up under one identity model rather than separate fraud and IAM workflows, which is now the practitioner baseline.
Channel reputation is becoming part of identity assurance, but it does not replace access governance. Phone and email reputation can improve trust decisions, yet reputation data only tells you about the path into the system, not whether the resulting privilege is appropriate. Organisations that treat reputation as an access control will overestimate their protection and miss abuse that originates from a valid but overbroad grant.
Agent-ready auth will expose the difference between delegated access and autonomous behaviour. A human can delegate a task, but an agent can repeat, chain, or re-trigger actions at runtime in ways that outgrow the original intent. That means the governance model must distinguish who approved the access from what the runtime actor is allowed to do, or accountability will blur across the delegation chain.
Identity convergence is now the market direction, but convergence increases the blast radius of bad assumptions. When authentication, fraud prevention, and application access share data and controls, weak lifecycle hygiene or unclear scope boundaries become easier to propagate across the stack. The implication for practitioners is that convergence only works if entitlements, audit evidence, and offboarding remain precise across human and non-human identities.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- From our research: 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- For a broader view of identity sprawl, Ultimate Guide to NHIs shows why visibility and privilege control have become baseline requirements, not optional hardening.
What this signals
Identity convergence is pushing IAM teams toward a single governance model for people, service identities, and agents. That model will only hold if inventory, scope, and offboarding are treated as one lifecycle problem instead of three disconnected workflows. The organisations that succeed will be the ones that can prove who or what acted, under which policy, and for how long.
Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs, which means most teams are still blind to the non-human layer that agentic applications will inherit. If your programme cannot inventory machine identities today, it will struggle to govern delegated AI access tomorrow. The first step is to make non-human identity visibility a prerequisite for any agent rollout.
For practitioners
- Define separate policy paths for human and agent sessions Classify every incoming identity event by actor type before it reaches access logic. Human login, delegated token use, and agent-triggered action should not share the same approval path unless the policy explicitly allows it.
- Bind agent credentials to task scope and expiry Issue scoped tokens with short duration, explicit resource boundaries, and revocation hooks tied to the task lifecycle. Avoid reusable credentials that outlive the action they were created to support.
- Add step-up controls for high-risk delegated actions Require additional verification before payouts, account changes, role changes, or data export when an agent or delegated session attempts them. Test the step-up logic against both normal and abuse paths.
- Correlate reputation data with IAM evidence Use phone, email, and device reputation as input to policy decisions, but keep access decisions anchored in identity evidence, permissions, and audit logs. Reputation should influence trust, not replace authorisation.
- Review lifecycle offboarding for non-human identities Ensure APIs, service credentials, and delegated tokens are revoked when application relationships or agent workflows change. Build offboarding into the same governance process used for privileged human access.
Key takeaways
- This announcement reflects a broader shift: identity now has to govern both human actions and non-human application behaviour in the same control framework.
- Channel trust and reputation signals can improve fraud decisions, but they do not remove the need for scoped permissions, audit, and step-up controls.
- Teams should assume that AI agents will stress existing IAM and lifecycle assumptions long before they stress authentication alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | The article centers on agent-ready auth and delegated runtime behaviour. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Scoped tokens, revocation, and lifecycle control are central NHI concerns here. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and authentication assurance underpin the trust model described. |
| NIST Zero Trust (SP 800-207) | Section 2.1 | Zero Trust principles fit the article’s emphasis on continuous verification and scoped access. |
| NIST AI RMF | GOVERN | Agent governance and accountability matter if AI systems act on behalf of users. |
Map agent access to scoped authorisation boundaries and review any tool-use path that can act without human gating.
Key terms
- Persistent Token: A persistent token is a credential that remains valid across sessions and can continue authorizing access until it is revoked or expires. These tokens are risky in AI and SaaS environments because they often outlive the original workflow and are hard to track consistently.
- Step-up Authentication: Step-up authentication is an additional verification step triggered when a session becomes higher risk or a user attempts a sensitive action. It is used to reduce exposure without forcing extra friction across every interaction, which makes it useful for runtime access governance.
- Channel Reputation: Channel reputation is the trust signal derived from the history and risk profile of a phone number, email address, or similar communication path. It helps detect abuse patterns, but it does not prove authorisation or reduce the need for access governance and audit.
- Delegated Identity: Delegated identity is when one actor acts on behalf of another with explicit permission and bounded authority. In AI-assisted commerce, it requires clear consent, limited scope, and traceable records so the retailer can distinguish authorised delegation from unauthorised automation.
What's in the full analysis
Stytch’s full blog post covers the operational detail this post intentionally leaves for the source:
- How the combined identity stack is positioned for AI agents, including scoped tokens and step-up patterns.
- The communications and reputation data inputs used to strengthen fraud and abuse decisions.
- What customers should expect around SDKs, API keys, pricing, and integration continuity.
- How the publisher frames support for Claude Connectors, ChatGPT Apps, and remote MCP servers.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity security programme, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org