By NHI Mgmt Group Editorial Team
Published 2026-05-15
Domain: Agentic AI & NHIs
Source: Defakto Security

TL;DR: Anthropic’s support for Workload Identity Federation pushes AI agents toward short-lived, cryptographically verifiable credentials instead of API keys, according to Defakto Security. The shift makes identity a central control for agent authentication, but it also exposes the deeper need for federated authorization, on-behalf-of context, and real-time policy.


At a glance

What this is: This is an independent analysis of why workload identity federation is becoming the baseline for AI agent authentication and what that changes for identity governance.

Why it matters: It matters because IAM teams now have to govern AI agents as first-class non-human identities, with federation, auditability, and runtime authorization replacing long-lived secrets and key sprawl.



Context

Workload identity federation replaces long-lived API keys with short-lived, cryptographically verifiable credentials that can be evaluated by enterprise identity systems. In this article, that shift is presented as the point where AI agent authentication starts to resemble the rest of the enterprise identity stack, rather than an exception sitting outside it.

The governance problem is not just credential format. It is whether AI agents are treated as first-class non-human identities with auditable federation, runtime authorization, and clear accountability across the tools and systems they touch. Without that model, secret sprawl, key rotation, and fragmented access control remain the default.


Key questions

Q: How should security teams replace API keys for AI agents?

A: Security teams should replace API keys with short-lived federated identities wherever the target service supports them. The goal is to remove standing secrets from agent workflows and shift trust to verifiable identity assertions, policy checks, and lifecycle-managed access. That reduces blast radius, improves auditability, and makes compromise far less persistent.

Q: Why do AI agents complicate traditional authorization models?

A: AI agents complicate traditional authorization because a valid credential does not describe intent, delegation, or the current task context. Agents may act on behalf of users, chain through other systems, and make decisions faster than periodic review cycles can capture. That makes static access lists too blunt for real governance.

Q: What breaks when agent identity stays outside enterprise IAM?

A: When agent identity sits outside enterprise IAM, organisations lose consistent lifecycle control, policy enforcement, and audit trail quality. Each platform ends up inventing its own credential pattern, which increases secret sprawl and weakens accountability. The result is a parallel identity estate that is harder to govern than the rest of the environment.

Q: Who should own governance for workload identity in AI systems?

A: Governance for workload identity in AI systems should sit with the identity or security team that already owns non-human identity, access policy, and lifecycle controls. If AI agents are treated as a separate class, enterprises usually create duplicated controls and fragmented accountability. The better model is one governance plane for all non-human identities.


Technical breakdown

Why API keys break down for AI agents

API keys are static bearer secrets, so anyone who obtains one can usually use it until it is revoked. That model was tolerable for low-frequency service integrations, but it becomes fragile when agents operate continuously across multiple tools and services. The problem is not only theft. Keys create standing access, weak attribution, and high blast radius when they leak through logs, code, or third-party platforms. Workload identity federation changes the credential shape by binding access to a verifiable identity assertion rather than a reusable secret. That shifts the control point from secret custody to identity trust and token exchange.

Practical implication: replace long-lived API keys for agent workloads with federated identities wherever the target platform supports them.

How workload identity federation changes agent authentication

Workload identity federation lets an agent present a short-lived token derived from an external identity provider instead of carrying a stored secret. In practice, that means the platform receiving the request can validate who the agent is, where it ran, and whether the credential was issued within policy. This is fundamentally different from vaulting a key, because vaulting still leaves a static secret in circulation. Federation also makes the agent portable across clouds, enterprise services, and, increasingly, MCP-connected tools, without creating per-platform key silos. The security value comes from verifiable, ephemeral trust, not from hiding a password-equivalent string better.

Practical implication: use federation as the default authentication pattern for agent-to-service access, then layer policy and attestation on top.

Why authorization still has to sit above the token

A token proves identity, not intent. Once agents can authenticate federatively, the harder problem becomes deciding what that identity may do in a given context. Defakto Security’s point is that authorization cannot be reduced to the presence of a valid credential, because agents may act on behalf of users, across chains of systems, and at machine speed. That means the enterprise still needs dynamic authorization, on-behalf-of context, and policy evaluation per request. Federation solves the login problem for agents, but not the governance problem of scope, delegation, and accountability.

Practical implication: keep authorization decisions separate from authentication and require contextual policy checks for every agent action.


NHI Mgmt Group analysis

API keys are an identity debt instrument, not a security control. Once AI agents depend on long-lived keys, organisations inherit standing privilege, weak attribution, and a recovery burden every time a third party is compromised. Vaulting and rotation reduce exposure, but they do not change the underlying model that treats agent access as a reusable secret. Practitioners should read that as a structural governance failure, not a tooling gap.

Workload identity federation moves AI agents into the enterprise identity plane where they belong. The important change is not just shorter credential lifetime. It is that agent authentication becomes legible to existing identity infrastructure, policy engines, and audit systems instead of living in a parallel secret-management stack. That is why the topic belongs in NHI governance rather than in a standalone AI platform conversation.

On-behalf-of context is now a governance requirement, not a nice-to-have audit field. When an agent acts for a user, and possibly through other agents, the enterprise needs to preserve the delegation chain across authentication and authorization decisions. Without that context, incident response can identify the action but not the accountable principal behind it. Practitioners should treat delegation traceability as part of identity design, not logging decoration.

Dynamic authorization is the control pattern that completes federation for agents. The article correctly positions federation as a baseline, because a valid credential alone does not solve scope drift, chained delegation, or real-time access decisions. The field is moving toward a model where identity is verifiable at runtime and permission is continuously evaluated against policy, context, and current task state. Practitioners should re-evaluate static access lists as the primary guardrail for agentic systems.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
  • Build out the governance model in Ultimate Guide to NHIs before agent deployment expands the audit gap further.

What this signals

Ephemeral credential trust debt: the longer an organisation keeps AI agents on API keys, the more it accrues a hidden governance liability that shows up only when keys leak, tools are compromised, or customers are forced into emergency rotation. With 80% of organisations already reporting agent behaviour beyond intended scope, the programme question is no longer whether to modernise identity, but how fast the identity estate can absorb agents without creating a second secret-management stack.

The practical next step is to align workload identity, policy enforcement, and audit evidence under one NHI operating model. That means treating federated agent authentication as the starting point, then tying it to lifecycle controls, delegated access traces, and per-request authorization checks across cloud and internal systems.

Enterprises that already manage service accounts and workload identity should use that maturity as the control baseline for AI agents, not as an optional future phase. The gap to watch is not authentication alone, but whether the same identity plane can preserve accountability when the agent acts on behalf of a user through multiple downstream tools.


For practitioners

  • Retire long-lived API keys for agent workloads: Inventory every AI agent and service integration that still depends on a reusable secret. Replace those paths with short-lived federated credentials wherever the target platform can validate external identity assertions.
  • Move agent identity into the enterprise NHI stack: Assign ownership for agent authentication to the same governance team that manages workload identity, service accounts, and other non-human identities. Avoid building a separate identity lifecycle for agents.
  • Preserve on-behalf-of context across delegation chains: Record the originating user, intermediate agents, and final executing identity in a way that survives authentication, authorization, and incident review. Without that chain, accountability breaks at the point of action.
  • Require dynamic authorization for every agent request: Evaluate each request against current policy, current context, and the specific resource being accessed. Do not let a valid token become a blanket permission to act.
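The authentication/authorization split from the technical breakdown, and the on-behalf-of and per-request checks from the two items above, as an added example written for this summary (not Defakto Security's or Anthropic's code): a service accepts a short-lived federated assertion, rejects it unless signature, issuer, audience and expiry all check out, then evaluates policy per request and keeps the delegation chain in its decision record. The issuer and audience URLs, agent and user names, the `obo_chain` claim and the shared HMAC key are constructed assumptions; a real identity provider signs with asymmetric keys published via JWKS.

```python
import base64, hashlib, hmac, json

# Constructed demo values (not from the article). A shared HMAC key stands in for the
# identity provider's signing key; real federation uses asymmetric keys published via JWKS.
IDP_KEY = b"demo-idp-signing-key"
TRUSTED_ISSUER = "https://idp.example.internal"
THIS_SERVICE = "https://api.example.internal"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(claims: dict) -> str:
    """IdP side: sign a short-lived assertion (JWT-like compact form, HMAC-SHA256)."""
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())

def verify(token: str, now: int) -> dict:
    """Service side: signature, issuer, audience and expiry must all pass; no static key."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise PermissionError("untrusted issuer")
    if claims.get("aud") != THIS_SERVICE:
        raise PermissionError("token not issued for this service")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims

# Policy keyed by (executing agent, resource, action) -> originating users it may act for.
POLICY = {("agent:ticket-bot", "tickets", "read"): {"user:alice", "user:bob"},
          ("agent:ticket-bot", "tickets", "write"): {"user:alice"}}

def request(token: str, resource: str, action: str, now: int) -> dict:
    """Authenticate, then authorize per request; return the decision with its audit record."""
    claims = verify(token, now)
    # "obo_chain" is a constructed claim: originating user first, then intermediate agents.
    chain = claims.get("obo_chain", [])
    originating_user = chain[0] if chain else None
    allowed = originating_user in POLICY.get((claims["sub"], resource, action), set())
    return {"allowed": allowed, "agent": claims["sub"], "on_behalf_of": originating_user,
            "chain": chain + [claims["sub"]], "resource": resource, "action": action}
```

A token that verifies but carries no originating user is denied, and the same valid token is denied for an action its originating user is not entitled to, which is the point that a credential is not a blanket permission.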

Key takeaways

  • AI agents authenticated with API keys create standing-secret risk that federated identities are designed to remove.
  • The evidence now shows a large audit gap, with only 52% of organisations able to track and review what their AI agents access.
  • Practitioners should treat workload identity federation as the baseline and dynamic authorization as the control that completes it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Agent identity and tool access are central to this article's authentication model.
OWASP Non-Human Identity Top 10 | NHI-03 | The article directly addresses replacing long-lived credentials with federated identities.
NIST CSF 2.0 | PR.AC-4 | Authorization and accountability depend on access control tied to current context.

Use short-lived, federated credentials for agent access and eliminate standing secrets where possible.


Key terms

  • Workload Identity Federation: A method of letting a workload prove who it is by exchanging an external identity assertion for a short-lived credential. In agentic environments, it reduces reliance on reusable secrets and lets enterprise identity systems validate access through existing trust relationships and policy controls.
  • On-behalf-of Context: The delegation information that shows which user, service, or agent initiated an action and which identities acted in the chain. It matters because agent authentication alone does not explain accountability, and without this context incident response cannot reliably trace who caused the change.
  • Dynamic Authorization: Authorization decisions made at request time using current identity, policy, and context rather than static access assignments. For AI agents, it is the control that limits scope when behaviour changes across tasks, tools, or downstream systems.
  • Non-Human Identity: An identity used by software rather than a person, including service accounts, API keys, tokens, certificates, and AI agents. In governance terms, it needs lifecycle control, auditability, and least privilege just as human identity does, but with different runtime behaviour and failure modes.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, agentic AI identity, machine identity security, IAM, human identity, identity lifecycle, secrets management, and workload identity. If you are responsible for identity strategy, governance, or operational control in your organisation, it is worth exploring.

This post draws on content published by Defakto Security: The agentic era just got the authentication model it needs. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org