Agentic AI access control: what static IAM gets wrong

TL;DR: Agentic AI systems are generating 148 times more authentication requests than human users and 60% of enterprises are expected to use AI agents within a year, creating authorization blind spots that legacy RBAC and OAuth cannot absorb, according to PlainID and CSA. Static permissions and context-blind access checks are no longer adequate when agents act at machine speed.

NHIMG editorial — based on content published by PlainID: Challenging the Status Quo: Why Agentic AI Demands a New Approach to Access Control

By the numbers:

• 60% of enterprises are expected to utilize AI agents within the next year.

Questions worth separating out

Q: How should security teams govern access for AI agents that change tasks at runtime?

A: Security teams should govern AI agents with task-scoped permissions, runtime policy checks, and logging that ties each action back to the initiating context.

Q: Why do static IAM roles create risk for agentic AI?

A: Static IAM roles create risk because they assume the identity's purpose is known in advance and will not change mid-session.

Q: What breaks when delegated access is used for autonomous agent workflows?

A: Delegated access breaks down when the organisation cannot tell whether a downstream action still matches the original approved intent.

Practitioner guidance

• Map agent permissions to task scope, not job titles Replace broad, static role grants with narrowly bounded permissions tied to the specific action the agent is allowed to perform and the data it is allowed to touch.
• Add runtime policy checks before sensitive actions Evaluate the request in context at the point of use, including data sensitivity, request volume, time of action, and whether the current action still matches the original intent.
• Track delegation lineage across sub-agents Log the initiating identity, each handoff, and every downstream tool call so investigators can reconstruct who caused the final action even when execution is distributed.

What's in the full article

PlainID's full article covers the operational detail this post intentionally leaves for the source:

• The article's deeper explanation of why context-blind RBAC and OAuth break down for agentic workflows.
• PlainID's framing of the confused deputy problem and how it appears in AI agent behaviour.
• The vendor's discussion of dynamic authorization concepts that go beyond this post's governance analysis.

👉 Read PlainID's analysis of why agentic AI needs dynamic access control →

Agentic AI access control: what static IAM gets wrong?

Explore further

View Full Forum →  |  NHI Foundation Course →