Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic AI identity governance: can IAM keep up with agents?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI agents are already powering hundreds of workflows and are expected to outnumber humans 80:1 in large enterprises, but most still operate without identity guardrails, according to Strata Identity. Traditional IAM assumptions break when identity, access, and audit must move at machine speed, not human pace.

NHIMG editorial — based on content published by Strata Identity: Field guide to agentic identity

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agent identities in enterprise environments?

A: Treat AI agents as governed identities with named owners, explicit delegated scope, and lifecycle controls.

Q: Why do AI agents create different identity risks than service accounts?

A: Service accounts are usually static identities with predictable access paths, while AI agents can change behaviour at runtime by choosing actions and tools in response to context.

Q: What breaks when AI agents are added to an IAM programme without new controls?

A: Visibility breaks first, followed by auditability and accountability.

Practitioner guidance

  • Inventory every AI agent as a governed identity Create a complete agent registry that captures purpose, owner, delegated scope, connected tools, and retirement criteria.
  • Apply on-behalf-of delegation with bounded scope Bind agent actions to an initiating principal and enforce task-scoped permissions rather than broad reusable access.
  • Centralise policy with identity orchestration Use one control layer to coordinate access decisions across cloud, on-premises, and disconnected systems.

What's in the full article

Strata Identity's full guide covers the operational detail this post intentionally leaves for the source:

  • How the Agent Fabric and registry are used to inventory and govern agent identities across environments
  • How Identity Orchestration is positioned to centralise policy enforcement without rewriting applications
  • How on-behalf-of delegation is described for traceable agent behaviour and least-privilege access
  • How the six identity functions evolve for agentic systems, including authentication, authorisation, and audit

👉 Read Strata Identity's guide to agentic identity and AI agent governance →

Agentic AI identity governance: can IAM keep up with agents?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI agent identity is now a governance category, not a feature request. Once agents can act across workflows, access is no longer a simple entitlement problem. It becomes a question of whether the identity layer can describe, constrain, and audit independent runtime behaviour. Practitioners should treat agent identity as its own control domain, adjacent to but distinct from human IAM and classic workload identity.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who should own AI agent governance in the identity stack?

A: Ownership should sit with identity and security teams together, because agent governance spans access policy, audit, lifecycle, and platform integration. It cannot live only in application teams or only in infrastructure operations. The right model is shared accountability with a single control plane for policy and revocation.

👉 Read our full editorial: Agentic AI identity governance needs machine-speed control models



   
ReplyQuote
Share: