Agentic AI identity governance: can IAM keep up with agents?


(@nhi-mgmt-group)

TL;DR: AI agents are already powering hundreds of workflows and are expected to outnumber humans 80:1 in large enterprises, but most still operate without identity guardrails, according to Strata Identity. Traditional IAM assumptions break when identity, access, and audit must move at machine speed, not human pace.

NHIMG editorial — based on content published by Strata Identity: Field guide to agentic identity

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agent identities in enterprise environments?

A: Treat AI agents as governed identities with named owners, explicit delegated scope, and lifecycle controls.

Q: Why do AI agents create different identity risks than service accounts?

A: Service accounts are usually static identities with predictable access paths, while AI agents can change behaviour at runtime by choosing actions and tools in response to context.

Q: What breaks when AI agents are added to an IAM programme without new controls?

A: Visibility breaks first, followed by auditability and accountability.

Practitioner guidance

  • Inventory every AI agent as a governed identity: Create a complete agent registry that captures purpose, owner, delegated scope, connected tools, and retirement criteria.
  • Apply on-behalf-of delegation with bounded scope: Bind agent actions to an initiating principal and enforce task-scoped permissions rather than broad reusable access.
  • Centralise policy with identity orchestration: Use one control layer to coordinate access decisions across cloud, on-premises, and disconnected systems.

What's in the full article

Strata Identity's full guide covers the operational detail this post intentionally leaves for the source:

  • How the Agent Fabric and registry are used to inventory and govern agent identities across environments
  • How Identity Orchestration is positioned to centralise policy enforcement without rewriting applications
  • How on-behalf-of delegation is described for traceable agent behaviour and least-privilege access
  • How the six identity functions evolve for agentic systems, including authentication, authorisation, and audit

👉 Read Strata Identity's guide to agentic identity and AI agent governance →

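The registry and on-behalf-of delegation from the practitioner guidance above, sketched as an added example that is not part of the original post or of Strata Identity's guide. The field names, the `authorize` function, the date-based retirement criterion and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class AgentRecord:  # registry entry; field names are assumptions
    agent_id: str
    purpose: str
    owner: str
    delegated_scope: frozenset
    connected_tools: frozenset
    retire_on: date  # retirement criterion modelled here as a date

@dataclass(frozen=True)
class Delegation:  # one task-scoped, on-behalf-of grant
    principal: str
    agent_id: str
    task_scope: frozenset
    expires: date

def authorize(registry, principal_perms, grant, tool, action, today, audit):
    """Decide one agent action and log agent, owner and initiating principal."""
    agent = registry.get(grant.agent_id)
    if agent is None:
        reason = "agent not in registry"
    elif not agent.owner:
        reason = "agent has no named owner"
    elif today >= agent.retire_on:
        reason = "agent past retirement date"
    elif today > grant.expires:
        reason = "delegation expired"
    elif tool not in agent.connected_tools:
        reason = "tool not registered for agent"
    else:
        # Effective scope is an intersection: the agent never exceeds its
        # registered scope, the task scope, or the principal's own rights.
        effective = (agent.delegated_scope & grant.task_scope
                     & principal_perms.get(grant.principal, frozenset()))
        reason = "ok" if action in effective else "action outside effective scope"
    audit.append({"agent": grant.agent_id, "owner": agent.owner if agent else None,
                  "on_behalf_of": grant.principal, "tool": tool,
                  "action": action, "allowed": reason == "ok", "reason": reason})
    return reason == "ok"

# Constructed sample data (not from the source article).
REGISTRY = {"invoice-bot": AgentRecord(
    "invoice-bot", "reconcile invoices", "finance-ops",
    frozenset({"invoice:read", "invoice:approve"}),
    frozenset({"erp"}), date(2030, 1, 1))}
PRINCIPAL_PERMS = {"alice": frozenset({"invoice:read", "hr:read"})}
GRANT = Delegation("alice", "invoice-bot",
                   frozenset({"invoice:read", "invoice:approve"}), date(2029, 1, 1))
```

Every decision, including denials for unregistered agents, lands in the audit list with the initiating principal attached, which is what keeps agent actions attributable.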