TL;DR: Agentic AI systems can plan and act independently, which makes traditional transactional IAM models too rigid for safe governance, according to Token Security’s discussion with Webflow CISO Ty Sbano and CEO Itamar Apelblat. Access control must shift toward intent-aware permissions, tighter observability, and clearer lifecycle ownership because agent behaviour can drift, overshoot, or bypass expected scope.
NHIMG editorial — based on content published by Token Security: Securing Agentic AI: Defining Permissions for Unpredictable AI Agents
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems.
Questions worth separating out
Q: How should security teams implement policy-based permissions for AI agents?
A: Start by defining the agent's task boundary, then map the data sources, tools, and actions that are explicitly allowed inside that boundary.
Q: Why do agentic AI systems complicate traditional IAM controls?
A: They complicate IAM because the actor can choose actions at runtime rather than following a fixed, human-approved path.
Q: How do organisations know whether AI agent access is actually controlled?
A: They need to prove three things: the agent has a named owner, every action is logged with enough context to explain why it happened, and the permitted scope is narrow enough that unsafe tool chains cannot form silently.
Practitioner guidance
- Classify AI agents as a distinct identity population Place agent identities into IAM and IGA inventories with explicit ownership, business purpose, and data access boundaries so they are not hidden inside generic automation records.
- Define policy boundaries for agent tool use Restrict which systems, datasets, and actions each agent can reach, and express those limits in context-aware policy rather than broad standing access.
- Tie every agent action to an accountable owner Require named business and technical owners for each agent, with escalation paths for unusual behaviour, policy exceptions, and retirement decisions.
What's in the full article
Token Security's full post covers the operational detail this post intentionally leaves for the source:
- Speaker commentary from Token Security CEO Itamar Apelblat and Webflow CISO Ty Sbano on how they frame agentic AI permissions
- Examples of how RBAC, ABAC, and PBAC differ when applied to unpredictable AI agent behaviour
- Discussion of observability, auditing, and accountability patterns for agents that act across multiple systems
- The article's FAQ section on prompt injection, API misuse, recursive loops, output poisoning, and multi-agent collusion
👉 Read Token Security's analysis of agentic AI permissioning and guardrails →
Agentic AI permissioning: what IAM teams need to rethink?
Explore further
Agentic AI is not a variant of automation, it is a new identity governance problem. The article's core distinction is that these systems can plan, choose tools, and act without a person approving each step. That means access decisions are no longer just about who can log in, but about what an actor can decide to do next. Practitioners should treat agentic behaviour as a governance class of its own, not as a workflow shortcut.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: Who is accountable when an AI agent exceeds its intended scope?
A: Accountability should sit with the business owner of the agent, the technical team that enabled its access, and the governance function that approved its lifecycle. If ownership is ambiguous, the programme has already failed, because an autonomous actor without clear accountability cannot be governed after the fact.
👉 Read our full editorial: Agentic AI permissioning exposes the limits of traditional IAM