TL;DR: AI agents are dynamic, ephemeral and autonomous, so the source article (Strata Identity) argues they need identity controls at every step: OIDC authentication, just-in-time (JIT) provisioning, policy evaluation, and human approval for sensitive actions. The core issue is that legacy IAM assumes fixed, long-lived identities, while agentic work creates delegation chains and runtime decisions that existing non-human identity (NHI) models do not cover.
NHIMG editorial — based on content published by Strata Identity: the agentic identity flow and how identity controls need to change for AI agents
By the numbers:
- By 2026, 30% of enterprises will rely on AI agents that act independently, triggering transactions and completing tasks on behalf of humans or systems.
Questions worth separating out
Q: How should security teams govern AI agents that can act on behalf of users?
A: Security teams should govern AI agents as delegated actors with explicit subject-actor binding, task-scoped authority and step-up approval for sensitive actions.
Q: Why do AI agents expose gaps in existing NHI governance?
A: AI agents expose gaps because many NHI controls assume fixed scopes, stable credentials and predictable task boundaries.
Q: What breaks when agent identities are not provisioned just in time?
A: Without just-in-time provisioning, agent identities accumulate like any other standing account, which increases exposure, permission drift and audit noise.
Practitioner guidance
- Map subject, actor and delegation chains: inventory every agentic workflow so the human, delegating agent and executing agent are explicitly linked in policy, logs and approvals.
- Convert standing agent access into task-scoped identities: issue agent credentials with TTL, purpose, risk and delegation context, then retire them automatically when the task ends.
- Gate sensitive actions with step-up approval: require liveness validation and human confirmation for actions that touch payments, production data or entitlements.
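The three guidance points above are one control loop: bind the chain, scope the credential, gate the sensitive step. The policy decision point below is an added example written for this post; it is not Strata Identity's or NHIMG's code and not the PDP the source article describes. It assumes the agent credential is a JWT-style claims dictionary whose `sub`, `act`, `iat` and `exp` follow RFC 7519 and RFC 8693 (nested `act` claims carry the delegation chain, current actor outermost), and it invents the claim names `purpose` and `risk`, the agent registry, the action names, the `user:`/`agent:` naming scheme and the approval record shape for illustration. Signature verification of the token is deliberately left out; a real PDP would do that before reading any claim.

```python
"""Added example (not Strata Identity's or NHIMG's code): a minimal policy
decision point for agentic actions. It checks a task-scoped agent credential
for TTL, purpose and an explicit human -> agent delegation chain, and withholds
sensitive actions until a fresh, liveness-checked human approval exists.
Claim names `purpose` and `risk`, the registry, the action names and the
approval record are assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MAX_TTL_SECONDS = 15 * 60                          # task-scoped: minutes, not months
MAX_DELEGATION_DEPTH = 2                           # human -> planner -> executor
APPROVAL_MAX_AGE = 5 * 60                          # step-up approval must be fresh
SENSITIVE_ACTIONS = {"payments:transfer", "prod:db:write", "iam:grant"}
KNOWN_AGENTS = {"agent:planner", "agent:executor"}  # assumed agent registry


@dataclass
class Decision:
    allow: bool
    reason: str
    step_up_required: bool = False
    audit: Optional[dict] = None   # subject, actors and action, ready for the log


def delegation_chain(claims: dict) -> list:
    """Return [human subject, first actor, ..., current actor].

    RFC 8693 nests the *current* actor as the outermost `act` and earlier
    delegators inside it, so we collect inwards and reverse the actor list.
    """
    actors = []
    node = claims.get("act")
    while node is not None:
        actors.append(node["sub"])
        node = node.get("act")
    return [claims["sub"], *reversed(actors)]


def _approval_valid(approval: Optional[dict], subject: str, action: str, now: int) -> bool:
    """Approval counts only if the same human, for this action, liveness-checked, recently."""
    return (
        approval is not None
        and approval.get("approver") == subject
        and approval.get("action") == action
        and approval.get("liveness_verified") is True
        and now - approval.get("at", 0) <= APPROVAL_MAX_AGE
    )


def evaluate(claims: dict, action: str, now: int, approval: Optional[dict] = None) -> Decision:
    chain = delegation_chain(claims)
    audit = {"subject": chain[0], "actors": chain[1:], "action": action, "at": now}

    # 1. Task-scoped lifetime: reject expired tokens and tokens minted with a standing-account TTL.
    if now >= claims["exp"]:
        return Decision(False, "credential expired", audit=audit)
    if claims["exp"] - claims["iat"] > MAX_TTL_SECONDS:
        return Decision(False, "credential TTL exceeds task-scoped maximum", audit=audit)

    # 2. Delegation chain: a human at the root, only registered agents, bounded depth.
    if not chain[0].startswith("user:"):
        return Decision(False, "no human subject at root of delegation chain", audit=audit)
    if not chain[1:]:
        return Decision(False, "agent action without an actor (act) claim", audit=audit)
    if len(chain) - 1 > MAX_DELEGATION_DEPTH:
        return Decision(False, "delegation chain too deep", audit=audit)
    unknown = [a for a in chain[1:] if a not in KNOWN_AGENTS]
    if unknown:
        return Decision(False, f"unregistered actor(s): {unknown}", audit=audit)

    # 3. Purpose binding: the action must fall inside the purpose the token was minted for.
    if action not in claims.get("purpose", []):
        return Decision(False, f"action {action} outside credential purpose", audit=audit)

    # 4. Step-up: sensitive or high-risk actions need a fresh human approval from the same subject.
    if action in SENSITIVE_ACTIONS or claims.get("risk") == "high":
        if not _approval_valid(approval, chain[0], action, now):
            return Decision(False, "human approval required", step_up_required=True, audit=audit)
        audit["approved_by"] = approval["approver"]
    return Decision(True, "allowed", audit=audit)


# Constructed sample credential: alice delegated to a planner agent, which delegated to an executor.
NOW = 1_700_000_000
TOKEN = {
    "sub": "user:alice",
    "act": {"sub": "agent:executor", "act": {"sub": "agent:planner"}},
    "iat": NOW - 60,
    "exp": NOW + 540,                               # 10-minute task credential
    "purpose": ["crm:read", "payments:transfer"],
    "risk": "medium",
}
APPROVAL = {"approver": "user:alice", "action": "payments:transfer",
            "liveness_verified": True, "at": NOW - 30}

if __name__ == "__main__":
    for act, appr in [("crm:read", None), ("payments:transfer", None), ("payments:transfer", APPROVAL)]:
        d = evaluate(TOKEN, act, NOW, appr)
        print(act, "->", d.allow, d.reason, "step_up" if d.step_up_required else "", d.audit)
```

The ordering of the checks is the point: a credential that fails TTL, chain or purpose never reaches the approval step, so a human is only asked to confirm an action the agent was already entitled to attempt, and the audit record names the human, every agent in between, and the approver for every outcome. The example returns a `step_up_required` decision rather than silently denying, which is what lets a PEP pause the agent and route the request for confirmation instead of failing the whole task.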
What's in the full article
Strata Identity's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step agentic user flow from OIDC login through MCP discovery and execution
- Policy orchestration details for PDP and PEP evaluation across purpose, risk and delegation context
- How JIT provisioning attaches TTL and purpose to agent identities before retirement
- Hands-on sandbox material for binding, delegating and observing agent authentication and authorization
👉 Read Strata Identity's analysis of agentic identity flow and Zero Trust controls →
Agentic identity flow: what legacy IAM controls are missing?
Explore further
Agentic identity is not a variant of NHI governance; it is a different control problem. The article makes the right distinction between static machine credentials and dynamic, self-directed agent behaviour. A service account is assigned a task and kept inside fixed bounds, but an AI agent can reason, delegate and select execution paths mid-session. That changes what identity evidence needs to prove, and practitioners should stop treating agentic access as a simple extension of workload identity.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should approve high-risk actions taken by an AI agent?
A: A verified human should approve high-risk agent actions before execution, especially where money, sensitive data or privilege changes are involved. Approval should be coupled with liveness validation and logged context so the organisation can prove the decision was intentional and attributable.
👉 Read our full editorial: Agentic identity flow exposes the limits of legacy NHI governance