TL;DR: Agentic AI moves from simple bots to autonomous digital workers, and Strata argues most IAM systems cannot govern the resulting identity, delegation, and policy complexity across five maturity levels. The real break is structural: access controls built for stable, reviewable identities do not hold when agents act, collaborate, and escalate across systems at machine speed.
NHIMG editorial — based on content published by Strata Identity: Agentic identity orchestration is the only thing standing between you and AI chaos
Questions worth separating out
Q: How should security teams govern AI agents that use shared service accounts?
A: Treat shared service accounts as a temporary migration state, not a stable operating model.
Q: Why do agentic AI systems create more identity risk than ordinary automation?
A: Because agentic systems can decide, delegate, and act at runtime, not just execute a fixed script.
Q: How do organisations know when agent identity governance is not working?
A: Look for reused secrets, unreadable delegation chains, and actions that cannot be tied to a specific agent identity and purpose.
Practitioner guidance
- Map agent maturity to control requirements: classify each deployed agent by whether it is a bot, delegated assistant, coordinated workflow participant, goal-driven actor, or autonomous worker.
- Eliminate shared credentials for agent workloads: replace static API keys and shared service accounts with per-agent identities, short-lived credentials, and traceable issuance.
- Control token exchange at every handoff: treat OAuth On-Behalf-Of flows, delegated access, and multi-agent context passing as explicit control points.
What's in the full article
Strata Identity's full article covers the maturity model detail this post intentionally leaves at a strategic level:
- Step-by-step explanation of the five agent maturity levels and how each changes identity design
- Specific protocol references such as OIDC, OAuth On-Behalf-Of, SPIFFE/SVID, OPA/Rego, and Cedar in agent workflows
- Operational examples of how Maverics is positioned for discovery, token issuance, and runtime orchestration
- The article's own view of why identity orchestration is presented as the organising layer for agentic AI
👉 Read Strata Identity's analysis of agentic identity orchestration and AI maturity levels →
Agentic identity orchestration: what IAM teams need to rethink?
Explore further
Identity orchestration is becoming the control plane for agentic AI, not an add-on to IAM. The article is right that agents move from scripts to delegated actors, which means identity stops being a login problem and becomes an operational routing problem. When an agent can plan, act, and collaborate, the security question shifts to whether every decision path is constrained by verifiable identity context. Practitioners should treat orchestration as the governance layer that binds authentication, delegation, and runtime policy together.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Our research also found that only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: What should teams do when an agent can affect multiple systems at once?
A: Set policy at the handoff points, not only at initial authentication. Multi-system agents need separate identity checks, narrow scopes, and runtime logging for each exchange so a failure in one workflow cannot silently expand into another. That is the minimum control for cross-system execution.
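The "control token exchange at every handoff" guidance and the answer above both come down to the same mechanics: each agent carries its own short-lived credential, a handoff mints a new token whose scope can only narrow, the full delegation chain travels with the token, and every exchange is logged against an agent identity and a purpose. The following Python is an added illustration of that model, not code from Strata's article, the Maverics product, or this editorial. The SPIFFE-style agent names, the delegation allowlist, the depth cap and the TTL are constructed policy values; the token-exchange logic is a simplified stand-in for a real OAuth On-Behalf-Of flow, not an implementation of it.

```python
"""Added example: per-agent tokens, scope-narrowing handoffs, and an audit
scan for the failure signals named in the text (reused secrets, delegation
chains that cannot be resolved, actions with no stated purpose).
All identifiers and policy values below are constructed for illustration."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

MAX_DELEGATION_DEPTH = 3   # assumed policy: how many agents a goal may pass through
TOKEN_TTL_SECONDS = 300    # assumed policy: short-lived credentials only

# Assumed policy (constructed): which agent identity may hand work to which.
DELEGATION_ALLOWLIST = {
    "spiffe://example.org/agent/planner": {"spiffe://example.org/agent/ticketer"},
    "spiffe://example.org/agent/ticketer": {"spiffe://example.org/agent/mailer"},
    "spiffe://example.org/agent/mailer": {"spiffe://example.org/agent/ticketer"},
}


@dataclass(frozen=True)
class AgentToken:
    agent_id: str             # per-agent identity, never a shared service account
    scopes: frozenset[str]
    chain: tuple[str, ...]    # full delegation chain, root actor first
    issued_at: float
    expires_at: float
    token_id: str             # unique per issuance, so reuse is detectable


@dataclass
class AuditRecord:
    token_id: str
    agent_id: str             # the agent the token was issued to / presented by
    purpose: str
    chain: tuple[str, ...]
    scopes: frozenset[str]
    ts: float


class HandoffDenied(Exception):
    pass


def issue_root_token(agent_id: str, scopes: set[str], now: float | None = None) -> AgentToken:
    """Mint the first token in a chain for an agent that starts a task itself."""
    now = time.time() if now is None else now
    return AgentToken(agent_id, frozenset(scopes), (agent_id,), now,
                      now + TOKEN_TTL_SECONDS, secrets.token_hex(8))


def exchange_token(subject: AgentToken, target_agent: str, requested: set[str],
                   purpose: str, audit_log: list[AuditRecord],
                   now: float | None = None) -> AgentToken:
    """Mint a delegated token for target_agent; every check is a handoff control point."""
    now = time.time() if now is None else now
    if now >= subject.expires_at:
        raise HandoffDenied("subject token expired")
    if target_agent not in DELEGATION_ALLOWLIST.get(subject.agent_id, set()):
        raise HandoffDenied(f"{subject.agent_id} may not delegate to {target_agent}")
    if len(subject.chain) >= MAX_DELEGATION_DEPTH:
        raise HandoffDenied("delegation chain too deep")
    if not requested <= subject.scopes:   # scope may only narrow, never escalate
        raise HandoffDenied(f"scope escalation: {sorted(requested - subject.scopes)}")
    token = AgentToken(target_agent, frozenset(requested), subject.chain + (target_agent,),
                       now, min(now + TOKEN_TTL_SECONDS, subject.expires_at),
                       secrets.token_hex(8))
    audit_log.append(AuditRecord(token.token_id, target_agent, purpose,
                                 token.chain, token.scopes, now))
    return token


def record_action(token: AgentToken, acting_agent: str, purpose: str,
                  audit_log: list[AuditRecord], now: float | None = None) -> None:
    """Log a token being presented; acting_agent is whoever actually presented it."""
    now = time.time() if now is None else now
    audit_log.append(AuditRecord(token.token_id, acting_agent, purpose,
                                 token.chain, token.scopes, now))


def audit_findings(audit_log: list[AuditRecord]) -> list[str]:
    """Flag reused credentials, chains the allowlist cannot explain, and missing purpose."""
    presenters: dict[str, set[str]] = {}
    for rec in audit_log:
        presenters.setdefault(rec.token_id, set()).add(rec.agent_id)
    findings = []
    for tid, agents in presenters.items():
        if len(agents) > 1:   # one credential seen under several identities = shared secret
            findings.append(f"shared-credential:{tid}:{sorted(agents)}")
    for rec in audit_log:
        for parent, child in zip(rec.chain, rec.chain[1:]):
            if child not in DELEGATION_ALLOWLIST.get(parent, set()):
                findings.append(f"unresolvable-chain:{rec.token_id}:{parent}->{child}")
        if not rec.purpose:
            findings.append(f"missing-purpose:{rec.token_id}")
    return sorted(set(findings))
```

Each `exchange_token` call is the place where the narrow-scope, separate-identity and per-exchange logging controls are enforced; a failure in one hop raises rather than silently widening the next hop's access. `audit_findings` is the detection side: run over the log, it surfaces the three signals the Q&A above lists as evidence that agent identity governance is not working.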
👉 Read our full editorial: Agentic identity orchestration is now an IAM design problem