Notifications
Clear all
Topic starter
07/06/2026 8:51 pm
TL;DR: As organisations deploy AI agents that act on behalf of users, the core security problem shifts to authenticated identity, delegated authority, and revocation, according to WorkOS. Data governance still matters, but agentic systems fail fastest when identity controls cannot define who the agent represents, what it may do, and when that authority ends.
NHIMG editorial — based on content published by WorkOS: Concentric AI vs WorkOS, comparing data governance with identity for agentic security
By the numbers:
- WorkOS supports transparent pricing starting at $125/month for up to 1M Monthly Active Users.
Questions worth separating out
Q: How should security teams govern AI agents that act on behalf of users?
A: Security teams should treat every agent as an identity relationship, not just a tool.
Q: Why do data protection controls not solve agentic security on their own?
A: Data controls reduce exposure after access exists, but they do not decide whether access should exist in the first place.
Q: What should organisations measure to know if agent access is actually controlled?
A: Measure whether delegated access is explicit, reviewable, and revocable across all connected systems.
Practitioner guidance
- Map every agent to an explicit identity relationship Record whether the agent acts as a user, under a service account, or through delegated impersonation.
- Scope agent sessions to the task, not the account Limit permissions by context, trigger, or time window so an agent cannot reuse a broad entitlement after the original purpose ends.
- Separate content controls from identity controls Use DSPM and data classification to reduce exposure, but do not treat them as substitutes for authentication and authorization.
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- Implementation details for enterprise SSO, directory sync, and MFA across agent workflows
- Examples of fine-grained authorization rules for context-based agent access decisions
- Product-specific guidance for service account authentication and delegation controls
- Pricing and deployment details for teams evaluating the WorkOS platform at scale
👉 Read WorkOS's comparison of Concentric AI and agentic identity controls →
Agentic security: what identity teams need to fix first?
Explore further
08/06/2026 8:34 am
Identity is the foundation of agentic security, not a supporting layer. Agentic systems cannot be governed safely if the programme starts with data inspection and treats identity as an implementation detail. The article shows the correct hierarchy: authenticate the actor, bound the delegation, then constrain the data. That is the control sequence practitioners should preserve across human, NHI, and autonomous workflows.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate NHI study found that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, showing how quickly delegated access becomes a governance issue.
A question worth separating out:
Q: What is the difference between agent identity controls and DSPM?
A: Agent identity controls define who may act, under what authority, and with what session scope. DSPM classifies and protects the data the agent reaches. They solve different parts of the problem, and both are needed when agents can touch sensitive systems at enterprise scale.
👉 Read our full editorial: Agentic security needs identity first, not data controls alone
