TL;DR: AI agents are being instantiated at runtime, scoped to a task, and retired when that task ends, creating a governance problem that conventional identity systems were not built to handle, according to Strata Identity. The core issue is not just scale but assumption collapse: access review models assume identities persist long enough to review, while agent identities may not.
NHIMG editorial — based on content published by Strata Identity: just-in-time identity provisioning for AI agents
By the numbers:
- Agents could outnumber humans 80 to 1 by 2030.
- Gartner predicts that by 2026, 30% of enterprises will deploy AI agents capable of acting on behalf of users with minimal human intervention.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should security teams govern AI agent identities that only exist for a single task?
A: Use task-scoped provisioning, short-lived credentials, and delegated context so the identity exists only for the duration of the job.
Q: Why do AI agents complicate traditional IAM lifecycle processes?
A: Traditional IAM assumes identities are durable enough to join, move, and leave over time.
Q: What breaks when organisations pre-provision identities for ephemeral AI agents?
A: Pre-provisioning creates standing accounts for actors that may never recur, which increases credential sprawl and leaves residual access after the task ends.
Practitioner guidance
- Classify agent identity by runtime duration: Separate ephemeral agents from recurring services before assigning identity handling.
- Bind every agent action to delegation context: Capture the delegator, task purpose, and execution scope as part of the identity record so audit trails can show why the agent existed and who authorised the work.
- Replace standing agent credentials with short-lived tokens: Minimise persistent secrets for agent workflows by issuing short-lived scoped credentials that expire when the task completes, reducing orphaned access and credential sprawl.
What's in the full article
Strata Identity's full analysis covers the operational detail this post intentionally leaves for the source:
- Policy logic for deciding when an agent gets a minimal profile versus a full directory profile.
- Step-by-step examples of how delegation context is carried through agent authentication and API use.
- The ticket-purchase workflow that shows how short-lived tokens, age verification, and logging fit together.
- Runtime policy evaluation patterns for matching operation sensitivity to provisioning decisions.
AI agent identities: what just-in-time provisioning changes?
Explore further
Task-scoped identity is the only governance model that matches agentic runtime behaviour. Agent identities that are created for a single job and retired at completion do not fit human joiner-mover-leaver assumptions. Traditional lifecycle controls were designed for durable subjects, not actors that exist for minutes or seconds. Practitioners should treat runtime provisioning as the baseline identity pattern for agentic systems, not a special case.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity teams still cannot reliably track non-human access.
A question worth separating out:
Q: How do organisations keep AI agent access aligned with Zero Trust principles?
A: They need policies that evaluate the acting agent, the delegator, the task sensitivity, and the time of execution together. That keeps authorisation conditional and traceable rather than assuming a one-time account grant is enough for the whole workflow.
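The practitioner guidance (task-scoped identity, delegation context, short-lived tokens) and the Zero Trust answer above can be shown as one mechanism. The sketch below is an added example, not code from Strata Identity or NHIMG. The HMAC token format, the function names, the TTL limits and the sample values are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Assumed policy: higher task sensitivity means a shorter credential lifetime.
MAX_TTL = {"low": 900, "high": 120}

def _sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def issue_task_token(key, delegator, purpose, scope, sensitivity, ttl, now):
    """Create the agent identity and its credential together, for one task."""
    claims = {
        "agent": "agent-" + secrets.token_hex(4),  # exists only for this task
        "delegator": delegator,                    # who authorised the work
        "purpose": purpose,                        # why the agent exists
        "scope": sorted(scope),                    # operations it may perform
        "sensitivity": sensitivity,
        "iat": now,
        "exp": now + min(ttl, MAX_TTL[sensitivity]),  # clamp requested TTL
    }
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(key, body).decode()

def authorize(key, token, operation, now, retired=frozenset()):
    """Evaluate agent, delegator context, scope and time on every call."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(key, body.encode())):
        return False, "bad signature", None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["agent"] in retired:      # task finished before the TTL ran out
        return False, "identity retired", claims
    if now >= claims["exp"]:
        return False, "expired", claims
    if operation not in claims["scope"]:
        return False, "operation outside task scope", claims
    return True, "ok", claims

if __name__ == "__main__":
    key = secrets.token_bytes(32)       # constructed demo key
    tok = issue_task_token(key, "alice@example.com", "buy concert ticket",
                           {"tickets:purchase"}, "high", ttl=3600, now=1000)
    for op, t in [("tickets:purchase", 1060), ("tickets:refund", 1060),
                  ("tickets:purchase", 1200)]:
        ok, reason, c = authorize(key, tok, op, t)
        # Audit line carries the delegation context, not just the agent id.
        print(t, c["agent"], c["delegator"], c["purpose"], op, ok, reason)
```

Because the delegator and purpose travel inside the signed claims, every allow or deny decision can be logged with who authorised the task, even after the agent identity no longer exists.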