TL;DR: AI agents are moving into critical workflows with decision-making and API chaining, but static provisioning, long-lived credentials, and human-era governance models do not scale to their velocity or delegation patterns, according to Strata Identity. The core issue is that identity systems assume stable, reviewable access, while agents appear, act, and retire faster than those controls can track.
NHIMG editorial — based on content published by Strata Identity: why AI agents need just-in-time identity provisioning
Questions worth separating out
Q: How should security teams govern AI agents that need access only for a single task?
A: Use just-in-time identity issuance tied to the task, not a standing account that remains valid after the work finishes.
Q: Why do static credentials create such a problem for AI agent governance?
A: Static credentials assume access needs are known in advance and stay stable long enough to be reviewed.
Q: What breaks when AI agent provenance is not tracked?
A: You lose the ability to connect an action back to the delegator, scope, and context that authorised it.
Practitioner guidance
- Map every agent workflow to a runtime identity boundary. Define when the agent is created, what task scope it receives, and the exact point at which access expires.
- Replace broad service accounts with task-scoped entitlements. Remove catch-all permissions that were added to avoid breakage.
- Bind delegators to agent actions for auditability. Record which human, service, or upstream agent authorised the task, along with context and scope.
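The three guidance points above, and the Q&A before them, describe one mechanism: an identity that is minted for a single task, scoped to exactly what that task needs, bound to the delegator who authorised it, and retired when its TTL ends. The following is an added illustration written for this editorial, not code from Strata Identity or from the Maverics platform. It assumes an HMAC-signed credential format, an in-memory audit log, and constructed names such as "user:alice", "invoice-reconciler" and the "erp:read:invoices" scope; a real deployment would back the signing key and audit sink with proper infrastructure.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example, not Strata's code: a minimal just-in-time issuer for
# agent task credentials. Each credential carries the task scope, the delegator
# who authorised it, the task context and a short expiry; every issuance and
# every access decision is written to an audit log so an action can be traced
# back to its delegator, scope and context after the agent has retired.

SIGNING_KEY = secrets.token_bytes(32)   # per-issuer key, generated for this example
AUDIT_LOG = []                          # in-memory stand-in for a real audit sink


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_task_credential(delegator, workflow, scopes, ttl_seconds, context, now=None):
    """Mint a task-scoped credential for one agent run.

    delegator:   the human, service or upstream agent authorising the task.
    workflow:    the agent workflow whose identity boundary this run lives in.
    scopes:      the exact entitlements this run needs, nothing broader.
    ttl_seconds: how long the credential lives; expiry is where access ends.
    """
    now = time.time() if now is None else now
    claims = {
        "jti": secrets.token_hex(8),          # unique id for this run's identity
        "sub": f"agent:{workflow}",
        "act": delegator,                     # provenance: who authorised the task
        "ctx": context,                       # task context the scope was granted for
        "scp": sorted(set(scopes)),
        "iat": now,
        "exp": now + ttl_seconds,
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    AUDIT_LOG.append({"event": "issued", **claims})
    return f"{_b64(payload)}.{_b64(sig)}"


def authorize(token, required_scope, now=None):
    """Decide at execution time whether the credential permits required_scope.

    Returns (allowed, reason, claims); claims is None when the token cannot be verified.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except ValueError:
        return False, "malformed", None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature", None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        allowed, reason = False, "expired"        # identity retired with the task
    elif required_scope not in claims["scp"]:
        allowed, reason = False, "out_of_scope"   # task-scoped, no catch-all rights
    else:
        allowed, reason = True, "ok"
    # Each decision is logged with the delegator so the action stays attributable.
    AUDIT_LOG.append({"event": "decision", "jti": claims["jti"], "act": claims["act"],
                      "scope": required_scope, "allowed": allowed, "reason": reason})
    return allowed, reason, claims


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_task_credential("user:alice", "invoice-reconciler",
                                ["erp:read:invoices"], ttl_seconds=300,
                                context="ticket:INC-0001", now=t0)
    print(authorize(tok, "erp:read:invoices", now=t0 + 60)[:2])   # allowed while live
    print(authorize(tok, "erp:write:payments", now=t0 + 60)[:2])  # outside task scope
    print(authorize(tok, "erp:read:invoices", now=t0 + 301)[:2])  # retired with the task
```

The point of the shape is that there is no standing account to certify: the access decision is made at execution time against the scope and TTL carried by the credential, and the audit log, not the account directory, is where provenance lives once the run is over.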
What's in the full article
Strata Identity's full post covers the operational detail this post intentionally leaves for the source:
- How Strata frames JIT provisioning for AI agents as an implementation pattern rather than a governance principle.
- The article's step-by-step argument for binding delegators to agent actions and preserving provenance across workflows.
- Its discussion of agent identity profiles, TTL, and audit trail requirements in multi-cloud environments.
- The closing section that introduces Strata's Maverics platform and a hands-on sandbox for AI agent identity controls.
👉 Read Strata Identity's analysis of why AI agents need just-in-time identity →
AI agent identity at runtime: are your controls keeping up?
Explore further
Static provisioning is the wrong governance model for agents that exist on demand. AI agents do not behave like human users with stable accounts and predictable access horizons. A provisioning model built for joiner-mover-leaver processes assumes the identity remains visible long enough to be reviewed, certified, and revoked, but agentic execution compresses that entire lifecycle into runtime. Practitioners should treat this as a structural mismatch, not a tuning problem.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.
- Our 2024 Non-Human Identity Security Report found that only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
A question worth separating out:
Q: What is the difference between human IAM and AI agent identity governance?
A: Human IAM is built around stable identities, predictable logins, and review cycles that assume access persists over time. AI agent governance has to handle ephemeral identities, delegated actions, and runtime scope changes. The difference is not just scale; it is that the access decision must often be made at execution time, not at onboarding.
👉 Read our full editorial: Why just-in-time identity breaks human-era controls for AI agents