TL;DR: Machine identities and AI agents now authenticate, access data, and execute workflows at machine speed, expanding enterprise attack surface and privilege sprawl, according to Delinea. The governance problem is no longer just access control, but whether identity programmes can keep trust boundaries visible as autonomy and entitlement multiply.
NHIMG editorial — based on content published by Delinea: The rise of machine identities and agentic AI: Securing trust in the next era of digital autonomy
Questions worth separating out
Q: How should security teams govern machine identities in cloud and AI environments?
A: Security teams should treat machine identities as first-class governed assets: each one with a named owner, a documented purpose, an inventoried set of entitlements, and a lifecycle that ends when the workload it serves does.
Q: Why do machine identities increase lateral movement risk?
A: Machine identities often carry persistent access that outlives the original task, system, or owner, so whoever obtains the credential inherits that access and can pivot to every system it still reaches.
Q: What do teams get wrong about just-in-time access for non-human identities?
A: Teams often assume just-in-time access is enough on its own. Without a continuous inventory, clear ownership, and monitoring for privilege drift, a just-in-time grant can still be over-scoped, and the dormant standing credentials it was meant to replace quietly stay in place.
Practitioner guidance
- Inventory every non-human identity continuously. Scan for service accounts, API keys, tokens, certificates, bots, and AI agents across cloud, SaaS, code repositories, and automation pipelines.
- Eliminate standing privilege where workloads allow it. Replace persistent machine credentials with just-in-time access, short-lived tokens, and vault-managed secret retrieval.
- Classify AI agents as governed identities. Document which agents can authenticate, which tools they can call, and which decisions they can make without human approval.
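The three steps above (inventory, eliminate standing privilege, classify agents) can be expressed as one triage routine. The following is an added example written for this editorial, not Delinea's tooling or code from the source article. It runs over a constructed sample inventory, flags orphaned, dormant, standing-privilege, high-privilege and ungated-agent-tool findings, ranks identities by a risk score, gates agent tool calls on human approval, and refuses just-in-time grants whose TTL would recreate standing privilege. The thresholds, owner list, privilege and tool names, and weights are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed clock so the classification is reproducible offline.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Policy thresholds: assumptions for this example, not figures from the article.
STANDING_PRIVILEGE_MAX = timedelta(hours=24)   # credentials living longer than this count as standing privilege
DORMANT_AFTER = timedelta(days=90)             # credentials unused longer than this count as dormant
ACTIVE_OWNERS = {"platform-team", "data-eng"}  # owners still present in the org directory (assumed)
HIGH_PRIVILEGES = {"admin", "iam:*", "secrets:read"}                 # assumed high-privilege entitlements
HIGH_IMPACT_TOOLS = {"delete_records", "modify_iam", "transfer_funds"}  # assumed high-impact agent tools
WEIGHTS = {"orphaned": 3, "standing-privilege": 3, "high-privilege": 4,
           "dormant": 2, "ungated-high-impact-tool": 5}


@dataclass
class Identity:
    name: str
    kind: str                          # service_account | api_key | token | certificate | agent
    owner: Optional[str]
    created: datetime
    expires: Optional[datetime]        # None means the credential never expires
    last_used: Optional[datetime]      # None means never observed in use
    privileges: set = field(default_factory=set)
    tools: set = field(default_factory=set)           # agents only: tools the agent may call
    approval_gated: set = field(default_factory=set)  # agents only: tools that need a human approver


def findings(ident: Identity) -> list:
    """Return the governance findings for one identity, in a stable order."""
    out = []
    if ident.owner not in ACTIVE_OWNERS:
        out.append("orphaned")                       # owner left, retired or never existed
    if ident.expires is None or ident.expires - ident.created > STANDING_PRIVILEGE_MAX:
        out.append("standing-privilege")             # long-lived or non-expiring credential
    if ident.privileges & HIGH_PRIVILEGES:
        out.append("high-privilege")
    if ident.last_used is None or NOW - ident.last_used > DORMANT_AFTER:
        out.append("dormant")
    # An agent holding a high-impact tool that is not approval-gated can act autonomously on it.
    if ident.kind == "agent" and (ident.tools & HIGH_IMPACT_TOOLS) - ident.approval_gated:
        out.append("ungated-high-impact-tool")
    return out


def risk_score(ident: Identity) -> int:
    return sum(WEIGHTS[f] for f in findings(ident))


def prioritise(inventory) -> list:
    """Identity names ordered by descending risk, so the riskiest NHIs are remediated first."""
    return [i.name for i in sorted(inventory, key=lambda i: (-risk_score(i), i.name))]


def authorize_tool_call(agent: Identity, tool: str, approver: Optional[str] = None) -> str:
    """Decide whether an agent may invoke a tool: 'deny', 'needs-approval' or 'allow'."""
    if agent.kind != "agent" or tool not in agent.tools:
        return "deny"
    if tool in agent.approval_gated and approver is None:
        return "needs-approval"
    return "allow"


def issue_jit_grant(ident: Identity, privilege: str, ttl: timedelta) -> dict:
    """Issue a short-lived grant instead of a standing credential; refuse TTLs above the ceiling."""
    if ttl > STANDING_PRIVILEGE_MAX:
        raise ValueError("requested TTL exceeds the standing-privilege ceiling")
    return {"subject": ident.name, "privilege": privilege, "issued": NOW, "expires": NOW + ttl}


# Constructed sample inventory (not real data): what a scanner might collect across
# cloud, SaaS, repositories and pipelines.
SAMPLE = [
    Identity("ci-deploy-sa", "service_account", "platform-team",
             created=NOW - timedelta(days=400), expires=None,
             last_used=NOW - timedelta(days=1), privileges={"admin"}),
    Identity("legacy-etl-key", "api_key", "former-contractor",
             created=NOW - timedelta(days=700), expires=None,
             last_used=NOW - timedelta(days=200), privileges={"s3:read"}),
    Identity("build-token", "token", "data-eng",
             created=NOW - timedelta(minutes=10), expires=NOW + timedelta(minutes=50),
             last_used=NOW - timedelta(minutes=5), privileges={"artifacts:write"}),
    Identity("ops-agent", "agent", "platform-team",
             created=NOW - timedelta(days=30), expires=NOW + timedelta(days=335),
             last_used=NOW - timedelta(hours=2), privileges={"secrets:read"},
             tools={"read_logs", "modify_iam", "restart_service"},
             approval_gated={"restart_service"}),
]
INDEX = {i.name: i for i in SAMPLE}

if __name__ == "__main__":
    for name in prioritise(SAMPLE):
        print(f"{name:16} score={risk_score(INDEX[name]):2}  {findings(INDEX[name])}")
```

The agent in the sample is the top finding even though its credential is recent and in use: it holds `modify_iam` with no approval gate, which is exactly the "which decisions can it make without human approval" question the third step asks. `authorize_tool_call` returns `allow` for that tool, which is the gap the triage surfaces; the remediation is to move the tool into `approval_gated` or remove it.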
What's in the full article
Delinea's full blog covers the operational detail this post intentionally leaves for the source:
- A practical walkthrough of how Delinea says organisations should inventory every credential, token, and agent across hybrid environments.
- Guidance on classifying over-privileged and dormant accounts so teams can prioritise the highest-risk non-human identities.
- The article's own recommendations for least privilege, just-in-time access, secret rotation, and vaulting in machine workflows.
- Delinea's view on continuous monitoring for privilege drift and abnormal behaviour across machine and agent identities.
👉 Read Delinea's analysis of machine identities and agentic AI trust boundaries →