TL;DR: Descope’s repeat inclusion in Redpoint’s InfraRed 100 sits alongside the claim that hundreds of organisations use the platform to manage external identities across end users, partners, APIs, and AI agents, which highlights how external IAM is expanding beyond customer login flows, according to Descope. The real governance issue is that identity boundaries now span humans, machines, and agentic workflows at the same time.
NHIMG editorial — based on content published by Descope: Descope named to Redpoint’s InfraRed 100
Questions worth separating out
A: Security teams should classify external identities by actor type, then assign separate authentication, authorisation, and revocation rules for each class.
Q: Why do APIs and AI agents create more external IAM risk than human users?
A: APIs and AI agents often run continuously, use credentials programmatically, and operate at machine speed, which makes scope creep harder to notice.
Q: What breaks when external identity lifecycles are not defined clearly?
A: When external lifecycles are unclear, access can outlive the business relationship that justified it.
Practitioner guidance
- Inventory external identity classes: Classify every external actor your programme touches, including customers, partners, APIs, service identities, and AI agents.
- Separate human and non-human policy paths: Do not rely on one shared policy model for all external access.
- Build lifecycle offboarding into external access design: Make revocation a first-class requirement for partner apps, APIs, and agent identities.
What's in the full analysis
Descope's full article covers the company-specific context and recognition details this post intentionally leaves aside:
- The InfraRed 100 recognition context and why Redpoint included the company again
- Descope's own explanation of its external IAM positioning across end users, partners, APIs, and AI agents
- The company examples it cites, including how customers use the platform in practice
- The broader business background around funding, growth, and market visibility
External IAM for APIs and AI agents: what this recognition signals?
Explore further
External IAM is becoming the governance layer where human, machine, and agent identities collide. The article shows that the category is no longer limited to customer authentication, because APIs and AI agents now sit inside the same identity surface. That makes the policy problem broader than login orchestration. Practitioners should treat external IAM as a shared control plane for every identity that crosses organisational boundaries.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, according to the 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: How do you know if external IAM is actually reducing identity sprawl?
A: You know it is working when every external identity class has a named owner, a documented access path, and a revocation event that can be traced end to end. If teams still discover unknown API keys, unmanaged partners, or untracked agent credentials, the programme is reducing friction more effectively than it is reducing risk.