We’re about to hand AI agents real keys. Not “summarize this thread” or “draft that email.” Actual authority to act. File the ticket. Reset the password. Move the money. Reconcile the invoice and post the entry. The day an AI stops suggesting and starts doing, it becomes something every security team already has a name for: an identity with permissions.
Most teams are about to secure it like a new employee. That’s the mistake, and an understandable one.
The instinct is half right
An agent that acts really is an identity, and the discipline we built for human ones still applies. Least privilege. Knowing exactly who, or what, can touch which system. Being able to reconstruct, after the fact, what happened and who set it in motion. None of that goes away; if anything, agents make it matter more. The organizations that did the unglamorous Zero Trust work years ago start this race with a real, earned advantage: conditional access, identity governance, the access reviews nobody ever put on a slide.
That work is the floor. But the floor isn’t the building.
An agent that can act is an identity with permissions. The Zero Trust work is the floor. Almost nobody has built the part of the building above it that autonomous agents actually need.
Where the human playbook breaks
A human identity is, by the standard of what’s coming, almost quaint. It’s stable: the same person, more or less, month to month. It acts at human speed. And it gets reviewed on a human cadence: a quarterly access certification, a manager clicking approve.
An agent is none of those things.
It can spin up for ninety seconds to do one task and then cease to exist. It can act thousands of times a minute. And it delegates. That is the part that should hold your attention. An agent calls another agent, which calls a tool, which touches data three steps removed from any human who would recognize what just happened. Authority flows down a chain no org chart shows and no quarterly review was ever designed to catch.
Securing that with the controls we built for people is bringing a badge reader to something that moves at machine speed.
The new primitives
So the work in front of us is real, and it’s genuinely new. A few of the pieces I’d be building now, not next year.
Credentials that are short-lived and scoped to a single task. Minutes of life, one job, then gone. Not the standing access we hand a person and forget about. An agent that exists for ninety seconds should not hold a key that lives for ninety days.
Provenance that survives delegation. When an agent acts, you need to trace the chain back to the human whose intent started it. “The system did it” is not an answer a regulator, a board, or your own incident review will accept. Every autonomous action needs a thread back to a person.
Guardrails that watch behavior in real time, not permissions granted in advance. You can’t pre-enumerate everything an agent might try, the way you write a person’s job description. So the control moves from “what was it allowed to do an hour ago” to “what is it doing right now, and does that still look right.”
Governance that runs continuously. “We’ll review it next quarter” means nothing for something that already acted a million times this morning. The review cadence has to match the action cadence, which means it has to be automated, because nothing human keeps up.
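The first two primitives above, as an added Python example (not from this post or any product): an issuer mints a credential scoped to one task, delegation can only narrow scope and shorten lifetime, and every authorization check returns the human at the root of the chain. The HMAC key, the token layout, and all names, scopes and addresses are assumptions made for illustration.

```python
import hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # assumption: known only to the token issuer

def _sign(claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def mint(human, agent, scopes, ttl_s, now):
    """Issue a credential for one task, rooted in the human who started it."""
    claims = {"chain": [human, agent], "scopes": sorted(scopes), "exp": now + ttl_s}
    return {"claims": claims, "sig": _sign(claims)}

def authorize(token, action, now):
    """Verify signature, expiry and scope; return the human at the chain's root."""
    c = token["claims"]
    if not hmac.compare_digest(token["sig"], _sign(c)):
        raise PermissionError("bad signature")
    if now >= c["exp"]:
        raise PermissionError("credential expired")
    if action is not None and action not in c["scopes"]:
        raise PermissionError(f"{action} is outside the task scope")
    return c["chain"][0]

def delegate(parent, child_agent, scopes, ttl_s, now):
    """Issuer-side delegation: scope may only narrow, lifetime may only shrink."""
    authorize(parent, None, now)  # the parent credential must still be valid
    p = parent["claims"]
    if not set(scopes) <= set(p["scopes"]):
        raise PermissionError("delegation cannot widen scope")
    claims = {"chain": p["chain"] + [child_agent], "scopes": sorted(scopes),
              "exp": min(p["exp"], now + ttl_s)}  # never outlives the parent
    return {"claims": claims, "sig": _sign(claims)}

if __name__ == "__main__":
    # Constructed sample values; times are plain integers to keep the run deterministic.
    root = mint("alice@example.com", "invoice-agent",
                ["invoice:read", "ledger:post"], ttl_s=300, now=1000)
    child = delegate(root, "ocr-tool", ["invoice:read"], ttl_s=600, now=1010)
    print(child["claims"]["chain"], "expires at", child["claims"]["exp"])
    print("acting for:", authorize(child, "invoice:read", now=1020))
```

The chain in the child credential is what goes into the audit log: each action carries the full path from the tool back to the person.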
The trap
Here’s the uncomfortable part: the organizations furthest ahead on human identity are the ones most likely to assume they’ve already got this. They have the maturity, the tooling, the Zero Trust architecture. They have the foundation. They do not have the new layer yet. Almost nobody does. And the gap widens every week we hand agents a little more to do.
I’m not neutral here. I lived through a breach where the distance between “we have an identity model” and “we can actually prove what every account is permitted to touch” stopped being academic in about an hour. Part of the cleanup was a sweep of more than two thousand service accounts: non-human identities that had quietly accumulated for years, plenty of them with no clear owner. That was the static version of this problem, and it was hard enough.
Now picture the same problem, except the accounts create themselves, act on their own, and multiply every time someone wires up a new agent. That’s the wave coming. Machine identity was the warning. Agentic identity is the thing the warning was about.
What I’d do this quarter
Treat every agent that can take an action as a first-class identity from day one: inventoried, owned, scoped, logged. Not a convenience you bolt security onto later. Assume you will be asked, in front of people who matter, to explain exactly what one of your agents did and on whose behalf. Then build so you can answer.
Because the first time an agent does something you didn’t predict, and it will, the only question that matters is whether you can trace whose intent it was acting on, and stop it, before the next thousand actions go through.
Common questions
Can you secure an AI agent the same way you secure an employee?
No. An employee identity is relatively stable, acts at human speed, and is reviewed on a human cadence: a quarterly access certification, a manager clicking approve. An AI agent can spin up for seconds, act thousands of times a minute, and delegate to other agents and tools down a chain no org chart shows. Standing credentials and periodic access reviews do not fit something that ephemeral and fast. The fundamentals still apply: least privilege, audit, knowing who can do what. The controls around them have to be rebuilt for machine speed and autonomy.
What is the difference between machine identity and agentic identity?
Machine identity covers the non-human logins that already exist: service accounts, API keys, bot and CI/CD credentials, usually static and created by people. Agentic identity is the next wave: AI agents that act autonomously, mint or assume credentials at machine speed, and delegate to other agents. Machine identity is largely an inventory-and-ownership problem; agentic identity layers autonomy, delegation chains, and machine-speed creation on top of it.
What new identity controls do AI agents need beyond Zero Trust?
Four, beyond the human playbook. Short-lived credentials scoped to a single task instead of standing access. Provenance that traces every autonomous action back to the human whose intent started it. Runtime behavioral guardrails that watch what an agent is doing, not just what it was permitted to do an hour ago. And continuous, automated governance, because review cadences built for quarterly human certifications cannot track something that acts a million times a day.
Does Zero Trust already cover agentic AI?
Zero Trust is the foundation, not the finish line. The least-privilege, conditional-access, and identity-governance work mature organizations did for human and machine identities is exactly the head start they need. But it was designed around relatively stable identities acting at human speed; autonomous agents that self-provision and delegate require a new layer on top of it that almost no enterprise has built yet. The organizations furthest ahead on human identity are often the ones most likely to assume they have already covered the agentic case. They have not.