
Identity as a security boundary now includes all entities acting on behalf of employees, including non-human identities that lack conventional accountability signals. Non-human identities already outnumber human users in large enterprises, and agentic AI changes the challenge by introducing autonomous reasoning entities that query systems, decide, and take consequential actions continuously at scale. Traditional IAM is built around human join and leave lifecycles and cannot govern entities that never join and will never leave. Securing agents requires behavior monitoring in real time, zero-trust enforcement, and scaling controls for thousands of short-lived identities. Agents fall into two categories: proxy agents using human credentials and workflow-embedded agents with independent permissions and no named owner. Current governance based on who holds access cannot govern what an identity intends to do with it, leading to failure modes such as reconciliation agents making risky decisions when resolving complex errors.
"Identity as a security perimeter is no longer defined solely by your employees; instead it is now defined by everything that acts on their behalf, much of which has no name badge, line manager, or off‑boarding process. Non‑human identities (NHI) already outnumber human users in most large enterprises. The arrival of agentic AI doesn't merely extend this challenge; it fundamentally changes its nature."
"Traditional identity and access management (IAM) was architected around human employee lifecycles and is almost entirely unsuited to governing entities that never joined and will never leave. Securing agents requires moving beyond static permissions. It demands systems capable of monitoring behaviour in real time, applying zero-trust principles, and scaling to manage thousands of short‑lived entities operating simultaneously."
"Two categories of NHI demand distinct governance responses. The first consists of agents augmenting human users, operating on their credentials as proxies for sanctioned intent. The second, and more dangerous category, consists of agents embedded directly into workflows, carrying assigned but independent permissions and answerable to no named individual. This distinction matters because it exposes a foundational weakness in current IAM. Governance designed around who holds access cannot govern what an identity intends to do with it."
"Early deployments demonstrate this failure mode: an account reconciliation agent, granted read access to transaction ledgers and write access to a discrepancy table, encounters a complex error. Its reasoning engine concludes that comparing the anomaly against high‑net‑worth account data would resolve the ambiguity. This may result in t"
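The two NHI categories and the reconciliation-agent failure mode quoted above, as an added per-request scope check (example code written for this summary, not from the ComputerWeekly article); agent names, resource names and scope strings are constructed placeholders:

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Agent:
    name: str
    kind: str                          # "proxy" or "embedded" (the two NHI categories)
    scopes: FrozenSet[str]             # permissions assigned to the agent itself
    principal_scopes: FrozenSet[str] = frozenset()  # the human's scopes (proxy only)
    owner: Optional[str] = None        # named accountable individual, if any

def effective_scopes(agent: Agent) -> FrozenSet[str]:
    """A proxy agent can never hold more than the human it acts for."""
    if agent.kind == "proxy":
        return agent.scopes & agent.principal_scopes
    return agent.scopes

def authorize(agent: Agent, action: str, resource: str, audit: List[dict]) -> bool:
    """Evaluate one request against the agent's effective scope and record the decision."""
    request = f"{action}:{resource}"
    allowed = request in effective_scopes(agent)
    audit.append({"agent": agent.name, "request": request,
                  "allowed": allowed, "owner": agent.owner or "UNOWNED"})
    return allowed

def review(audit: List[dict]) -> dict:
    """Summarise the real-time signals a governance team would act on."""
    denied = [e for e in audit if not e["allowed"]]
    unowned = sorted({e["agent"] for e in audit if e["owner"] == "UNOWNED"})
    return {"denied": denied, "unowned_agents": unowned}

# Constructed scenario: an embedded reconciliation agent with no named owner
# reaches for account data outside the permissions it was assigned.
RECON = Agent("recon-agent", "embedded",
              frozenset({"read:transaction_ledger", "write:discrepancy_table"}))
# Constructed proxy agent acting for an analyst whose own access is narrower.
ASSISTANT = Agent("analyst-assistant", "proxy",
                  frozenset({"read:transaction_ledger", "read:hnw_accounts"}),
                  principal_scopes=frozenset({"read:transaction_ledger"}),
                  owner="analyst@example.com")

def run_scenario() -> dict:
    audit: List[dict] = []
    authorize(RECON, "read", "transaction_ledger", audit)   # routine, allowed
    authorize(RECON, "read", "hnw_accounts", audit)         # intent drift, denied
    authorize(ASSISTANT, "read", "hnw_accounts", audit)     # exceeds principal, denied
    return review(audit)
```

The denied entries are the behavioural signal to alert on; the unowned list is the set of agents that still need a named accountable individual.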
#identity-and-access-management-iam #agentic-ai #non-human-identities #zero-trust-security #governance-and-risk
Read at ComputerWeekly.com