Agentic Identity: The New Perimeter for Autonomous Systems
When an AI agent moves money, modifies infrastructure, or escalates a security incident, a question surfaces that most organizations have not answered: who is acting? The credential says a human. The action was autonomous. The audit trail points to a service account shared across three teams. This gap is not theoretical — it is the fastest-growing attack surface in enterprise identity.
The Problem: Agents Without Identity
Most AI agents in production run on borrowed credentials. A service account with broad permissions. An API key pasted into a configuration file. A personal OAuth token delegated to an automation pipeline without scope restriction.
This works at small scale. When three agents share one key, the blast radius is manageable. When hundreds of agents operate across dozens of systems — each acting on behalf of different users, with different authorization scopes, at different times — shared credentials become a liability that compounds.
Agents execute high-impact actions without clear attribution chains. The credential says human. The action was autonomous. The audit trail stops at a shared service account.
Three forces are converging to make this urgent:
- Scale — Gartner projects that a third of enterprise software will include agentic AI by 2028, with 15 percent of day-to-day work decisions made autonomously
- Velocity — agents spin up and tear down in seconds, not the days or weeks that human identity provisioning assumes
- Delegation depth — an agent acting on behalf of a user, who delegated to another agent, which was triggered by a policy engine, creates chains that existing IAM was never designed to trace
Three Definitions, One Concept
The term agentic identity is not settled. Three different communities use it with different emphases, and understanding all three is necessary to see why this is a new category, not an extension of existing identity management.
IAM: The Identity Practitioner View
In cybersecurity and identity and access management, an agentic identity is a digitally verifiable identity assigned to an AI agent — a bot, copilot, or autonomous system — that acts on a delegated basis. Unlike human identities (long-lived, MFA-authenticated) or machine identities like service accounts (scripted, static-key), agentic identities are:
- Ephemeral — spun up and destroyed in seconds
- Delegated — acting on behalf of a user or another agent
- Context-bound — scoped to a task, an intent, and an originator
This is not a service account with a new label. Service accounts are persistent, their permissions tend toward broad defaults, and they accumulate access over months. Agentic identities should be JIT-provisioned, task-scoped, and traceable to a delegation chain — attributes that existing NHI management does not provide.
Architecture: The Systems Builder View
In AI systems architecture, agentic refers to systems that perceive, reason, and act independently to accomplish goals. The identity question is not about credentials — it is about provenance. When a agent executes a trade, sends an email, or modifies a production config, the system needs to know:
- Who authorized this action?
- What scope was granted?
- Which agent instance performed it?
- Can this chain be reconstructed after the fact?
In multi-agent architectures, orchestration layers delegate tasks to specialist agents. Each delegation needs to carry identity provenance. Without it, an agent that escalates permissions or acts outside scope leaves no forensic trail.
Philosophy: The Agency View
In self-determination theory, agentic describes the innate human need to act as a causal agent of one's own life — exercising autonomy, competence, and relatedness. This is not independence from others but psychological freedom of internal will.
The philosophical definition matters because it reframes the design question. Agentic identity is not just about access control. Astrix Security frames it as the convergence of accountability, sovereignty, and delegation — recognizing that agents need identity systems that preserve the intent and authority of their human principals, not just their credentials.
Agentic identity is not just about access control. It is the convergence of accountability, sovereignty, and delegation — preserving human intent, not just human credentials.
Why Service Accounts Are Not Enough
The most common response to agent identity is: use service accounts with scoped roles. This assumes agents are just another workload. They are not, and three structural differences explain why.
| Property | Human Identity | Service Account (NHI) | Agentic Identity |
|---|---|---|---|
| Lifespan | Years | Days to months | Seconds to minutes |
| Origin | Manual enrollment | Scripted provisioning | JIT from policy |
| Authentication | MFA, SSO, passkeys | API key, mTLS cert | PKCE, DPoP, SVID |
| Access control | RBAC / ABAC | Scoped service roles | Task-bound, dynamic |
| Audit trail | User session | Coarse-grained | Delegation chain |
| Governance | IGA, certifications | Manual or SCIM | Policy-driven lifecycle |
Service accounts are designed for workloads that run continuously — a database connector, a sync pipeline, a monitoring daemon. Agents burst into existence, act, and terminate. Their identity lifecycle matches a function call, not an employee onboarding.
The delegation problem compounds this. A service account does not carry provenance. When agent A delegates to agent B, the audit trail shows two service account calls — not a chain from the user who authorized agent A, through A's delegated scope, to B's executed action.
The Six A's of Agentic Identity
Strata's framework identifies six pillars that every identity system must address for agents. Existing IAM addresses these for humans and workloads. None of the six work unchanged for autonomous agents.
| Pillar | Human Today | What Agents Need |
|---|---|---|
| Authentication | MFA, SSO, passkeys | Cryptographic proof of delegation chain, ephemeral credentials |
| Access Control | RBAC, ABAC policies | Intent-scoped permissions tied to task, not identity |
| Authorization | Static role assignments | Dynamic scope derived from delegation context and real-time risk |
| Auditing | Session logs tied to user | Full delegation chain: principal → delegator → agent → action |
| Administration | HR-driven provisioning | Policy-driven lifecycle — JIT creation, automatic revocation |
| Availability | Redundant IdP, fallback auth | Resilient delegation verification without human-in-the-loop delays |
Every pillar of identity management — authentication, access control, authorization, auditing, administration, and availability — must be rebuilt for entities that act in seconds, not days, and whose permissions must expire when the task does.
The MCP Wake-Up Call
The Model Context Protocol, which lets AI agents connect to external tools and data sources, has made the identity gap concrete and urgent. As documented in earlier coverage of MCP server sprawl, the numbers are stark:
- Sixteen thousand MCP servers appeared on public registries in the first half of 2026
- Over half of open-source MCP servers require credentials to operate — and of those, 53 percent use long-lived static secrets
- Only 8.5 percent implement any form of OAuth
- The STDIO transport layer, the most common deployment mode, has no authentication at all
The API boom of 2015 through 2020 took roughly five years to reach saturation. MCP hit 16,000 servers in 18 months. The speed of adoption has outpaced the development of identity standards by an order of magnitude.
Qualys launched TotalAI specifically to discover unknown MCP endpoints inside enterprise networks. Emerging gateway solutions — MCP Gateway, Envoy AI Gateway — are positioning themselves as the API gateways of the agent era. But identity enforcement at the gateway layer still requires an identity protocol designed for agents, not humans.
Exceptions: Where Shared Credentials Still Suffice
Not every agent deployment demands a full agentic identity framework. Three cases work fine with existing patterns:
- Single-tenant, low-risk agents — An internal bot that posts to one Slack channel, triggered by a known cron schedule, with no user delegation. A scoped service account with read-only access is sufficient.
- Human-in-the-loop orchestration — An agent that drafts content but requires human approval before publishing (as in agent memory architectures with human gates). The human's identity covers the final action.
- Air-gapped or sandboxed execution — Agents that operate on isolated data with no external API calls. The blast radius is contained by design.
In each case, the risk profile is bounded. The agent cannot escalate beyond its sandbox, and the actions it takes are either low-impact or human-supervised. Outside these narrow cases, shared credentials create unmanageable blast radius.
Honest Assessment
| Dimension | Mature | Emerging | Missing |
|---|---|---|---|
| Authentication | mTLS, SPIFFE SVID | PKCE, DPoP for agents | Delegation chain verification |
| Authorization | RBAC, ABAC for humans | Task-scoped OAuth flows | Intent-derived dynamic scopes |
| Auditing | Session logging | Agent event tracking | Delegation provenance chains |
| Administration | SCIM, IGA | Policy-as-code for agents | JIT lifecycle management |
| Protocol support | OAuth 2.0, OIDC | MCP authorization (draft) | A2A identity layer (proposed) |
| Vendor tooling | Okta, Auth0, Entra | Qualys TotalAI, Envoy AI Gateway | Purpose-built agentic IAM |
The infrastructure for cryptographic identity, dynamic scopes, and delegation chains exists in fragments. SPIFFE SVIDs solve workload identity. DPoP and PKCE handle ephemeral tokens. Policy-as-code tools enforce runtime scopes. What is missing is the connective tissue — a unified identity fabric that treats agents as first-class principals with their own lifecycle, audit requirements, and delegation semantics.
The components exist in fragments. What is missing is the connective tissue — a unified identity fabric that treats agents as first-class principals with their own lifecycle and delegation semantics.
Actionable Takeaways
- Audit your agent credential surface — Inventory every API key, service account, and OAuth token used by agents. Count how many are shared across agents or teams. Each shared credential is a blast radius multiplier.
- Map delegation chains — For each agent workflow, trace the full chain: which human authorized it, what scope was delegated, which agent instance executed. If you cannot trace it, you have an identity gap.
- Scope credentials to task, not identity — Replace broad service account permissions with JIT-provisioned, task-bound tokens. If an agent completes its work in 30 seconds, the credential should expire in 31.
- Separate agent identity from user identity — Agents acting on behalf of users need their own principal, not a borrowed token. Audit trails that show only a human username for agent actions are compliance risks.
- Plan for A2A delegation — Agent-to-agent handoffs are already happening in orchestrator patterns. Each handoff needs to propagate identity provenance, not just context. Design for delegation depth now, even if your current use cases are shallow.
- Treat MCP endpoints as identity boundaries — Every MCP server your agents connect to is a trust boundary. Demand OAuth support, scoped tokens, and audit logging from MCP providers. Avoid STDIO transport without a gateway.
Agentic identity is not a future concern. The agents are already running — on shared credentials, with no audit chain, and no standard for proving who authorized what. The perimeter has moved. The question is whether your identity infrastructure has moved with it.