For the past two years, the security conversation around AI has focused almost entirely on prompt injection, data poisoning, and model manipulation. These are real risks — but they miss a deeper structural problem that is already appearing in enterprise environments.
AI agents are becoming identities.
And identities without governance are a security incident waiting to happen.
What Is an Agentic AI Identity?
An AI agent, in the enterprise context, is an autonomous system that takes actions on behalf of a user or process — browsing the web, calling APIs, executing code, reading and writing files, interacting with databases, sending communications, and orchestrating other systems.
Unlike a single model call that returns a response and stops, an agent operates in a loop. It observes, plans, acts, and observes again, often making dozens of API calls and file system operations before a human sees the result.
Each of those API calls requires authentication. Each file operation requires authorisation. The agent needs credentials.
That means the agent is not just a tool. It is an identity.
Why Existing Identity Controls Do Not Cover This
Enterprise identity governance was built around two categories: human users and machine services. Human users log in with credentials, follow workflows, and have managers who can approve or revoke access. Machine services (service accounts, API keys, workload certificates) have fixed scopes and long-lived credentials provisioned by an administrator, and those scopes rarely change after provisioning.
Agentic AI falls into neither category cleanly:
- Unlike human users, agents act at machine speed, making hundreds of access decisions per minute
- Unlike traditional machine services, agents have dynamic, context-dependent permission requirements that change with each task
- Unlike either, agents are often provisioned by developers experimenting with new tooling — outside the standard identity governance process
The result is that AI agents in most enterprises today are running under shared credentials, developer API keys, or service accounts created for “temporary” experiments that have long since become permanent fixtures.
The Attack Surface You Are Not Watching
Consider what a compromised AI agent can do:
An agent with access to your code repositories, email system, and project management tools has, in practice, access to your intellectual property, your communications, and your roadmap. If that agent operates under a developer's personal API key, every action it takes is recorded as the developer's, so there is no per-agent audit trail, no behavioural baseline against which to detect anomalies, and no automatic revocation when the developer changes roles: the key stays valid for as long as the developer's account does.
Now scale that to an enterprise running dozens of agents across customer support, code generation, data analysis, and business process automation.
The attack surface is not hypothetical. It is already in production.
What Agentic AI Identity Governance Looks Like
Governing AI agent identities requires applying — and extending — the same principles that govern other identity types:
Unique identity per agent. Every agent instance should have its own cryptographic identity, not a shared service account. This enables attribution, auditing, and precise revocation.
Dynamic least privilege. An agent’s permissions should be scoped to the current task, not its maximum possible requirements. A customer support agent should not hold standing access to the production database it queries once a month.
Behavioural baseline and anomaly detection. Agents have predictable usage patterns for a given task type. Significant deviations — unusual access times, access to new resource types, abnormal data volumes — should trigger automatic investigation.
Just-in-time access with automatic expiry. Permissions should be granted for the duration of a specific task and automatically revoked on completion. No standing access for agentic workloads.
Complete session recording. Every action taken by an agent should be logged in a tamper-resistant audit trail — for compliance, forensics, and model auditing.
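The five principles above can be exercised together in a small policy enforcement point. The following is an added example written for this article, not code from the article's author or from any product it describes: a task-scoped grant that carries its own expiry (just-in-time access, least privilege), one identity string per agent instance, a hash-chained audit log that detects after-the-fact edits, and a baseline check that flags access to resource types an agent does not normally touch. The signing key, agent and task names, scope strings and resource paths are all constructed for the demonstration; a real deployment would keep the key in a KMS or HSM and mint grants from a central identity service rather than on the agent host.

```python
import hashlib
import hmac
import json

# Constructed example key; hold this in a KMS/HSM in a real deployment.
SIGNING_KEY = b"example-only-grant-signing-key"
GENESIS = "0" * 64


def mint_grant(agent_id, task_id, scopes, ttl_s, now):
    """Issue a task-scoped, time-limited grant for one agent instance.

    Scopes are "action:resource_type" strings such as "read:tickets". The
    grant carries its own expiry, so no standing access exists: once `exp`
    passes, the grant is dead without anyone having to revoke it.
    """
    payload = {"agent": agent_id, "task": task_id, "scopes": sorted(scopes),
               "iat": now, "exp": now + ttl_s}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_grant(token, now):
    """Return (payload, status). payload is None only when the MAC fails."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None, "bad_signature"
    payload = json.loads(body)
    if now >= payload["exp"]:
        return payload, "expired"
    return payload, "ok"


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one,
    so editing or deleting an entry breaks every hash that follows it."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS

    @staticmethod
    def _digest(entry):
        raw = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(raw.encode()).hexdigest()

    def append(self, agent, task, action, resource, allowed, status, ts):
        entry = {"prev": self.head, "agent": agent, "task": task, "action": action,
                 "resource": resource, "allowed": allowed, "status": status, "ts": ts}
        entry["hash"] = self._digest(entry)  # digest taken before "hash" is added
        self.entries.append(entry)
        self.head = entry["hash"]

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return prev == self.head


def authorize(token, action, resource, log, now):
    """Policy enforcement point: every decision, allowed or denied, is logged."""
    payload, status = verify_grant(token, now)
    resource_type = resource.split("/", 1)[0]
    allowed = status == "ok" and f"{action}:{resource_type}" in payload["scopes"]
    agent = payload["agent"] if payload else "unverified"
    task = payload["task"] if payload else None
    log.append(agent, task, action, resource, allowed, status, now)
    return allowed


def anomalies(log, baseline):
    """Flag entries touching a resource type outside the agent's baseline
    (baseline: constructed map of agent id -> set of resource types seen)."""
    return [e for e in log.entries
            if e["resource"].split("/", 1)[0] not in baseline.get(e["agent"], set())]


def demo():
    log = AuditLog()
    agent = "support-agent-7f3a"  # one identity per agent instance, never shared
    token = mint_grant(agent, "ticket-4471", {"read:tickets", "write:tickets"},
                       ttl_s=300, now=1_000)
    in_scope = authorize(token, "read", "tickets/4471", log, now=1_010)
    out_of_scope = authorize(token, "read", "prod_db/customers", log, now=1_020)
    expired = authorize(token, "read", "tickets/4471", log, now=1_400)
    flagged = [e["resource"] for e in anomalies(log, {agent: {"tickets"}})]
    intact = log.verify()
    log.entries[1]["resource"] = "tickets/4471"  # attempt to hide the prod_db probe
    return {"in_scope": in_scope, "out_of_scope": out_of_scope, "expired": expired,
            "flagged": flagged, "intact": intact, "tampered_detected": not log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Denied attempts are logged alongside allowed ones on purpose: the out-of-scope probe of `prod_db/customers` is exactly the kind of event a baseline check should surface, and it is only visible because the enforcement point records what the agent tried, not just what it got.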
The Window Is Closing
Most enterprises currently have weeks to months to establish agentic AI identity governance before the problem becomes critical. The organisations deploying agents most aggressively are also — for now — the most aware of the identity risk.
That window will close. Agents will proliferate faster than governance programmes can catch up if organisations wait for the first breach to force the issue.
The time to build the governance foundation is now — while you can still see all the agents you have, understand what they are doing, and establish control without a crisis driving the programme.