Agentic identity: when your users aren't human

Identity systems make a quiet assumption that has held for fifty years: the principal on the other end of the connection is either a person, who improvises but authenticates interactively, or a machine, which authenticates non-interactively but does the same thing every day until someone decommissions it. Every control we have, from MFA prompts to anomaly detection baselines, leans on that split.
AI agents break it. An agent authenticates like a machine and behaves like a person. It improvises. It chains actions across systems in orders nobody scripted. It works at 3 a.m. because someone in another timezone asked it a question. Feed that behavior to a risk engine trained on the old dichotomy and you get one of two failure modes: the engine screams constantly, so someone mutes it, or it shrugs, because service accounts are allowed to be weird.
The service account was already a lie
Let us be honest about the baseline. Long-lived credentials, permissions accreted over years, ownership recorded in a wiki page last edited by someone who left in 2022. Service accounts have been the soft underbelly of enterprise security for a long time. Agents did not create this problem. They took it, multiplied it by a few orders of magnitude, and gave it initiative.
I find that clarifying rather than terrifying. We were never going to fix service account hygiene by asking nicely for the eleventh consecutive year. A new class of principal that obviously cannot be managed the old way is the forcing function this industry needed.
What an agent-shaped identity looks like
Three properties, none of them optional. First, provenance: every agent identity is bound to an accountable human or team, cryptographically, not in a spreadsheet. Second, delegation: when an agent acts for a user, the credential carries the whole chain, so a downstream API can distinguish Alice from an agent acting for Alice from an agent acting for an agent acting for Alice, and apply different policy to each. Third, ephemerality: authority is minted per task and expires in minutes. An agent at rest should hold roughly nothing.
The question is not whether the agent is trustworthy. The question is whether you can afford the worst thing it is currently authorized to do.
That last framing is the one I push on customers. Trust is a property of models and vendors and vibes. Authorization is a property of your infrastructure, and it is the only one of the two you actually control.
Where this goes
We have been quietly building toward this for over a year, and several design partners are running agent workloads on it now; there will be a product announcement when it is ready and not before. In the meantime, the practical advice is unglamorous: inventory your non-human principals, assign every one of them a living owner, and start measuring credential lifetime the way you measure vulnerability age. The organizations that do that boring work now will find the agentic era an upgrade. The ones that do not will find it an audit finding.
Writing from inside the identity layer since 2025. For the conversation this post starts, bring it to your next architecture review — or to ours.
