
By Itamar Apelblat, CEO and co-founder, Token Security
Every major technology wave creates the same uncomfortable moment for security leaders. Oftentimes, the business moves first and security is asked to make it safe afterward. We saw this pattern with Cloud, SaaS, and DevOps adoptions. Now, agentic AI is doing it again.
The difference is that AI agents are not just another service or application category. They are digital actors that authenticate, receive permissions, call APIs, write code, trigger workflows, query databases, and take action across production environments. In many organizations, they are already doing this with credentials, API tokens, OAuth grants, and cloud roles that nobody has fully inventoried.
This makes the central security question bigger than "what can the model say?" The real questions that need to be answered are: Who is this agent, what is it allowed to do, who is responsible for its actions, and can we revoke or constrain it when something changes?
Yes, agentic AI has an identity problem, and attackers are starting to take notice.
Security teams have spent years building identity programs around humans. Employees join, move, and leave. Access can be reviewed, managers can attest to what people need, and behavior can be monitored against a relatively stable baseline.
Machine identities strained that model. Service accounts, secrets, certificates, workload identities, and API keys multiplied across cloud and DevOps environments. Many were overprivileged, poorly owned, and rarely reviewed. Still, most machine identities were deterministic and performed defined tasks in predictable ways.
AI agents break this assumption. An agent behaves more like a human in that it can interpret a goal, choose a path, and act across systems. But it scales like software and processes at machine speed.
It can be created quickly, embedded into SaaS products, copied by developers, delegated permissions by users, and left running long after the original need is gone.
This combination of autonomy, scale, and decentralization creates a new class of identity risk that traditional models were never designed to handle.
Traditional least privilege is where identity and access management falls short for agentic AI. With a human or service account, least privilege often means granting the minimum static permissions required for a role or function.
But an agent may need different access depending on its goal, the data involved, the user or system on whose behalf it is acting, and the environment it is touching.
For example, a support agent summarizing a ticket does not need the same privilege as an agent that can issue refunds, modify customer records, or execute commands in production.
A coding agent running in a sandbox is different from one that can open pull requests, access secrets, or deploy infrastructure.
Access for agents should be contextual, intent-based, time-bound, and continuously evaluated, but this is not how most enterprises operate today.
Many organizations already have shadow AI, just as they once had shadow IT. Agents are built by internal teams, arrive through SaaS platforms that quietly add autonomous features, run locally on endpoints or inside developer environments, and connect to automation platforms, identity providers, cloud consoles, and ticketing systems.
If security teams do not know these agents exist, they cannot secure or govern them. If they do not know which credentials the agents use, they cannot understand the blast radius. And if they cannot map each agent to an owner, a purpose, and a lifecycle, they cannot hold anyone accountable when the agent makes a harmful decision or is abused by an attacker.
Agents are often given broad access because it is easier during experimentation. A developer may grant an API token so a prototype can work, a business unit may connect an agent to a SaaS account with admin rights, or an application team may embed secrets into a workflow because it is faster than designing proper delegation. These types of shortcuts create identity debt, and agentic AI can accumulate that debt at scale and machine speed.
If an agent can read untrusted content and also take privileged action, attackers do not always need to compromise a traditional account. They may only need to influence what the agent can access because that agent may be overprivileged. Without proper scope boundaries and access controls, prompt injection becomes a vector for unauthorized action.
CISOs cannot wait for a separate AI security program to mature in isolation. Agentic AI governance must be anchored in identity security. The controls we need start with the basics, but they must be adapted for autonomous systems.
Every agent should have a distinct identity. Shared accounts and borrowed human credentials are unacceptable. Each agent must have an owner, a business purpose, an approved scope of action, and a defined lifecycle. Access needs to be granted based on the task, not convenience. Privileges should expire when no longer needed and secrets should be protected, rotated, and removed from places agents can expose them.
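One way to make the task-scoped, time-bound, revocable access described here concrete, as an added example that is not Token Security's code: each grant is tied to a task and an environment and carries an expiry, every agent has an owner, and a single check evaluates each request in context. The agent, owner, task and action names are constructed for illustration.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """One task-scoped, time-bound permission for an agent."""
    task: str            # business purpose the access serves
    environment: str     # e.g. "sandbox" or "production"
    actions: frozenset   # actions allowed within that task and environment
    expires_at: datetime # privilege expires instead of lingering

@dataclass
class AgentIdentity:
    """A distinct agent identity with owner, purpose, scope and lifecycle."""
    agent_id: str
    owner: str
    purpose: str
    grants: list = field(default_factory=list)
    revoked: bool = False

def authorize(agent, task, environment, action, now):
    """Evaluate one request in context; returns (allowed, reason)."""
    if agent.revoked:
        return False, "agent identity revoked"
    if not agent.owner:
        return False, "no accountable owner on record"
    for g in agent.grants:
        if g.task != task or g.environment != environment:
            continue
        if now >= g.expires_at:
            return False, f"grant for {task}@{environment} expired"
        if action in g.actions:
            return True, f"allowed by grant {task}@{environment}"
    return False, f"no grant covers {action} for {task}@{environment}"

# Constructed sample (hypothetical agent): may read tickets, not issue refunds
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SUPPORT_AGENT = AgentIdentity(
    agent_id="support-summarizer-01", owner="support-platform-team",
    purpose="summarize inbound tickets",
    grants=[Grant("ticket-summary", "production", frozenset({"read_ticket"}),
                  NOW + timedelta(hours=8))])

def demo():
    """Allowed, out-of-scope, expired, and revoked cases, in that order."""
    a, t, e = SUPPORT_AGENT, "ticket-summary", "production"
    return [authorize(a, t, e, "read_ticket", NOW)[0],
            authorize(a, t, e, "issue_refund", NOW)[0],
            authorize(a, t, e, "read_ticket", NOW + timedelta(hours=9))[0],
            authorize(replace(a, revoked=True), t, e, "read_ticket", NOW)[0]]
```

The same agent is denied a refund, denied after its grant expires, and denied once revoked, without any change to the calling code.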
Manual reviews do not scale when agents can be created by developers, business users, and SaaS vendors across the enterprise. Identity governance for agents must discover new agents, classify access, detect risky paths, enforce policy, and trigger remediation without waiting for a quarterly review.
Accountability requires a shift: security teams cannot be the central bottleneck for every agent. The better model allows teams to build and adopt agents while requiring guardrails for identity, access, ownership, logging, and revocation. Decentralized control with centralized policy enables innovation without sacrificing governance.
Cloud, SaaS, and DevOps all moved faster than traditional security models. The enterprises that succeeded were not the ones that said no. They rebuilt their controls around how the new technology actually worked.
Agentic AI is now forcing the same evolution. Organizations that treat this as a standalone AI security problem will miss the mark. This is fundamentally an identity problem, and it demands an identity solution.
Security leaders should stop thinking only about what AI generates and start focusing on what AI can do. Today's growing risk is an autonomous action taken by an identity nobody governed, using access nobody reviewed, toward an outcome nobody intended. That is the identity problem at the heart of agentic AI, and it is the problem CISOs need to solve now.
The time to act is not in six months. It is now. The longer organizations wait to implement identity-centric agentic AI governance, the harder it will be to regain control.
Get started with a demo from Token Security to see how an identity-centric approach could work in your organization.
Sponsored and written by Token Security.