- Confirm whether each AI agent receives a freshly scoped, task-specific identity, rather than a standing account with persistent permissions.
- Verify that permissions are tied to the specific task, data sensitivity, and risk context, rather than a fixed role applied uniformly.
- Ensure the full delegation chain, from the human request through every agent and sub-agent involved, can be reconstructed after the fact for audit and accountability purposes.
Traditional identity and access management (IAM) was built around a simple question, who are you? It assumes the authenticated identity is the same entity making decisions, a person logs in, and that person acts. That assumption is already under strain as AI agents operate as non-human identities that reason and act on a human’s behalf, often through multiple layers of delegation involving sub-agents, tools, and APIs. The real question is no longer who is this, but whose authority is being exercised, under what constraints, and for how long.
This shift matters because organizations are deploying AI agents faster than their identity models can adapt. Static roles and standing permissions, designed for long-lived human and service accounts, do not map cleanly onto software that may exist for seconds, complete a single task, and disappear. Palo Alto Networks’ 2026 Identity Security Landscape report, based on a survey of 2,930 security decision-makers, found that machine identities, including AI agents, now outnumber human identities 109 to 1, and organizations expect AI agent identities to grow another 85% over the next 12 months. The same report found that only 37% of organizations can revoke an AI agent’s credentials and only 30% maintain immutable audit logging of agent activity. The population is exploding while the controls to govern it remain the exception.
From Authentication to Delegated Authority
Three changes follow directly from this shift, and security teams evaluating AI agent deployments should treat them as design requirements, not future considerations.
Identity Must Become Ephemeral
Service accounts today often exist for years with broad, standing permissions. An agent created to complete a single task does not need that lifespan. Provisioning a fresh, narrowly scoped identity for each task, and retiring it the moment the task completes, removes the standing privilege that turns a single compromised credential into a long-running exposure. The revocation gap makes this concrete: when only 37% of organizations can pull an agent’s credentials on demand, the safest credential is one that expires on its own the moment the task ends.
Least Privilege Must Become Contextual
Role-based access control has long served as a cornerstone of identity management, bundling permissions into roles tied to job functions. That model already strains under the complexity of modern enterprises, and it breaks further with AI agents. An agent’s permissions should instead depend on the specific task, the sensitivity of the data involved, and the current risk context, meaning the same agent may legitimately receive different permissions each time it runs. This is a harder engineering problem than traditional role assignment, but it is the only model that scales safely as agents take on a wider range of tasks.
Audit Must Capture the Full Delegation Chain
A traditional audit log answers who performed an action. An agentic audit trail needs to answer who initiated the request, which agent planned the work, which sub-agent made the decision, and which identity ultimately executed it. Without that chain, accountability collapses the moment more than one agent is involved in a workflow, which is increasingly the norm rather than the exception. With only 30% of organizations maintaining immutable audit logs for agent activity, most cannot answer the basic question of which agent accessed what, and when, let alone reconstruct the full chain of delegation behind an action.
From Access Control to Authority Governance
Together, these changes point toward a broader shift in how identity itself needs to be managed. Access has historically been the central security boundary, can this identity reach this resource. With autonomous agents, authority becomes the harder and more important boundary, how much authority is delegated, whether it can be delegated further, and how quickly it can be revoked.
This is sometimes described as a shift from identity administration to runtime identity orchestration, the dynamic creation, governance, and retirement of identities as agents execute work, rather than the static administration of long-lived accounts. An identity is created for a task, scoped to only what that task requires, evaluated continuously while the task runs, and removed the moment it ends.
Traditional IAM was built for people logging into applications. Agentic IAM has to be built for autonomous software acting on people’s behalf, and that is a fundamentally different governance problem, not simply an extension of the old one.