
Not All AI Agents Are Born Equal, And Your Identity Stack Doesn't Know the Difference


Something substantial is happening in the identity industry right now, and I think it's being completely misunderstood.

In the past few weeks alone, SailPoint launched Agentic Fabric, Okta launched its Okta for AI Agents blueprint, and every IAM and NHI vendor is rushing to claim its role in the "agentic enterprise." The message is consistent: extend your existing identity controls to cover AI agents. Discover them. Govern them. Map them to a human owner. Create policies. Enforce those policies and least privilege.

It's a reasonable instinct. It's also, I'd argue, wrong - or at least incomplete in a way that matters enormously.

I'll be at Identiverse presenting on exactly this topic, and I wanted to share some of the thinking before we get to Las Vegas. The identity community has always been good at asking hard questions early. This is one of those moments, and there's no better room to have it in.

The Fabric Metaphor Is Revealing

When you hear "identity security fabric," what you're really hearing is: we're weaving AI agents into the same infrastructure we built for humans and/or machines. The fabric metaphor implies continuity, one connected surface, uniform treatment, consistent controls.

That would be great, if AI agents were anything like the identities those fabrics were designed for.

Human identity is relatively stable. A person has a role, a set of entitlements, a consistent pattern of behavior. A human joins the organization with a clear birthright identity, moves once or twice a year during their tenure (monthly at the extreme) with the identity modified accordingly, and then leaves the organization and the identity is deprecated. You grant access based on who they are and what they're supposed to do. The relationship between identity and action is predictable enough that static governance models work and remain very stable.

Non-human identity (service accounts and workloads, bots, API keys) is more dynamic, but still essentially deterministic. An API key should keep doing what it's configured to do, and if it doesn't, an alert is triggered. A service account has a very defined scope. You can audit it, rotate it, and bind it to a principal fairly easily.

Enterprise AI agents are new players we have never experienced before in IT history. They are categorically different: not just in degree, but in kind. They don't execute fixed instructions. They reason, plan, and adapt in response to context. Their behavior at runtime can diverge from anything that was true at provisioning time, and that gap is exactly where existing security models break down.

What Makes Enterprise AI Agents Different

There are roughly three types of AI agents in the wild today, and it matters enormously which one we're talking about.

The first type is what you might call development or coding agents: tools that assist engineers within a bounded, well-understood environment. GitHub Copilot, Cursor-style tools. Their context is narrow, their blast radius is limited, and they operate with meaningful human oversight in the loop. These agents thrive today with early-adopter developers and engineering teams.

The second type is in-product agents: AI capabilities embedded in software to enhance a specific workflow. A support chatbot. A summarization feature. Again, relatively bounded, operating within a defined product context, with clearly defined, well-designed ownership and scope.

The third type is what I'm focused on, and what I believe the industry is underestimating: Enterprise AI Agents. These are agents built directly into core workforce business processes, operating across Finance, HR, Sales, Marketing, Operations, IT. They don't live inside a single product. They traverse organizational boundaries, connect disparate systems, execute multi-step tasks, and make consequential decisions, often with no humans in the loop.

These agents don't have fixed roles. Their scope shifts with the task, much like a human employee's does. Their identity is often ambiguous because they inherit context from the processes and people that invoked them. And critically, they operate at machine speed across systems that were never designed to talk to each other. Moreover, unlike human or machine identities, they frequently change their intent, at a pace very different from that of an identity "mover."

Wrapping them in the same governance model you use for a service account isn't wrong, exactly. It's just insufficient in precisely the places where it matters most.

The M2M to A2A Shift

Traditional non-human identity security was built for a world of Machine-to-Machine (M2M) communication. One service calls another. Credentials are exchanged. The trust relationship is explicit, scoped, and auditable.

We are moving fast into an Agent-to-Agent (A2A) world, and the difference is profound.

In A2A interaction, identity is passed through chains. An enterprise agent might invoke a sub-agent, which invokes another, which eventually accesses a sensitive system, with the original human actor entirely abstracted from the transaction by the time it reaches anything that can be secured or audited. Who is responsible for that access? Who owns it? What was the original intent?

The "map every agent to a human owner" approach, which is the right instinct and a necessary starting point, doesn't answer these questions at runtime. Ownership is a governance concept. At the moment an agent chain is executing at machine speed across five systems, ownership attribution doesn't tell you whether this specific action, in this specific context, with this specific data, is within acceptable boundaries.

Intent Is the Missing Signal

Here's the core of what I'll be arguing at Identiverse: securing enterprise AI agents requires a fundamentally different mental model. Not an extension of IAM. A new layer.

Static entitlements and ownership mapping are necessary but not sufficient. What's missing is real-time observation across the IT stack at the point of operation, understanding not just what an agent can do, but what it is doing right now, why, and whether that behavior is consistent with the intent that authorized it in the first place.

This means a hybrid identity model, one that evolves with context rather than remaining fixed at provisioning time. It means dynamic controls driven by continuous behavioral analysis, not just policy enforcement at the gate. And it means thinking about agent operations as chains of intent that need to be traceable end-to-end, even as the original human actor becomes increasingly abstracted.
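To make the A2A chain problem and the runtime intent check concrete, here is an added Python example that is not from the post or from aizome's product: a constructed delegation chain in which the third agent has a mapped owner and a valid static entitlement, so ownership-plus-entitlements says yes, yet the action falls outside the intent that authorized the chain. Every agent name, system, scope and owner below is made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed model: the intent that authorized a task travels with the chain,
# so a check at the point of operation can still see the originating human
# and purpose after several hops of agent-to-agent delegation.
@dataclass(frozen=True)
class Intent:
    principal: str                      # originating human actor
    purpose: str                        # what the human actually asked for
    allowed: frozenset                  # (system, operation) pairs the task may touch

@dataclass
class DelegationChain:
    intent: Intent
    hops: list = field(default_factory=list)   # agents that passed the task along

    def delegate(self, agent: str) -> "DelegationChain":
        return DelegationChain(self.intent, self.hops + [agent])

# Static governance data (constructed): owner mapping and entitlements per agent.
OWNERS = {"finance-agent": "alice", "email-agent": "bob", "hr-agent": "carol"}
ENTITLEMENTS = {
    "finance-agent": {("erp", "read")},
    "email-agent": {("mail", "send")},
    "hr-agent": {("hris", "read"), ("hris", "export")},
}

def static_check(agent: str, system: str, op: str) -> bool:
    """What ownership mapping plus entitlements can answer: may this agent ever do this?"""
    return agent in OWNERS and (system, op) in ENTITLEMENTS.get(agent, set())

def runtime_check(chain: DelegationChain, agent: str, system: str, op: str):
    """What the chain adds: is this action inside the intent that started the task?"""
    reasons = []
    if not static_check(agent, system, op):
        reasons.append("no static entitlement")
    if (system, op) not in chain.intent.allowed:
        reasons.append(f"outside intent '{chain.intent.purpose}' of {chain.intent.principal} "
                       f"via {' -> '.join(chain.hops)}")
    return (not reasons), reasons

def demo():
    """Three hops in: a payroll export that static governance permits but intent does not."""
    intent = Intent("alice", "reconcile Q2 vendor invoices",
                    frozenset({("erp", "read"), ("mail", "send")}))
    chain = (DelegationChain(intent).delegate("finance-agent")
             .delegate("email-agent").delegate("hr-agent"))
    static_ok = static_check("hr-agent", "hris", "export")           # True: owner + entitlement
    runtime_ok, reasons = runtime_check(chain, "hr-agent", "hris", "export")  # False: off-intent
    return static_ok, runtime_ok, reasons
```

The divergence between the two results is the gap the section describes: the static answer is correct and still useless for deciding whether this specific action belongs to this specific task.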

The goal isn't to restrict enterprise AI agents. You want to enable them to achieve their tasks and for the organization to benefit from the huge gains in productivity and efficiency they can deliver. If done wrong, security and IAM teams become the departments that prevent the business from using AI at all, which is not a sustainable position. The goal is to enable safe, cross-system AI operations through reusable, intelligent connections that let agents do their jobs while operating within understood boundaries.

The Window Is Closing

We're at a rare inflection point. The decisions the identity industry makes in the next 12-18 months will shape how enterprise AI is governed for a decade. Boards across industries are already applying pressure.

If we commit to the "extend the fabric" approach, treating enterprise AI agents as a variation on the NHI problem, we'll build governance frameworks that look complete on paper but miss the most dangerous failure modes in practice. An agent that has correct entitlements and a mapped human owner can still cause enormous harm if its behavior deviates from the expected intent and there's no runtime control to detect and respond. The industry therefore needs a new, AI-relevant fabric, either weaving enterprise AI agent identity management into the existing one or adding this distinct fabric layer on top.

If instead we acknowledge that not all agents are born equal, that enterprise AI agents require agent-native identity, not adapted human-identity infrastructure, we have a chance to build a security fabric that actually matches the new threat model.

Come Find Us at Identiverse

The aizome team will be in the NHI + AI Pavilion at Kiosk 08.

On June 15th, I'll be participating in the Non-Human Identity & Agentic AI Summit, a half-day event for practitioners who are already past "should we do something about AI agent identity?" and into the harder questions of how.

On June 16th, I'll be presenting "Not All AI Agents Are Born Equal" in the NHI Pavilion Theater at 6:20 PM, diving into the agent taxonomy, the M2M to A2A shift, and the new identity model aizome is built around.

We're also participating in The Exchange meetings. If you're a CISO, CIAO, IAM leader, or architect thinking hard about how to govern enterprise AI agents without strangling the business, I'd genuinely like that conversation. Come find us at Kiosk 08, or reach out before the conference to set something up.

The question isn't whether AI agents need identity security. It's whether the identity security we're building is actually designed for the agents we're deploying.

I don't think it is yet. That's why we built aizome.

Amir Ofek is Co-Founder and CEO of aizome.
