How IAM providers are preparing for agentic AI
There is little doubt that enterprises will be deploying agentic AI. As such, technology firms are looking at various ways to secure these systems.
There is a very real sense that every organisation dabbling with artificial intelligence (AI) – in particular, agentic AI – is heading directly into an IT security catastrophe.
Richard Wainwright, field chief technology officer for Europe, the Middle East and Africa at Okta, says most of the businesses he speaks to seem stuck in pilots and are not obtaining value from the AI investments they’re making.
“They are building AI agents using a combination of API [application programming interface] keys and service accounts, which offer long-lived credentials to provide non-human identities [NHIs] with access to the corporate IT environment,” he says.
Wainwright warns that this creates a range of problems for IT security professionals. “It’s almost impossible to tie what the agent has done back to the person who called it,” he says.
Another area of concern, according to Wainwright, is that if a service account is used by a generalist AI agent, the scope it has is wide open. “This means it’s really powerful, but it can also break a lot of stuff,” he warns.
In its Workforce identity security platforms, Q2 2026 report, analyst firm Forrester recognises the limitations of identity and access management (IAM) for tasks that many enterprises are looking to streamline using agentic AI.
In the report, Forrester notes that modern identity security platforms unify authentication, authorisation, lifecycle governance and identity risk intelligence across human, machine and AI agent identities to deliver consistent, policy-driven controls at scale.
Many organisations’ use of AI and agentic AI is at a stage where the agentic functionality being used is very limited and controlled. Identity and access management for AI agents is a bit different to the way organisations manage employees.
Przemek Czarnecki, chief technology officer at fashion retailer Asos, notes that while agentic AI is not the same as human identity and access management, it is hard to tell the difference. For example, he says: “If you are in Teams, you may confuse an AI agent for a human because agents in the Microsoft environment show up on Teams in the same way as humans.”
Asos is using Microsoft Copilot in phase one of its AI strategy, where employees are using it to start building agentic AI. “We have defined a very limited set of actions these agents can do because we want to make sure that agents developed by everybody cannot do harm to the company,” says Czarnecki.
The fashion retailer is democratising the use of AI across the business, which potentially enables IT and security teams to understand how people in the business are deploying agentic AI. This is an important first step in putting in place the right observability tools and dashboards.
Observing actions of AI agents
Visibility is perhaps the first challenge enterprises face when assessing the risk of introducing agentic AI into their organisations.
Amarinder Jassal, senior vice-president and global leader for pre- and post-sales engineering at Saviynt, says there are no industry standards or certification authorities that can certify that an agent is not a bad actor, or working on behalf of a bad actor, and does not lead to sensitive data being compromised, or that it has been audited and has achieved a level of quality assurance that makes it enterprise-ready.
Jassal says Saviynt is seeking to bring AI agents under one umbrella to observe their behaviour. “We are trying to bring all these agents into a single repository, which works rather like a CMDB [configuration management database]. There is one centralised repository for all the AI agents in your environment, whether they are registered or unregistered,” he adds.
To achieve this, Saviynt has developed integration with technical partners and is working with the likes of Zscaler and CrowdStrike to capture shadow aspects of agentic AI.
Observability is key because even legitimate uses of agentic AI systems can perform tasks they are not designed for.
Chandra Gnanasambandam, executive vice-president of product and chief technology officer at SailPoint, recently came across an AI-powered loan processing system that had inadvertently bypassed security measures to complete a credit check it was not supposed to run. “The agent’s intent was to solve a task, and it found ways to do so even when it was being told not to do so,” he says.
In this example, Gnanasambandam says a bank had deployed a supervisor agent to manage the loan approval process, with various helper agents to perform specific tasks. One of these agents was tasked with performing a credit check, but it was denied access to the internal credit-checking application. It reported to the supervisor agent that it did not have access to this application and so could not complete the task. However, the supervisor agent had a goal to complete loan applications in three minutes, and all the other helper agents had already completed their work.
According to Gnanasambandam, the supervisor agent refused to accept the helper agent’s inability to complete its task. As a consequence, seeking an alternative way to complete its task, the helper agent searched the internet for vulnerabilities in the credit risk system.
“It was trying to access a credit risk score and found a GitHub repository where a developer had accidentally left in a token that provides access to the system. So it found the token and accessed the credit risk system. The task was complete – except it did something it was not supposed to do,” he says.
Monitoring agentic AI access
This example is illustrative of the IT governance nightmare that is likely to unfold as agentic AI is deployed in live production environments. What is clear is that AI agents cannot simply be treated in the same way as human users, and they have the ability to work around security measures that limit what they are authorised to do.
Okta is identified by Forrester as a leader in IAM. It recently updated its Auth0 IAM tool for autonomous agents. Auth0 for AI Agents aims to address the difference between how software developers write software for human users and what happens when an agent is deployed to run that software. The approach Okta is taking shows the challenges IAM software providers are looking to address, along with usability, performance and scalability considerations.
Traditional permission models tend to use APIs to authenticate users to applications. But according to Okta, this approach slows performance in an agentic AI workflow and prevents the deployment of AI agents in production environments, as Gareth Davies, Auth0 chief product officer, explains: “When an AI agent needs to access dozens of different tools, developers are often forced to manually hardcode API keys or build custom authorisation logic from scratch. This impacts productivity and exponentially increases the risk of a breach.”
He says Auth0 for Agents provides an independent identity platform that securely connects agents to any tool, any system and any provider, which means developers can focus on building applications.
Rather than treating AI agents as user extensions, which Okta says can lead to overly broad permissions or shadow identities that bypass enterprise controls, Auth0 for Agents offers a feature called Agent as Principal. This enables software developers to assign unique identities to AI agents, which Okta says are distinct from the users they serve and means agent actions can be independently permissioned and audited, enabling them to operate with proper oversight.
Another problem area Okta is seeking to address with Auth0 for Agents is the performance overhead incurred by fine-grained authentication (FGA) when deploying relationship-based access control. FGA is a way to ensure that only data the user or the agent is authorised to view is accessed when they run a search query across enterprise systems.
This can be achieved by using an AI agent that performs retrieval-augmented generation (RAG) to run a search with a permissions task to augment and generate the responses it is authorised to access. Okta says developers need to make trade-offs: either building a secure system that is too slow to use, or a fast system that risks sensitive data being disclosed. To overcome these trade-offs, Auth0 implements a permissions index, which works rather like a database index, for lookups of permissions data. Since permissions are stored locally in a standard database format, Okta says applications or search engines can query business data that the user or agent is authorised to access by looking up a precomputed permissions table.
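The permissions-index idea described above, as an added sketch that is not Okta's or Auth0's code: relationship tuples are flattened into a precomputed table that the search query joins against, so filtering is an indexed lookup rather than a per-document authorisation call. The schema, names and sample data are constructed for illustration, group nesting is limited to one level, and the agent is modelled as its own principal with narrower grants than the user it serves.

```python
import sqlite3

# Constructed sample data: relationship tuples (subject, relation, object).
TUPLES = [
    ("user:alice", "member", "group:finance"),
    ("group:finance", "viewer", "doc:q3-forecast"),
    ("group:finance", "viewer", "doc:payroll"),
    ("user:alice", "viewer", "doc:handbook"),
    ("agent:helpdesk-bot", "viewer", "doc:handbook"),  # agent has its own identity
]
DOCS = [
    ("doc:q3-forecast", "Q3 revenue forecast and budget"),
    ("doc:payroll", "Payroll budget by department"),
    ("doc:handbook", "Employee handbook: expenses and budget approvals"),
]

def build_index(db, tuples):
    """Flatten tuples into (principal, doc_id) rows: the precomputed table."""
    groups = {}  # principal -> groups it belongs to (one level, no nesting)
    for subj, rel, obj in tuples:
        if rel == "member":
            groups.setdefault(subj, set()).add(obj)
    rows = set()
    for subj, rel, obj in tuples:
        if rel != "viewer":
            continue
        if subj.startswith("group:"):
            rows.update((p, obj) for p, gs in groups.items() if subj in gs)
        else:
            rows.add((subj, obj))
    db.execute("DELETE FROM perm_index")  # full rebuild so revocations take effect
    db.executemany("INSERT INTO perm_index VALUES (?, ?)", sorted(rows))

def search(db, principal, term):
    """Return matching documents the principal may view, via one indexed join."""
    cur = db.execute(
        "SELECT d.doc_id FROM docs d JOIN perm_index p ON p.doc_id = d.doc_id "
        "WHERE p.principal = ? AND d.body LIKE ? ORDER BY d.doc_id",
        (principal, f"%{term}%"),
    )
    return [r[0] for r in cur]

def make_db(tuples=TUPLES):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (doc_id TEXT PRIMARY KEY, body TEXT)")
    db.execute("CREATE TABLE perm_index (principal TEXT, doc_id TEXT, "
               "PRIMARY KEY (principal, doc_id))")
    db.executemany("INSERT INTO docs VALUES (?, ?)", DOCS)
    build_index(db, tuples)
    return db
```

The index is only as fresh as its last rebuild, so a revoked group membership stays effective until `build_index` runs again; that staleness window is the cost of the fast lookup.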
Identity and access management companies are taking different approaches to securing agentic AI systems. What is clear from the conversations Computer Weekly has had with IAM firms is that monitoring agentic AI is key.
Simon Gooch, field CIO at Saviynt, says: “Agentic AI is fundamentally shadow IT back with a vengeance.” As organisations start democratising the use of agentic AI, Gooch urges IT and security leaders to ensure they have controls in place to make sure that the democratisation of agentic AI is predictable and the technology is being used sensibly within a framework that the organisation considers safe and secure.
