Access Management Needs a Conductor, Not More Instruments
Kevin Paige, Field CISO
Every employee now has an entourage of AI agents. The agents have agents of their own. And no one is on the podium.
An orchestra without a conductor is just noise.
Every musician might be world-class. The violins may be perfectly tuned. The brass section may be technically flawless. But without someone on the podium – reading the full score, cueing entrances, adjusting tempo, balancing dynamics across sections – you don’t get music. You get 80 people playing at the same time.
This is the state of enterprise identity in 2026.
Organizations have invested heavily in instruments. Authentication tools. Authorization engines. Privileged access managers. Governance platforms. MFA solutions. Secret managers. Agent identity tools. The average enterprise runs 12 or more discrete identity products. Each one works. Each one is tuned. And together, they produce something closer to cacophony than symphony.
The problem was never the instruments. The problem is that no one is conducting.
The Orchestra Is Growing Faster Than Anyone Can Score
The identity orchestra was manageable when it was a chamber ensemble – a few hundred employees, a handful of applications, some service accounts. A competent admin could keep the parts in sync manually.
That era is over.
Companies report between 1 and 17 AI agents per employee today. Forty percent of enterprise applications will embed task-specific agents by end of 2026. Each agent authenticates hundreds of times per minute. Each one makes autonomous decisions at machine speed. Each one operates with delegated authority from a human sponsor – and increasingly, agents are spawning sub-agents of their own.
A marketing manager’s campaign optimizer creates channel-specific sub-agents. An engineer’s code reviewer spawns security scanners. The human approved one agent. The orchestra grew by five.
When you add these agents to the broader landscape of service accounts and machine identities, a 10,000-person organization is governing millions of identities. That’s not a symphony orchestra. That’s a stadium full of musicians, each reading a different score, playing at different tempos, in different keys.
And the number roughly doubles every 18 months.
No amount of better instruments solves this. You could have the finest authentication system ever built, the most sophisticated authorization engine, the most comprehensive governance platform – and still produce chaos. Because the challenge isn’t any individual capability. It’s coordination across all of them, in real time, at machine speed.
That’s a conductor’s job.
What a Conductor Actually Does
A great conductor doesn’t play an instrument. They do something harder: they hold the complete score in their head and make thousands of real-time decisions about how independent parts relate to each other.
Access management needs the same thing.
Reading the full score
A conductor sees what no individual musician can: how the violin line interacts with the cello, how the timpani entrance affects the brass balance, how a tempo shift must cascade through every section simultaneously.
In identity terms, this is the unified view – seeing how a human’s role change should cascade to every AI agent they sponsor, how an agent’s authentication in one cloud relates to its authorization in another, how sub-agents inherit permissions the human never explicitly granted. No single identity tool holds this view. The conductor does.
Cueing entrances and exits
Musicians don’t decide when to start playing. The conductor cues them at precisely the right moment.
In access management, this is just-in-time provisioning and instant deprovisioning – identities activated when needed, revoked the moment they’re not. When a human employee leaves a project, their access should be revoked. But what about the agents they sponsored? The sub-agents those agents created?
In most organizations, those agents keep playing long after their human sponsor has moved on. An agent deployed for a three-week project retains its permissions indefinitely. These are musicians who were never told to stop playing. They’re still on stage, still making noise, long after their part ended.
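The cueing described above can be enforced mechanically if every agent grant records who sponsored it, what subset of the sponsor's permissions it holds, and when it expires. The registry below is an added example written for this post, not code from the original article or from any product it mentions; the principal names, scopes and the three-week campaign scenario are constructed. It generalizes the marketing-manager case to any depth of delegation: a sub-agent cannot ask for scopes its parent lacks, cannot outlive the grant it was spawned from, loses every scope the moment any ancestor is revoked or expired, and an expiry sweep cascades the same way a revocation does.

```python
"""Delegation-chain registry: a human sponsor grants an agent a scoped,
time-boxed grant; agents spawn sub-agents whose scopes are attenuated and
whose lifetime is capped by the parent's; revoking any node cascades to
everything below it, and expiry is swept on the same path."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2026, 3, 1, tzinfo=timezone.utc)   # constructed "now" for the demo
DAY = timedelta(days=1)


@dataclass
class Grant:
    principal: str               # e.g. "user:alice" or "agent:campaign-optimizer"
    sponsor: str | None          # parent in the chain; None for a human root
    scopes: frozenset[str]
    expires_at: datetime
    active: bool = True


class DelegationRegistry:
    def __init__(self) -> None:
        self._grants: dict[str, Grant] = {}

    def grant(self, principal: str) -> Grant:
        return self._grants[principal]

    def register_human(self, user: str, scopes: set[str], expires_at: datetime) -> Grant:
        g = Grant(user, None, frozenset(scopes), expires_at)
        self._grants[user] = g
        return g

    def sponsor_agent(self, sponsor: str, agent: str, scopes: set[str],
                      ttl: timedelta, now: datetime) -> Grant:
        """Create an agent grant under `sponsor`. Fails closed if the sponsor is
        inactive or expired, or if the agent asks for anything the sponsor does
        not itself hold (no privilege amplification down the chain)."""
        parent = self._grants[sponsor]
        if not parent.active or parent.expires_at <= now:
            raise PermissionError(f"{sponsor} cannot sponsor: grant inactive or expired")
        requested = frozenset(scopes)
        excess = requested - parent.scopes
        if excess:
            raise PermissionError(f"{agent} asks for {sorted(excess)}, which {sponsor} does not hold")
        # A sub-agent never outlives the grant it was spawned from.
        g = Grant(agent, sponsor, requested, min(now + ttl, parent.expires_at))
        self._grants[agent] = g
        return g

    def _children(self, principal: str) -> list[Grant]:
        return [g for g in self._grants.values() if g.sponsor == principal]

    def revoke(self, principal: str) -> set[str]:
        """Deactivate `principal` and every agent and sub-agent beneath it."""
        revoked: set[str] = set()
        stack = [principal]
        while stack:
            current = stack.pop()
            g = self._grants[current]
            if g.active:
                g.active = False
                revoked.add(current)
            stack.extend(child.principal for child in self._children(current))
        return revoked

    def sweep_expired(self, now: datetime) -> set[str]:
        """Periodic or event-triggered cleanup: anything past its expiry is
        revoked, and that revocation cascades to its descendants."""
        swept: set[str] = set()
        for g in list(self._grants.values()):
            if g.active and g.expires_at <= now:
                swept |= self.revoke(g.principal)
        return swept

    def effective_scopes(self, principal: str, now: datetime) -> frozenset[str]:
        """Scopes usable right now: the intersection along the whole chain, and
        nothing at all if any ancestor is inactive or expired."""
        scopes: frozenset[str] | None = None
        current: str | None = principal
        while current is not None:
            g = self._grants[current]
            if not g.active or g.expires_at <= now:
                return frozenset()
            scopes = g.scopes if scopes is None else scopes & g.scopes
            current = g.sponsor
        return scopes if scopes is not None else frozenset()


def build_campaign_chain(now: datetime = T0) -> DelegationRegistry:
    """Constructed scenario: a marketing manager sponsors a campaign optimizer
    for a three-week project, and it spawns a channel-specific sub-agent."""
    reg = DelegationRegistry()
    reg.register_human("user:alice", {"ads:read", "ads:write", "crm:read"}, now + 365 * DAY)
    reg.sponsor_agent("user:alice", "agent:campaign-optimizer",
                      {"ads:read", "ads:write"}, 21 * DAY, now)
    # The sub-agent asks for 90 days but is capped to its parent's 21.
    reg.sponsor_agent("agent:campaign-optimizer", "agent:channel-search",
                      {"ads:write"}, 90 * DAY, now)
    return reg


if __name__ == "__main__":
    reg = build_campaign_chain()
    print(sorted(reg.effective_scopes("agent:channel-search", T0)))
    print(sorted(reg.sweep_expired(T0 + 22 * DAY)))   # both agents go, alice stays
```

Two design choices matter here. Scopes only ever narrow as the chain deepens, so a sub-agent can never hold "permissions the human never explicitly granted". And a grant's usability is computed from the whole chain at decision time rather than copied at creation time, which is what makes a sponsor's departure take effect immediately instead of at the next quarterly review.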
Setting and adjusting tempo
A conductor sets the pace for the entire ensemble and adjusts it in real time based on what’s happening in the hall.
Traditional IAM operates at a fixed tempo – quarterly access reviews, annual certifications, static role assignments. That cadence was designed for human-speed operations: employees whose access patterns change maybe twice a year.
AI agents operate at machine speed. A single agent authenticates hundreds of times per minute. A human’s quarterly review might flag an anomaly three months after an agent has executed millions of actions.
The conductor must match tempo to the fastest player in the ensemble while keeping the slower sections in time. This is continuous authorization: the Continuous Access Evaluation Profile (CAEP), the OpenID Shared Signals Framework (SSF) that carries CAEP events between systems, and real-time risk scoring, replacing the fixed metronome of periodic reviews with adaptive, responsive tempo control.
Balancing dynamics
An orchestra playing at uniform volume sounds flat. A conductor shapes dynamics – bringing up the quiet voices, restraining the loud ones, creating contrast and emphasis.
In access management, this is risk-based access control. Not every identity, every request, every context deserves the same level of scrutiny. A human reading public documentation needs a light touch. An AI agent requesting privileged access to production financial data at 3 AM from an unusual IP needs full fortissimo – step-up authentication, human-in-the-loop approval, session recording.
The conductor modulates intensity based on context. Static role-based access plays everything at the same volume.
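Dynamics can be expressed as data rather than as hard-coded branches: a list of rules, each naming the context it matches, the strictness it demands and the obligations (step-up, sponsor approval, session recording) it attaches. The evaluator below is an added example for this post, not code from the original article or any product; the rule set, the request fields and the three sample requests are constructed, and the 07:00 to 19:00 UTC business-hours window is an assumption. It covers the two cases in the text and one more: a privileged request from a sub-agent two hops down the delegation chain, which is refused outright.

```python
"""Risk-based access decisions driven by a machine-readable policy.
Rules are plain data (so they can be version-controlled and reviewed like
code); the evaluator turns a request's context into facts, collects every
matching rule, and applies the strictest tier together with the union of
the obligations those rules impose."""
from __future__ import annotations

from dataclasses import asdict, dataclass

# Tiers in ascending strictness; the strictest matching rule wins.
TIERS = ("allow", "step_up", "human_approval", "deny")


@dataclass(frozen=True)
class Request:
    identity_kind: str       # "human" or "agent"
    resource_class: str      # "public", "internal" or "restricted"
    privileged: bool         # write/admin access to a sensitive system
    hour_utc: int            # 0-23
    ip_known: bool           # source previously seen for this identity
    delegation_depth: int    # 0 human, 1 agent, 2 sub-agent, ...


# Constructed policy, not any product's rule language. "min_<fact>" keys are
# threshold matches; every other key is an equality match on a fact.
POLICY = [
    {"id": "baseline", "when": {}, "tier": "allow", "obligations": []},
    {"id": "unknown-network", "when": {"ip_known": False},
     "tier": "step_up", "obligations": ["step_up_auth"]},
    {"id": "restricted-off-hours", "when": {"resource_class": "restricted", "off_hours": True},
     "tier": "human_approval", "obligations": ["session_recording"]},
    {"id": "agent-privileged", "when": {"identity_kind": "agent", "privileged": True},
     "tier": "human_approval", "obligations": ["sponsor_approval", "session_recording"]},
    {"id": "deep-delegation-privileged", "when": {"privileged": True, "min_delegation_depth": 2},
     "tier": "deny", "obligations": []},
]


@dataclass(frozen=True)
class Decision:
    tier: str
    obligations: tuple[str, ...]
    matched_rules: tuple[str, ...]


def _facts(req: Request) -> dict:
    facts = asdict(req)
    facts["off_hours"] = not (7 <= req.hour_utc < 19)   # assumed business hours, UTC
    return facts


def _matches(when: dict, facts: dict) -> bool:
    for key, expected in when.items():
        if key.startswith("min_"):
            if facts[key[4:]] < expected:
                return False
        elif facts.get(key) != expected:
            return False
    return True


def decide(req: Request, policy: list[dict] = POLICY) -> Decision:
    facts = _facts(req)
    matched = [rule for rule in policy if _matches(rule["when"], facts)]
    if not matched:                      # fail closed if the policy has no baseline
        return Decision("deny", (), ())
    tier = max((rule["tier"] for rule in matched), key=TIERS.index)
    if tier == "deny":
        obligations: tuple[str, ...] = ()
    else:
        obligations = tuple(sorted({o for rule in matched for o in rule["obligations"]}))
    return Decision(tier, obligations, tuple(rule["id"] for rule in matched))


# Constructed requests mirroring the cases in the text, plus a sub-agent.
HUMAN_PUBLIC_DOCS = Request("human", "public", False, 10, True, 0)
AGENT_PROD_FINANCE_3AM = Request("agent", "restricted", True, 3, False, 1)
SUBAGENT_PROD_FINANCE = Request("agent", "restricted", True, 14, True, 2)

if __name__ == "__main__":
    for request in (HUMAN_PUBLIC_DOCS, AGENT_PROD_FINANCE_3AM, SUBAGENT_PROD_FINANCE):
        print(decide(request))
```

Because obligations accumulate across every matching rule while the tier is the maximum, the 3 AM agent request ends up with step-up, sponsor approval and recording together rather than whichever rule happened to fire first, and an empty policy denies rather than allows.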
Handling soloists
When a virtuoso steps forward for a solo, the conductor adjusts everything else – pulling back the ensemble, giving the soloist space, then bringing the orchestra back in seamlessly.
Privileged access is the identity solo: high-risk, high-visibility, requiring special handling. PAM solutions manage the soloist. But without a conductor, the orchestra doesn’t know to adjust.
The $25 billion Palo Alto Networks-CyberArk deal and the $740 million CrowdStrike-SGNL acquisition signal that the industry recognizes privileged access can’t exist in isolation. It must be orchestrated within the full ensemble.
Interpreting the score, not just reading it
The same symphony sounds different under different conductors because interpretation matters. Notes on a page are necessary but insufficient.
In identity, policies on paper (or in code) are necessary but insufficient. The conductor interprets policy in context: this compliance rule means this when applied to a healthcare AI agent processing patient data in Germany, and that when applied to a marketing bot pulling public social media data in the US.
137 conflicting data protection jurisdictions. 20 US state privacy laws. GDPR, EU AI Act, HIPAA, SOX, DORA, NIS2. The score is dense. Interpretation at performance time – not just composition time – is what separates music from noise.
The Case Against More Instruments
The enterprise identity market is expected to reach $56 billion by 2029. Agent identity and non-human identity startups raised over $400 million in 2025. New tools are launching constantly: agent identity management, identity threat detection, secrets scanning, posture management, delegation chain governance.
Each one is a new instrument. And each one, in isolation, makes the coordination problem worse.
This is not an argument against capability. You need good instruments. But the industry’s failure rate tells the story: 70% of IAM implementations fail to meet expectations. More than half fail the first time. 80% of C-suite leaders believe IAM delivers insufficient value.
These aren’t instrument failures. They’re conducting failures.
The organizations that succeed are the ones investing in orchestration – the layer that sits above individual tools and coordinates them into a coherent whole. Strata Identity’s Maverics platform decouples identity from applications through orchestration. Gartner’s Identity Fabric is an architectural pattern for weaving together IGA, access management, PAM, and emerging capabilities into a coherent control plane. The Cybersecurity Mesh Architecture provides the mesh network through which the conductor’s signals travel.
The composable identity pattern disaggregates the monolith:
Authentication-as-a-service
Authorization-as-a-service
Governance-as-a-service
Each independently deployable, sourced from different vendors, replaceable without rearchitecting. But composability without coordination is just disassembly. The components need a conductor to make them cohere.
The Real-Time Imperative
Here’s where the metaphor sharpens into urgency.
A studio recording can be edited. A live performance cannot. Enterprise identity in the agentic era is a live performance – every decision is real-time, every mistake is heard immediately, and you can’t stop the music to fix a wrong note.
When Google’s AI agent deleted the entire contents of a user’s drive – not the project folder, everything – that was a wrong note that couldn’t be unplayed. When a single overlooked OAuth test application gave Russian state actors access to Microsoft executive email, that was a missed cue with catastrophic consequences. When Cloudflare missed 4 out of 5,000 credentials during rotation after the Okta breach, that was four musicians playing the wrong part in an otherwise flawless performance.
Four out of five thousand. That’s 99.92% accuracy. And it wasn’t enough.
The conductor’s job is to make sure every entrance, every exit, every dynamic shift happens correctly – not most of the time, but every time. At machine speed. Across every human, every agent, every sub-agent in the enterprise.
This is why policy-as-code matters: the conductor’s score must be machine-readable, version-controlled, and executable. This is why dynamic authorization engines matter: Cedar, OPA, and OpenFGA are the conductor’s real-time decision-making tools. This is why the Shared Signals Framework matters: it’s the conductor’s ability to signal every section of the orchestra simultaneously when conditions change.
And this is why identity orchestration matters: it’s the podium itself.
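What "signalling every section simultaneously" looks like on the wire, for both the continuous-authorization point above and the Shared Signals Framework mention here: a transmitter issues a Security Event Token (SET, RFC 8417) carrying a CAEP session-revoked event, and a receiver verifies it and kills the subject's sessions without waiting for a review cycle. This is an added example written for this post, not code from the original article or any product. It signs with HMAC so it runs offline; a real transmitter uses an asymmetric key published via JWKS. The issuer and audience URLs, the session store, the key and the subject are constructed.

```python
"""Shared Signals Framework receiver: verify a CAEP Security Event Token
(SET, RFC 8417) and act on a session-revoked event at machine speed."""
import base64
import hashlib
import hmac
import json

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


# --- transmitter side -------------------------------------------------------

def session_revoked_set(issuer: str, audience: str, email: str, jti: str,
                        reason: str, now: int) -> dict:
    """SET payload for a CAEP session-revoked event about one subject."""
    return {
        "iss": issuer, "aud": audience, "iat": now, "jti": jti,
        "sub_id": {"format": "email", "email": email},
        "events": {CAEP_SESSION_REVOKED: {"event_timestamp": now,
                                          "reason_admin": {"en": reason}}},
    }


def sign_set(payload: dict, key: bytes) -> str:
    """Serialize as a JWS with typ secevent+jwt. HS256 keeps the example
    self-contained; production transmitters sign with an asymmetric key."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# --- receiver side ----------------------------------------------------------

class SessionStore:
    """Constructed in-memory stand-in for whatever system holds live sessions."""
    def __init__(self, sessions: dict[str, set[str]]):
        self.sessions = {k: set(v) for k, v in sessions.items()}

    def revoke_all(self, email: str) -> set[str]:
        return self.sessions.pop(email, set())


class SetReceiver:
    def __init__(self, issuer: str, audience: str, key: bytes,
                 store: SessionStore, max_age: int = 300):
        self.issuer, self.audience, self.key, self.store = issuer, audience, key, store
        self.max_age = max_age
        self.seen_jti: set[str] = set()      # replay protection

    def process(self, token: str, now: int) -> dict:
        head_b64, body_b64, sig_b64 = token.split(".")
        # Verify with the receiver's configured algorithm and key; the token's
        # own header never gets to choose the algorithm.
        expected = hmac.new(self.key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("signature verification failed")
        header = json.loads(_b64url_decode(head_b64))
        if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
            raise ValueError("not a SET or unexpected alg")
        payload = json.loads(_b64url_decode(body_b64))
        aud = payload.get("aud")
        aud_ok = self.audience in aud if isinstance(aud, list) else aud == self.audience
        if payload.get("iss") != self.issuer or not aud_ok:
            raise ValueError("wrong issuer or audience")
        if abs(now - int(payload.get("iat", 0))) > self.max_age:
            raise ValueError("stale or future-dated SET")
        jti = payload.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)

        results = {}
        for event_type, body in payload.get("events", {}).items():
            if event_type == CAEP_SESSION_REVOKED:
                subject = body.get("subject") or payload.get("sub_id") or {}
                if subject.get("format") != "email":
                    raise ValueError("unsupported subject identifier format")
                results[event_type] = sorted(self.store.revoke_all(subject["email"]))
            else:
                results[event_type] = "ignored"   # unknown event types are not errors
        return results


# Constructed fixture: one transmitter, one receiver, a shared demo key.
KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://idp.example"
AUDIENCE = "https://agent-gateway.example"
NOW = 1_772_000_000


def demo(now: int = NOW) -> tuple[dict, SetReceiver, str]:
    store = SessionStore({"alice@example.com": {"sess-1", "sess-2"},
                          "bob@example.com": {"sess-3"}})
    receiver = SetReceiver(ISSUER, AUDIENCE, KEY, store)
    token = sign_set(session_revoked_set(ISSUER, AUDIENCE, "alice@example.com",
                                         "evt-0001", "sponsor left project", now), KEY)
    return receiver.process(token, now), receiver, token


if __name__ == "__main__":
    outcome, receiver, _ = demo()
    print(outcome)
    print(receiver.store.sessions)
```

The receiver checks what an SSF receiver must check before acting: signature, token type, issuer, audience, freshness and a never-before-seen jti. Events it does not understand are recorded and skipped rather than rejected, since a transmitter may legitimately send event types a receiver has not been taught yet.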
Getting on the Podium
If your enterprise identity strategy is a shopping list of instruments, you’re solving the wrong problem. The question isn’t which authentication vendor, which authorization engine, which governance platform. The question is: who – or what – is conducting?
Assess your orchestration gap. Inventory not just your identity tools but the connections between them. Where do signals not propagate? Where do policy changes take days to cascade? Where are identities active in one system and unknown in another? These are the places where sections of your orchestra are playing blind.
Invest in the orchestration layer. Identity fabric, identity orchestration, CSMA – whatever you call it, the layer that coordinates across tools is more valuable than any individual tool. An average conductor with great musicians produces better music than no conductor with virtuosos.
Make your score machine-readable. Policy-as-code isn’t a trend. It’s a prerequisite. If your access policies exist as PDFs in SharePoint, you don’t have a score – you have sheet music locked in a cabinet while the orchestra plays from memory.
Build for real-time tempo. Quarterly access reviews are rehearsal schedules, not conducting. Continuous authorization, real-time risk signals, and event-triggered governance are the conductor’s real-time beat. If your governance cadence is slower than your fastest agent’s decision cadence, you’re conducting yesterday’s performance.
Accept that conducting is a skill, not a feature. You can’t add “orchestration” as a checkbox to an existing platform. It requires architectural intent: a unified policy model, cross-tool signal propagation, real-time decision capability, and a view of the full score across every identity type, every environment, every jurisdiction. This is platform thinking, not product thinking.
The Crescendo
The enterprise identity orchestra is growing exponentially. Every employee is acquiring AI agents. Those agents are spawning sub-agents. The delegation chains are deepening. The regulatory score is being rewritten in real time across 137 jurisdictions.
The instruments are good enough. Many are exceptional.
What’s missing is the conductor.
Someone – or something – needs to step onto the podium, open the full score, raise the baton, and turn every human, every agent, and every machine identity into a coherent performance. Not by replacing the instruments. Not by playing louder. But by doing the thing that only a conductor can do: making the whole greater than the sum of its parts.
The music is already playing. The question is whether anyone is leading it.