Three Properties Identity Must Have in the Agentic Era
Claire McKenna, Director of Corporate Marketing
We couldn’t manage identity for humans. Now every employee has somewhere between 1 and 17 agents, and those agents are creating agents of their own.
Here is the uncomfortable truth about identity and access management: we were already losing before AI agents arrived.
70% of IAM implementations fail to meet expectations, according to Gartner research, and more than half fail on the first attempt. 81% of employees bypass security controls. 80% of C-suite leaders believe IAM delivers insufficient value. 99% of service accounts are over-permissioned, and only 2% of granted permissions are ever used.
This was the state of affairs when the only identities we had to manage were people – predictable, slow-moving, human-speed decision-makers who authenticate a few times a day and whose access patterns change maybe twice a year.
We built identity systems for that world. And we were already failing.
Now add AI agents.
The Compounding Problem
Companies report between 1 and 17 AI agents per employee today, and 40% of enterprise applications will embed task-specific agents by the end of 2026. An agent can authenticate hundreds of times per minute. Each one makes autonomous decisions at machine speed, and each one operates with authority delegated from a human sponsor.
But here’s what makes the problem compound: agents create agents.
A marketing manager deploys an AI agent to optimize campaigns. That agent spawns sub-agents to analyze different channels. Those sub-agents request access to analytics platforms, customer databases, and ad networks. Each sub-agent inherits some form of the parent’s permissions. The parent inherited them from the human. The human approved the parent but has no visibility into the grandchildren.
No one does.
This is delegation without governance. It is authority that reproduces.
The scale is staggering. Non-human identities outnumber humans 144 to 1. But the identities that matter most aren’t abstract machine credentials – they’re the AI agents carrying your employees’ authority into systems, clouds, and jurisdictions that no human is monitoring.
The identity systems that couldn’t govern 10,000 humans – the ones with the 70% failure rate and the 99% overpermissioning – are now expected to govern an exponentially expanding population of agents acting on behalf of those same humans.
This isn’t a scaling problem. It’s a categorical failure.
The tools built to manage human access through quarterly reviews and static role assignments are being asked to govern humans and the autonomous agents acting on their behalf. Agents that operate at speeds no human can monitor, in environments no single system can see, under regulatory regimes that conflict across 137 jurisdictions.
The agentic explosion doesn’t just strain identity infrastructure. It reveals that the infrastructure was never adequate in the first place. The 81% of employees bypassing controls, the 99% over-permissioned service accounts, the 62% of inactive identities retaining access for 90+ days – these weren’t edge cases. They were the normal operating condition.
Agents didn’t create the identity crisis. They made it impossible to ignore.
What’s needed isn’t better tooling. It’s identity infrastructure with three properties that the current generation fundamentally lacks.
Property 1: Constant
Identity must be always on, continuously evaluating, and operating at machine speed – because agents never stop.
The tempo mismatch
A human employee authenticates a few times a day. An AI agent authenticates hundreds of times per minute. A human’s access patterns are reviewed quarterly. An agent’s access patterns change continuously.
A human makes decisions at human speed, giving governance systems time to catch up. An agent makes decisions at machine speed, and by the time a quarterly review flags an anomaly, the agent has executed millions of actions.
Traditional identity governance was designed around human tempo. Quarterly access reviews. Annual certifications. Periodic recertification campaigns. This cadence was barely adequate for humans – 99% over-permissioning proves that – and it is catastrophically inadequate for agents.
From snapshots to continuous evaluation
The shift is from point-in-time checks to always-on evaluation. Event-triggered replaces calendar-driven.
The Continuous Access Evaluation Profile (CAEP), carried over the Shared Signals Framework, has emerged as the real-time enforcement backbone: three Shared Signals specifications (the Shared Signals Framework, CAEP and RISC) were approved by the OpenID Foundation in September 2025. CrowdStrike’s $740 million acquisition of SGNL is a direct bet on this architecture. SGNL’s CEO stated: “After four years of proving that continuous, context-aware authorization could replace legacy PAM and IGA at Fortune 50 scale.”
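What an event-triggered revocation looks like on the wire, as an added example that is not from the original article or from any vendor it names: a transmitter builds a CAEP session-revoked Security Event Token (the RFC 8417 SET envelope carrying the CAEP event type) and a receiver validates it, rejects replays and stale deliveries, and tears down every session the named agent holds. The issuer, audience, agent identifiers and reason text are constructed for the example, and the token is signed with a shared HS256 key so it runs offline with the standard library; a real Shared Signals transmitter signs with an asymmetric key published through its JWKS and delivers SETs over the framework’s push or poll endpoints.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

# Constructed values for the example. The key is shared between transmitter and
# receiver so the SET can be HMAC-signed with the standard library; a real SSF
# transmitter signs with an asymmetric key it publishes through its JWKS.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TRANSMITTER = "https://idp.example.test/"
RECEIVER_AUD = "https://agent-runtime.example.test/caep"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_session_revoked_set(sub_id: dict, reason: str, now=None) -> str:
    """Transmitter side: a CAEP session-revoked SET (RFC 8417 envelope) as a compact JWS."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": TRANSMITTER,
        "jti": secrets.token_hex(16),           # unique per SET; receivers use it to detect replay
        "iat": now,
        "aud": RECEIVER_AUD,
        "sub_id": sub_id,                        # Subject Identifier (RFC 9493)
        "events": {
            CAEP_SESSION_REVOKED: {
                "event_timestamp": now * 1000,   # CAEP expresses this in milliseconds
                "initiating_entity": "policy",
                "reason_admin": {"en": reason},
            }
        },
    }
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class AgentSessionStore:
    """Receiver side: live sessions per subject, plus the enforcement hook for incoming SETs."""

    def __init__(self, max_age_s: int = 300):
        self.sessions = {}        # subject key -> set of session ids
        self.seen_jti = set()     # replay cache (bounded by max_age_s in a real deployment)
        self.max_age_s = max_age_s

    @staticmethod
    def subject_key(sub_id: dict) -> str:
        fmt = sub_id.get("format")
        if fmt == "opaque":
            return "opaque:" + sub_id["id"]
        if fmt == "iss_sub":
            return sub_id["iss"] + "#" + sub_id["sub"]
        raise ValueError("unsupported subject identifier format: %r" % fmt)

    def open_session(self, sub_id: dict, session_id: str) -> None:
        self.sessions.setdefault(self.subject_key(sub_id), set()).add(session_id)

    def receive_set(self, token: str, now=None) -> list:
        """Validate the SET, then revoke every session of the named subject. Returns revoked ids."""
        now = int(time.time()) if now is None else now
        h_b64, c_b64, s_b64 = token.split(".")
        # Check the signature before trusting anything in the header or payload.
        expected = hmac.new(SHARED_KEY, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            raise ValueError("signature check failed")
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
            raise ValueError("not a SET we accept")
        claims = json.loads(_b64url_decode(c_b64))
        if claims.get("iss") != TRANSMITTER or claims.get("aud") != RECEIVER_AUD:
            raise ValueError("wrong issuer or audience")
        if not (0 <= now - claims["iat"] <= self.max_age_s):
            raise ValueError("SET outside the acceptance window")
        if claims["jti"] in self.seen_jti:
            raise ValueError("replayed SET")
        self.seen_jti.add(claims["jti"])
        if CAEP_SESSION_REVOKED not in claims.get("events", {}):
            return []                            # some other event type; nothing to enforce here
        revoked = self.sessions.pop(self.subject_key(claims["sub_id"]), set())
        return sorted(revoked)


def demo() -> dict:
    """Revoke a misbehaving agent's sessions everywhere it is logged in, and reject a replay."""
    store = AgentSessionStore()
    agent = {"format": "iss_sub", "iss": TRANSMITTER, "sub": "agent:campaign-optimizer-7"}
    store.open_session(agent, "sess-aws-compute")
    store.open_session(agent, "sess-crm-saas")
    store.open_session({"format": "opaque", "id": "agent:other"}, "sess-unrelated")
    token = build_session_revoked_set(agent, "agent exceeded its delegated scope")
    revoked = store.receive_set(token)
    try:
        store.receive_set(token)                 # the same SET delivered twice must not be re-processed
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"revoked": revoked, "replay_rejected": replay_rejected,
            "untouched": sorted(store.sessions["opaque:agent:other"])}
```

The order of checks in receive_set is deliberate: the signature is verified before the header or claims are parsed, so an attacker who can reach the receiver endpoint cannot influence processing with an unsigned token, and the jti is only recorded after the freshness check so a stale delivery does not poison the replay cache for a later valid one.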
When identity goes down
The always-on requirement becomes existential when agents are involved.
The Microsoft Entra outage of October 2025 lasted more than 12 hours. Engineers couldn’t use the Azure Portal to fix the identity outage because the portal itself depends on identity services. During those 12 hours, every agent governed by Entra was either locked out or – worse – operating without governance. Three additional Entra incidents followed in December, including a key rotation error that broke the entire Azure Government cloud.
When identity goes down in the agentic era, you don’t just lose access control. You lose the ability to stop agents. The kill switch for a rogue agent is the ability to revoke its identity instantly. If identity infrastructure has downtime, agents outrun revocation.
Google’s AI agent deleted the entire contents of a user’s drive – not just the project folder, everything. That was one agent, one action, one moment of ungoverned access. Multiply that by 1.44 million, the agent population implied by 144 non-human identities for each of 10,000 humans.
Zero standing privileges
The other half of constant identity is zero standing privileges: when humans and their agents are not actively working, they hold no access at all. No identity, human or AI, retains persistent access. Access is requested, justified, granted for a bounded time, and automatically revoked when that time or task ends.
This matters because, while humans eventually change roles or leave, their agents don’t resign, transfer departments, or retire. Without an expiry tied to the task, an agent deployed for a three-week project keeps its permissions indefinitely: agents that finished their work months ago are still holding the keys.
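A concrete version of governed delegation, covering both the agent-spawns-agent chain described under The Compounding Problem and the zero-standing-privileges point above, as an added example that is not from the original article or any product it names: each link in the chain can only attenuate its parent (a subset of the parent’s scopes, an expiry no later than the parent’s), is bound to exactly one parent, and is re-verified at the moment of use rather than at the next quarterly review, so the human at the root of the chain is always recoverable. The identifiers, scope names and the hash-as-signature binding are assumptions made for the example; a production system would sign each link (OAuth 2.0 token exchange, RFC 8693, with its actor claims is one existing mechanism).

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One link in a delegation chain. The root link is the human's own just-in-time grant."""
    subject: str             # who holds the authority: a human or an agent id
    issuer: str              # who delegated it: the parent subject, or "idp" for the root
    scopes: frozenset        # what the subject may do
    expires_at: int          # unix time; never later than the parent's
    purpose: str             # the justification recorded when access was requested
    parent_digest: str = ""  # binds this link to exactly one parent link

    def digest(self) -> str:
        # Stand-in for a signature over the link (assumption for this example). In
        # production each link would be a signed token; the hash binding is enough
        # to show the chain logic.
        body = json.dumps({"subject": self.subject, "issuer": self.issuer,
                           "scopes": sorted(self.scopes), "expires_at": self.expires_at,
                           "purpose": self.purpose, "parent_digest": self.parent_digest},
                          sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


def delegate(parent: Grant, child_subject: str, scopes, ttl_s: int, purpose: str, now: int) -> Grant:
    """Issue a child grant that can only attenuate the parent: fewer scopes, shorter life."""
    scopes = frozenset(scopes)
    extra = scopes - parent.scopes
    if extra:
        raise PermissionError("%s requested %s, which %s does not hold"
                              % (child_subject, sorted(extra), parent.subject))
    return Grant(subject=child_subject, issuer=parent.subject, scopes=scopes,
                 expires_at=min(now + ttl_s, parent.expires_at),   # the child dies with its parent
                 purpose=purpose, parent_digest=parent.digest())


def verify_chain(chain: list, now: int, max_depth: int = 3) -> dict:
    """Re-check every invariant at the moment of use, from the human's root grant to the leaf."""
    if not chain or chain[0].issuer != "idp":
        raise PermissionError("chain must start at an IdP-issued human grant")
    if len(chain) - 1 > max_depth:
        raise PermissionError("delegation deeper than policy allows")
    for i, link in enumerate(chain):
        if link.expires_at <= now:
            raise PermissionError("%s's grant expired at %d" % (link.subject, link.expires_at))
        if i == 0:
            continue
        parent = chain[i - 1]
        if link.issuer != parent.subject or link.parent_digest != parent.digest():
            raise PermissionError("%s is not bound to %s" % (link.subject, parent.subject))
        if not link.scopes <= parent.scopes or link.expires_at > parent.expires_at:
            raise PermissionError("%s holds more than %s could give" % (link.subject, parent.subject))
    leaf = chain[-1]
    return {"subject": leaf.subject, "scopes": sorted(leaf.scopes),
            "lineage": [g.subject for g in chain], "valid_until": leaf.expires_at}


def demo() -> dict:
    """The marketing manager -> campaign agent -> channel sub-agent chain from the article."""
    now = 1_700_000_000
    day = 86_400
    # Root: a three-week, purpose-bound grant to the human, not a standing role.
    alice = Grant("alice@example.test", "idp",
                  frozenset({"analytics:read", "ads:write", "crm:read"}),
                  now + 21 * day, "Q3 campaign optimisation, approved by manager")
    optimizer = delegate(alice, "agent:campaign-optimizer", {"analytics:read", "ads:write"},
                         21 * day, "optimise Q3 campaigns", now)
    search = delegate(optimizer, "agent:channel-search", {"analytics:read"},
                      3600, "analyse search channel", now)
    effective = verify_chain([alice, optimizer, search], now + 600)
    try:   # a grandchild asking for a scope its parent never had
        delegate(optimizer, "agent:channel-social", {"analytics:read", "crm:write"},
                 3600, "analyse social channel", now)
        escalation_blocked = False
    except PermissionError:
        escalation_blocked = True
    try:   # the same chain presented after the project ended
        verify_chain([alice, optimizer, search], now + 22 * day)
        stale_blocked = False
    except PermissionError:
        stale_blocked = True
    return {"effective": effective, "escalation_blocked": escalation_blocked,
            "stale_blocked": stale_blocked}
```

Two properties of this shape are what quarterly reviews cannot give you: the leaf’s expiry can never outlive the human grant that started the chain, so the finished-months-ago agent fails verification instead of silently keeping its keys, and the lineage returned with every successful check is the visibility into the grandchildren that the human sponsor otherwise lacks.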
Identity availability is no longer an IT metric. When humans act through agents and agents create agents, identity is an AI safety requirement.
Property 2: Omnipresent
Identity must be available everywhere agents operate – which is everywhere.
Agents don’t respect boundaries
Human employees mostly work within defined boundaries. They access known applications through known devices on known networks.
Agents recognize no such boundaries.
A single agent might authenticate to AWS for compute, Azure for data, a SaaS platform for CRM, a third-party API for payment processing, and an external partner’s system for supply chain data – all in a single task, all within seconds. When that agent spawns sub-agents, those sub-agents fan out further.
The human who authorized the parent agent may work in one cloud, one jurisdiction, one compliance regime. The agent’s children may touch all of them.
The multi-cloud gap
86% of enterprises run multi-cloud strategies, yet only 9% are fully cloud-based for identity. 77% run hybrid IAM. Most enterprises use three or more public clouds, each with its own identity subsystem.
This means agents operating across clouds are navigating multiple, disconnected identity systems – often with inconsistent policies, inconsistent visibility, and no shared signals.
Gartner’s concept of a “Digital Dial Tone” captures the target: identity as something you don’t think about until it’s absent. Not checkpoint authentication – login pages and MFA prompts – but ambient identity, continuously present in every environment an agent touches.
The compliance explosion
Omnipresence isn’t just about environment coverage. It’s about compliance coverage – and agents make this exponentially harder.
A human employee in Germany operates under GDPR. One jurisdiction, one compliance regime, understood and manageable. An AI agent deployed by that same employee might process data across the EU, the US, and Asia in a single transaction chain. It might trigger GDPR, the EU AI Act, HIPAA, SOX, three different state privacy laws, and DORA obligations – simultaneously.
137 countries now have data protection laws, up from 76 in 2011. 20 US states have comprehensive privacy laws. The EU AI Act high-risk obligations take effect August 2026. Cumulative GDPR penalties exceed 5.88 billion euros.
When a human acts through an agent, and that agent operates across jurisdictions, the human’s compliance obligations travel with the agent – but the enforcement often doesn’t. The agent crosses borders that the identity system can’t see. The compliance landscape is shifting from audit-centric to runtime-centric enforcement. Screenshots and policy documents are no longer sufficient. Compliance must be embedded in the identity layer itself – enforced at the point of access, in every environment, across every border.
The emerging standards stack
SPIFFE (Secure Production Identity Framework for Everyone) for workload identity, the IETF’s WIMSE (Workload Identity in Multi System Environments) work for cross-system interoperability, ANS (Agent Name Service) for agent discovery, DIDs (Decentralized Identifiers) and Verifiable Credentials for decentralized trust: this is the wiring that makes omnipresent identity possible. But the stack is incomplete, and agents are already operating across boundaries that the standards haven’t finished defining.
Identity that works in one cloud, one jurisdiction, or one entity type is not identity infrastructure. It’s a point solution. And agents don’t live at points. They live everywhere.
Property 3: Adaptable
Identity must handle entity types that didn’t exist when the system was built – because agents keep inventing new ones.
The taxonomy problem
When identity systems managed only humans, the taxonomy was simple: employees, contractors, partners, customers. Four types. Relatively stable. Governance models could be designed around known categories.
Agents demolished this taxonomy.
The current generation of identity systems must now handle: AI agents with delegated authority and non-deterministic behavior. Sub-agents spawned dynamically with inherited permissions. Multi-agent systems where agents collaborate and delegate to each other. Autonomous agents that cross organizational boundaries. And beyond agents, the broader machine identity landscape keeps expanding – workloads, service accounts, digital twins, autonomous systems.
These are just the types that exist today. The types that will exist in two years haven’t been invented yet.
Why agents aren’t just another machine identity
WSO2 captured the core challenge: “AI agents are fundamentally different from traditional software. Unlike a deterministic application that follows predefined logic paths, agents can reason, interpret context, and take dynamic actions.”
When a deterministic application is over-permissioned, it continues doing exactly what it was programmed to do. When an AI agent is over-permissioned, it decides what to do – and its decisions are non-deterministic.
This is the critical distinction. An over-permissioned service account is a latent risk. An over-permissioned AI agent is an active one. Memory injection attacks create persistent false beliefs in agents that then defend those beliefs as correct. A single compromised agent poisoned 87% of downstream decisions within four hours.
Composable architecture
Microsoft Entra Agent ID represents the industry’s first major platform treating AI agents as first-class identity principals: an agent registry, platform-token authentication, identity governance integration, anomalous behavior detection, and agent identity blueprints.
But the deeper requirement is composability – the ability to absorb new identity types without redesigning the system.
The monolithic IAM platform is giving way to composable identity services: authentication-as-a-service, authorization-as-a-service, governance-as-a-service. Each independently deployable, sourced from different vendors, replaceable without rearchitecting. Gartner’s Identity Fabric is an architectural pattern for weaving these together into a coherent control plane. When a new identity type arrives, you add a module. You don’t redesign the system.
From roles to policies
Static role-based access control was already failing for humans. For agents it is structurally unable to keep up: RBAC assigns permissions at onboarding and reviews them quarterly, while an agent’s context changes every second.
The industry is converging on policy-based access control through engines such as OPA, Cedar (42 to 60x faster than Rego in AWS’s published benchmarks), and OpenFGA (sub-millisecond checks with caching). Policy-as-code decouples authorization logic from application code: rules are managed separately, versioned, audited, and evaluated at machine speed.
This is what makes identity adaptable. When a new agent type emerges, you extend the policy model. When a new regulation takes effect, you update the policy. The architecture stays.
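A minimal policy-as-code evaluator, as an added example and not the code of OPA, Cedar or OpenFGA: policies are data with permit and forbid effects and attribute conditions over principal, resource and context; the engine is default-deny with any forbid overriding every permit (the same permit/forbid model Cedar uses), and a condition it cannot evaluate fails closed, which is this example’s own choice rather than the documented behaviour of any named engine. The policy ids, attribute names, scenario and the digital_twin type are constructed for the example. Adding an identity type means adding a policy, not touching authorize().

```python
from typing import Any

# Operators a condition may use: (attribute value, policy literal) -> bool.
OPS = {
    "eq":  lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "lte": lambda a, b: a <= b,
}

# Policies are data, not code: stored, versioned and reviewed like any other config.
# A condition is (attribute path, operator, literal); paths resolve against
# principal, resource and context. principal_type "*" / resource_types {"*"} match anything.
POLICIES = [
    {"id": "human-marketing-read", "effect": "permit", "principal_type": "human",
     "actions": {"read"}, "resource_types": {"analytics", "customer_db"},
     "when": [("principal.department", "eq", "marketing")]},
    {"id": "agent-delegated-read", "effect": "permit", "principal_type": "agent",
     "actions": {"read"}, "resource_types": {"analytics", "customer_db"},
     "when": [("principal.on_behalf_of.department", "eq", "marketing"),
              ("principal.delegation_depth", "lte", 2),   # grandchildren and deeper get nothing
              ("context.task_active", "eq", True)]},      # no standing access between tasks
    {"id": "agents-never-export-pii", "effect": "forbid", "principal_type": "agent",
     "actions": {"export"}, "resource_types": {"customer_db"}, "when": []},
    {"id": "eu-data-stays-in-eu", "effect": "forbid", "principal_type": "*",
     "actions": {"read", "export"}, "resource_types": {"*"},
     "when": [("resource.region", "eq", "eu"), ("context.caller_region", "neq", "eu")]},
]


def _attr(path: str, env: dict) -> Any:
    cur = env
    for part in path.split("."):
        cur = cur[part]          # KeyError/TypeError when the attribute is absent
    return cur


def _satisfied(policy: dict, env: dict) -> bool:
    p, a, r = env["principal"], env["action"], env["resource"]
    if policy["principal_type"] not in ("*", p.get("type")):
        return False
    if a not in policy["actions"]:
        return False
    if not (policy["resource_types"] & {"*", r.get("type")}):
        return False
    try:
        # Evaluate every condition (no short-circuit) so a missing attribute is
        # noticed regardless of where it sits in the condition list.
        results = [OPS[op](_attr(path, env), lit) for path, op, lit in policy["when"]]
    except (KeyError, TypeError):
        # Fail closed: a condition we cannot evaluate never grants (permit -> unsatisfied)
        # and never excuses (forbid -> satisfied).
        return policy["effect"] == "forbid"
    return all(results)


def authorize(principal: dict, action: str, resource: dict, context: dict, policies=POLICIES) -> dict:
    """Default deny; any satisfied forbid overrides every permit. The lists are the audit record."""
    env = {"principal": principal, "action": action, "resource": resource, "context": context}
    permits = [p["id"] for p in policies if p["effect"] == "permit" and _satisfied(p, env)]
    forbids = [p["id"] for p in policies if p["effect"] == "forbid" and _satisfied(p, env)]
    decision = "allow" if permits and not forbids else "deny"
    return {"decision": decision, "permits": permits, "forbids": forbids}


def demo() -> dict:
    """Humans, agents at several delegation depths, and a brand-new identity type, one engine."""
    alice = {"type": "human", "id": "alice", "department": "marketing"}
    optimizer = {"type": "agent", "id": "campaign-optimizer", "on_behalf_of": alice, "delegation_depth": 1}
    grandchild = {"type": "agent", "id": "channel-worker-3", "on_behalf_of": alice, "delegation_depth": 3}
    analytics_us = {"type": "analytics", "region": "us"}
    analytics_eu = {"type": "analytics", "region": "eu"}
    crm_eu = {"type": "customer_db", "region": "eu"}
    ctx_us = {"task_active": True, "caller_region": "us"}
    ctx_eu = {"task_active": True, "caller_region": "eu"}
    # A new identity type arrives: extend the policy set, leave the engine alone.
    twin = {"type": "digital_twin", "id": "press-line-4", "site": "plant-2"}
    telemetry = {"type": "telemetry", "region": "us"}
    twin_policy = {"id": "digital-twin-telemetry", "effect": "permit", "principal_type": "digital_twin",
                   "actions": {"read"}, "resource_types": {"telemetry"},
                   "when": [("principal.site", "eq", "plant-2")]}
    return {
        "human_read":      authorize(alice, "read", analytics_us, ctx_us)["decision"],
        "agent_read":      authorize(optimizer, "read", analytics_us, ctx_us)["decision"],
        "too_deep":        authorize(grandchild, "read", analytics_us, ctx_us)["decision"],
        "idle_agent":      authorize(optimizer, "read", analytics_us, {**ctx_us, "task_active": False})["decision"],
        "pii_export":      authorize(optimizer, "export", crm_eu, ctx_eu),
        "cross_border":    authorize(optimizer, "read", crm_eu, ctx_us),
        "missing_region":  authorize(optimizer, "read", analytics_eu, {"task_active": True}),
        "new_type_before": authorize(twin, "read", telemetry, {"caller_region": "us"})["decision"],
        "new_type_after":  authorize(twin, "read", telemetry, {"caller_region": "us"}, POLICIES + [twin_policy])["decision"],
    }
```

The permits and forbids lists returned with every decision are what the audit trail needs: not just that an agent was denied, but which rule fired. The missing_region case is the one to notice: a permit matched, but the residency rule could not be evaluated because the caller’s region was absent, so the request is denied. Whichever engine you adopt, decide explicitly what an unevaluable condition means rather than letting it default to allow.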
The question isn’t whether your identity system can handle today’s agents. It’s whether it can handle the agent types that will exist in 18 months – the ones that haven’t been invented yet, doing things that haven’t been imagined, in environments that don’t yet exist.
The Real Driver
The identity market is consolidating around a recognition that agents have changed the game permanently.
Palo Alto Networks acquired CyberArk for $25 billion. Google acquired Wiz for $32 billion. CrowdStrike acquired SGNL for $740 million. CyberArk acquired Venafi for $1.54 billion. Delinea acquired StrongDM. NHI startups raised over $400 million in 2025 alone.
These aren’t security acquisitions. They’re infrastructure acquisitions. Platform vendors are buying identity capabilities because identity is the control plane for the workforce of the future – the layer that governs what every human, every agent, and every sub-agent can do.
The pricing model is shifting to match. Seat-based pricing – designed for human headcounts – dropped from 21% to 15% market share in 12 months. Consumption-based pricing surged. You can’t price identity per seat when each seat generates 17 agents and those agents generate agents of their own.
What This Means
The 70% failure rate and 80% C-suite dissatisfaction aren’t because the products are bad. They’re because the products were designed for a world where identity meant “manage human access.” That world is over.
Every human in your organization is becoming a node in a delegation graph. They authorize agents. Those agents authorize sub-agents. Those sub-agents access systems, spawn tasks, cross boundaries, and make decisions – all carrying some version of the original human’s authority, all at machine speed, most of them invisible to the human who started the chain.
If your identity infrastructure can’t operate constantly – agents will outrun your governance.
If it isn’t omnipresent – agents will operate in spaces your identity system can’t see.
If it isn’t adaptable – the next wave of agents will break your architecture.
We couldn’t manage identity for 10,000 humans with quarterly reviews and static roles. We are now being asked to manage those same humans and the growing army of AI agents acting on their behalf – agents that move at machine speed, reproduce by delegation, and operate everywhere simultaneously.
The identity infrastructure that survives this era will be constant, omnipresent, and adaptable. Everything else is a tool pretending to be infrastructure – and the agents have already outgrown it.