Why IAM, IGA, and PAM Break in the Agentic Enterprise
Alex Bovee, CEO
The identity stack most enterprises rely on today (the alphabet soup of IAM, IGA, and PAM) was built for a world with humans in the center.
IAM handled authentication and access for employees. PAM controlled privileged credentials for operators and admins. IGA sat alongside them to clean things up. Joiner, mover, leaver. Periodic access reviews. Compliance checks after the fact.
It’s not elegant, but it mostly worked because the system assumed a slow-moving, human-shaped reality. That assumption no longer holds.
The agentic enterprise breaks the old identity stack at a fundamental level because the model it is built on no longer matches how work actually happens.
How the old stack was supposed to work
In the traditional enterprise, identity followed a predictable path: a human joined a company, they appeared in an HR system, and that record flowed into IAM.
IAM provisioned credentials, issued a password or key, and granted access to applications. If that human needed elevated access, they logged into a privileged access vault, checked out credentials, and performed their work.
On the governance side, IGA enforced role-based access control, handled joiner and leaver workflows, and periodically certified that access still made sense.
Everything revolved around a human identity that was centrally created, centrally managed, and centrally reviewed.
That architecture assumes three things:
Identities originate in HR
Privileged access is controlled with vaults
Entitlements are human-readable and role-based
Those assumptions collapse as soon as AI agents enter the system.
AI agents do not enter through HR
An AI agent does not show up in your HR directory. There is no onboarding form. No manager. No start date.
In practice, agents are usually created in a self-service way by humans. Often they exist as sub-identities of the person who created them. Sometimes they reuse that person’s OAuth credentials. They inherit access from their creator.
If I am running agents locally on my laptop, those agents are almost certainly authenticating as me. From the perspective of the identity system, nothing unusual is happening. From the perspective of the enterprise, everything has changed.
You now have autonomous agents operating continuously, using credentials that were issued for a human, with no clear boundary between who did what.
IAM was not designed for that.
Agents do not check out credentials from vaults, either
The PAM model also breaks. Privileged access management assumes a human who logs into a vault, checks out credentials, and uses them interactively to perform privileged work.
Agents do not work that way. Agents won’t log into vaults to retrieve creds. They access systems directly through APIs, service accounts, or model context protocol (MCP) servers. They act programmatically, not interactively.
The question is no longer “who checked out the credential,” but “should this action be allowed at all.”
That requires real-time verification of intent, scope, and policy. It also requires the ability to bring a human into the loop when necessary, not after the fact.
PAM was built to control access to credentials. It was not built to govern autonomous action.
Traditional IGA cannot see agents
The final failure is governance. IGA systems do not understand AI agents as first-class identities. They do not understand agent entitlements expressed through APIs or MCP access. They do not have a model for managing permissions that are created dynamically, used continuously, and scoped by policy rather than role.
As a result, agents fall completely outside the governance plane. They are invisible to access reviews. Invisible to certification. Invisible to entitlement management.
Traditional IGA assumes identities are static and enumerable. Agents are neither.
What actually needs to change
The problem is that the identity stack is still organized around people. In the agentic enterprise, identity must be organized around action.
You need to know what an agent is allowed to do, not just what it can log into. You need to verify behavior in real time, not audit it quarterly. You need governance that understands agents, APIs, and autonomous execution as native concepts.
Most importantly, you need a system that treats identity as the control plane for AI, not an afterthought bolted on once things get risky.
The old stack was built to manage access for humans. The next stack has to govern execution by machines.
If you try to stretch IAM, PAM, and IGA to cover that gap, the system will fail under its own assumptions. The agentic enterprise does not need more identity tooling. It needs a different identity model. That’s what we’ve built for at ConductorOne.
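As an added illustration of the per-action model argued for in the PAM section and under "What actually needs to change" (example code written for this page, not ConductorOne's product or API), the evaluator below treats the agent as its own identity with an accountable owner, checks scope, intent and risk tier on every action, and brings a human in before a high-risk action executes rather than after. Agent ids, scopes and the policy table are constructed values.

```python
from dataclasses import dataclass, field

# Constructed model: an agent is a first-class identity with its own id,
# an accountable human owner and explicit scopes, rather than a process
# silently reusing its creator's credentials.
@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                                  # accountable human
    scopes: set = field(default_factory=set)    # "action:resource" grants

@dataclass
class ActionRequest:
    agent_id: str
    action: str      # e.g. "read", "write", "delete"
    resource: str    # e.g. "crm:contacts"
    intent: str      # stated purpose, checked against policy

# Policy per "action:resource"; the tier decides whether a human must
# approve before execution. Values are illustrative.
POLICY = {
    "read:crm:contacts":   {"tier": "low"},
    "write:crm:contacts":  {"tier": "medium", "intents": {"dedupe", "enrich"}},
    "delete:crm:contacts": {"tier": "high"},
}

AUDIT = []  # every decision attributed to the agent AND its owner

def authorize(agent, req, approve=None):
    """Evaluate one action in real time. approve(agent, req) returns the
    approving user id or None; it is consulted only for high-tier actions."""
    key = f"{req.action}:{req.resource}"
    if req.agent_id != agent.agent_id or key not in agent.scopes:
        verdict = ("deny", "action outside agent scope")
    elif key not in POLICY:
        verdict = ("deny", "no policy for action")
    elif "intents" in POLICY[key] and req.intent not in POLICY[key]["intents"]:
        verdict = ("deny", "intent not permitted by policy")
    elif POLICY[key]["tier"] == "high":
        # Human in the loop before the action runs, not a quarterly review
        who = approve(agent, req) if approve else None
        verdict = ("allow", f"approved by {who}") if who else ("pending", "human approval required")
    else:
        verdict = ("allow", "within scope and policy")
    AUDIT.append({"agent": agent.agent_id, "owner": agent.owner,
                  "action": key, "intent": req.intent, "verdict": verdict[0]})
    return verdict
```

The audit record names both the agent and its owner, so "who did what" stays answerable even though the agent never logs in as a person.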