Your Enterprise Needs an Immune System, Not a Better Firewall
Kevin Paige, Field CISO
Identity and access management solves the same problem biology solved 500 million years ago. It’s time we built it that way.
Your body is managing 37 trillion cells right now. Each one carries molecular identity credentials. Each one gets continuously verified. Each one interacts with neighbors that could be allies or invaders.
Pathogens are constantly evolving to forge those credentials, hijack trusted cells, and exploit delegation chains between organs. Your body doesn’t solve this with a firewall at the skin. It solves it with an immune system—distributed, adaptive, always-on, embedded in every tissue, capable of recognizing threats it has literally never seen before.
Your enterprise has the same problem. And it’s getting worse.
Every employee is becoming a node in a delegation chain. They authorize AI agents. Those agents spawn sub-agents. Those sub-agents access systems, make decisions, and cross boundaries—all carrying some version of the original human’s authority, all at machine speed, most of them invisible to the human who started the chain.
Companies report between 1 and 17 AI agents per employee today. Forty percent of enterprise applications will embed task-specific agents by end of 2026. Most of these agents are ungoverned.
The identity surface area isn’t growing linearly. It’s exploding. Non-human identities outnumber humans 144 to 1. But the ones that matter most are the AI agents acting on behalf of your people—because those agents carry human authority and make human-consequential decisions at machine speed.
The problem they present—distinguishing self from non-self, at scale, under adversarial conditions—isn’t an engineering problem. It’s a biological one. And evolution solved it hundreds of millions of years ago.
The Core Problem: Self vs. Non-Self
The immune system solves the same fundamental problem as identity and access management: distinguishing self from non-self and responding accordingly.
Every cell in your body carries molecular ID badges—markers that let the immune system verify “this belongs here” at the cellular level. The enterprise equivalent is emerging: every human, every AI agent, and every service carrying cryptographically verifiable identity assertions (OAuth tokens, certificates, verifiable credentials) that let infrastructure verify “this belongs here” at the interaction level.
The parallels aren’t just poetic. They’re structural.
Five Properties of Immune Identity
1. Continuous, distributed verification
The immune system doesn’t check your cells once a day or once a quarter. T-cells patrol every tissue, continuously.
Modern identity is heading the same direction. Continuous Access Evaluation Protocol (CAEP)—the standard that drove CrowdStrike’s $740 million acquisition of SGNL—replaces periodic checkpoints with ambient, always-on verification.
The shift from quarterly access reviews to continuous authorization isn’t a feature upgrade. It’s the difference between having an immune system and getting a checkup four times a year.
2. Innate + adaptive response
Your immune system has two layers. Innate immunity is fast and general—it handles known patterns. Adaptive immunity is slower and specific—it learns to handle novel threats.
Modern identity mirrors this. Default-deny policies and baseline rules handle known patterns instantly. ML-driven behavioral analytics learn to detect anomalies the system has never seen before.
Think of static role-based access as innate immunity. Dynamic, context-aware authorization engines (OPA, Cedar, OpenFGA) are adaptive immunity. You need both.
3. Zero standing activation
T-cells don’t walk around armed. They must be specifically activated before they can act. This is zero standing privileges—no identity, human or AI agent, retains persistent access. Access gets requested, justified, granted, and automatically revoked.
The immune system invented just-in-time access 500 million years ago. The enterprise is just now catching up.
Humans accumulate permissions over years of role changes that no one revokes. AI agents are worse—they don’t resign, don’t transfer departments, and don’t retire. An agent deployed for a three-week project keeps its permissions indefinitely. Across the broader machine identity landscape, 99% of service accounts are overpermissioned.
That’s an immune system where T-cells never stand down.
4. Signal propagation
When your immune system detects a threat in one tissue, chemical signals alert the entire body within minutes.
The Shared Signals Framework and CAEP do the same for identity infrastructure. When a credential is compromised in one system, the signal propagates across every connected service in real time.
Without this, each organ fights alone. With it, the whole body responds as one. Most enterprises today are still fighting infections organ by organ.
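The two mechanisms described in properties 3 and 4 fit together in a few dozen lines. This added example (not code from the original post) keeps just-in-time grants that expire on their own and fans a CAEP session-revoked event, carried as a Security Event Token, out to every connected service's grant store. The service names, the agent address and the SET claims are constructed; JWS signature verification of the token is assumed to have happened upstream and is not shown.

```python
import time

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

class GrantStore:
    """Just-in-time grants for one service: every grant carries an expiry, so nothing stands."""
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested deterministically
        self._grants = {}      # (subject, resource) -> expiry in epoch seconds

    def grant(self, subject, resource, ttl_seconds):
        self._grants[(subject, resource)] = self._now() + ttl_seconds

    def is_allowed(self, subject, resource):
        expiry = self._grants.get((subject, resource))
        if expiry is None or self._now() >= expiry:
            self._grants.pop((subject, resource), None)  # expired grants stand down on their own
            return False
        return True

    def revoke_subject(self, subject):
        """Drop every grant held by a subject; returns how many were revoked."""
        doomed = [key for key in self._grants if key[0] == subject]
        for key in doomed:
            del self._grants[key]
        return len(doomed)

def handle_set(set_claims, stores):
    """Fan a CAEP session-revoked event out to every connected service's grant store.
    set_claims: decoded claims of a SET whose signature was already verified upstream (not shown).
    SSF puts the subject in the top-level 'sub_id' claim; only the 'email' format is handled here."""
    if CAEP_SESSION_REVOKED not in set_claims.get("events", {}):
        return 0
    sub_id = set_claims.get("sub_id", {})
    if sub_id.get("format") != "email":
        return 0
    return sum(store.revoke_subject(sub_id["email"]) for store in stores)

def demo(now=1_700_000_000.0):
    """Constructed scenario: an agent holds JIT grants in two services, then its session is revoked."""
    billing, hr_api = GrantStore(now=lambda: now), GrantStore(now=lambda: now)
    billing.grant("agent-42@example.com", "invoices", ttl_seconds=900)
    hr_api.grant("agent-42@example.com", "employee-directory", ttl_seconds=900)
    set_claims = {  # constructed, unsigned SET claims for illustration only
        "sub_id": {"format": "email", "email": "agent-42@example.com"},
        "events": {CAEP_SESSION_REVOKED: {"event_timestamp": int(now)}},
    }
    before = billing.is_allowed("agent-42@example.com", "invoices")
    revoked = handle_set(set_claims, [billing, hr_api])
    return before, revoked, hr_api.is_allowed("agent-42@example.com", "employee-directory")
```

Without the SET receiver, each service would only notice the compromised agent when its own grant happened to expire; with it, one signal empties every store at once.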
5. Novel entity handling
This is where the analogy gets really powerful.
Your adaptive immune system generates roughly 100 billion unique receptor configurations from a finite genome. It can recognize and respond to pathogens it has never encountered before—including synthetic molecules that have never existed in nature.
This is exactly the challenge facing identity infrastructure: governing entity types that didn’t exist two years ago. AI agents with delegated authority. Sub-agents spawned dynamically. Multi-agent systems where agents collaborate, delegate, and make autonomous decisions.
The architecture must handle identity types that haven’t been invented yet, using mechanisms designed today. The immune system proves this is possible. A finite set of mechanisms can handle an essentially infinite set of novel entities—if you design for adaptation rather than enumeration.
When the Immune System Fails, It Fails Like IAM
The best test of any analogy is whether its failure modes match reality. The immune system’s pathologies are IAM’s pathologies:
Autoimmune disease: The immune system attacks the body’s own cells. In IAM terms: overly restrictive policies that block legitimate users and agents from doing their jobs. 81% of employees bypass security measures. When your identity system creates so much friction that users route around it, the body is attacking itself.
Immunodeficiency: The immune system fails to detect threats. In IAM terms: excessive permissions, no monitoring, orphaned accounts. The Snowflake breach exposed hundreds of millions of records through stale, unrotated credentials dating back to 2020. The PowerSchool breach—a single maintenance account without MFA—exposed 72 million records. Your identity system isn’t fighting infections. It doesn’t even know they’re there.
Cytokine storm: A cascading overreaction that damages the body more than the original threat. In IAM terms: security incidents that trigger cascading lockouts. The Microsoft Entra outage of October 2025 lasted 12+ hours. Engineers couldn’t use the Azure Portal to fix the identity outage because the portal itself depends on identity services. The immune response destroyed the body’s ability to heal.
Cancer: The body’s own cells evade detection and multiply unchecked. In IAM terms: insider threats and compromised identities acting as legitimate. The Midnight Blizzard attack exploited a dormant OAuth test application that retained full directory permissions. The identity was “self” (it belonged to Microsoft), but it had been co-opted. In the agentic era, cancer risk multiplies: a compromised agent looks exactly like a legitimate agent because it is one—just poisoned or co-opted. Cancer doesn’t break in from outside. It starts as self.
Immune evasion: Pathogens evolve to hide from detection. In IAM terms: agent memory injection attacks, token forgery, credential stuffing. The adversary isn’t attacking the perimeter. It’s learning to look like self.
Organ transplant rejection: The body rejects foreign tissue even when it’s beneficial. In IAM terms: cross-organizational identity federation failures. M&A identity integration is one of the hardest problems in enterprise IT because two organizations’ identity systems treat each other as non-self.
Every pathology has a documented, real-world IAM equivalent. And that’s what makes the immune system framing useful—it tells you not just what to build, but what will go wrong and why.
Building the Enterprise Immune System
If IAM is an immune system, the architectural implications are concrete.
Distribute, don’t centralize. The immune system has no single point of failure. There is no “immune server” that, if it goes down, leaves the body defenseless.
Yet most enterprises run centralized identity providers where a single outage cascades everywhere. Okta’s October 2023 breach exposed all 18,400 customers. Identity continuity architecture—multi-vendor failover, hybrid cloud/on-prem resilience—isn’t a nice-to-have. It’s the difference between a distributed immune system and a single spleen. Lose the spleen and you’re vulnerable. Lose a lymph node and the rest compensate.
Assume hostile environments. The immune system doesn’t assume the body is safe. It assumes pathogens are everywhere, all the time, evolving constantly.
Your identity architecture should assume every assertion will be tested, every token could be forged, every delegation chain could be exploited. 74% of investigated attacks in Q3 2025 were tied to compromised identities. Continuous verification, behavioral analytics, and the Shared Signals Framework aren’t premium features. They’re baseline immune function.
Build adaptive layers, not just rules. Static role-based access is innate immunity—necessary but not enough. It handles known access patterns well for humans in stable roles.
It cannot handle an AI agent that spawns sub-agents, chains permissions across clouds, and makes thousands of decisions per second in contexts that change continuously. A human’s access needs shift maybe twice a year. An agent’s context changes every second. You need policy engines that evaluate real-time context, learn from behavioral baselines, and respond to situations the system has never seen.
Accept irreducible complexity. The immune system is one of the most complex systems in biology, and it’s been successfully operating for 500 million years.
The identity industry’s 70% implementation failure rate and 80% C-suite dissatisfaction aren’t because identity is poorly engineered. The problem is complex: humans delegating to agents, agents delegating to sub-agents, all operating across clouds, jurisdictions, and compliance regimes simultaneously. Stop trying to make it simple. Start building it like what it is. Complexity isn’t the bug. Pretending it’s simple is the bug.
Treat identity as a safety system. When your immune system fails, you don’t just get one illness; you lose the ability to fight any illness.
When identity infrastructure fails in the agentic era, you don’t just lose access control; you lose the ability to stop AI agents. The kill switch for a rogue agent isn’t a power cord. It’s the ability to revoke its identity instantly. If your identity layer has downtime, agents outrun revocation. Identity availability is no longer an IT metric. It’s an AI safety requirement.
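The delegation chains described under “Build adaptive layers” and the kill switch described here can be modelled directly. This added example (not code from the original post) builds a chain in which each agent’s authority is attenuated to a subset of its parent’s and expires no later than the parent’s, so revoking the human at the root invalidates every sub-agent below in one step. The principal names and scope strings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(eq=False)
class Delegation:
    """One link in a delegation chain: a human at the root, agents and sub-agents below."""
    principal: str                       # who acts under this delegation
    scopes: frozenset                    # permissions this link may exercise
    expires_at: float                    # epoch seconds
    parent: Optional["Delegation"] = None
    revoked: bool = False
    children: list = field(default_factory=list)

    def delegate(self, principal, scopes, expires_at):
        """Attenuate: a child receives only scopes the parent holds, and never outlives it."""
        child = Delegation(principal, frozenset(scopes) & self.scopes,
                           min(expires_at, self.expires_at), parent=self)
        self.children.append(child)
        return child

    def revoke(self):
        """The kill switch: revoking any link instantly revokes everything delegated below it."""
        self.revoked = True
        for child in self.children:
            child.revoke()

    def permits(self, scope, now):
        """Every link back to the root must be unrevoked, unexpired, and hold the scope."""
        link = self
        while link is not None:
            if link.revoked or now >= link.expires_at or scope not in link.scopes:
                return False
            link = link.parent
        return True

def build_chain(now):
    """Constructed scenario: a human delegates to an agent that spawns a short-lived sub-agent."""
    human = Delegation("alice@example.com", frozenset({"read:crm", "write:crm", "read:billing"}),
                       expires_at=now + 8 * 3600)          # an eight-hour work session
    agent = human.delegate("crm-agent", {"read:crm", "write:crm", "admin:crm"}, now + 24 * 3600)
    sub_agent = agent.delegate("summariser-subagent", {"read:crm", "read:billing"}, now + 600)
    return human, agent, sub_agent
```

The agent asks for `admin:crm` and a 24-hour lifetime but receives neither, because the human never held the first and the session ends after eight hours; the sub-agent cannot reach billing data even though the human could, because its parent never had that scope to pass on.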
The Diagnosis
Most enterprises today are running identity infrastructure that would be diagnosed, in biological terms, as simultaneously immunocompromised and autoimmune. Too permissive where it matters. Too restrictive where it doesn’t. And lacking the adaptive capacity to handle the flood of AI agents arriving in the workforce.
The treatment isn’t another point product. It isn’t a better firewall, a smarter access review, or a more comprehensive dashboard.
It’s an architectural shift: from checkpoints to continuous surveillance. From static rules to adaptive response. From centralized control to distributed verification. From periodic reviews to real-time signal propagation. From enumerating known identities to generating responses to unknown ones.
From a security tool to an immune system.
Your employees are already delegating authority to AI agents that operate at machine speed, make decisions with inherited permissions, and spawn sub-agents your governance systems can’t see. The number roughly doubles every 18 months.
The question isn’t whether your enterprise needs an immune system. It already has one; it’s just profoundly sick.
The question is whether you’ll treat it before the infection becomes uncontainable.