identity security

Humans, Machines, and Now AI Agents: Why we need a new category of IAM for Agentic Identities

For years, we’ve diligently built digital walls and gates, meticulously managing the identities of our human users. Then came the machines – the servers, the APIs, the IoT devices – and we adapted, creating new keys and new protocols for these non-human workers. We learned their languages, understood their predictable, programmed behaviours, and folded them into our Identity and Access Management (IAM) frameworks. But now, a new actor is stepping onto the stage, one that doesn’t just follow instructions but thinks, learns, and acts on its own. This is the era of agentic AI, and it’s about to shatter our conventional notions of digital identity.

We’re not just talking about another API key or a more sophisticated service account. Agentic AI systems are a fundamentally different class of non-human identity. To treat them as just another cog in the machine is not just a missed opportunity; it’s a security risk of unprecedented scale. It’s time to move beyond the binary of human vs. machine and recognize the dawn of a new identity category – the “agentic identity.”

From Programmed to Proactive: The Great Leap in Non-Human Identity

Think about a traditional API. It’s a reliable, if uninspired, employee. It does exactly what it’s told, following a predefined set of rules. You grant it access to a specific dataset, and it retrieves it. Its actions are predictable, its scope limited. Now, consider an agentic AI tasked with optimizing your supply chain. It doesn’t just follow a script; it analyzes real-time data, learns from market fluctuations, and makes autonomous decisions to reroute shipments, adjust inventory levels, and even negotiate with supplier APIs.

This leap from programmed execution to proactive decision-making is the crux of the issue. The key differentiators of agentic AI demand a new security paradigm:

  • Autonomy and Unpredictability: Unlike a machine that operates within a narrow, predetermined scope, an agentic AI can devise novel solutions and take unexpected actions to achieve its goals. This inherent unpredictability makes static, rule-based access controls dangerously obsolete. How do you define permissions for a system that can creatively problem-solve in ways you never anticipated?
  • Continuous Learning and Adaptation: Agentic AI systems are designed to evolve. They learn from their interactions and continuously refine their strategies. This means their access requirements can change dynamically. A marketing AI that initially only needed access to social media analytics might later determine it needs to interact with the customer relationship management (CRM) system to personalize campaigns. A fixed set of permissions would either stifle its potential or leave a gaping security hole.
  • Complex Decision-Making and Agency: These AI systems aren’t just processing data; they are making judgments and instigating actions that can have significant real-world consequences. An AI-powered financial advisor that can execute trades on a client’s behalf holds a level of agency far beyond that of a simple banking app. Its identity and access rights must reflect this heightened level of trust and responsibility.

The Coming Identity Crisis: “Shadow Agents” and the Perils of Mismanagement

If we fail to recognize the unique nature of agentic AI, we risk a new wave of security threats. The rise of “shadow IT” in the cloud era will pale in comparison to the proliferation of “shadow agents.” Imagine business units deploying their own agentic AI systems without proper identity governance. These unmanaged, often over-privileged agents could become prime targets for malicious actors, leading to “agent jacking” – where an attacker hijacks an AI’s credentials and turns its powerful capabilities to their own nefarious ends.

Furthermore, the very nature of agentic AI makes traditional auditing and forensics incredibly challenging. How do you trace the actions of a system that can learn, adapt, and even cover its tracks in sophisticated ways? The digital breadcrumbs left by a conventional machine are clear and linear; those of an agentic AI could be a complex, branching path of emergent behaviors.

Forging a New Path: Towards an Identity-First Future for Agentic AI

So, how do we move forward? The answer lies in building a new IAM framework specifically designed for agentic AI, one that is as dynamic and intelligent as the systems it seeks to govern. This new approach should be built on a foundation of principles and standards like those discussed in the NIST AI Risk Management Framework.

Key components of this new model include:

  • Verifiable Credentials and Decentralized Identifiers (DIDs): Instead of static API keys, agentic AI should possess their own Verifiable Credentials that attest to their capabilities, provenance, and authorized scope of action. DIDs can provide a secure and independent way to manage these identities without relying on centralized authorities, creating a more robust and flexible trust ecosystem.
  • Just-in-Time (JIT) and Context-Aware Access: Forget about long-lived, standing privileges. Agentic AI should be granted access on a just-in-time basis, with permissions dynamically adjusted based on the specific task at hand and the current context. If an AI is negotiating a contract, it gets temporary access to the legal database; once the task is complete, that access is revoked.
  • Continuous Authentication and Behavioral Analytics: We need to move beyond one-time authentication. By continuously monitoring an agentic AI’s behavior and comparing it to an established baseline, we can detect anomalies that might indicate a compromise. Is the AI suddenly accessing data it has never touched before? Is its decision-making pattern deviating from the norm? These are the new red flags in the age of intelligent machines.
  • A New Class of “Agentic Identity”: Ultimately, we need to formally recognize “agentic identity” as a distinct category within our IAM frameworks. This means developing new policies, new standards, and new technologies that can accommodate the unique characteristics of these powerful new actors.

The rise of agentic AI is not a distant future; it’s happening now. The systems we are building today will have a profound impact on our digital world for years to come. By treating agentic AI as the unique and powerful entities they are, we can unlock their immense potential while ensuring a secure and trustworthy digital ecosystem for all. The conversation needs to start now, because the new cogs in the machine are not just turning; they are thinking.

June 6, 2025 by Agentic AI identity security 0

Identity is King, But Who’s Watching the Throne? Securing Human and Non-Human Identities with Identity Security Posture Management (ISPM)

ISPM

We’ve talked a lot about putting identity at the center of your security strategy – and for good reason. In a world of disappearing perimeters and exploding numbers of digital interactions, knowing who is accessing what is paramount. But let’s pause for a moment and ask a critical, almost philosophical question: if our identity systems are the gatekeepers, who’s watching the watchers themselves?

It’s a question that has echoed through history, from Plato to Roman satirists, and it’s incredibly relevant to today’s cybersecurity landscape. Your identity infrastructure – the complex web of directories, authentication systems, privileged access management tools, and all the policies holding them together – is the very foundation of your security. If this foundation has cracks, the entire house is at risk. This is precisely why establishing an Identity Security Posture Management (ISPM) strategy isn’t just a good idea; it’s essential.

Think about it. We’re rightly concerned with verifying every user, every device, every application. We’re moving towards a more secure, passwordless future with things like passkeys, and championing an identity-first approach to security. But what if the systems managing these identities are misconfigured, over-privileged, or riddled with dormant accounts? What if the “watchers” themselves are vulnerable?

The Dual Challenge: Human and Non-Human Identities

The complexity multiplies when you consider the sheer diversity of identities we’re now managing. It’s not just about Bob from accounting or Sarah from sales anymore.

  • Human Identities: These are your employees, contractors, partners, and customers. The risks here are well-understood, ranging from weak or stolen credentials to insider threats and social engineering. Ensuring proper lifecycle management, least privilege access, and robust authentication for humans is a constant battle.
  • Non-Human Identities: This is where things get really interesting, and often, much more alarming. We’re talking about service accounts, API keys, machine identities, application credentials, and identities for IoT devices and RPA bots. These non-human identities often outnumber human ones by a significant margin. They typically have broad, often excessive, permissions and are frequently overlooked or poorly managed. A compromised machine identity can be a golden ticket for an attacker, allowing them to move laterally, access sensitive data, and deploy malware, often completely undetected because, well, who’s closely watching the machines’ credentials?

If the systems governing these human and non-human identities are not meticulously secured, monitored, and managed, they become prime targets. Attackers are smart; they know that compromising the identity infrastructure itself provides the ultimate skeleton key to your kingdom.

Why Your Current Approach Might Not Be Enough

Many organizations have invested heavily in identity and access management (IAM) solutions, and that’s great. But IAM tools are primarily focused on enabling access and enforcing policies. ISPM, on the other hand, is about continuously assessing the security posture of your entire identity fabric. It’s about proactively identifying and remediating the hidden risks, misconfigurations, and vulnerabilities within your identity systems themselves.

Without a dedicated ISPM strategy, you’re likely flying blind to critical issues like:

  • Privilege Creep: Permissions that accumulate over time, far exceeding what’s necessary.
  • Dormant Accounts: Forgotten accounts that are ripe for takeover.
  • Misconfigured Policies: Settings that inadvertently create security gaps.
  • Over-Privileged Service Accounts: Non-human identities with excessive access rights.
  • Weak Authentication for Infrastructure Components: The identity systems themselves not being properly secured.
  • Lack of Visibility: Not knowing the full extent of all identity types and their entitlements.

Enter Identity Security Posture Management (ISPM)

ISPM provides the “watcher for your watchers.” It offers a dedicated layer of security focused on the integrity and resilience of your identity infrastructure. A robust ISPM strategy typically involves:

  1. Comprehensive Discovery: Continuously identifying all human and non-human identities and their entitlements across your entire hybrid and multi-cloud environment.
  2. Risk Assessment & Prioritization: Analyzing identities and configurations for vulnerabilities, misconfigurations, and risky permissions, then prioritizing them based on potential impact.
  3. Automated Detection: Using analytics and machine learning to detect anomalies, policy violations, and emerging threats within the identity infrastructure.
  4. Guided Remediation: Providing clear, actionable steps to fix identified issues, often with automation capabilities.
  5. Continuous Monitoring & Governance: Ensuring that your identity security posture remains strong over time through ongoing monitoring, reporting, and adherence to defined governance policies.

It’s Time to Secure the Foundation

Just like we wouldn’t build a fortress on shaky ground, we can’t afford to have an identity-first security strategy reliant on an insecure identity infrastructure. The principle of “quis custodiet ipsos custodes?” isn’t about fostering distrust; it’s about implementing robust checks and balances.

By adopting an ISPM strategy, you’re not just adding another layer of security; you’re reinforcing the very core of your defenses. You’re ensuring that the systems responsible for authenticating and authorizing every access request are themselves secure, resilient, and trustworthy.

So, as you continue your journey towards a stronger, identity-centric security model, take a moment to consider who, or rather what, is watching your watchers. The answer should be a comprehensive Identity Security Posture Management strategy.

May 21, 2025 by identity security 0

Identity is core to any good security strategy!

Technology is changing at a rapid pace, with the adoption of cloud, digital transformation and a hybrid work environment, users are accessing data and resources from anywhere at anytime and expect a seamless access experience while ensuring their data is protected against cyberthreats. The traditional perimeter based network security can no longer work to secure access to resources in the public and private cloud environments. Identity has become the new security perimeter.

The concept of identity-based threats has become increasingly prevalent in today’s digital era, encompassing a range of malicious activities designed to compromise personal or organizational information. Among the most common manifestations of these identity-based threats are phishing, social engineering, and credential theft. Phishing, for instance, involves deceiving individuals into revealing sensitive data, typically through emails or SMS that appear to come from trustworthy sources. Social engineering exploits psychological manipulation and analyzing publicly available information on social networks and other public sites to gain unauthorized access, while credential theft involves stealing login details either through an attack or by purchasing them on the dark web from a previous breach.

In fact, bad actors have also shifted focus to utilizing identity as the initial attack vector in majority of breaches. Phishing and credential compromise rate as the top 2 initial attack vectors according to a recent Cost of a Data Breach Report by IBM and Ponemon.

While organizations have shifted to implementing multi-factor authentication (MFA) and Passwordless authentication, attackers have also evolved to develop ways to bypass MFA and launch account take over (ATO) attacks such as MFA prompt bombing, SIM swapping, Adversary in the Middle, etc. In addition the evolution of gen AI and a dark web marketplace offering services such as phishing-as-a-service has made it easier for attackers to launch targeted attacks against organizations of all sizes.

Building a Resilient Identity Security Framework

Creating a resilient identity security framework is essential for organizations to safeguard their data and resources against the ever-evolving identity threats landscape. Developing comprehensive security policies to secure identities forms the foundation of such a framework. These policies should address various facets of identity security, from user authentication protocols to access control measures across users by tying in contextual access information across non-human entities such as workloads, SaaS applications, virtual machines, APIs, containers, chatbots and more. Ensuring that these policies are deeply embedded within the organization’s operational procedures is critical for their efficacy.

Continuous security audits to understand the organization’s identity security posture and risk play a pivotal role in identifying potential vulnerabilities and gaps that could be exploited by malicious actors. By proactively reviewing and updating security measures, organizations can actively mitigate risks associated with identity threats.

Another crucial element in building a resilient identity security framework is the integration of continuous monitoring systems in order to understand the overall risk posture as it changes over time. These systems should provide real-time visibility into user activities, their risk profile based on how their user profile has been configured, their role and access to various resources as well as understanding how to prioritize high risk users based on potential attack paths that can lead to a breach. Leveraging advanced technologies such as artificial intelligence and machine learning can substantially improve the accuracy and efficiency of these monitoring efforts.

By staying informed and actively monitoring their identity security risk posture, and proactively responding to issues by remediating user identity configuration issues such as ineffective MFA, least privilege access violations, organizations can adapt their security strategies to counter new and sophisticated attack vectors effectively.

May 19, 2025 by identity security 0