The enterprise rush into agentic AI has reversed the order in which the hard problems should be solved. Software is being granted the authority to plan, invoke tools, query sensitive data, and act across systems, and that authority is being layered onto an identity stack built for two kinds of actor: human users and the static service accounts that stand in for machines. An autonomous agent is neither. It is a third class of actor, and the machinery that answers who is acting, what they are permitted to do, and who is accountable when something goes wrong was never designed to name it. Autonomy is arriving first. Identity is arriving late.
The gap is not theoretical. Keeper Security used the April 2026 RSA Conference to report that non-human identities and automated system-to-system interactions have become the leading security risk for enterprises this year. Adoption data tells the same story from the other side: nearly all organizations already run AI agents, while only about one in ten has a developed strategy for governing the non-human identities those agents create. These are not tooling gaps. They are identity gaps, and they widen every time an agent is deployed without an answer to the question of who it is.
The Service Account Assumption
The default enterprise response treats an agent as a faster service account. Provision a credential, scope it to a system, log what it touches, review the logs on a quarterly cadence. That model held when machine identities were static and narrowly bound to a single task. It does not hold for software that reasons, delegates, and acts across domains in real time. A service account does one thing on behalf of one system. An agent does many things, on behalf of a chain of other agents and the human who set the chain in motion, and it changes what it is as it goes.
The clearest statement of the problem this year came from inside the security industry itself. Announcing Cyera’s acquisition of Ryft, an automated data lake built for AI agents, co-founder and CTO Tamar Bar-Ilan described the behavior that breaks the old model: “Agents act differently. They shift identity based on the task, tools, and the chain of delegation from other agents. That’s why tracing and securing Agentic data use needs a different approach and infrastructure.” The phrase worth sitting with is shift identity. An identity that changes with the task is not an identity in the sense IAM has ever meant the word. It is closer to a session that must be re-established, re-scoped, and re-attributed at every step.
That is why agent identity has to be treated as a first-class control surface rather than a provisioning afterthought. Call it identity-first autonomy: the principle that an agent’s right to act is established, scoped, and revocable before the agent is allowed to do anything, and re-checked while it acts rather than rubber-stamped once at registration.
Three Classes of Actor, One Set of Controls
Three classes of actor now share enterprise systems, and they do not reduce to one another. Human identities are authenticated through credentials, MFA, and single sign-on, governed by onboarding and periodic review, accountable to a named person. Traditional non-human identities are service accounts, API keys, and OAuth tokens, static and narrowly scoped, tied to a system rather than a decision. Agentic identities are dynamic actors that plan, delegate, and act across systems, assuming and shedding scope as a task unfolds, often operating on behalf of other agents.
The third class is the one the stack was not built for. Apply the controls designed for the first two and the result is an actor that is governed in name only.
Where the Old Model Breaks
The breakage shows up in three places. Delegation chains turn a single human authorization into a cascade of agent-to-agent handoffs, and the further down the chain an action occurs, the harder it becomes to trace back to the person who is answerable for it. Cross-domain reach compounds the problem, because native identity controls tend to stop at the boundary of the cloud or platform that issued them, which leaves agent interactions that cross those boundaries effectively ungoverned. Ephemerality defeats periodic review outright, since an agent identity that exists only for the duration of a task is gone long before the quarterly attestation that was supposed to catch it. Static credentials and rubber-stamp attestation were never built for actors that appear, act, and vanish inside a single workflow.
Identity Before Autonomy
The corrective is not a new product category. It is a sequence. An agent’s identity should be provisioned just in time, bound to a specific purpose and a finite lifetime, and should carry the context of its delegation so that every action it takes can be attributed to the human or system that authorized the chain. Authorization should be evaluated at runtime, on each action, rather than granted once at registration and assumed thereafter. The evidence of who did what, and on whose behalf, has to be produced as the system runs, not reconstructed from logs after an incident. At Cyera’s DataSecAI summit this spring, the convergence on display was exactly this: posture, governance, and runtime control tied to the specific data each agent and identity can reach.
The standards are beginning to form around the same requirements. The federal CAISI agent-standards initiative names agent authentication, zero-trust authorization, and non-repudiation among its focus areas, NIST has opened the question of how AI agent systems should be securely developed and deployed, and the working primitives the market keeps returning to are OAuth 2.1, MCP, and A2A.
This is where building and securing stop being separate activities. The control plane that routes an agent’s actions, the identity that names the agent, and the authorization that gates each step are the same infrastructure seen from two angles. Engineered well, that infrastructure is what lets an enterprise hand real autonomy to software. Left implicit, it is the largest ungoverned attack surface in the building. The boundary between building agentic systems and securing them does not exist in practice.
Cyera framed its agent work as the foundation of a unified control plane for adopting agentic AI safely and at speed, and the sequence inside that phrase is the whole argument. Safely comes before at speed. The organizations that will scale agents without losing control of them are the ones treating identity as the precondition for autonomy, not a feature to bolt on once the agents are already loose in production. Autonomy is a capability. Identity is the permission to use it.
Listening for the rhythm is the right test on this one. If the close lands flat when you hear it, the inversion needs sharpening before the CAISI fact-check is even worth doing.
