The race to deploy agentic AI is on. Across the enterprise, systems that can plan, take actions and collaborate across business applications promise unprecedented efficiency. But in the rush to automate, a critical component is being overlooked: scalable security. We are building a workforce of digital employees without giving them a secure way to log in, access data and do their jobs without creating catastrophic risk.
Think about it: digital workers, outnumbering humans perhaps ten to one, all needing access. But the old ways of managing identity and access – IAM, in the jargon – just weren’t built for this. Static roles, long-lived passwords? They crumble at agentic scale. What happens when a single over-permissioned agent starts exfiltrating data at machine speed? No one knows until it’s too late.
“The fastest path to responsible AI is to avoid real data. Use synthetic data to prove value, then earn the right to touch the real thing,” says Shawn Kanungo, innovation strategist and author of ‘The Bold Ones’. It’s a mantra worth repeating as companies rush headlong into deployment.
The core problem? Legacy IAM is static. You can’t pre-define a fixed role for an agent whose tasks might change daily. That means access decisions need to move from a one-time grant to a continuous, runtime evaluation. Each AI agent must be treated as a first-class citizen within your identity ecosystem.
Michelle Buckner, a former NASA Information System Security Officer (ISSO), emphasizes the need for unique, verifiable identities for each agent. Not just a technical ID, but a link to a human owner, a specific business use case, and a software bill of materials (SBOM). Shared service accounts? Those days are over. They’re like giving a master key to a faceless crowd.
Instead, replace set-and-forget roles with session-based, risk-aware permissions. Access should be granted just in time, scoped to the immediate task and the minimum necessary dataset, then automatically revoked when the job is complete. Think of it as giving an agent a key to a single room for one meeting, not the master key to the entire building.
The ideal architecture has three pillars.
Context-aware authorization at the core. Authorization can no longer be a simple yes or no at the door. It must be a continuous conversation. Systems should evaluate context in real time. Is the agent’s digital posture attested? Is it requesting data typical for its purpose? Is this access occurring during a normal operational window? This dynamic evaluation enables both security and speed.
Purpose-bound data access at the edge. The final line of defense is the data layer itself. By embedding policy enforcement directly into the data query engine, you can enforce row-level and column-level security based on the agent’s declared purpose. A customer service agent should be automatically blocked from running a query that appears designed for financial analysis. Purpose binding ensures data is used as intended, not merely accessed by an authorized identity.
Tamper-evident evidence by default. In a world of autonomous actions, auditability is non-negotiable. Every access decision, data query and API call should be immutably logged, capturing the who, what, where and why. Link logs so they are tamper evident and replayable for auditors or incident responders, providing a clear narrative of every agent’s activities.
So, where to start? Catalog all non-human identities and service accounts. Pilot a just-in-time access platform. Mandate short-lived credentials – tokens that expire in minutes, not months. And stand up that synthetic data sandbox. Validate agent workflows there, before touching real data.
It’s not just about security. It’s about building trust. About knowing who – or what – is doing what, and why. It’s about moving beyond human-era identity tools, toward a future where identity is the central nervous system for AI operations. Where authorization happens at runtime, data access is bound to purpose, and every action leaves a clear, auditable trace. Only then can we scale to a million agents without scaling our breach risk.