Traditional identities follow scripts. AI agents improvise. That gap is your next governance blind spot.

The determinism assumption


Every IAM model built over the last two decades assumes the same thing: a known actor will attempt a known action on a known resource at a predictable time. A service account calls the same API at a scheduled time. A user clicks the same menu to access the same report. Identity governance works precisely because behavior is predictable enough to be modeled, attested, and enforced.

AI agents break this assumption at the foundation.

The Core Problem

Agentic systems don’t execute scripts — they plan. The sequence of permissions an agent needs to accomplish a goal is determined at runtime, not design time. You cannot fully enumerate what an agent will request before it runs.

What “non-deterministic” actually means in IAM

Non-determinism in the identity context doesn’t mean random. It means the access path from goal to completion is resolved dynamically, shaped by context, intermediate results, and the model’s reasoning, rather than by a fixed workflow.

The four failure modes unique to agentic identity

Privilege accumulation

An agent acquires permissions incrementally across a long-running task. Each individual grant looks like least privilege. The combined effective access does not.

Context poisoning

External content ingested mid-task (emails, web pages, documents) can alter agent reasoning and redirect which resources it accesses next, which makes prompt injection an IAM vector.

Ghost delegation

Orchestrator agents create sub-agents and pass along credential context without an explicit governance event. The downstream identity has no auditable entitlement record.

Identity ambiguity

When an agent acts, is it acting as itself, as the user who invoked it, or as the application that deployed it? Most platforms have no answer. Enforcement defaults to whichever identity has the least friction.

What makes this structurally different from service accounts

The instinct is to treat AI agents like privileged service accounts — provision them with a fixed set of permissions and monitor usage. This misses the structural difference.

A service account calls a specific endpoint on a defined schedule. Its behavior is determined by code, which is auditable and static across deployments. An AI agent’s behavior is determined by a language model interacting with runtime inputs. The same agent invoked with a different context produces different access sequences — even with identical starting permissions.

Governance principles that hold for non-deterministic identities

Just-enough access, just-in-time
Grant permissions at task invocation, not at provisioning time. Revoke when the task completes. Agents should not carry standing entitlements between runs.

Explicit delegation boundaries
Every agent-to-agent credential pass must produce an auditable governance event. Sub-agents cannot inherit scope implicitly — scope must be explicitly constrained at each delegation hop.

Runtime behavioral monitoring
Entitlement reviews cannot replace real-time behavioral detection. Monitor for anomalous tool call sequences, unexpected resource access, and scope drift mid-task.

Immutable task context binding
Bind agent sessions to a declared task scope at invocation. Access requests outside that declared scope require a new authorization event, not an implicit extension.

Tri-party identity attribution
Every agentic action must include three identity attributes: the human who invokes it, the agent that orchestrates it, and the sub-agent or tool that executes it. All three must appear in the audit record.

Deny by default on ambiguity
When the agent’s declared scope doesn’t clearly cover a resource request, default to deny and surface the decision for human review — not silent approval.
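The six principles above can be expressed as one small enforcement model. The following is an added example written for this page, not code from the article or from any of the products named in it: a minimal Python policy engine in which a task scope is granted at invocation, every delegation hop must narrow that scope and is logged, each decision carries human, agent and executor identities, anything outside the declared scope is denied and flagged for review, and ending the task revokes the session and all sessions delegated from it. The class and function names, the `s3://` resource URIs and the principal names are constructed assumptions.

```python
# Added example (not from the article): a minimal policy engine for
# task-bound agent sessions. All identifiers below are constructed samples.
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
import uuid


@dataclass(frozen=True)
class Scope:
    """Declared task scope: the only actions/resources a session may use.
    Resources are glob patterns, e.g. 's3://finance-reports/*'."""
    actions: frozenset
    resources: frozenset

    def covers(self, action: str, resource: str) -> bool:
        return action in self.actions and any(
            fnmatchcase(resource, p) for p in self.resources)

    def narrowed_to(self, actions, resources) -> "Scope":
        """Sub-scope for a delegation hop: may only shrink, never widen.
        Child patterns are matched as literal strings against the parent's
        globs, which is conservative for plain prefix patterns."""
        child = Scope(frozenset(actions), frozenset(resources))
        if not child.actions <= self.actions:
            raise PermissionError("delegation would add actions")
        for r in child.resources:
            if not any(fnmatchcase(r, p) for p in self.resources):
                raise PermissionError(f"delegation would add resource {r}")
        return child


@dataclass
class Session:
    session_id: str
    human: str                      # person who authorized this scope
    agent: str                      # agent identity holding the session
    scope: Scope
    parent_id: Optional[str] = None  # set when delegated from another session
    active: bool = True


class AgentIAM:
    """Just-in-time, task-bound authorization with tri-party audit records."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.audit: list[dict] = []   # every grant, hop, decision, revocation

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def start_task(self, human, agent, actions, resources) -> Session:
        """Explicit authorization event: scope is granted at invocation."""
        s = Session(uuid.uuid4().hex, human, agent,
                    Scope(frozenset(actions), frozenset(resources)))
        self.sessions[s.session_id] = s
        self._log("task_start", session=s.session_id, human=human, agent=agent,
                  actions=sorted(s.scope.actions),
                  resources=sorted(s.scope.resources))
        return s

    def delegate(self, parent_id, sub_agent, actions, resources) -> Session:
        """Each agent-to-agent hop is a recorded governance event with an
        explicitly narrowed scope; the human principal is carried along."""
        parent = self.sessions[parent_id]
        if not parent.active:
            raise PermissionError("parent session is not active")
        child = Session(uuid.uuid4().hex, parent.human, sub_agent,
                        parent.scope.narrowed_to(actions, resources), parent_id)
        self.sessions[child.session_id] = child
        self._log("delegation", session=child.session_id, parent=parent_id,
                  human=parent.human, agent=parent.agent, sub_agent=sub_agent,
                  actions=sorted(child.scope.actions),
                  resources=sorted(child.scope.resources))
        return child

    def authorize(self, session_id, executor, action, resource) -> bool:
        """Deny by default: requests outside the declared scope are refused
        and flagged for human review, never silently extended."""
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            decision, reason = "deny", "no_active_session"
        elif s.scope.covers(action, resource):
            decision, reason = "allow", "within_declared_scope"
        else:
            decision, reason = "deny", "outside_declared_scope"
        self._log("access_decision", session=session_id,
                  human=getattr(s, "human", None), agent=getattr(s, "agent", None),
                  executor=executor, action=action, resource=resource,
                  decision=decision, reason=reason,
                  needs_review=(reason == "outside_declared_scope"))
        return decision == "allow"

    def end_task(self, session_id) -> None:
        """Revoke the session and everything delegated from it."""
        for s in self.sessions.values():
            if s.session_id == session_id or self._descends_from(s, session_id):
                s.active = False
                self._log("revoked", session=s.session_id)

    def _descends_from(self, s: Session, ancestor_id: str) -> bool:
        while s.parent_id:
            if s.parent_id == ancestor_id:
                return True
            s = self.sessions[s.parent_id]
        return False

    def effective_access(self, session_id) -> Optional[Scope]:
        """Real-time answer to 'what can this session do right now?'"""
        s = self.sessions.get(session_id)
        return s.scope if s and s.active else None

    def pending_review(self) -> list[dict]:
        return [e for e in self.audit if e.get("needs_review")]
```

The three closing questions map directly onto the engine: `effective_access` answers what a session can do now, the `human` field on every session and audit entry answers who authorized the scope, and `end_task` answers what happens to credentials when the task ends. The `audit` list is the tri-party record; `pending_review` is the queue a human would work through.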

Your IAM stack is ready for agentic identity when you can answer three questions about any in-flight agent session: what is its current effective access, what human authorized this scope, and what happens to the credentials when the task ends. If any of these are unanswerable in real time, the governance gap is open.

Gabriel Magarino – Senior Security Manager | IAM Evangelist - Experienced leader with over 20 years in the IT and cybersecurity industry, specializing in Identity & Access Management. Expert in Okta, One Identity, SailPoint (IdentityIQ & IdentityNow), OneLogin, Delinea, and CyberArk. Passionate about exploring IAM and emerging technologies, coaching, and training IAM teams. Holds a Master’s in Computer Science and multiple certifications, including Okta Professional & Administration, One Identity Architect & Instructor, SailPoint Identity Now, ITIL, Scrum Master, among others. Currently pursuing a PhD with a focus on Computer Science and Artificial Intelligence.