By Ido Shlomo, CTO and Co-Founder, Token Security
Security leaders have spent years hardening identity controls for employees and service accounts. That model is now showing its limits.
A new class of identity is rapidly spreading across enterprise environments: autonomous AI agents. Custom GPTs, copilots, coding agents running MCP servers, and purpose-built AI agents are no longer confined to experimentation. They are running and expanding in production, interacting with sensitive systems and infrastructure, invoking other agents, and making decisions and changes without direct human oversight.
Yet in most organizations, these agents exist almost entirely outside established identity governance. Traditional IAM, PAM, and IGA platforms were not designed for agents that are autonomous, decentralized, and adaptive. The result is a growing identity gap that introduces real security and compliance risk together with efficiency and effectiveness challenges.
Why AI Agents Break Existing Identity Models
Historically, enterprises managed two identity types: humans and machines. Identities that serve human access are centrally governed, role-based, and relatively predictable. Machine and workload identities operate at scale but tend to be deterministic and repetitive, performing narrowly defined tasks.
AI agents fit neither category and both at once.
They are goal-driven and role-based, capable of adapting behavior based on intent and context, and able to chain actions across multiple systems. At the same time, they operate continuously and at machine speed and scale. This hybrid nature fundamentally alters the risk profile. AI agents inherit the intent-driven actions of human users while retaining the reach and persistence of machine identities.
Treating them as conventional non-human identities creates blind spots. Over-privileging becomes the default. Ownership becomes unclear. Behavior drifts from original intent. These are not theoretical concerns. They are the same conditions that have driven many identity-related breaches in the past, now amplified by autonomy and scale.