Agentic AI Has an Identity Problem and Attackers Know It

Why This Matters

The rise of agentic AI introduces complex security challenges, as these digital actors operate across systems with evolving identities and permissions. Traditional identity management approaches are insufficient to address the dynamic and autonomous nature of AI agents, making it crucial for the tech industry to develop new security frameworks. Recognizing and managing the identity and actions of AI agents is vital to prevent exploitation and ensure responsible deployment.

By Itamar Apelblat, CEO and co-founder, Token Security

The New Frontier of Security Challenges

Every major technology wave creates the same uncomfortable moment for security leaders. Often, the business moves first and security is asked to make it safe afterward. We saw this pattern with cloud, SaaS, and DevOps adoption. Now, agentic AI is doing it again.

The difference is that AI agents are not just another service or application category. They are digital actors that authenticate, receive permissions, call APIs, write code, trigger workflows, query databases, and take action across production environments. In many organizations, they are already doing this with credentials, API tokens, OAuth grants, and cloud roles that nobody has fully inventoried.

This makes the central security question bigger than "what can the model say?" The real questions that need to be answered are: Who is this agent, what is it allowed to do, who is responsible for its actions, and can we revoke or constrain it when something changes?

Yes, agentic AI has an identity problem, and attackers are starting to take notice.

Why Traditional Identity Programs Fall Short

The Human-to-Machine Identity Shift

Security teams have spent years building identity programs around humans. Employees join, move, and leave. Access can be reviewed, managers can attest to what people need, and behavior can be monitored against a relatively stable baseline.

Machine identities strained that model. Service accounts, secrets, certificates, workload identities, and API keys multiplied across cloud and DevOps environments. Many were overprivileged, poorly owned, and rarely reviewed. Still, most machine identities were deterministic and performed defined tasks in predictable ways.
