{"id":16147,"date":"2026-04-28T09:05:54","date_gmt":"2026-04-28T09:05:54","guid":{"rendered":"https:\/\/newestek.com\/?p=16147"},"modified":"2026-04-28T09:05:54","modified_gmt":"2026-04-28T09:05:54","slug":"what-cisos-need-to-get-right-as-identity-enters-the-agentic-era","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16147","title":{"rendered":"What CISOs need to get right as identity enters the agentic era"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Identity has always been central to security, but the proliferation of AI agents<\/a> is rapidly changing the challenge of managing and securing identity, spurring CISOs to rethink their identity strategies<\/a> \u2014 even how it is defined.<\/p>\n

\u201cIdentity is now both a control surface and an attack surface. We\u2019ve had non-human identities as API keys, tokens, service accounts, but now we have agents, and that\u2019s a new class,\u201d says Dustin Wilcox<\/a>, senior VP and CISO at S&P Global.<\/p>\n

The challenge is attributing actions to non-human identities<\/a> because the typical signals don\u2019t apply. \u201cThe techniques to identify a person, like the telemetry of how they use the keyboard, we won\u2019t be able to do that when it\u2019s an agent that\u2019s working entirely digitally,\u201d Wilcox tells CSO.<\/p>\n

And as agents proliferate, it becomes difficult for CISOs to maintain a complete picture of how many exist<\/a>, what they\u2019re used for, and what they\u2019re authorized to do.<\/p>\n

\u201cWith a human identity, you can validate access needs directly. With service accounts, and now with\u00a0agents, that clarity is harder to achieve,\u201d says Docusign CISO Michael Adams<\/a>.<\/p>\n

\u201cTreating them as if they fit existing models can create gaps in visibility and control. At the same time, AI systems are contributing to rapid growth in non-human identities, including the creation of new credentials and tokens, which many inventory processes weren\u2019t designed to track,\u201d he adds.<\/p>\n

\u201cAnd on the human side, generative AI is making social engineering more convincing, eroding some of the behavioral signals defenders have historically relied\u00a0on. The result is an expanding attack surface at the same moment traditional indicators are becoming less reliable,\u201d Adams tells CSO.<\/p>\n

The advice for CISOs is to adopt an\u00a0identity-first security model that treats identity as the foundational layer of the security architecture.<\/p>\n

\u201cEvery access decision flows through identity and is continuously verified, not just checked at the door,\u201d says Adams.<\/p>\n

Identity becomes the primary control plane<\/h2>\n

CISOs are now managing a new class of identities that includes copilots, autonomous agents, and AI-powered workflows that don\u2019t fit neatly into existing frameworks. And they can access systems, take actions, and make decisions at machine speed.<\/p>\n

Wilcox and Adams are speaking at the CSO Cybersecurity Awards & Conference, May 11\u201313.\u00a0<\/em>Reserve your place<\/em><\/strong><\/a>.<\/em><\/strong><\/p>\n

As a result, Adams says CISOs will increasingly need to adopt an identity-centric security architecture and there are several key tenets to consider.<\/p>\n

Build a strong foundation before layering on complexity.<\/strong> The instinct when modernizing an identity program, says Adams, is to reach for sophisticated tooling. Instead, his advice is to get the fundamentals in place \u2014 clean directories, enforced least privilege, and reliable\u00a0offboarding processes.<\/p>\n

\u201cOrganizations that jump to continuous verification without establishing basic identity hygiene may find themselves building on an unstable foundation,\u201d he says.<\/p>\n

Design for the new class of identities. <\/strong>When designing\u00a0role models and access policies, the temptation is to mirror existing structures.<\/p>\n

\u201cThat often carries years of permission creep into a\u00a0new architecture. Starting from least privilege rather than from legacy helps ensure\u00a0users receive only the access required for their job functions,\u201d he says. \u201cIt\u2019s important to challenge \u2018it\u2019s always been done this way\u2019 where appropriate.\u201d<\/p>\n

Get your non-human identity inventory in order.<\/strong> Build a full inventory of non-human identities and include who is responsible for each identity, and what each one is authorized to do. Do this before any more agents are operating.<\/p>\n

\u201cThis is as much a governance challenge as a technology one,\u201d he notes.<\/p>\n

Treat MFA as a starting point, not a destination.<\/strong> The identity roadmap needs to include phishing-resistant alternatives to SMS or push-based MFA. Least privilege, micro-segmentation, and continuous monitoring are part of the playbook.<\/p>\n

\u201cAssume credentials may\u00a0be compromised and architect accordingly,\u201d Adams advises.<\/p>\n

AI and the shifting security balance<\/h2>\n

Identity systems have long been targets for attack. But as identity becomes the primary control plane, the risk becomes more concentrated and requires a different approach.<\/p>\n

\u201cI\u2019d encourage\u00a0every CISO to think deeply about the intersection of identity and AI,\u201d says Adams, adding that systems need to be redesigned around the principle of intent instead of actual behavior to ensure agents operate within appropriate boundaries.<\/p>\n

\u201cThat requires behavioral monitoring and real-time access evaluation \u2014 capabilities many organizations are still building toward,\u201d he notes. \u201cThat\u2019s the work ahead.\u201d<\/p>\n

Wilcox is ultimately optimistic that AI offers security practitioners more tools to combat malicious actors. If CISOs can get this right, it\u2019s a way to level the playing field with the attackers in a way not previously available.<\/p>\n

\u201cWe\u2019ve had this asymmetric playing field where they\u2019ve had the advantage for as long as I can remember. Now we can use AI both strategically and tactically to improve our defenses,\u201d he says.<\/p>\n

Agentic AI is rewriting the identity security playbook in real-time, and your peers are already adapting. Hear Dustin Wilcox, Michael Adams, Renee Guttmann, and other leading CISOs share what\u2019s actually working at the CSO Cybersecurity Awards & Conference, May 11\u201313.\u00a0Secure your seat before it fills up<\/strong><\/a>.<\/em><\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Identity has always been central to security, but the proliferation of AI agents is rapidly changing the challenge of managing and securing identity, spurring CISOs to rethink their identity strategies \u2014 even how it is defined. \u201cIdentity is now both a control surface and an attack surface. We\u2019ve had non-human identities as API keys, tokens, service accounts, but now we have agents, and that\u2019s a… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16147","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16147","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16147"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16147\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16147"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16147"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}