{"id":16236,"date":"2026-05-18T02:25:55","date_gmt":"2026-05-18T02:25:55","guid":{"rendered":"https:\/\/newestek.com\/?p=16236"},"modified":"2026-05-18T02:25:55","modified_gmt":"2026-05-18T02:25:55","slug":"the-iam-stack-was-built-for-humans-ai-agents-are-breaking-it","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16236","title":{"rendered":"The IAM Stack Was Built for Humans. AI Agents Are Breaking It."},"content":{"rendered":"<div>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\"><em><strong>The proliferation of non-human identities in enterprise environments isn\u2019t a problem for the future. It\u2019s the current state of the field, and most of the IAM stack is underprepared for it.<\/strong><\/em><\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">The traditional <a href=\"https:\/\/solutionsreview.com\/identity-management\/best-identity-and-access-management-providers\/\" target=\"_blank\" rel=\"noopener\">identity and access management (IAM)<\/a> stack was built around a simple premise: humans authenticate, systems authorize, and the policy enforces whatever the governance team drew on a whiteboard. That model held up for roughly three decades. Agentic AI has broken it. Not gradually, but structurally. The protocols, architectures, and assumptions underlying IAM were never designed to handle identities that spawn dynamically, cross system boundaries, execute recursive workflows without human intervention, and then disappear. 
The field is now contending with what that gap actually means <a href=\"https:\/\/solutionsreview.com\/identity-management\/strategies-for-improving-ai-readiness-in-identity-security\/\" target=\"_blank\" rel=\"noopener\">in practice<\/a>.<\/p>\n<hr>\n<ul class=\"[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc flex flex-col gap-1 pl-8 mb-3\" style=\"text-align: justify;\">\n<li class=\"whitespace-normal break-words pl-2\">Non-human identities now outnumber human users in enterprise environments at a ratio of up to 144 to 1, <a href=\"https:\/\/entro.security\/blog\/takeaways-nhi-secrets-risk-report\/\" target=\"_blank\" rel=\"noopener\">according to Entro Security<\/a>.<\/li>\n<li class=\"whitespace-normal break-words pl-2\">The traditional IAM stack was designed for static machine identities and human authentication flows, not ephemeral agent sessions.<\/li>\n<li>The Model Context Protocol (MCP) is emerging as a standard for defining how AI agents interact with data services at the API layer and below, which is where identity enforcement must now operate. 
However, these protocols are not secure by default.<\/li>\n<li>A <a href=\"https:\/\/cloudsecurityalliance.org\/artifacts\/state-of-nhi-and-ai-security-survey-report\" target=\"_blank\" rel=\"noopener\">2026 report from Cloud Security Alliance<\/a> found that only 25 percent of organizations had documented, formally adopted policies for creating or removing AI identities.<\/li>\n<\/ul>\n<hr class=\"border-border-200 border-t-0.5 my-3 mx-1.5\">\n<h3 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\" style=\"text-align: justify;\"><strong>What \u201cIdentity\u201d Actually Means for an AI Agent<\/strong><\/h3>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">When security teams talk about identity for a human user, they mean a persistent, authenticated entity with roles that map to access entitlements. That entity changes slowly. Roles get added or removed through a governed process. Behavior is largely predictable.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">An <a href=\"https:\/\/solutionsreview.com\/identity-management\/ai-agents-zero-trust-and-the-new-identity-paradigm\/\" target=\"_blank\" rel=\"noopener\"><strong>AI agent identity<\/strong><\/a> looks nothing like that. An agent may be instantiated in response to a user prompt, acquire a set of session-scoped permissions, traverse multiple data systems, generate outputs, and terminate. That lifecycle can happen in seconds. In a multi-agent architecture, one orchestrating agent may spawn several sub-agents, each requiring its own ephemeral identity with scoped entitlements. Attribution in that chain is difficult under current logging paradigms. Most SIEM and UEBA tools are looking for human behavioral anomalies. 
They are not instrumented for agent session forensics.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">This is where the growing divide between human and non-human identities becomes more than a striking statistic. It describes a governance deficit. If your IAM stack was designed to manage the identities of 500 employees, and your AI deployment has introduced 40,000 non-human identities operating across your data estate, the coverage gap isn\u2019t incremental. It\u2019s categorical.<\/p>\n<h3 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\" style=\"text-align: justify;\"><strong>Three Stages of AI Identity Risk<\/strong><\/h3>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">Not all AI deployments carry the same identity risk. Thinking about this in layers is useful for triage.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\"><strong>The first stage covers analytics agents<\/strong>: systems that ingest data, correlate it, and surface insights. These agents need read access to potentially broad data sets, which creates data sovereignty and least-privilege challenges. But their behavior is largely deterministic relative to their training scope. The entitlement model for this use case can be solved with current tooling if organizations are willing to instrument it at the data service layer rather than just at the application layer.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\"><strong>The second stage is generative AI<\/strong>. Here, the identity challenge bifurcates. The model itself carries an identity with the training data it has \u201cseen,\u201d some of which may be access-controlled. 
When a user prompts the model, the output depends on both the user\u2019s identity and the model\u2019s. If the model was trained on data that the user doesn\u2019t have the right to access, the response may constitute an unauthorized disclosure, even if the user had no malicious intent. This is a policy and architecture problem as much as a technology one. Retrieval-Augmented Generation with access-controlled knowledge bases is one partial mitigation, but it requires governance infrastructure that most organizations don\u2019t yet have in place.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\"><strong>The third stage, agentic workflows<\/strong>, is where the field is genuinely unsolved. An autonomous agent operating across multiple systems, executing complex multi-step tasks on behalf of one or more human principals, needs a dynamic identity model that doesn\u2019t currently exist in production-grade form. The agent may need to:<\/p>\n<ul class=\"[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc flex flex-col gap-1 pl-8 mb-3\" style=\"text-align: justify;\">\n<li class=\"whitespace-normal break-words pl-2\">Assume a subset of rights from a requesting human identity<\/li>\n<li class=\"whitespace-normal break-words pl-2\">Create child identities for sub-tasks and retire them upon completion<\/li>\n<li class=\"whitespace-normal break-words pl-2\">Enforce least-privilege at each step, even as the scope expands during execution<\/li>\n<li class=\"whitespace-normal break-words pl-2\">Log every action in a way that supports post-hoc attribution<\/li>\n<\/ul>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">None of the dominant IAM platforms handle this natively today. 
The innovation is happening at the protocol layer, with MCP being the most credible current candidate for defining how agent identity and authorization should work at the data service edge.<\/p>\n<h3 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\" style=\"text-align: justify;\"><strong>The Privilege Escalation Problem Is Worse Than It Looks<\/strong><\/h3>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">Privilege escalation in traditional environments is well understood: a compromised credential gains elevated access, detection heuristics exist, and response playbooks exist. With agentic systems, privilege escalation becomes harder to detect for two reasons.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">First, agents operating under broad mandates may legitimately need to escalate access as a task evolves. Distinguishing malicious escalation from legitimate workflow expansion requires behavioral baselining of agent activity, which is still nascent. Second, cross-agent communication introduces an attack surface that has no analog in the human identity model or traditional IAM stack. If Agent A can instruct Agent B to take an action, and Agent B has elevated permissions that Agent A does not, you have a privilege escalation vector that looks like normal inter-agent collaboration.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">This is not a theoretical concern. 
Red teams are already exploring prompt injection as an attack vector against agentic systems, in which adversarial content embedded in a data source instructs an agent to behave in ways the deploying organization didn\u2019t intend. Identity controls at the data service layer are a partial defense, but over-scoped permissions dramatically expand the blast radius when these attacks succeed.<\/p>\n<h3 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\" style=\"text-align: justify;\"><strong>Ephemerality Is the Attribution Problem Nobody Is Talking About Loudly Enough<\/strong><\/h3>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">One of the more underappreciated consequences of ephemeral agent identities is what it does to forensics. Attribution is a cornerstone of security operations. When something goes wrong, the investigation starts with: who did what, when, and from where. That chain of custody is legally and operationally significant.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">Ephemeral identities that spin up and terminate within a workflow cycle leave forensic artifacts that are difficult to reconstruct without deliberate logging instrumentation. This is not insurmountable, but it requires organizations to rethink what a security log looks like in an agentic environment. 
The unit of analysis shifts from \u201cuser session\u201d to \u201cagent execution context,\u201d and the logging infrastructure must capture agent lineage, the human principals who initiated the chain, and the specific data accesses made at each node.<\/p>\n<h3 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\" style=\"text-align: justify;\"><strong>Defense Has to Be Agentic Too<\/strong><\/h3>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">The offensive security community has moved faster to adopt AI than most enterprise security teams. Adversaries are already using agentic approaches to automate reconnaissance, generate targeted phishing content, and identify vulnerability patterns at scale. The response cannot be to slow AI adoption on the defensive side in the name of governance. That is a losing position.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">The organizations getting this right are thinking about <strong><a href=\"https:\/\/solutionsreview.com\/identity-management\/the-ai-native-identity-security-stack-is-already-displacing-its-predecessors\/\" target=\"_blank\" rel=\"noopener\">agentic AI for security operations<\/a><\/strong>, not as a replacement for human analysts, but as a force multiplier that extends analyst capacity into areas previously impossible to cover continuously. Threat hunting, alert triage, and identity anomaly detection are natural candidates. The governance challenge is ensuring those defensive agents are themselves governed by the identity and access controls being discussed here. 
A defensive agent with overly broad entitlements is a liability as well as an asset.<\/p>\n<h3 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\" style=\"text-align: justify;\">The Path Forward Is Incremental and Must Be<\/h3>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">There is an instinct in enterprise technology to wait for a complete solution before committing to a direction. That instinct is particularly counterproductive here. Waiting for a fully mature agentic IAM stack before deploying AI at scale means ceding ground to competitors and, more urgently, to attackers who have no such hesitation.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">The more viable approach is staged adoption with deliberate governance checkpoints. Start with agents executing well-defined, bounded tasks with deterministic, verifiable outcomes. Instrument those deployments thoroughly. Build behavioral baselines. As confidence accumulates and tooling matures, expand agent autonomy incrementally. This mirrors how trust is built with any new resource in an organization, human or otherwise.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\">The identity problem in agentic AI is not a reason to slow down AI deployment. It is a reason to deploy with governance embedded from the start rather than retrofitted later. 
The teams that treat non-human identity as a first-class concern now will be the ones who can scale confidently when the tooling catches up to the ambition.<\/p>\n<hr>\n<h4 class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\"><strong>FAQ<\/strong><\/h4>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\"><strong>What is a non-human identity in cybersecurity?<\/strong> A non-human identity is any system, service, agent, or automated process that authenticates and operates within an environment independently of direct human action. This includes service accounts, API keys, bots, authentication tokens, and AI agents.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\"><strong>Why are AI agents a unique identity management challenge?<\/strong> Unlike static service accounts, AI agents are often ephemeral, can spawn child identities, operate across system boundaries, and take actions that weren\u2019t explicitly pre-programmed. A standard IAM stack isn\u2019t built to handle dynamic, recursive, short-lived identities at this scale.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\"><strong>What is the <a href=\"https:\/\/solutionsreview.com\/data-management\/model-context-protocol-explained-insights-from-dremio-cto-rahim-bhojani\/\" target=\"_blank\" rel=\"noopener\">Model Context Protocol (MCP)<\/a>?<\/strong> MCP is an emerging standard for defining how AI agents interact with data services and APIs. 
It provides a more granular layer for identity and authorization enforcement than traditional API interfaces, which is where many security practitioners believe agent governance must operate.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\"><strong>What is prompt injection in the context of agentic AI?<\/strong> Prompt injection is an attack in which adversarial content embedded in data that an agent reads is designed to alter the agent\u2019s behavior. It is analogous to SQL injection but targets the agent\u2019s language model rather than a database query parser.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\" style=\"text-align: justify;\"><strong>How should organizations start governing non-human identities today?<\/strong> Inventory existing non-human identities across all environments. Apply least-privilege principles at the data service layer. Instrument agent execution logging for attribution. Start AI deployments with bounded, deterministic use cases and expand scope as governance matures.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The proliferation of non-human identities in enterprise environments isn\u2019t a problem for the future. It\u2019s the current state of the field, and most of the IAM stack is underprepared for it. The traditional identity and access management (IAM) stack was built around a simple premise: humans authenticate, systems authorize, and the policy enforces whatever the governance team drew on a whiteboard. 
That model held up&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16236\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16236","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16236"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16236\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}