AI Agent Identity Architecture

Problem

AI agents need to authenticate and be authorized to access services inside and outside the enterprise. Unlike human users, agents may be ephemeral, numerous, and capable of acting either on behalf of a human (delegated) or entirely autonomously under their own identity. Incumbent IAM/PAM tools were not designed for this scale or dynamism, and existing protocols (OAuth 2.0) do not capture the nuance of who directed an action — the agent or a human.

Two Identity Models

Delegated Access Model

The agent acts on behalf of a human user using that user’s scoped access token. Typical today for copilots and AI coding assistants. Simpler to govern because the human is still the principal of record.

Autonomous Agent Model

The agent has its own unique identity and authenticates independently to carry out tasks. Required for infrastructure agents, RPA-style workflows, and AI-employee scenarios. Harder to govern because identity sprawl is rapid and credentials may be ephemeral.

Trend

Enterprises today lean toward delegated access (productivity use cases), but the balance is expected to shift toward autonomous agents as AI-native workflows mature.

Components

SPIFFE / SPIRE — Workload Identity Foundation

SPIFFE (Secure Production Identity Framework for Everyone) / SPIRE is considered the gold standard for machine-to-machine workload identity inside the enterprise. It provides cryptographically verifiable identities to workloads (agents, orchestrators, vector stores, LLM endpoints) without static secrets. Its key role is solving the Credential Zero problem: an agent must authenticate to a vault/IdP in order to retrieve further credentials, and SPIFFE/certificates handle this bootstrapping.

Limitation

SPIFFE/SPIRE is authentication only. An authorization layer (e.g., OPA, Cedar, a PAM policy engine) must be added on top to define what an authenticated agent is permitted to do.

Secrets Vault / PAM Layer

For external service access (API keys, JWTs, OAuth tokens), agents retrieve short-lived credentials from a secrets vault or modern PAM vendor. Non-Human Identity (NHI) providers extend PAM for the discovery and lifecycle management of the vast number of machine identities AI deployments create.

Authorization Policy Layer

After authentication, a policy layer enforces scoped permissions. The Warrant primitive — a task-scoped, cryptographically signed, ephemeral authorization that limits blast radius — is the canonical example. See Agent Observability for Cedar policy examples.

Action-to-Identity Trace

A critical gap in current architectures: no standard mechanism captures whether an agent acted under its own agency or in response to a human instruction. This matters for liability attribution, and OAuth 2.0 does not model it. This is an open design problem that likely requires new protocol extensions or an audit-log layer that captures the delegation chain alongside every action.
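
One way to build the audit-log layer described above, as an added example that is not part of the original page: every action record carries its delegation chain and is hash-chained to the previous record so edits are detectable. The field names, the `spiffe://example.org/...` identities and the use of a SHA-256 hash chain are assumptions, since no standard exists for this.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first record in a log

def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash stable.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_action(log, agent_id, action, resource, delegation_chain, ts):
    """Append one record. An empty delegation_chain means the agent acted autonomously."""
    body = {
        "ts": ts,
        "agent_id": agent_id,
        "mode": "delegated" if delegation_chain else "autonomous",
        "delegation_chain": list(delegation_chain),  # originating human first
        "action": action,
        "resource": resource,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    log.append(dict(body, hash=_digest(body)))
    return log[-1]

def verify_log(log) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        mode_ok = body["mode"] == ("delegated" if body["delegation_chain"] else "autonomous")
        if body["prev_hash"] != prev or _digest(body) != rec["hash"] or not mode_ok:
            return i
        prev = rec["hash"]
    return -1

def principal_of_record(rec) -> str:
    """Who directed the action: the originating human, or the agent itself."""
    return rec["delegation_chain"][0] if rec["delegation_chain"] else rec["agent_id"]

def build_sample_log():
    # Constructed sample data: identities, actions and timestamps are illustrative.
    log = []
    append_action(log, "spiffe://example.org/agent/copilot-7", "repo.read", "git:payments", ["user:alice@example.org"], "2025-01-01T10:00:00Z")
    append_action(log, "spiffe://example.org/agent/infra-3", "vm.restart", "vm:build-12", [], "2025-01-01T10:05:00Z")
    return log

if __name__ == "__main__":
    for rec in build_sample_log():
        print(rec["mode"], principal_of_record(rec), rec["action"])
```

An unkeyed hash chain only detects edits if the latest hash is signed or anchored outside the log store; otherwise anyone with write access can recompute the whole chain.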

Data / Control Flow

Human User
    │  (delegates scope or triggers autonomous workflow)
    ▼
Agent Identity (delegated token OR own SPIFFE SVID)
    │
    ├─► Internal services (LLM, vector store, orchestrator)
    │       └─ SPIFFE/SPIRE mTLS, authorized by policy layer
    │
    └─► External services (APIs, SaaS, MCP servers)
            └─ Vault-retrieved API key / JWT / OAuth token
                    └─ NHI governance layer tracks lifecycle

All actions → Action-to-Identity Trace Log (delegation chain)

Trade-offs

Aspect                       Delegated Access                  Autonomous Agent
Governance complexity        Lower (human remains principal)   Higher (own identity, ephemeral)
Blast radius if compromised  Limited to that user’s scope      Can be broad if over-provisioned
Suitable for                 Copilots, coding assistants       Infrastructure agents, AI employees
IAM tooling maturity         High (existing IAM/PAM)           Low-to-medium (NHI vendors emerging)

Real-World Use

  • Enterprises use their existing IAM/IGA stack for delegated-access agents (only feasible for digitally mature orgs with healthy security budgets).
  • NHI vendors (e.g., Delinea, Teleport) are seeing early traction for discovering and governing autonomous agent credentials at scale.
  • SPIFFE/SPIRE deployment is common in cloud-native environments but not yet standard in agentic-AI pipelines.
