Agentic AI's Identity Crisis Leaves Security Teams Vulnerable

"Yes, agentic AI has an identity problem and attackers are starting to take notice," wrote Itamar Apelblat, CEO and co‑founder of Token Security.

What agentic AI is doing inside production environments

Apelblat frames the challenge this way: AI agents are not passive tools but digital actors that "authenticate, receive permissions, call APIs, write code, trigger workflows, query databases, and take action across production environments." In many organizations, those agents operate with credentials, API tokens, OAuth grants, and cloud roles that "nobody has fully inventoried." That combination of autonomy and broad, poorly tracked access creates a new surface for identity risk.

Three critical identity problems: visibility, overprivilege, and prompt injection

The piece separates the risks into three discrete failures security teams must confront.

  • Visibility problem. Agents are appearing through a variety of channels—built by internal teams, embedded in SaaS platforms, running locally on endpoints or inside developer environments, and integrating with automation, identity providers, cloud consoles, and ticketing systems. If security teams do not know these agents exist, they cannot map owners, scope, or blast radius.
  • Overprivilege problem. During experimentation, developers or business units often grant broad access—embedding secrets into workflows, issuing API tokens, or connecting SaaS accounts with admin rights. These shortcuts create "identity debt" that agentic AI can accumulate at scale and machine speed.
  • Prompt injection and indirect manipulation. An attacker does not always need to steal a traditional account. If an overprivileged agent can both read untrusted content and take privileged action, the attacker only has to influence what the agent reads: instructions planted in a ticket, an email, or a web page the agent processes can steer it into unauthorized actions carried out with its own legitimate credentials.

Why traditional least privilege and identity programs fall short

Security teams, Apelblat notes, built identity programs around human behavior—employees who join, move, and leave; managers who attest to needs; and relatively stable baselines for behavior. Machine identities complicated that model, but remained largely deterministic.

Agentic AI breaks the determinism assumption because an agent can interpret goals and choose actions across systems. That flexibility makes static, role‑based least‑privilege approaches inadequate: an agent that summarizes a support ticket does not need the same access as an agent that can issue refunds, modify customer records, or execute commands in production. Similarly, a coding agent in a sandbox differs from one that can open pull requests, access secrets, or deploy infrastructure. Access for agents, the piece argues, should be contextual, intent‑based, time‑bound, and continuously evaluated—controls many enterprises do not yet have.

Identity‑centric governance: essential controls and automated enforcement

Apelblat urges CISOs to anchor agentic AI governance in identity security rather than treating it as a standalone AI program. He lists specific controls he considers foundational: each agent should have a distinct identity (no shared accounts or borrowed human credentials), a named owner, a documented business purpose, an approved scope of action, and a defined lifecycle. Privileges should expire when no longer needed; secrets should be protected, rotated, and removed from places agents can expose them.

Because agents can be created by developers, business users, and SaaS vendors across an enterprise, Apelblat argues manual reviews will not scale. Instead, identity governance must "discover new agents, classify access, detect risky paths, enforce policy, and trigger remediation without waiting for a quarterly review." He also calls for decentralized control with centralized policy so teams can build and adopt agents while maintaining guardrails for identity, access, ownership, logging, and revocation.
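The controls listed above (a distinct identity per agent, a named owner, a documented purpose, an approved scope, expiring privileges) and the risky path behind the prompt-injection case described earlier can be made concrete in code. The following Python (3.9+) is an added example written for this page, not code from Token Security or from the commentary; every agent, owner and tool name in it is invented, and the rule it uses to flag a risky path (an identity that currently holds both a tool that ingests untrusted content and a tool that takes a privileged action) is this example's own convention, not a rule the article states.

```python
"""Added example (not from the Token Security commentary): a toy agent
identity registry with per-call, time-bound scope checks and a detector
for the untrusted-read plus privileged-action combination that enables
indirect prompt injection. All agent, owner and tool names are invented."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed tool catalogue. "untrusted_input" marks tools whose output an
# outsider can influence (tickets, inbound email, web pages); "privileged"
# marks tools whose side effects a human would normally have to approve.
TOOLS = {
    "read_ticket":            {"untrusted_input": True,  "privileged": False},
    "post_ticket_summary":    {"untrusted_input": False, "privileged": False},
    "issue_refund":           {"untrusted_input": False, "privileged": True},
    "update_customer_record": {"untrusted_input": False, "privileged": True},
}

# Fixed clock for the demo scenario so results are reproducible.
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Grant:
    """One approved tool for one agent, valid only until expires_at."""
    tool: str
    expires_at: datetime


@dataclass
class AgentIdentity:
    agent_id: str      # distinct per agent; never a shared or human account
    owner: str         # named person or team accountable for it
    purpose: str       # documented business purpose
    grants: list = field(default_factory=list)   # approved scope of action


class AgentRegistry:
    def __init__(self) -> None:
        self._agents: dict = {}
        self.audit_log: list = []   # (time, agent_id, tool, outcome) per call

    def register(self, agent: AgentIdentity) -> None:
        """Admit an identity only if it is distinct, owned and purposeful."""
        if not agent.owner or not agent.purpose:
            raise ValueError(f"{agent.agent_id}: owner and purpose are required")
        if agent.agent_id in self._agents:
            raise ValueError(f"{agent.agent_id}: identity already exists")
        for g in agent.grants:
            if g.tool not in TOOLS:
                raise ValueError(f"{agent.agent_id}: unknown tool {g.tool}")
        self._agents[agent.agent_id] = agent

    def authorize(self, agent_id: str, tool: str, now: datetime) -> tuple:
        """Evaluate one tool call at the moment it happens, and record it."""
        agent = self._agents.get(agent_id)
        if agent is None:
            outcome = (False, "unknown agent identity")
        else:
            grant = next((g for g in agent.grants if g.tool == tool), None)
            if grant is None:
                outcome = (False, "tool outside approved scope")
            elif now >= grant.expires_at:
                outcome = (False, "grant expired")
            else:
                outcome = (True, "ok")
        self.audit_log.append((now, agent_id, tool, outcome[1]))
        return outcome

    def risky_paths(self, now: datetime) -> list:
        """Identities that can currently both read untrusted content and take
        a privileged action: the precondition for indirect prompt injection."""
        found = []
        for agent in self._agents.values():
            live = [g.tool for g in agent.grants if g.expires_at > now]
            readers = [t for t in live if TOOLS[t]["untrusted_input"]]
            privileged = [t for t in live if TOOLS[t]["privileged"]]
            found.extend((agent.agent_id, r, p) for r in readers for p in privileged)
        return found

    def prune_expired(self, now: datetime) -> list:
        """Drop expired grants; returns what was revoked so owners can be told."""
        revoked = []
        for agent in self._agents.values():
            keep = []
            for g in agent.grants:
                if g.expires_at > now:
                    keep.append(g)
                else:
                    revoked.append((agent.agent_id, g.tool))
            agent.grants = keep
        return revoked


def build_demo_registry(now: datetime = DEMO_NOW) -> AgentRegistry:
    """Constructed scenario: a summarizer scoped to read-only tools, and a
    refund prototype whose broad grants were never narrowed (identity debt)."""
    reg = AgentRegistry()
    week = timedelta(days=7)
    reg.register(AgentIdentity(
        "ticket-summarizer", owner="support-eng", purpose="summarize inbound tickets",
        grants=[Grant("read_ticket", now + week),
                Grant("post_ticket_summary", now + week)]))
    reg.register(AgentIdentity(
        "refund-bot", owner="payments", purpose="prototype: automate refunds",
        grants=[Grant("read_ticket", now + week),
                Grant("issue_refund", now - timedelta(hours=1)),   # already lapsed
                Grant("update_customer_record", now + week)]))
    return reg
```

Running `build_demo_registry()` and calling `authorize("ticket-summarizer", "issue_refund", DEMO_NOW)` is denied as out of scope, while `authorize("refund-bot", "issue_refund", DEMO_NOW)` is denied because the grant lapsed; `risky_paths(DEMO_NOW)` still flags `refund-bot` because it can read tickets and update customer records, which is the finding a real discovery job would route to the agent's named owner rather than wait for a quarterly review.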

How CISOs, developers, and SaaS teams are implicated

  • CISOs and security teams: The piece warns they "cannot wait for a separate AI security program to mature in isolation" and must instead adapt identity programs now—establishing discovery, classification, enforcement, and automated remediation tied to agent identities.
  • Developers and business units: Apelblat highlights that prototypes and experiments frequently create overprivileged agents—developers "may grant an API token" for a prototype, or application teams may "embed secrets into a workflow" because it is faster than proper delegation, creating identity debt at machine speed.
  • SaaS vendors and platform teams: Agents arriving through SaaS platforms can introduce shadow AI into organizations; the recommended model is decentralized adoption paired with centralized policy so SaaS‑delivered agents operate within predefined guardrails.

Apelblat links the challenge to previous technology waves—cloud, SaaS, and DevOps—saying enterprises that succeeded rebuilt controls around how the new technology actually worked rather than forbidding it. He reframes the fundamental security question: stop focusing only on what AI can generate and start focusing on what AI can do. "Today's magnifying risk is an autonomous action taken by an identity nobody governed, using access nobody reviewed, toward an outcome nobody intended," he writes.

The prescription is brisk and immediate: "The time to act is not in six months. It is now." The article closes with a warning familiar in its plainness—delay lets identity debt compound at machine speed, and the longer organizations wait to implement identity‑centric agentic AI governance, "the harder it will be to regain control."

Read the original Token Security commentary at BleepingComputer.