Skip to main content
Cybersecurity

Identity Lifecycle Management Struggles to Govern AI Agents

IT staff member stands beside a workstation with a laptop and papers nearby in an office setting.

"Identity lifecycle management was architected around a person with an employment record, a manager, and a departure date." — the guide

The HR‑driven foundation: joiner, mover, leaver

The identity lifecycle management system described in the source rests on a single, deterministic assumption: every identity maps to a human whose organizational status is recorded in HR. Workday, SAP SuccessFactors, or ServiceNow HR act as the authoritative engine. A hire record triggers provisioning into Active Directory or Azure AD and pushes entitlements to downstream applications; a department transfer updates attributes and entitlement sets; a termination triggers deprovisioning. Access certification campaigns route to managers or application owners, separation‑of‑duties controls run, and audit logs tie provisioning back to HR events and approvers. That event‑driven, role‑based model is coherent and auditable for human principals.

How AI agents fall outside the model

The same architecture that works for people collapses at the edges when the principal is an AI agent. Agents do not enter through HR: they appear via developer commits, platform API calls, or orchestrators such as LangChain, AutoGen, or AWS Bedrock Agents. They arrive with credentials attached — service accounts, API keys, or OAuth grants — created inline with deployment rather than by an IGA intake workflow. The result: no authoritative joiner event, no owner record, and no mapped role profile.

Operationally, agents expand scope at runtime. An agent designed to summarize documents can, through tool‑calling or retrieval patterns, call APIs it was not explicitly provisioned for, write to unexpected storage, or chain actions across systems. Agents also fork: parallel instances across clouds, containers, and SaaS surfaces can exist simultaneously, each with distinct credentials and session context. Traditional IGA tooling, the guide notes, sees only a static machine identity — a service account or OAuth client credential — and not the autonomous, authorization‑making principal that performs runtime actions.

Lifecycle events agents never trigger — and why that matters

The guide lays out four specific control failures when agents replace humans in the identity model:

  • No joiner event: deployments and API instantiations bypass IGA, so the identity surface gains principals without an IGA provisioning record or approval chain.
  • No mover event: an agent’s scope can be retooled or extended without an HR attribute change, so entitlement recalculation never occurs.
  • No access review signal: certification routing requires a human owner or manager; many agents carry neither and therefore generate no meaningful attestation history.
  • No leaver event: retiring a workflow or decommissioning compute does not automatically revoke credentials stored in secrets managers or authorization servers, leaving stale keys and grants active.

Each of these missing signals converts what were once deterministic governance transitions into blind spots where credentials, entitlements, and access paths persist without evidence.

Provisioning, reviews, and offboarding — operational risks in three acts

The guide explains how those blind spots play out in day‑to‑day operations. Provisioning flips from a pre‑scoped, role‑centric exercise to an ad hoc, developer‑driven one: engineers grant the least friction they need, and platform defaults (wildcard IAM policies, permissive OAuth scopes, inline service account creation) make over‑permission the default starting point.

Access reviews break down because IGA routing logic expects manager or owner attributes; when reviewers do see agent identities, the IGA record often reflects only the original provisioning state — not the runtime scope the agent has accumulated — making attestations formally complete but operationally meaningless.

Offboarding failures are acute: long‑lived API keys with production database access or OAuth grants can survive after a workload is retired because no HR‑style termination event ever triggered revocation. In environments with many iterative deployments, stale credentials accumulate faster than manual audits can correct.

How to close the gap: discovery, attributes, policy, monitoring, deprecation

The guide argues that extending lifecycle management to agents requires rebuilding governance around how agents are created, how their scope evolves, and how they die. Key elements include:

  • Automated, continuous discovery across cloud IAM, OAuth servers, Kubernetes service accounts, secrets managers, and CI/CD stores so the inventory reflects where agents actually live.
  • Agent‑centric attribute modeling: owning team, documented operational purpose, bounded list of authorized systems, deployment timestamp, expected lifetime, and behavioral attributes (which APIs are called and how often).
  • Policy‑driven provisioning: route credential issuance through access governance so credentials enforce least privilege tied to the documented function rather than being granted inline by deployment pipelines.
  • Continuous behavioral monitoring: substitute periodic certification with real‑time tracking of what each agent actually calls and flag divergence from provisioned entitlements as immediate governance events.
  • Deprecation workflows triggered by operational status: inactivity monitoring and scope‑change detection should drive automatic revocation via secrets managers and vaults instead of relying on manual discovery.

What this means for technologists, development teams, and procurement and compliance leaders

  • Technologists and security teams will need continuous discovery and behavioral monitoring capabilities to see agent identities across cloud IAM, OAuth servers, Kubernetes, and secrets managers rather than relying solely on existing IGA connectors.
  • Development teams must integrate agent provisioning into access governance workflows so credentials are issued through policy‑driven gates and attached to an owning team and documented purpose instead of being created ad hoc in deployment pipelines.
  • Procurement and compliance leaders should expect requests for tools that map identity graphs including agent behavior, credential age, owning team, and observed entitlements — moving audit evidence from HR events to operational telemetry.

The guide concludes with a concrete vendor example: Orchid Security claims to fill this gap by deploying lightweight orchestrators for continuous discovery, building an identity graph that maps principals to authentication flows and observed behavior, and providing guardrails for scoped provisioning, behavioral divergence detection, and deprecation workflows that integrate with existing IAM, PAM, and IGA tooling. In short: governance must shift from HR event semantics to operational signals — discovery, behavior, ownership, and automated deprecation — if enterprises are to close the blind spots agents create.

Original story