Introduction
The proliferation of AI agents—autonomous systems capable of making decisions, executing tasks, and provisioning resources without human intervention—represents the most significant shift in enterprise identity governance since the rise of cloud computing. Unlike traditional software that requires explicit human authorization for each action, AI agents operate with delegated authority, making thousands of decisions per day based on learned patterns and trained objectives.
This fundamental shift exposes a critical weakness in modern identity governance frameworks: they were not designed for entities that act autonomously, at scale, without human checkpoints. Enterprise identity governance and administration (IGA) systems must evolve to address this reality or organisations will face unprecedented security and compliance risks.
The Problem: AI Agents Operate Outside Traditional Identity Governance
Identity governance systems work by establishing role-based access control (RBAC), defining what permissions are appropriate for each human role, and periodically reviewing whether users still need those permissions. This model assumes relatively stable, infrequent permission changes and human accountability for actions taken.
AI agents shatter these assumptions. An agent deployed to handle customer onboarding might dynamically provision accounts, assign roles, and grant permissions based on customer attributes—making access decisions that would normally require human review and approval. The decisions are correct 99% of the time, but the 1% of errors might grant a customer access to systems they shouldn’t have, or fail to revoke access for terminated customers.
The governance gap becomes even more acute when agents are chained together. Agent A triggers actions that invoke Agent B, which provisioning resources that Agent C monitors. Where is the identity governance checkpoint? How does the organisation enforce segregation of duties when agents interact autonomously? How are these actions audited for compliance?
Furthermore, agents often don’t operate as traditional users. They may not have persistent identities. They may spawn dynamically, operate for hours or minutes, and then terminate. Traditional provisioning workflows designed for human employees don’t apply. And when an agent’s behaviour deviates from expectations—acting too broadly, accessing unexpected systems, or violating policy—there is no human user to terminate or retrain.
Key Points: Modern IGA for the Agent Era
1. Agent Identity Lifecycle Management
Identity governance systems must implement agent-specific lifecycle stages: instantiation (when an agent is created), activation (when it begins operating), behaviour verification (confirming it operates within expected parameters), and termination (when it no longer has authority). This is distinct from traditional user provisioning but equally critical.
2. Real-Time Governance Decision Enforcement
Rather than reviewing agent actions after the fact, identity governance platforms should enforce governance decisions in real time. Before an agent can perform a privileged action—provision a user, grant permissions, execute a financial transaction—the IGA system should verify that the action aligns with the agent’s defined authority. This prevents governance violations from occurring in the first place.
3. Behaviour Analytics and Anomaly Detection
Identity governance systems should establish baseline behavioural profiles for each agent: what actions it typically performs, what systems it accesses, how much data it processes. Deviations from this baseline should trigger alerting and potentially automatic action suspension, allowing human operators to investigate whether the agent has been compromised or has drifted from its intended function.
4. Supply Chain Governance for AI Model Risk
Since AI agents are typically trained on external models or APIs, identity governance must extend to managing the identity and trustworthiness of those upstream sources. Before an agent is deployed, the organisation should attest to the security posture of the underlying model, the data provenance used for training, and the monitoring mechanisms ensuring the model hasn’t been compromised or fine-tuned to behave maliciously.