·5 min read·Cybersecurity & TrustIdentityCybersecurityAI GovernanceTrust ArchitectureAgentic AI

Identity Beyond Humans

Enterprise identity was built for humans, applications, and service accounts. Agents introduce ephemeral, delegated, contextual identity, and demand that every machine action tie back to an accountable principal.

Part of the series The AI-Native Enterprise · Arc III — Cyber Becomes Trust Architecture

By Michael E. Ruiz

Ask an enterprise security team how it manages identity and you will get a mature answer. There are human users, provisioned and de-provisioned through a lifecycle, grouped into roles. There are applications with their own identities. And there are service accounts, the long-lived non-human identities that let systems talk to each other. Identity and access management has spent twenty years refining the governance of these three, and it does it well. All three share a quiet assumption: the actor is stable. It exists for a while, it has a known and relatively fixed set of privileges, and you can reason about it.

Agents break the assumption. An agent is often ephemeral, spun up for a task and gone. Its authority is delegated, handed down from a principal for a specific purpose rather than provisioned as a standing role. And it is contextual: what it should be allowed to do depends on the task it is performing right now, not on a durable job description. A framework built for stable actors strains when the actor is transient, derivative, and situational, and treating an agent like a service account, a permanent identity with a broad standing grant, is precisely the wrong move, because it gives an unstable actor exactly the kind of durable, over-broad authority that is most dangerous when something goes wrong.

A different question

The shift is not that identity matters more. It is that identity has to answer a bigger question. For a human user, who is this is close to sufficient, because the person carries their own accountability and judgment. For an agent, who is this is nearly useless on its own, because the agent is only ever acting as an instrument of some authority. The questions that matter are relational and contextual: on whose behalf is this agent acting, under what authority was it granted, for what purpose, and within what limits.

That is the memorable form of the whole argument. In the agentic enterprise, identity is not just who you are. It is who you are acting for, what you were authorized to do, and why the enterprise should trust the action. An agent's identity that cannot answer those is not an identity in any useful sense. It is a credential with no story attached, and a credential with no story is how consequential machine action becomes untraceable.

In the agentic enterprise, identity is not just who you are. It is who you are acting for, what you were authorized to do, and why the enterprise should trust the action.

Lineage and the accountable principal

Because agents act on delegated authority, and because agents increasingly delegate to other agents, non-human identity needs something human identity rarely bothers with: lineage. It is not enough to know that an agent acted. The enterprise needs to trace the chain of authority that led to the action, from the human or organizational principal who authorized the work, down through any intermediary agents, to the one that finally acted. Each hop should carry a link to its parent, so the whole chain can be reconstructed. When a consequential action happens three delegations deep, the question who authorized this has to have an answer, and the answer has to terminate in an accountable principal, a named human, role, or organization that owns the outcome.

This is the hinge between identity and accountability, and it is why identity is the foundation of the trust architecture rather than one control among many. Accountability is not a policy you write; it is a property the identity system either supports or does not. If every agent action ties back through its lineage to a principal who is answerable for it, accountability is structurally guaranteed. If agent identity is ephemeral and unlinked, accountability evaporates the moment something goes wrong, and no after-the-fact investigation can fully rebuild it. The difference is designed in at the identity layer or it is not available at all.

Authorization that narrows

Two principles follow, and both cut against the habits of standing-privilege IAM. The first is that authorization must become task-specific and context-specific rather than role-durable. An agent should hold the authority its current task requires, for as long as the task runs, and no more. This is the same logic that drives zero-trust thinking for human and network access, never a blanket grant, always the minimum for the specific request, and it applies with more force to agents precisely because they are transient and numerous. A standing broad grant handed to an ephemeral actor is the worst of both worlds.

The second principle is privilege attenuation, and it is the one most easily gotten wrong. When a principal delegates to an agent, and that agent delegates further, authority must narrow at every step. A sub-agent should receive a strict subset of its parent's authority, never an expansion of it, and never simply an inheritance of the parent's full scope because that was easier to implement. Get this wrong and delegation becomes privilege amplification: a deeply nested agent doing a trivial task ends up wielding the broad authority of the human at the top of the chain. Get it right and authority contracts as it flows outward, so that the actors furthest from human oversight hold the least power. That inversion, least authority where there is least supervision, is one of the quiet foundations of a trustworthy agentic system, and it is enforced, or lost, at the identity layer. It also sets up the next essay directly, because autonomy without attenuated, bounded authority is where the real cyber risk of these systems lives.

Continue the Conversation

For identity and security teams, the agentic enterprise is not a bigger IAM rollout. It is a new question: can every machine action be tied to an accountable principal, a bounded authority, and a purpose. That is the identity model worth designing toward.

Start a conversation →

These ideas are available as keynote presentations and executive briefings. Explore speaking topics →