In today’s enterprise world, AI no longer just answers questions or writes emails, but it takes action. From copilots booking travel to intelligent agents updating systems and coordinating with other bots, we’re stepping into a world where software can reason, plan, and operate with increasing autonomy.
This shift brings immense promise and significant risk. The identity and access management (IAM) infrastructures that we rely upon today were built for people and fixed service accounts. They weren’t designed to manage self-directing, dynamic digital agents. And yet that’s what Agentic AI demands.
These computer programs are autonomous, can make decisions, and even spawn other agents to help in getting the work done. They do not operate in the form of set roles or fixed sessions. They may be available for minutes or seconds to carry out a specific task and then just disappear after work has been completed. They can act on behalf of others or on behalf of other agents, eliciting profound, nested delegation chains. This makes them fundamentally different from traditional applications or service accounts. Agentic AI is an identity and policy challenge, not just a compute one.
Where Current IAM Falls Short
Existing IAM frameworks, including widely used protocols like OAuth 2.0, OpenID Connect (OIDC), and SAML, were designed for a more deterministic digital era. They presume predictable application behavior and a single authenticated principal, human or static machine identity. Agentic AI simply violates those assumptions:
- Coarse-Grained and Static Permissions: Legacy IAM relies on pre-existing scopes or roles that are too coarse-grained and static to handle the dynamic operational requirements of AI agents. Agents may require fine-grained, task-specific permissions that dynamically change based on context, mission parameters, or in-real-time data evaluation. Issuing coarse, long-lived tokens is an open invitation to catastrophic abuse.
- Single-Entity Model vs. Multi-Entity Delegations: Current protocols struggle to represent and secure intricate sequences of delegations, in which an agent might establish sub-agents or stand for multiple principals concurrently. This compromises accountability by making traceability to the initial delegator ambiguous.
- Limited Context Awareness: Static scopes or roles, barely make use of runtime context, agent intent, or risk level. Access is provided at the beginning of a session and continues to exist regardless of altered situations.
- Scalability Issues with Token/Session Management: Scaling transient agents in hundreds or thousands of numbers, with each talking to several services, can put pressure on traditional IAM infrastructure. Issuance, validation, and more importantly, revocation of an enormous number of temporary tokens can become a headache for operations.
- Dynamic Trust Models & Inter-Agent Authentication: Agents often need to authenticate and authorize each other, perhaps across organizational borders, without the presence of a universal, pre-existing trust fabric. OAuth and SAML are based on hierarchical trust model assumptions, which are ill-suited to peer-to-peer trust establishment between independent agents.
- Non-Human Identity (NHI) Proliferation: Each autonomous actor may have NHIs for numerous APIs, databases, and services, leading to a multiplicative factor in secrets that need to be securely stored, rotated, and kept. This “secret sprawl” exponentially increases the attack surface.
- Global Logout/Revocation Complexity: If an agent has been compromised or completed its task, revoking its access rights and sessions immediately and totally on all systems it talks to is a huge issue. Disconnected revocation systems can lead to lingering access.
The underlying problem is a basic mismatch: we are attempting to safeguard dynamic, independent agents with security techniques optimized for human-operated, single-purpose programs.
Promising IAM Frameworks for Agentic AI
To address the authorization crisis of the AI agent era, an engaged, design-intentional architecture will be required. Two compelling avenues are being researched to address these challenges:
- Zero-Trust Identity Framework with Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs)
This vision presumes the need for a new Agentic AI IAM system based on high-fidelity, verifiable Agent Identities (IDs). This paradigm leverages decentralized technologies to redefine agent identity and provide fine-grained, dynamic access control. It consists of the following:
Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs): DIDs allow globally unique, persistent, cryptographically verifiable identifiers in control of agent or its controller to accommodate self-sovereign identity necessary for decentralized and cross-organizational Multi-Agent Systems (MAS). VCs are digitally signed attestations about an agent that allow for granular and dynamic expression of attributes, capabilities, or rights. These technologies are particularly suited to model Non-Human Identities.
Agent Naming Service (ANS): The architecture includes an Agent Naming Service for capability-aware and secure agent discovery. An ANS resolver resolves against an Agent Registry, which holds registered agent data, i.e., ANS Names, DIDs, PKI certificates, and protocol extensions declaring their capabilities and associated VCs.
Zero-Knowledge Proofs (ZKPs): ZKPs enable privacy-preserving attribute disclosure and policy compliance verifiability, where an agent can prove it meets specified requirements without disclosing confidential underlying data.
Unified Global Session Management and Policy Enforcement Layer: This layer in particular addresses the issue of uniform security posture management across heterogeneous MAS with agents running over different communication protocols. It is a “security and session management backplane” that ensures policy decisions or revocation propagate instantly and uniformly to every point of interaction.
This multi-layered architectural pattern enables high-fidelity dynamic access control controls in accordance with Zero Trust principles by continuously confirming agent trust.
- ARIA: Agent Relationship-Based Identity & Authorization
ARIA (Agent Relationship-Based Identity & Authorization) offers an integrated model to safeguard enterprise self-sovereign AI agents by dealing with delegation relationships and constraints as first-class security abstractions. This model integrates and extends existing open standards:
OAuth 2.0 Rich Authorization Requests (RAR): Enables agents to express precisely what they need in business language, with extremely detailed permission requests.
OAuth 2.0 Token Exchange (On-Behalf-Of Profile): Cryptographically binds an actor (the agent) to a delegator (service or human granting permissions), preserving the chain of responsibility over many hops.
OpenID AuthZEN: Evaluate fine-grained, context-aware policies without abandoning installed base OAuth infrastructure, putting on constraints (e.g., geo-fences, budget thresholds) and requirements (e.g., audit trails, notifications).
Model Context Protocol (MCP): Brings the power of authorization into AI tool chains directly, allowing agents to learn about and comply with organizational policies during workflow authoring. MCP allows information owners to securely expose information to AI agents in a controlled, structured environment.
Graph-Native Relationships: ARIA’s primary innovation is that it is graph-native, i.e., delegation paths are declarative, directly traceable, and surgically revocable. This is necessary to terminate an AI agent’s authority without interfering with other activity.
Dual Enforcement Model: Separates synchronous constraints (prohibiting malicious actions) from asynchronous obligations (checking compliance, e.g., audit logging), compromising security against performance.
Agent-to-Agent (A2A) Communication: This novel open standard promotes secure inter-agent communication, allowing many agents (maybe from different vendors or platforms) to discover each other, exchange data, and divide up work safely. A2A enables agents to transmit cryptographically signed messages with verifiable presentations establishing authorization for specific communications.
A Call for More Work
The road to a comprehensive and internationally accessible Agentic AI IAM framework is a daunting task. The rapid pace of AI development demands accelerated IAM security guidance, especially for heavily regulated sectors. Continued research, continued development of standards, and rigorous interoperability are required to prevent fragmentation into incompatible identity silos. We must also address the ethical issues, such as bias detection and mitigation in credentials, and offer transparency and explainability of IAM decisions. Installation and regulation of a potentially global, federated, or decentralized IAM infrastructure is a huge task that will require an effort of several stakeholders, potentially involving industry self-regulation, standards development, and government regulation.
The stakes are high. Without a comprehensive plan for managing these agents—one that tracks who they are, what they can perceive, and when their permissions expire—we risk disaster through way of complexity and compromise. Identity remains the foundation of enterprise security, and its scope must reach rapidly to shield the autonomous revolution.
References:
- Huang, K., Narajala, V. S., Yeoh, J., et al. (2025). A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control. arXiv preprint arXiv:2505.19301.
- “ARIA: Agent Relationship-Based Identity & Authorization – A Unified Framework for Securing Autonomous AI Agents in the Enterprise.” (2025). Early Draft White Paper v0.1.
- Cloud Security Alliance. (2025, March 11). Agentic AI Identity Management Approach.
- Hoffman, K. “Pepper”. (2025, June 13). A New Identity: Agentic AI boom risks busting IAM norms. SC Media.
