
Identity and Access Management for AI Agents
Many companies are starting to experiment with AI agents to automate tasks or support users, but these agents don’t behave like the applications we’re used to securing. They make their own decisions, adjust their actions as they go, and interact with systems in ways that aren’t always predictable. That shift exposes gaps in today’s machine identity and access controls. Before getting into the details, it helps to look at why these agents challenge some of the assumptions in traditional IAM.
The Characteristics of AI Agents
AI agents use advanced algorithms to determine the steps needed to solve a task. They not only use algorithms to resolve required steps dynamically but also feed back results to improve the execution of the algorithms. This allows AI agents to dynamically adapt their behavior, making their execution indeterministic and unpredictable.
AI agents are software systems with the ability to operate autonomously or semi-autonomously, often on behalf of a user, in an indeterministic manner.
The indeterministic characteristic of AI agents stands in contrast to conventional software, where the steps to solve a task are predefined and execution is deterministic. This contrast highlights a fundamental change in how applications operate. It implies that the assumptions on which many security solutions were built have changed as well.
Authorization Premises Are Changing
Historically, the focus of IAM has been authentication and authorization of human users. The adoption of multi-factor authentication and passwordless login methods, together with identity governance and administration (IGA) processes that, for example, approve access requests for humans, serves as proof. IAM for applications (machine IAM) did not follow a comparable evolution.
With applications being indeterministic and issuing unpredictable requests on behalf of users, being able to perform authorization on the correct premises becomes more important. Static entitlement mappings for service accounts are not enough to meet the requirements of the new dynamic in applications. Instead, the identity and entitlements of applications need to play a greater part in access control decisions.
What really becomes important when protecting access to data from AI agents is identity governance and administration for applications. IGA for applications implies that there are processes and tools that allow organizations to assign and enforce access rights for machines which include AI agents. This requires setting up (machine) identities for AI agents.
Identities for AI Agents
AI agents are applications and, as such, fall under the umbrella of machine IAM. The industry has identified that the dynamic characteristics of AI agents require similar approaches for access control to what is typically in place for human users. However, this does not mean that AI agents are human users and should be treated as such. Mixing human and machine identities creates ambiguity that is hard to maintain. Instead, AI agents remain machines and should use existing means of machine identities.
Common forms of machine identities are:
Service accounts + secrets
API keys
JWT-based workload credentials
X.509 (client) certificates
As with usernames and passwords for human users, symmetric credentials for applications, like secrets and API keys, pose security risks. Therefore, whenever possible, use application credentials that are based on asymmetric cryptography, such as JWT-based credentials and X.509 certificates. Prefer authentication mechanisms that use key-bound credentials and require proof of control of a private key, such as X.509 certificates with mutual TLS (mTLS). Mutual TLS has been around for many years and is widely supported by various tools in a technology stack.
Since AI agents are applications, you can assign identities as you do for other applications and learn from best practices. For example, for a self-hosted AI agent on the backend, consider workload identities. For public agents, consider self-assigned identities using mechanisms like dynamic client registration, which is a common approach for mobile applications.
An argument for treating AI agents differently than other applications is delegation: the fact that they (autonomously) act on behalf of a user. However, any user-facing application performs delegation, and batch applications also run autonomously, sometimes with a user identity involved. There are already well-established protocols that solve user delegation to applications: OAuth and OpenID Connect. Apply them to AI agents!
(O)Authorization for AI Agents
The fact that AI agents perform automatic, unpredictable tasks on behalf of users does not mean they need dedicated identities or authentication mechanisms. AI agents are still OAuth clients like other applications. Consequently, the challenges that arise from onboarding public clients are not specific to (public) AI agents and remain similar across various applications. The challenges have just become more prevalent.
In the context of OAuth, AI agents are simply OAuth clients.
Theoretically, AI agents can run the same OAuth flows to retrieve access tokens as other applications. However, you need to adapt how you enforce access control rules for AI agents and applications in general. For example, with AI agents performing unpredictable tasks, it becomes important to keep a human in the loop, such as triggering approval requests where appropriate before granting access. These kinds of processes are typically part of identity governance and administration.
Identity governance and administration for applications means focusing on which application can access what under which circumstances, independently of the operating user. Part of that logic already resides in an application-centric identity server, an authorization server like the Curity Identity Server, that maintains a list of all (registered) OAuth clients and scopes they are allowed to request.
In the long run, and to enforce global policies, APIs and any other policy enforcement points should support integration with external access management systems that maintain access policies and can return access control decisions in real time. In that way, access control decisions can take into account many data points across a system and time. This enables risk-based access control decisions that address the challenges from AI agents.
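The application-centric, real-time decision described above can be sketched as follows. This is an added example, not Curity's code or API: the client ids, scope names, policy fields and context keys are hypothetical, and the `client_id` and `scope` claim names follow the JWT access token profile (RFC 9068). It assumes the API has already validated the token and that any `approved_by` value comes from a verified approval record.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientPolicy:
    """Entitlements of one application (OAuth client), independent of the user."""
    allowed_scopes: frozenset    # scopes this client may use at all
    approval_scopes: frozenset   # scopes that need human approval per request
    max_amount: int              # contextual limit checked at request time

# Constructed policy store; client ids, scopes and limits are hypothetical.
POLICIES = {
    "invoice-agent": ClientPolicy(
        frozenset({"invoice:read", "payment:create"}),
        frozenset({"payment:create"}), max_amount=500),
    "web-portal": ClientPolicy(
        frozenset({"invoice:read", "payment:create"}),
        frozenset(), max_amount=10_000),
}

def decide(claims: dict, required_scope: str, context: dict) -> str:
    """Return 'permit', 'deny' or 'needs_approval' for one API request.

    claims: already-validated access token claims (signature, expiry and
    audience checks are assumed to have happened before this call).
    """
    policy = POLICIES.get(claims.get("client_id"))
    if policy is None:
        return "deny"  # unknown or unidentified application: default deny
    granted = set(claims.get("scope", "").split())
    # The token must carry the scope and the client must be entitled to it.
    if required_scope not in granted or required_scope not in policy.allowed_scopes:
        return "deny"
    if context.get("amount", 0) > policy.max_amount:
        return "deny"
    if required_scope in policy.approval_scopes and not context.get("approved_by"):
        return "needs_approval"  # keep a human in the loop
    return "permit"

if __name__ == "__main__":
    # Constructed claims: the same user (sub) acting through two clients.
    agent = {"sub": "alice", "client_id": "invoice-agent",
             "scope": "invoice:read payment:create"}
    portal = dict(agent, client_id="web-portal")
    print(decide(agent, "payment:create", {"amount": 100}))
    print(decide(agent, "payment:create", {"amount": 100, "approved_by": "alice"}))
    print(decide(portal, "payment:create", {"amount": 900}))
```

The same user and the same scopes produce different outcomes depending on which application presents the token, which is the point of governing entitlements per client rather than per user.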
Reducing AI Security Anxiety
AI agents and any other indeterministic applications change certain premises with regard to API access control. However, while AI agents may significantly change how we interact with machines, they do not rescind the foundations of API access control. OAuth was designed for delegation and continues to be the tool of choice for that purpose. In that context, AI agents are simply OAuth clients.
What you need to update are access control rules beyond OAuth integrations and the enforcement of those rules. This includes identity governance and administration for applications, and OAuth is part of it.
The following capabilities are the new basic requirements for API access controls. You need to:
design access control rules targeting applications,
be able to identify and optionally authenticate clients,
add relevant identity information in access tokens and
integrate with external authorization systems to dynamically enforce policies.
There is no need for agentic identities, no magic, just robust API access control with an emphasis on identity governance and administration for applications.
