Agentic rollout creates new identity security challenge
Mon, 13th Jul 2026 (Yesterday)
Organisations racing to deploy AI agents are creating a new identity security challenge that many have yet to fully recognise, as they struggle to govern autonomous software acting on behalf of employees.
AI agents are being created at an increasingly rapid pace, but many projects are still failing to reach production because organisations lack the governance frameworks needed to safely deploy them.
Businesses are increasingly using agents to improve productivity, automate workflows and extend their workforces, with organisations deploying potentially hundreds for every human employee in their teams.
While adoption is accelerating, appropriate governance has become one of the primary obstacles preventing broader agentic rollout, according to Field CTO at SailPoint, Dana Reed.
"The reason (the agents) are not making it to production is because of the AI governance hurdle all these agents have to get over, in order for the company to feel safe in allowing them to operate in their production environments," Reed explained.
Enterprises need a governance platform capable of enforcing policies over autonomous agents, monitoring their behaviour and preventing them from operating outside approved boundaries.
What happens when agents aren't governed properly?
It's fundamentally clear that the risks are no longer theoretical.
Reed cited an example in the aviation industry, where an airline used AI agents to handle frontline customer complaints.
Designed to boost customer satisfaction results, the agents instead went rogue.
The quite generous AI began offering free plane tickets to resolve disputes.
While that may seem like standard operating procedure for customer service for an airline, in this particular case there was only one problem: the agents had not been specifically instructed to provide free tickets, and it became a costly mess.
When customers attempted to redeem the tickets promised to them by the autonomous agents, they were refused.
"What happened was when the folks who received those tickets were told 'no,' they took them to court," Reed said.
"The airline was then told that the agents were acting on behalf of that business. Therefore, they were responsible to honour that."
The incident illustrates the shift from simply owning AI systems to maintaining 'custody' over them.
The emergence of AI agents is also reshaping how identity itself is defined within cybersecurity.
Traditionally, identity platforms have focused on managing human users and their access to enterprise resources. Agents should now be treated as identities in their own right because they consume resources, access applications and perform work on behalf of employees.
Unlike people, however, AI agents have no judgement or human empathy. They pursue objectives using whatever resources are available to them, making governance even more important.
"These agents have no conscience. They have no feelings. They're goal-oriented. They will utilise whatever resources are available to them to achieve whatever goal they need," Reed said.
As they become capable of completing increasingly long and complex workflows, the statistical likelihood of errors also grows rapidly.
An individual action performed with 95 per cent accuracy may appear reliable, but across dozens of decisions the probability of completing an entire workflow successfully declines significantly, reinforcing the need for stronger oversight.
Rethinking identity security
The shift is also changing how identity security platforms operate.
While human users typically authenticate through browsers and conventional login methods, AI agents rely on API keys, certificates, tokens and machine credentials to access enterprise systems.
Managing these non-human identities is becoming an increasingly important security priority.
SailPoint's acquisition of Entro Security was intended to improve visibility into these machine credentials and provide organisations with greater control over how AI agents access corporate resources.
Beyond AI, identity security is becoming the central layer of modern cybersecurity architecture.
The industry is moving beyond traditional zero trust authentication models towards continuous, context-aware authorisation, where decisions are based not only on who a user is, but also on the circumstances surrounding every request.
That evolution is being supported by greater collaboration between cybersecurity vendors through emerging shared signal frameworks, allowing security platforms to exchange real-time threat intelligence and automate responses across multiple systems.
Identity information remains the missing ingredient.
While endpoint security platforms may detect suspicious activity, they often lack sufficient context about the user, their accounts or the AI agents operating on their behalf to determine the appropriate response.
"It's much more important than people actually think," Reed said of identity's role within enterprise security architectures.
The rise of AI agents is also prompting SailPoint to rethink traditional access management.
Instead of granting users or agents permanent privileges, organisations should increasingly adopt 'just-in-time' access models, where permissions are granted only when required, before being removed again.
Because agents inherit the permissions of the employees they represent, overly broad user access can significantly increase organisational risk.
Reducing standing privileges limits the potential damage an agent can cause, while generating valuable usage data showing precisely which resources employees and agents genuinely require.
Over time, this behavioural data will underpin increasingly autonomous identity management systems capable of making intelligent access decisions without human intervention.
Reed described agentic AI as the most significant transformation he has observed over his considerable time with the company.
"I've been at SailPoint for 15 years in identity management and identity security for probably 20. Agentic AI undoubtedly is now the next big technical advancement and transformation that I've seen in the market today."
As enterprise adoption accelerates, organisations that fail to establish governance around AI identities risk exposing themselves not only to cybersecurity threats but also to legal liability, while those capable of managing human and non-human identities through a unified platform will be best positioned to safely scale autonomous AI across their businesses.