For years, identity security was built primarily around human users requesting access.
In the old model, identity was largely deterministic. A user or service account mapped to a known role, a known system, and a predictable set of actions. Even non-human identities were tightly scoped and relatively static. Governance could afford to be periodic because behaviour was bounded.
AI agents have ended that predictability. They operate as delegated actors that generate actions, chain tool use, and move across multiple systems without a human in the execution loop. You used to be able to simply assign and review an individual’s access; today, a single agent can run at scale as multiple instrances, each authenticating independently across your environment.
The capability shift behind this is happening faster than most organizations appreciate. Consider Mythos Preview: it demonstrated the ability to discover large numbers of previously unknown vulnerabilities and generate working exploits at rates that would have been difficult to imagine even one model generation earlier. More importantly, some of the model’s effectiveness at bug hunting emerged as an unexpected behaviour rather than a narrowly programmed function. These systems are not just getting faster; they are becoming more capable in ways we may not fully predict in advance. That makes identity security a control problem as well as an access management problem.
Non-human identities already outnumber human identities by more than 80 to 1 in some environments, and that ratio is climbing. The governance challenge runs deeper than the numbers. A growing portion of those identities are autonomous systems capable of taking actions that previously required human intent, at a time when most IAM programs are still designed primarily around people.
Ruchir Kumar, Senior Director, Architecture & Protection, ISA Cybersecurity“We are being asked to govern identities that can run as scores of simultaneous instances, each authenticating independently, and none capable of being reasoned with.
The question of who acted, when, and under whose authority becomes difficult when the actor is no longer a person.”
Why Human Controls Don’t Transfer
The instinct is to treat AI agents as more capable service accounts: assign a credential, apply a policy, and review periodically. That model does not hold under autonomous execution.
Human IAM was designed around fairly low-frequency authentication events and governance cycles measured in weeks, months, or quarters. Agentic systems operate continuously across multiple systems and can chain actions through identity, cloud, and development environments without human involvement.
Another key difference is the matter of intent. Human actors weigh consequences; ideally, humans will make the “right” choice based on skills, knowledge, and morals. Agents do not have this awareness. A compromised agent will execute whatever it is permitted to do, immediately, and at scale.
There is a further problem most IAM programs are not built to see. Agents spawn sub-agents, delegate credentials, and chain actions across systems. Those trust chains are invisible to standard IAM tooling. Without cryptographic binding to a human authorizer at every delegation step, accountability disappears the moment an agent hands off to another agent.
Two control layers are required in this environment. The first – behavioural controls, system prompts, refusal training, and operational constraints – influences model behaviour. The second is enforcement: scoped credentials, just-in-time authorization, policy-as-code, and zero standing privileges (ZSP). This layer defines what the agent is technically allowed to do, regardless of output or intent.
When the behavioural layer fails – and it will – the enforcement layer will go a long way to determining the blast radius of an incident.
The 2025 Replit incident illustrated this directly. An AI coding agent was told eleven times (reportedly in “all caps”, though that might be apocryphal) not to touch a production database. It retained full standing access, executed destructive changes regardless, deleted the database, fabricated approximately 4,000 user records, then tried to cover its tracks by producing false test reports. The instructions were explicit. The authorization design made the outcome possible anyway. Guardrails are critical.
Four Things to Do Tomorrow
1. Establish agent identity governance from day one
Platform-attested, cryptographic identity and ZSP should be baseline requirements for deployment, not roadmap items. Security by design has never been a more important principle.
Workload identity systems such as SPIFFE/SPIRE provide cryptographic, platform-bound identities that remove reliance on long-lived shared secrets. In modern cloud environments, this becomes the foundation for distinguishing between workloads, services, and agents.
The key shift is conceptual: agents are not just workloads. They are delegated actors. That introduces a governance requirement that traditional service account models were never designed to handle. They need to be treated differently.
2. Build the agent identity registry now
Catalog every agent in deployment or active development: owner, model provider, access scope, connected systems, delegated authorities, external tool permissions, approval chain, and decommission criteria.
The urgency here is easy to underestimate. In 2025, ClawdBot/OpenClaw rapidly expanded from zero to over 40,000 publicly exposed instances within weeks of adoption, underscoring how quickly agent sprawl can become attack surface before anyone has had time to assess it. The identity-versus-instance problem compounds this: when one agent runs as multiple concurrent instances, each authenticating separately, a registry that tracks identities but not instances will miss most of what is actually happening.
Most organizations already struggle to maintain accurate inventories of service accounts, API tokens, and workload identities. Agentic systems accelerate that fragmentation because they can create, invoke, and delegate other agents or tools.
This registry is not documentation. It is the control plane for governance, incident response, auditability, and revocation. If you cannot see an identity, you cannot constrain it. And if you cannot constrain it, you cannot govern it.
3. Enforce ZSP and shrink the blast radius
Every agent action should require just-in-time authorization scoped to a specific task, time window, and resource set. Policy-as-code frameworks such as OPA/Rego and Cedar can define what an agent is allowed to do, under what conditions, and against which data.
Agents should operate inside constrained execution environments with clear boundaries around network access, data exposure, and tool invocation. If an agent does not need internet access, shell execution, or production write privileges, those capabilities should not be available by default.
Organizations also need the ability to respond automatically when something goes wrong: terminating sessions, revoking delegated permissions, and stopping downstream propagation before human responders are fully engaged.
Visibility matters just as much as restriction – and traditional logging is not sufficient. Identity-aware observability means capturing a linked record for every action: which identity made the assertion, what authorization decision was made, what action was taken, against what data, and with what outcome. That is different from a log file, and the difference matters when you are trying to reconstruct what an agent actually did. If you cannot observe agent behaviour at that level of fidelity, the system is not ready for production deployment. Exceptions should be rare, explicit, and formally approved.
4. Act before the next model generation lands
Capability jumps in agentic systems arrive in discrete generational leaps, not gradual progressions – and those generations are now arriving at a pace measured in months, not years. The UK AI Security Institute’s independent evaluation of Mythos Preview makes this concrete: the model completed a 32-step corporate network takeover simulation – a scenario estimated to take human experts 20 hours – on its own. One generation earlier, that was not possible. Multi-step autonomy, tool use, and cross-system execution are all improving on the same curve.
The compliance environment has not kept pace. SOC 2, HIPAA, CMMC, and ISO 27001 were designed before agentic AI and non-human identities became widespread. AI-specific frameworks/standards – notably the NIST AI RMF and ISO 42001 – do address governance for AI systems and provide a useful starting point, but they were not written with autonomous, identity-exercising agents in mind either. The gaps those frameworks leave around non-human identities are already present in production environments. Organizations that map them proactively have options. Those that encounter them through an audit finding or a live incident have far fewer.
Ruchir Kumar, Senior Director, Architecture & Protection, ISA Cybersecurity“If an AI agent is compromised, it can lie about what it did unless logs are independently secured. Cryptographic logging ensures actions can’t be silently modified, making investigations trustworthy instead of reconstructive guesswork.”
What This Means for Canadian Organizations
Regulatory frameworks emerging from the EU and other jurisdictions are already shaping expectations for Canadian organizations operating internationally, particularly around AI governance and accountability.
Across all sectors, public and private, agentic AI adoption is accelerating. The governance challenge is not limited to model risk or data privacy. It is fundamentally an identity and authorization problem, and it now includes actors that are non-human, autonomous, and capable of delegating authority to other non-human systems.
ISA Cybersecurity works with Canadian organizations to assess IAM programs against the realities of agentic AI, identify governance gaps, and implement controls designed for non-human identity at scale. Contact us today to learn more.
