{"id":233,"date":"2026-05-31T16:00:10","date_gmt":"2026-05-31T16:00:10","guid":{"rendered":"https:\/\/sme-access.com\/?p=233"},"modified":"2026-06-28T16:28:28","modified_gmt":"2026-06-28T16:28:28","slug":"my-iam-thoughts-about-agentic-ai-part-1","status":"publish","type":"post","link":"https:\/\/sme-access.com\/?p=233","title":{"rendered":"My IAM thoughts about Agentic AI &#8211; Part 1"},"content":{"rendered":"<p><!--\n  JSON-LD Structured Data\n--><br \/>\n<script type=\"application\/ld+json\"><br \/>\n{<br \/>\n  \"@context\": \"https:\/\/schema.org\",<br \/>\n  \"@type\": \"BlogPosting\",<br \/>\n  \"headline\": \"My IAM thoughts about Agentic AI \u2013 Part 1\",<br \/>\n  \"description\": \"A practical guide on how to manage and secure the identity of Agentic AI \u2014 from the foundations of delegation and token exchange to Zero Trust controls for autonomous AI workflows.\",<br \/>\n  \"author\": {<br \/>\n    \"@type\": \"Person\",<br \/>\n    \"name\": \"Elmehdi Aabad\",<br \/>\n    \"jobTitle\": \"Senior Solution Engineer \u2013 Identity Security\",<br \/>\n  },<br \/>\n  \"datePublished\": \"2026-05-23\",<br \/>\n  \"keywords\": [\"Agentic AI\", \"AI Agent Identity\", \"Non-Human Identity\", \"IAM\", \"Zero Trust\", \"OAuth Token Exchange\", \"RFC 8693\", \"NHI Security\"],<br \/>\n  \"mainEntityOfPage\": {<br \/>\n    \"@type\": \"WebPage\"<br \/>\n  },<br \/>\n  \"articleSection\": \"Identity Security\",<br \/>\n  \"about\": [<br \/>\n    {<br \/>\n      \"@type\": \"Thing\",<br \/>\n      \"name\": \"Agentic AI Security\"<br \/>\n    },<br \/>\n    {<br \/>\n      \"@type\": \"Thing\",<br \/>\n      \"name\": \"Non-Human Identity\"<br \/>\n    },<br \/>\n    {<br \/>\n      \"@type\": \"Thing\",<br \/>\n      \"name\": \"OAuth 2.0 Token Exchange\"<br \/>\n    }<br \/>\n  ]<br \/>\n}<br \/>\n<\/script><\/p>\n\n\n<p class=\"wp-block-paragraph\">The noise around Agentic AI security is hard to ignore. I&#8217;ve been watching identity challenges evolve for over 10 years, and what&#8217;s happening today feels different. We went from managing hundreds or thousands of Active Directory accounts to federating millions of consumer identities, to wrestling with the explosion of service accounts, API keys, and certificates that DevOps and cloud-native architectures threw at us. Each wave pushed us to rethink what &#8220;IDENTITY&#8221; actually means.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And just when Non-Human Identity (NHI) was starting to feel like a solved problem, Agentic AI walked in and completely broke the mental model.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This post is the first in a two-part series based on my recent research, hands-on experimentation, and conversations in the field. Part one is theoretical and it&#8217;s about how we should think about IAM for Agentic AI? Part two is practical, a demo application that brings these concepts to life, covering OAuth 2 token exchange, Security Token Service (STS), Workload Identity Federation and more.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s dig in&#8230;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Consider what&#8217;s already happening in enterprises today (Gov sector &#8211; fictitious scenario): An <strong>applicant<\/strong> submits a housing benefit claim through a government portal. An <strong>orchestration agent<\/strong> receives the request and hands off to a <strong>verification agent<\/strong>, which checks identity against the national ID database, cross-references income records with the tax authority, and validates residency through municipal registries. Once it returns a consolidated eligibility verdict, a <strong>third agent reviews<\/strong> the outcome, approves the claim, and triggers the payment. The applicant receives their benefit.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><em><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">No human reviewed the decision!<\/mark><\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Here&#8217;s what that broken state looks like, visually:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"469\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Housing-Benefit-Claim-\u2013-Agent-Chain-Payment-Attribution-Gap-1024x469.png\" alt=\"\" class=\"wp-image-277\" style=\"width:1100px;height:auto\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Housing-Benefit-Claim-\u2013-Agent-Chain-Payment-Attribution-Gap-1024x469.png 1024w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Housing-Benefit-Claim-\u2013-Agent-Chain-Payment-Attribution-Gap-300x137.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Housing-Benefit-Claim-\u2013-Agent-Chain-Payment-Attribution-Gap-768x352.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Housing-Benefit-Claim-\u2013-Agent-Chain-Payment-Attribution-Gap-1536x704.png 1536w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Housing-Benefit-Claim-\u2013-Agent-Chain-Payment-Attribution-Gap-2048x939.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><em><strong>Every arrow hides the origin<\/strong><\/em><strong><em>al identity or actor<\/em><\/strong><em><strong>. By the time the action reaches its destination, Adam is gone.<\/strong><\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What Makes Agentic AI Different from Other NHI<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We all spend a lot of time talking about Non-Human Identity. Service accounts, RPA, API tokens, workload credentials, these are all entities we\u2019ve learned (sometimes painfully) to manage. But AI agents are a different beast.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Traditional NHI is mostly deterministic. A service account runs a scheduled job. An API key calls a specific endpoint. You can define what it does, scope it tightly, and monitor for deviations. It\u2019s not \u201cSMART\u201d it just executes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An AI agent is <strong><span style=\"text-decoration: underline;\">autonomous<\/span><\/strong> and <strong><span style=\"text-decoration: underline;\">compositional<\/span><\/strong>. It plans. It delegates. It adapts its steps based on intermediate results. It can spawn other agents, call multiple tools, interact with sensitive systems, all in pursuit of a goal that a human set at the start of a session. By the time it reaches the fifth hop of a multi-agent workflow, that original human context may be completely invisible to the downstream systems receiving the requests.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This creates what I\u2019d call the three core identity problems with Agentic AI:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">Problem 1: Agents don\u2019t have a native identity concept.<\/mark><\/em> Today\u2019s IAM infrastructure was built for two kinds of principals: humans and machines executing defined workloads. An agent that \u201c<strong>acts on behalf of a human<\/strong>\u201d sits in an uncomfortable middle ground that our systems don\u2019t know how to represent.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">Problem 2: Delegation chains collapse.<\/mark><\/em> When Agent A calls Agent B which calls API C, the downstream system sees only the immediate caller. The human who initiated the session, and every intermediate agent, disappears. We lose <strong>provenance<\/strong> and <strong>accountability<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">Problem 3: Static credentials don\u2019t fit dynamic behavior.<\/mark><\/em> An agent might need read access to logs at one moment, write access to a config at the next, and query access to a database after that, within a single session. <strong>Long-lived, broad credentials are a security disaster waiting to happen.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Protocol Foundation: Let\u2019s Talk About the RFC 8693<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">When I dug into how forward-thinking engineering teams are solving the agentic AI identity challenges, I kept coming back to a relatively old RFC:&nbsp;<strong>RFC 8693, OAuth 2.0 Token Exchange<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This protocol, published in 2020, was originally designed for scenarios where a resource server needed to trade an access token for a different token to call a backend service. The classic microservices delegation pattern. But its core concept, a Security Token Service (STS) that can validate an existing credential and issue a new, scoped token for a specific purpose, turns out to be exactly the right foundation for agent identity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s why it matters for agentic workflows:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RFC 8693 introduces two key concepts that map directly onto the agent problem. First,&nbsp;<strong>delegation semantics<\/strong>: the idea that Principal A can act&nbsp;<em>on behalf of<\/em>&nbsp;Principal B, while still maintaining its own separate identity. The issued token carries information about both the subject (who authorized the action) and the actor (who is performing it). Second, the&nbsp;<strong>&#8220;act&#8221;&nbsp;claim in JWTs<\/strong>: a structured way to express and chain delegation in a token, creating a verifiable history of who delegated to whom.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Think of it like a chain of authorization letters. When the citizen submits their claim, it\u2019s like signing a letter saying, \u201cI authorize the Orchestration Agent to process this benefit request on my behalf.\u201d When the Orchestration Agent delegates to the Verification Agent, that agent gets a new letter that says \u201cAuthorized by the Verification Agent, acting on behalf of the Orchestration Agent, who was authorized by citizen Adam.\u201d Every hop in the chain is recorded, cryptographically.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The RFC 8693 token exchange flow with full provenance preserved at every step:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"745\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Blank-diagram-1-1024x745.png\" alt=\"\" class=\"wp-image-283\" style=\"width:1058px;height:auto\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Blank-diagram-1-1024x745.png 1024w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Blank-diagram-1-300x218.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Blank-diagram-1-768x559.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Blank-diagram-1-1536x1117.png 1536w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Blank-diagram-1-2048x1490.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The practical implementation of this looks like what organisations should build\/adopt: a Security Token Service that issues&nbsp;<strong>short-lived, single-hop JWTs<\/strong>. Each agent, before calling another agent or system, presents its current token and its target audience to the STS, which validates the chain and mints a fresh token scoped only for that next hop. A token issued for Agent A to call Agent B is useless if intercepted; it can\u2019t be replayed against any other service.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>What the&nbsp;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">act<\/mark>&nbsp;claim looks like inside a JWT at the final hop:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"508\" height=\"208\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/image-11.png\" alt=\"\" class=\"wp-image-303\" style=\"aspect-ratio:2.4424160468785217;width:590px;height:auto\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/image-11.png 508w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/image-11-300x123.png 300w\" sizes=\"auto, (max-width: 508px) 100vw, 508px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;<code>sub<\/code>&nbsp;claim always stays as the citizen. The nested&nbsp;<code>act<\/code>&nbsp;claims form a verifiable history of every delegation step. Downstream systems can enforce policies against the full chain not just the immediate caller.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A proposition of what \u201cSecure Agentic AI Identity\u201d should looks Like<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If we were to map all this out, a basic version of the architecture would probably look something like this:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"592\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Citizen-AI-Agent-Mesh-Architecture-1024x592.png\" alt=\"\" class=\"wp-image-282\" style=\"width:1099px;height:auto\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Citizen-AI-Agent-Mesh-Architecture-1024x592.png 1024w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Citizen-AI-Agent-Mesh-Architecture-300x174.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Citizen-AI-Agent-Mesh-Architecture-768x444.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Citizen-AI-Agent-Mesh-Architecture-1536x888.png 1536w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Citizen-AI-Agent-Mesh-Architecture-2048x1185.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h5 class=\"wp-block-heading\">1. Give Every Agent a Verifiable Identity, Not Just a Service Account<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">The first step is separating the&nbsp;workload&nbsp;identity from the&nbsp;agent&nbsp;identity. Just because Agent X runs inside a Kubernetes pod doesn\u2019t mean it should inherit the pod\u2019s service account as its identity. Each deployed agent should be registered in an Agent Registry and issued its own identity, cryptographically bound to the workload it runs on.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Tools like SPIFFE\/SPIRE are excellent here, they give workloads cryptographically signed identity certificates (SVIDs) that can be used to bootstrap agent-specific tokens from an STS. The agent gets an identity it can prove, not just a credential that was handed.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><a href=\"#2-never-let-tokens-outlive-their-purpose\"><\/a>2. Never Let Tokens Outlive Their Purpose<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Long-lived API keys and service account tokens that never rotate are a gift to attackers. With AI Agents, the answer is clear:&nbsp;<strong>tokens should be short-lived and scoped to a single hop<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If a session involves five agent-to-agent calls, that\u2019s five separate token exchanges, each producing a token valid for minutes and only for its intended recipient. The STS becomes a critical control plane, and every exchange is an opportunity to enforce policy: Does this agent have the right to delegate to that agent? Does the actor chain make sense for this request?<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><a href=\"#3-preserve-the-full-actor-chain--everywhere\"><\/a>3. Preserve the Full Actor Chain<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s not enough to give agents good credentials for calling downstream systems. We need to carry the&nbsp;<strong>full context<\/strong>: who initiated the session, through which agents, with what stated intent, all the way to the final API call or database query.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When the downstream system (payment system in our example) receives a request, it should be able to see a JWT claim chain that reads:&nbsp;<code>[citizen \u2192 orchestration-agent \u2192 verification-agent \u2192 review-agent]<\/code>. That\u2019s not just nice-to-have. It\u2019s what makes the process fully auditable. It\u2019s what makes compliance audits defensible. It\u2019s what lets us write policies that say \u201ca payment can only be triggered when the chain originated from an authenticated citizen, not from a fully automated pipeline with no human touchpoint.\u201d<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><a href=\"#4-apply-least-privilege--dynamically\"><\/a>4. Apply Least Privilege &#8211; Dynamically<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">AI agents are non-deterministic in their behavior, which means static permission sets are inherently over-privileged. The answer isn\u2019t to give agents broad access and hope they behave, it\u2019s&nbsp;<strong>Just-in-Time (JIT) access and Zero Standing Privileges<\/strong> combined with scope constraints in the token exchange flow.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When an agent requests a token to call a specific tool, the STS can evaluate: Is this the right agent for this tool? Is the human in the actor chain authorized to trigger this action? Does the current session context justify this scope? This is where the access control layer becomes adaptive rather than static.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><a href=\"#5-monitor-the-actor-chain-not-just-the-endpoint\"><\/a>5. Monitor the Actor Chain, Not Just the Endpoint<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Security operations teams are used to monitoring API calls. With agentic AI, you need to monitor <strong>the&nbsp;full lineage<\/strong>&nbsp;of every call. Who initiated? What agents were in the chain? What tools were invoked, in what order, with what authorization decisions?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This turns your SIEM or <strong>observability<\/strong> platform into something more like a behavioral analysis engine for AI agents. Anomaly detection shifts from \u201cthis service account called an unusual API\u201d to \u201cthis agent session deviated from expected patterns for this type of task.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Governance Layer<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In my experience working with organizations on IAM, one thing tends to hold true across the board: security controls are only as effective as the governance and visibility layers supporting them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From an identity security point of view, a useful way to think about agentic AI is as three stacked layers:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"755\" height=\"1024\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Three-Layer-Security-Architecture-755x1024.png\" alt=\"\" class=\"wp-image-284\" style=\"width:387px;height:auto\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Three-Layer-Security-Architecture-755x1024.png 755w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Three-Layer-Security-Architecture-221x300.png 221w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Three-Layer-Security-Architecture-768x1041.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Three-Layer-Security-Architecture-1133x1536.png 1133w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Three-Layer-Security-Architecture-1511x2048.png 1511w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Three-Layer-Security-Architecture-scaled.png 1888w\" sizes=\"auto, (max-width: 755px) 100vw, 755px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If your organisation try to jump straight to Layer 3 &#8211; governance dashboards, audit reports before Layer 1 is even in place. It rarely works out well. And the reason is straightforward: you can&#8217;t govern what you can&#8217;t identify.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To make a real difference, I beleive we shoudl start with <strong>a reliable source of truth<\/strong>, an Agent Registry (we can call it a Directory for Agent) that tells you which agents exist, what they&#8217;re authorized to do, where they&#8217;re deployed, and who owns them. Without that foundation, issuing meaningful identities becomes difficult, enforcing policies becomes inconsistent, and auditing becomes largely theoretical.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s talk ownership: the security admin sets the policy, the Dev team builds the agent, but it\u2019s the business owner who owns the &#8220;why&#8221; behind using it. Once it&#8217;s built, we need to talk about agent identity lifecycle management. Agents have their own version of JML, models get upgraded, vendors swap out, and purposes shift. If we aren&#8217;t careful, we get &#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">zombie agents<\/mark>&#8220;: AI agents quietly running with live credentials long after their job is done. It\u2019s essentially the AI version of the classic &#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">orphan account<\/mark>&#8221; problem, but given the scale of agentic AI, it has the potential to become a much larger attack surface if we don&#8217;t take it seriously.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Perhaps the most important shift, though, is treating agent identity <strong>as a natural part of the software development lifecycle<\/strong> kind of <strong>&#8220;Identity By design<\/strong>&#8220;. If teams are spinning up agents outside of identity provisioning processes, the problem compounds quickly. The goal (and this is easier said than done) is to make the secure path, the path of least resistance for developers. That usually means integrating agent identity management directly into the platforms, SDKs, and deployment pipelines they&#8217;re already using.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">My Practical Recommendations for Getting Started<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You don\u2019t have to solve all of this at once. Here\u2019s how I\u2019d prioritize:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"270\" src=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Agent-Identity-Security-Recommendations-1024x270.png\" alt=\"\" class=\"wp-image-287\" style=\"width:1116px;height:auto\" srcset=\"https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Agent-Identity-Security-Recommendations-1024x270.png 1024w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Agent-Identity-Security-Recommendations-300x79.png 300w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Agent-Identity-Security-Recommendations-768x203.png 768w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Agent-Identity-Security-Recommendations-1536x405.png 1536w, https:\/\/sme-access.com\/wp-content\/uploads\/2026\/05\/Agent-Identity-Security-Recommendations-2048x540.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">Start with inventory<\/mark><\/strong>&nbsp;Before you can secure agent identities, you need to know what agents exist. Do an audit. You will be surprised by what\u2019s running.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">Establish your identity foundation first<\/mark><\/strong> Get workload identity (SPIFFE\/SPIRE) in place. This is the cryptographic root everything else is built on.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">Instrument your token exchange<\/mark><\/strong>&nbsp;Even before you have full policy enforcement, getting every agent-to-agent call to go through an STS gives you visibility. Visibility is the prerequisite for control.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">Build provenance into your audit logs<\/mark><\/strong> Start logging the full actor chain on every significant action. This pays dividends immediately when something goes wrong.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">Enforce least privilege iteratively<\/mark><\/strong>&nbsp;Start with broad scopes, then tighten. It\u2019s easier to relax a scope than to recover from an over-privileged agent incident.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Enjoy !<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u0634\u0643\u0631\u064b\u0627 \/ Thank you \/ Merci<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reference<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8693\">RFC 8693 &#8211; OAuth 2.0 Token Exchange<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc7523\">RFC 7523 &#8211; JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.uber.com\/us\/en\/blog\/solving-the-agent-identity-crisis\/\">Solving the Identity Crisis for AI Agents<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/a2a-protocol.org\/latest\/topics\/what-is-a2a\/\">What is A2A<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.youtube.com\/watch?v=blmAkayzE8M\">How to Secure Agents using OAuth \u2014 Jared Hanson (Keycard, Passport.js)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/developer.cyberark.com\/blog\/can-spiffe-solve-the-secret-zero-problem\/\">Can SPIFFE Solve the Secret Zero Problem?<\/a><\/li>\n<\/ul>\n\n\n<div class=\"brz-root__container\"><\/div>\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The noise around Agentic AI security is hard to ignore. I&#8217;ve been watching identity challenges evolve for over 10 years, and what&#8217;s happening today feels different. We went from managing hundreds or thousands of Active Directory accounts to federating millions of consumer identities, to wrestling with the explosion of service accounts, API keys, and certificates [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"brizy-blank-template.php","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[17],"tags":[20,21,18,23,22,19],"class_list":["post-233","post","type-post","status-publish","format-standard","hentry","category-identity-security","tag-agenticai","tag-cybersecurity","tag-iam","tag-identiysecurity","tag-techstrategy","tag-zerotrust"],"_links":{"self":[{"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/posts\/233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sme-access.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=233"}],"version-history":[{"count":5,"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/posts\/233\/revisions"}],"predecessor-version":[{"id":335,"href":"https:\/\/sme-access.com\/index.php?rest_route=\/wp\/v2\/posts\/233\/revisions\/335"}],"wp:attachment":[{"href":"https:\/\/sme-access.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sme-access.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sme-access.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}