AI agents are new identities
Industry coverage is reframing AI agents as an identity class that authenticates, requests resources and acts with delegated authority, expanding AI security concerns beyond model risk to agent governance and telemetry. The pieces argued security teams should separate human, service, application and agentic identities in logging and build controls and dashboards that show authentication, policy denials and resource access per identity class. (cio.com)
A chatbot answering a question is one thing. An artificial intelligence agent that logs in, opens systems, reads files, and places orders is starting to look less like software and more like a new employee badge. (cio.com) That shift is showing up in security guidance now. Microsoft says artificial intelligence systems need identity-based controls that authenticate agents, enforce access policies, and govern “nonhuman identities” alongside people and apps. (learn.microsoft.com) The reason is simple: old software usually follows fixed steps, but agents make choices on the fly. Microsoft’s example is an infrastructure agent that could delete critical systems if it is compromised, because it can decide and act without waiting for a person. (learn.microsoft.com) That is why the conversation is moving away from model risk alone. The April 10, 2026 CIO piece says security teams now have to think about permissions, monitoring, and supply-chain exposure around Model Context Protocol servers and command-line interfaces, not just whether a model gives a bad answer. (cio.com) Once an agent can authenticate, it needs a lane of its own in the logs. The same Microsoft guidance groups humans, applications, services, and agents as identities that should get consistent authentication, authorization, and governance controls, which is a different setup from lumping every nonhuman action into one machine bucket. (learn.microsoft.com) That split changes what a security dashboard has to show. If an agent is denied access to a finance folder at 2:14 p.m., that event needs to be visible as an agent action, not buried among service account noise, because the fix might be a delegated-permission problem instead of a broken app. (learn.microsoft.com) The industry is already building around that idea. Microsoft’s March 2026 Entra update says “Agent 365” will become the unified catalog and control plane for agents, while Entra Agent ID remains the identity foundation underneath it. (learn.microsoft.com) Standards bodies are moving in the same direction. The National Institute of Standards and Technology launched its Artificial Intelligence Agent Standards Initiative on February 17, 2026, and one of its first linked projects is a concept paper on “Software and AI Agent Identity and Authorization.” (nist.gov) The language there is telling. NIST says it is researching authentication and identity infrastructure for agents that act “on behalf of users,” which is the same delegated-authority problem companies have dealt with for human assistants and service accounts, now applied to software that can keep working for hours. (nist.gov) Federal coverage of the NIST project put the risk in plain terms in February 2026: agents can write code, manage calendars, and shop for goods, but their real-world use depends on whether organizations can identify, manage, and authorize their actions securely. (federalnewsnetwork.com) So the new question in enterprise security is no longer just “what model is this?” It is “who is this agent, what was it allowed to do, what did it try to do, and where can we see every denial, approval, and resource touch tied to that identity class.” (cio.com)
