Agents create identity headaches

Reporting says AI agents are beginning to act like employees—taking actions and making decisions—while companies still treat them as software, creating ambiguity over identity, permissions and accountability. The shift frames agent governance as a workforce‑style problem as much as a traditional IT control issue. (fortune.com)

Companies are starting to give artificial intelligence agents real authority inside the business, while still managing them like ordinary software. (tech.yahoo.com)

In an April 13 column distributed by Yahoo Tech and AOL, Okta executive Dan Mountstephen wrote that agents can analyze data, start workflows, and make customer-facing or financial decisions without a human manager directing each step. He said the risk is shifting from model intelligence to delegated authority. (tech.yahoo.com) (aol.com)

The scale is already large. Microsoft said on February 10 that more than 80% of Fortune 500 companies use active artificial intelligence agents, including in sales, finance, security, customer service, and product work. (microsoft.com)

The identity problem is basic but messy: companies know how to hire, credential, monitor, and remove people, and they know how to manage fixed software accounts, but agents sit in between. Okta said traditional identity and access management assumed predictable behavior and slower provisioning, while agents can be created in large numbers and change what they do based on context. (okta.com)

That leaves a gap over who an agent is, what systems it can touch, and who answers when it makes a mistake. The National Institute of Standards and Technology opened a concept paper for comment on February 5 that asked for input on identification, authorization, auditing, non-repudiation, and prompt-injection controls for software and artificial intelligence agents. (csrc.nist.gov)

Survey data suggests companies are deploying agents faster than they are governing them. Gravitee said in a February 4 report based on 919 executives and practitioners that 88% of organizations had confirmed or suspected agent-related security incidents, while only 22% treated agents as independent identities. (gravitee.io 1) (gravitee.io 2)

Vendors are now trying to turn that security gap into a product category. Okta said on March 16 that its “Okta for AI Agents” product will be available on April 30 and pitched it as a way to find agents, control their access, and cut off permissions quickly if one goes wrong. (investor.okta.com)

Microsoft is framing the same shift in workforce terms. Its February report said agents should be held to the same standards as employees or service accounts, with least-privilege access, explicit verification, and an assumption that compromise will happen. (microsoft.com)

The argument over governance is not whether agents are human. It is whether companies can keep treating digital workers with open-ended access as if they were just another background application. (tech.yahoo.com)
