SC Media: 7 identity best practices

SC Media published a May 22 commentary by Neal Goldman that argues organizations should secure AI agents mainly through identity and access controls, not by inventing an entirely new security model. Goldman wrote that agents “need to present credentials and have the correct permissions” like any human or application, but said deployments change the risk because agents are unpredictable, can operate at machine speed and often inherit broad privileges from the platforms that run them. Goldman’s piece lands as U.S. agencies and cloud providers are also framing agentic AI as a deployment and control problem. CISA said on May 1 that its guidance on agentic AI adoption outlines security challenges and “actionable steps” for designing, deploying and operating such systems safely, while AWS said on April 2 that agentic systems can carry out unintended actions “before a human can intervene.” (scworld.com) ### Why does identity sit at the center of this argument? Goldman wrote that today’s agents generally do not have unique identities of their own and instead proxy the identities of the humans or applications they serve. That means the basic risk is familiar: if an agent can reach a system, it is because some credential, token or permission boundary already allows it. (cisa.gov) SC Media’s article says the response should be to “secure identities and manage least privilege,” then adapt those controls for agent-specific conditions such as non-deterministic behavior and rapid execution. Goldman’s framing is that the core discipline does not change, but the speed and autonomy of agents make weak identity hygiene more dangerous. (scworld.com) ### What did Goldman say is different about AI agents? Goldman identified three traits that require security teams to adjust planning, starting with unpredictability. He wrote that unlike traditional software with defined execution paths, agents are authorizing “decision making,” and the same prompt can produce different results because execution paths are probabilistic. (scworld.com) AWS made a similar point in its April 2 post, saying agents connect to tools and APIs, plan and execute sequences of actions autonomously, and create new security questions because unintended actions can happen at machine speed. CISA’s May 1 guidance likewise said organizations need stronger oversight as agentic AI adoption grows. ### Which platform defaults drew the sharpest warning? (scworld.com) Goldman wrote that major agent platforms, including Anthropic Claude and Microsoft Copilot, were built to deliver functionality quickly and often leave security as an afterthought. He said such platforms generally require administrative or otherwise privileged access to function, lack granular permission controls, and in some cases elevate privileges behind the scenes. (aws.amazon.com) The SC Media article gives AWS Bedrock as a concrete example. Goldman wrote that creating a long-term API key in Bedrock also creates a separate AWS IAM user, assigns it a highly privileged Bedrock IAM policy and then generates an API key for that user. ### So what are the practical controls SC Media is pointing readers toward? SC Media’s search excerpt says Goldman’s seven recommendations include stronger identity security and least-privilege management to reduce the risk that agents, humans and other machine identities expose systems to malicious or accidental attacks. (scworld.com) The article summary and related SC Media coverage point specifically to ephemeral secret mounting, per-access authentication and tighter governance of non-human identities. Those controls fit the broader pattern in current guidance. CISA said agentic AI security should align with existing cybersecurity frameworks, and AWS said the industry should extend existing frameworks with architectural controls tailored to autonomous systems rather than replace them outright. ### What should readers watch next? CISA’s guidance remains a live reference point for organizations building or buying agentic systems, and AWS said its April 2 post reflects a response to NIST’s January 2026 request for input on securing autonomous AI systems. (scworld.com) SC Media’s full May 22 perspective by Goldman is the primary source for the seven-item checklist and the implementation details attached to each recommendation. (cisa.gov)