Runtime identity rises
- Analysts argue runtime identity is becoming a core cybersecurity priority as agentic AI and bots act autonomously.
- The piece frames identity as who or what is acting, with what authority, and in which context at runtime.
- Expanding identity models beyond humans to include AI agents changes how access, approvals and runtime monitoring are designed. (channellife.com.au)
Identity in cybersecurity used to mean logging in a person. In 2026, vendors and analysts are recasting it as a runtime question: what is acting, with whose authority, in what context, right now. (learn.microsoft.com, pingidentity.com)

Microsoft says identity and access management already covers “people, machines, and software components,” but most enterprise controls were built around employees and apps with fixed roles. Ping Identity argued on March 24 that autonomous agents need checks at the moment of each action, not just when credentials are issued. (learn.microsoft.com, pingidentity.com)

Amazon made the same shift earlier, launching Bedrock AgentCore Identity on August 15, 2025 as an identity and access management service “purpose-built for AI agents.” AWS said agents may access GitHub, Salesforce, Slack and AWS services either on behalf of users or on their own with pre-authorized consent. (aws.amazon.com)

The underlying problem is simple: an agent is software that can plan steps and call tools without waiting for a human click each time. Microsoft wrote on April 2 that agents are now booking flights, executing trades, writing code and managing infrastructure autonomously. (opensource.microsoft.com)

That changes access design from “who signed in” to “who delegated this task, what tool is being used, and what action is allowed now.” Ping said agents should be registered as first-class identities, tied to human delegates, and evaluated against fine-grained rules on every action. (pingidentity.com)

Industry groups are starting to formalize that model. The Cloud Security Alliance published an Agentic AI Identity and Access Management framework on August 18, 2025 that says OAuth, Security Assertion Markup Language and OpenID Connect were built for static apps and human users, not autonomous multi-agent systems. (cloudsecurityalliance.org)

The proposed replacements borrow from zero-trust security and cryptography. The Cloud Security Alliance points to decentralized identifiers, verifiable credentials, just-in-time access and real-time monitoring, while Microsoft’s toolkit uses cryptographic identity and a policy engine that intercepts each agent action before execution. (cloudsecurityalliance.org, opensource.microsoft.com)

Regulators are also moving onto the same timeline. Microsoft said the European Union Artificial Intelligence Act’s high-risk obligations take effect in August 2026, and the Colorado Artificial Intelligence Act becomes enforceable in June 2026. (opensource.microsoft.com)

Not everyone defines runtime identity the same way, and many of the loudest voices are vendors selling the controls. But across Microsoft, AWS, Ping Identity and the Cloud Security Alliance, the common idea is now consistent: if software can act like a worker, security teams have to identify, authorize and watch it like one. (opensource.microsoft.com, aws.amazon.com, pingidentity.com, cloudsecurityalliance.org)
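
A minimal sketch of the per-action check the article describes, added here as an illustration and not taken from Microsoft, AWS, Ping Identity or the Cloud Security Alliance: each tool call is evaluated against the agent's registration, its human delegator, the tool, the action and the time of the call, and every decision is logged. All names and sample values are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegation:
    agent_id: str        # registered agent identity
    delegator: str       # human the agent acts for
    tool: str            # external tool the grant covers
    actions: frozenset   # actions allowed on that tool
    expires_at: float    # just-in-time grant expiry (epoch seconds)

@dataclass(frozen=True)
class ActionRequest:
    agent_id: str
    on_behalf_of: str
    tool: str
    action: str
    at: float            # time of the action, not of credential issuance

def authorize(req, registry, delegations, audit):
    """Decide one action at runtime and record the decision for monitoring."""
    allowed, reason = False, "no delegation for this tool"
    if req.agent_id not in registry:
        reason = "unregistered agent"
    else:
        for d in delegations:
            if (d.agent_id, d.delegator, d.tool) != (req.agent_id, req.on_behalf_of, req.tool):
                continue
            if req.at >= d.expires_at:
                reason = "delegation expired"
            elif req.action not in d.actions:
                reason = "action not delegated"
            else:
                allowed, reason = True, "ok"
                break
    audit.append((req.at, req.agent_id, req.on_behalf_of, req.tool, req.action, allowed, reason))
    return allowed, reason

# Constructed sample data (hypothetical agent, user and tools).
REGISTRY = {"agent:release-bot"}
GRANTS = [Delegation("agent:release-bot", "alice@example.com", "github",
                     frozenset({"read_repo", "open_pr"}), expires_at=1000.0)]

def demo():
    audit = []
    reqs = [ActionRequest("agent:release-bot", "alice@example.com", "github", "open_pr", 500.0),
            ActionRequest("agent:release-bot", "alice@example.com", "github", "merge_pr", 500.0),
            ActionRequest("agent:release-bot", "alice@example.com", "github", "open_pr", 1500.0),
            ActionRequest("agent:rogue", "alice@example.com", "github", "open_pr", 500.0)]
    return [authorize(r, REGISTRY, GRANTS, audit) for r in reqs], audit
```

The third request is the runtime case: the same agent, delegator and action that passed at t=500 is refused at t=1500 because the grant has lapsed, which a check made only at credential issuance would not catch.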