A lot of companies are racing to secure AI agents before they have solved the underlying problem of human authority and identity governance. I’ll be blunt: that’s just backwards.
Agents don’t operate independently from the rest of the organization. They operate inside the boundaries, permissions and operational systems humans have already created. That means the future of agentic security will be heavily shaped by how well organizations govern human access, delegated authority and privileged operations today.
That point gets missed surprisingly often. Right now, most enterprise discussions around agents focus on the models themselves:
- Which framework are we using?
- Which orchestration layer?
- Which copilots?
- Which tools?
- Which guardrails?
Those are important questions. But they are not the foundational question. The better question is: what operational authority is being delegated and how is it governed?
That becomes especially important because most organizations are still figuring out how to handle privileged human access in modern environments. Standing privilege is still everywhere. Access approvals are often inconsistent. Service accounts are poorly governed. Entitlements drift over time. Teams accumulate broad operational permissions because no one wants workflows to break.
NOW layer agents on top of that environment.
The industry often talks about agent identity as if there is one standard deployment model. In reality, organizations are already deploying agents in several very different ways, each with different operational and security implications.
In some environments, the organization deploys and governs the agent centrally through IT or platform engineering teams. The agent operates with its own scoped identity, permissions and operational boundaries regardless of which employee interacts with it.
In other cases, users deploy or connect agents themselves. In those environments, the agent may inherit portions of the user’s identity, permissions or delegated authority directly from the requester.
And increasingly, agents are invoked indirectly through service accounts, orchestration systems, workflows or background automation where there may not be a single obvious human identity tied to the action at all.
Each model creates different risks.
An independently governed agent may hold broader operational visibility than the requesting user realizes. A user-scoped agent may inherit overly broad permissions from the requester. A workflow-driven agent may operate through service identities that no individual human fully understands or governs.
Imagine a user who only has access to a subset of customer records in Salesforce. They invoke an agent to identify at-risk customers or automate a workflow. The agent itself, however, may support multiple departments and hold visibility into a much larger customer dataset than the requester can directly access.
Separately, neither identity model necessarily looks alarming. Combined, a new operational authority surface emerges.
That complexity is exactly why agentic security is becoming less about static permissions and more about understanding how authority gets assembled dynamically across humans, agents, services, tools and runtime systems.
The risk does not come only from human authority. The risk does not come only from agent authority. The risk emerges from the combination. That is why organizations need stronger guardrails around both the requester and the agent itself.
A lot of current conversations focus almost entirely on restricting the agent: limiting tool access, constraining prompts, adding approvals and reducing operational scope.
Those things matter. But if the human request path itself is poorly governed, organizations are already starting from an unstable foundation.
If a company already has excessive standing privilege, inconsistent approval models, unclear entitlement boundaries, weak operational identity governance, broad service account access or poor visibility into delegated authority, those weaknesses do not disappear when agents arrive. They become amplified.
This is where I think the industry still underestimates the importance of modern privileged access governance. The future operational model for agents is going to rely heavily on concepts enterprises are still struggling to implement consistently for humans:
- least privilege
- bounded operational scope
- contextual authorization
- runtime policy enforcement
- approval-based escalation
- per-request authorization
- accountability tied to real identities
Those capabilities are not becoming less important in an agentic world. They are becoming foundational.
Agentic systems also widen the gap between authentication and operational control. Authentication answers a relatively simple question: who initiated the request?
Operational control is much harder:
- What systems are involved?
- What authority is being delegated?
- What downstream actions become possible?
- What operational boundaries apply?
- What context should constrain the action?
- Which approvals are required?
- What combinations of authority should never exist together?
Those are authorization and governance questions… not just identity questions.
This is why the future of agentic security is going to depend heavily on blended identity models and contextual authorization decisions. Organizations cannot evaluate the human identity and the agent identity separately anymore. They need to understand how those identities interact operationally in real time.
The user’s entitlements matter. The agent’s operational scope matters. The workflow matters. The tools matter. The runtime context matters. That entire puzzle* determines what becomes possible.
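To make the Salesforce scenario above concrete, here is an added illustration (not code from the original post or any vendor product) of a per-request blended authorization check: the requester's entitlements, the agent's own scope and an approval record are combined at decision time, so the agent never exposes more than the intersection. The CRM records, principals and action names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample CRM data (not real Salesforce records); "region" stands in for a sharing rule.
RECORDS = {
    "acct-1": {"region": "EMEA", "risk": "high"},
    "acct-2": {"region": "EMEA", "risk": "low"},
    "acct-3": {"region": "APAC", "risk": "high"},
    "acct-4": {"region": "AMER", "risk": "high"},
}
ESCALATED = {"bulk_update"}  # actions that need an approval even when both scopes permit them


@dataclass(frozen=True)
class Principal:
    """A human requester or an agent; both carry a record scope and an action scope."""
    name: str
    regions: frozenset
    actions: frozenset


def agent_only_view(agent: Principal) -> list:
    """What the agent can see when its identity is evaluated in isolation (the over-exposure case)."""
    return sorted(rid for rid, rec in RECORDS.items() if rec["region"] in agent.regions)


def effective_authority(user: Principal, agent: Principal, action: str,
                        approvals: frozenset = frozenset()):
    """Blended decision: the action must be within BOTH the agent's and the requester's scope,
    escalated actions also need an approval, and visibility is the intersection of both scopes."""
    if action not in agent.actions:
        return False, f"agent {agent.name} is not scoped for {action}", []
    if action not in user.actions:
        return False, f"requester {user.name} is not entitled to {action}", []
    if action in ESCALATED and action not in approvals:
        return False, f"{action} requires approval-based escalation", []
    regions = user.regions & agent.regions
    visible = sorted(rid for rid, rec in RECORDS.items() if rec["region"] in regions)
    return True, f"{user.name} via {agent.name}, scope {sorted(regions)}", visible


# Constructed scenario: an EMEA-only user invokes a multi-department agent.
USER = Principal("alice", frozenset({"EMEA"}), frozenset({"read", "bulk_update"}))
AGENT = Principal("churn-agent", frozenset({"EMEA", "APAC", "AMER"}), frozenset({"read", "bulk_update"}))

if __name__ == "__main__":
    print("agent alone sees:", agent_only_view(AGENT))                   # all four records
    print("blended read:", effective_authority(USER, AGENT, "read"))     # only acct-1, acct-2
    print("blended bulk_update:", effective_authority(USER, AGENT, "bulk_update"))  # denied, needs approval
```

The same check rejects an action the agent is not scoped for even when the human is entitled to it, which is the guardrail on the agent side the article calls for.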
The future of agentic security will not be determined by model quality alone. It will be determined by how well organizations govern human authority, delegation and operational identity before autonomous systems begin operating at AI scale.
*Speaking of “puzzle,” if you plan to be at Identiverse in a few weeks, stop by our booth. We will show you how we put the pieces together for end-to-end agentic policy enforcement at runtime!
