The Agentic Identity Control Plane · Part 1
Your AI agents are privileged identities you forgot to manage
Your AI agents are service accounts. You just forgot to manage them like service accounts.
That is the whole problem, and the identity vendors spent one week in June 2026 admitting it out loud.
The market reacted to the same realization at once
In a single week: SailPoint announced its intent to acquire Entro to scan for non-human identities and secrets. Bitwarden shipped an Agent Access SDK. Keeper pushed secrets sync to kill credential drift. Delinea wired privileged access management into data-exposure scoring. And a Cloud Security Alliance study commissioned by Zenity (445 IT and security professionals, surveyed September and November 2025) found that 54% of organizations report unsanctioned AI agents already in use, and 53% have had agents exceed their intended permissions.
That is not four product launches. That is the IGA and PAM market reacting to the same realization at once.
The realization, said plainly
An AI agent is a non-human identity. It authenticates, it holds secrets, it reaches APIs and data. It has the exact lifecycle a service account has, and we already know how to manage that lifecycle. We have known for twenty years.
So run the agent through the same five gates you run every service account through.
The five gates
1. Provisioning
Who created this agent, and what is its identity of record? If the answer is “a developer pasted a key into a .env file,” you do not have an identity. You have a leak with a heartbeat.
2. Least privilege
Veza’s 2026 State of Identity and Access analysis found that 27.8% of all permissions sit ungoverned, and just 0.01% of non-human identities hold 80% of cloud permissions. Agents inherit whatever you handed them, then go use all of it.
3. Secret rotation
Agents harvest credentials from .env files, password managers, and chat history. If a secret cannot be rotated without breaking the agent, it will never be rotated.
4. Audit
Can you answer “what did this agent touch last Tuesday” without grepping logs by hand? If not, you cannot do incident response on it.
5. Deprovisioning
When the project ends, does the agent’s access die with it, or does it become the orphaned account nobody remembers until the breach report?
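A worked version of the five gates, as an added example that is not part of the original post: a small Python checker that treats an agent record like a service-account record and reports which gates it fails. The record fields (`owner`, `identity_source`, `granted_scopes`, `audit_sink`, `project_end`), the 90-day rotation threshold, the two sample agents and the key=value access records are all constructed assumptions; the least-privilege gate is derived from the audit trail (granted versus observed scopes) so that gates 2 and 4 reinforce each other.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample data: a fixed "today", one well-governed agent, one agent that was
# wired up the way the post describes (a key pasted into a .env file), and a few access
# records in a simple key=value format. Names, fields and thresholds are assumptions.
TODAY = date(2026, 6, 18)
AUDIT_DAY = date(2026, 6, 16)
ROTATION_MAX_AGE = timedelta(days=90)   # assumed rotation policy

SAMPLE_LOG = [
    "2026-06-16T09:14:02Z agent=invoice-bot scope=crm:read resource=/customers/42 action=GET",
    "2026-06-16T09:14:05Z agent=invoice-bot scope=billing:write resource=/invoices/9001 action=POST",
    "2026-06-17T11:02:44Z agent=invoice-bot scope=crm:read resource=/customers/77 action=GET",
]


@dataclass
class AgentIdentity:
    name: str
    owner: str | None         # gate 1: human or team of record
    identity_source: str      # "idp" / "vault" for a real identity, "env_file" for a pasted key
    granted_scopes: set[str]  # gate 2: what was handed to the agent
    secret_issued: date | None
    rotation_supported: bool  # gate 3: can the secret change without breaking the agent?
    audit_sink: str | None    # gate 4: where access records land (None = nowhere)
    project_end: date | None  # gate 5: access is bound to a project lifetime


GOVERNED = AgentIdentity(
    name="invoice-bot", owner="finance-platform", identity_source="idp",
    granted_scopes={"crm:read", "crm:write", "billing:write"},
    secret_issued=TODAY - timedelta(days=30), rotation_supported=True,
    audit_sink="siem", project_end=TODAY + timedelta(days=180),
)

UNGOVERNED = AgentIdentity(
    name="research-helper", owner=None, identity_source="env_file",
    granted_scopes={"drive:read", "mail:send"},
    secret_issued=None, rotation_supported=False,
    audit_sink=None, project_end=None,
)


def parse_log(lines):
    """Turn key=value access records into dicts with a parsed timestamp."""
    events = []
    for line in lines:
        ts, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def touched_on(events, agent_name, day):
    """Gate 4 in practice: what did this agent touch on a given day?"""
    return sorted({e["resource"] for e in events
                   if e["agent"] == agent_name and e["ts"].date() == day})


def observed_scopes(events, agent_name):
    """Scopes the audit trail shows the agent actually exercising."""
    return {e["scope"] for e in events if e["agent"] == agent_name}


def check_gates(agent, events, today):
    """Return {gate: finding} for every gate the agent fails; an empty dict means all five pass."""
    findings = {}
    # 1. Provisioning: an identity of record, not a key in a .env file
    if not agent.owner or agent.identity_source == "env_file":
        findings["provisioning"] = "no owner of record, or identity is a key pasted into a .env file"
    # 2. Least privilege: compare what was granted with what the audit trail shows being used
    used = observed_scopes(events, agent.name)
    unused, exceeded = agent.granted_scopes - used, used - agent.granted_scopes
    if exceeded:
        findings["least_privilege"] = "used beyond grant: " + ", ".join(sorted(exceeded))
    elif unused:
        findings["least_privilege"] = "granted but never used: " + ", ".join(sorted(unused))
    # 3. Secret rotation: a secret that cannot rotate will never rotate
    if not agent.rotation_supported:
        findings["secret_rotation"] = "secret cannot be rotated without breaking the agent"
    elif agent.secret_issued is None or today - agent.secret_issued > ROTATION_MAX_AGE:
        findings["secret_rotation"] = "secret older than policy, or issue date unknown"
    # 4. Audit: without a sink, "what did it touch last Tuesday" has no answer
    if agent.audit_sink is None:
        findings["audit"] = "no audit sink; cannot answer what the agent touched on a given day"
    # 5. Deprovisioning: access dies with the project, or becomes the orphaned account
    if agent.project_end is None:
        findings["deprovisioning"] = "no expiry tied to the project"
    elif agent.project_end < today:
        findings["deprovisioning"] = "project ended but access is still live"
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("invoice-bot touched on", AUDIT_DAY, ":", touched_on(events, "invoice-bot", AUDIT_DAY))
    for agent in (GOVERNED, UNGOVERNED):
        print(agent.name, check_gates(agent, events, TODAY) or "all five gates pass")
```

Run as-is, the governed agent fails only gate 2 (it was granted `crm:write` and never used it), while the .env-file agent fails all five; the point of deriving gate 2 from the audit trail is that an agent with no audit sink cannot even demonstrate least privilege, which is why the gates are a lifecycle rather than a checklist.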
The discipline is not new
I have spent twenty years putting non-human identities through that lifecycle. The agent is just the newest one.
The teams getting it right are not buying a new “agent security” category. They are extending the NHI controls they already own. The agent is new. The discipline is not.
Which of these five gates does your agent program actually have today, and which one are you about to learn the hard way?
This is Part 1 of a two-part series. Part 2, The AI control plane moves from protocol to principal, looks at where this discipline should live now that the obvious chokepoint is moving out from under us.
Sources
- SailPoint announces intent to acquire Entro (2026-06-15): sailpoint.com
- Bitwarden Agent Access SDK (2026-06-17): bitwarden.com
- Keeper Universal Secrets Sync (2026-06-15): prnewswire.com
- CSA AI agent security study, commissioned by Zenity, 445 respondents (2026-04-16): cloudsecurityalliance.org
- Veza 2026 State of Identity and Access Report: veza.com