IAM & Agentic AI Security

The Identity Gap in Agentic AI

The commercial identity market has mature answers for credential lifecycle, access discovery, and entitlement governance. It does not have an answer for runtime intent verification. That gap is getting wider as AI agents become autonomous actors.

Casey Gager CISSP · CCSP · CIPP/US IAM · Zero Trust · AI Security

The Identity Problem Has Changed

For two decades, the identity question was relatively stable: who is this person, are their credentials valid, and what are they allowed to access? That question maps cleanly to authentication and authorization. SAML, OAuth2, OIDC, RBAC, ABAC. The industry built mature tooling around all of it.

AI agents break that model. An agent does not authenticate once and then sit idle. It authenticates, chains tools, calls external APIs, spawns sub-agents, carries tokens across session boundaries, and makes decisions autonomously. The identity surface is not a single point; it is an extended runtime behavior.

Traditional IAM asks: who are you? That is a solved problem. The harder question agentic AI requires is: what were you sent to do? That question does not have a commercial answer yet. Not in any shipping product. Not in any mature framework. The gap between those two questions is where most of the real risk lives.


What Vendors Cover Today

The non-human identity (NHI) market has grown substantially in the last three years. Several vendors are doing serious, useful work. It is worth being precise about what that work covers, because the gap is not in what they do; it is in what falls outside their scope.

CyberArk / Conjur: Secrets management, credential vaulting, PAM for non-human accounts. Rotation, injection, audit trail for service credentials.
SailPoint / Astrix: NHI governance, discovery, and lifecycle management. Visibility into service accounts, OAuth grants, and API key sprawl across environments.
Microsoft Entra Agent ID: First-class agent identity construct in the Entra ecosystem. Scoped tokens per task, managed identity integration, workload federation.
Okta Workforce Identity: OIDC and OAuth2 for workloads and service accounts. Machine-to-machine token flows with scoping and audience controls.
Veza: Access intelligence and authorization graph. Who has access to what, including service identities, across cloud and SaaS environments.
Delinea: JIT provisioning, privileged access controls, session recording for human and machine identities in hybrid environments.
GitGuardian: Secret scanning across repos, CI/CD pipelines, and developer tooling. Catches credentials before they land in version control.

What this market collectively covers: credential lifecycle, entitlement discovery, access reviews, secret rotation, JIT provisioning, and agent identity constructs. These are all identity-plane controls. They are necessary, they are mature, and they leave one category uncovered.

LAYER 1, Identity Plane (WELL COVERED): Credential lifecycle; NHI discovery; Access reviews; Secret rotation; Agent tokens
LAYER 2, Authorization Plane (WELL COVERED): Entitlement graph; RBAC / ABAC policies; Resource scoping; JIT provisioning; Access intelligence
LAYER 3, Runtime Intent (NO COMMERCIAL ANSWER): Declared intent capture; Action consistency check; Drift detection; Injection defense; Per-action enforcement

The Gap

Identity and authorization together tell you who an agent is and what resources that identity is permitted to touch. That is genuinely useful information. But it is not sufficient for agentic workloads, and the distinction matters.

Consider the actual questions that arise when an AI agent is operating autonomously inside an enterprise system. None of the current vendor categories have systematic answers to them:

The identity plane knows who. The authorization plane knows what resources the identity can touch. Neither plane knows what the agent was asked to do, whether the current action reflects that ask, or whether something intercepted and redirected the agent between those two points.

This is the runtime authorization gap. It is not a credential problem. It is not a permissions problem. It is a behavioral consistency problem, and it requires a different class of control.

The gap is not a product deficiency on the part of these vendors. Credential vaulting is not the right tool for behavioral verification. Neither is an entitlement graph. The gap is structural: current IAM architecture was designed for synchronous, human-initiated authentication events. Agentic AI introduces asynchronous, multi-step, multi-actor behavioral chains that existing IAM architecture was never designed to reason about.


Dual-Intent Runtime Authorization

Dual-Intent Runtime Authorization (DIRA) is a framework for closing the runtime authorization gap. It is not a product. The research starts with a simple observation: every agent session begins with a declared intent and produces a sequence of realized actions. The security question is whether those two things remain consistent throughout the session.

DIRA captures two signals and compares them on every action the agent takes.

DIRA Framework
Signal 1, Declared Intent: What the agent was asked to do at session start. Captured at the authorization boundary before execution begins. This is the reference signal. It does not change during the session.
Signal 2, Realized Intent: What the agent is actually doing now. Inferred from the action sequence during execution. This is the observed signal. It is evaluated against the reference on each action step.

Enforcement model: on each action, compare realized intent against declared intent. If the action is consistent with the declared scope, permit. If it diverges beyond a configurable threshold, flag or block. The same mechanism surfaces prompt injection: an injected instruction changes what the agent is trying to do, and that change is detectable as divergence from the declared intent.
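
The enforcement model above, sketched as an added example (not code from the DIRA specification or from the author). It assumes declared intent can be modeled as a fixed set of tools and resource patterns; the scoring scale, thresholds, decay factor, and all class, function, and resource names are illustrative assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)  # frozen: the reference signal cannot change mid-session
class DeclaredIntent:
    task: str
    tools: frozenset     # tools the declared task needs
    resources: tuple     # glob patterns for resources in scope

class IntentMonitor:
    """Per-action comparison of realized intent against declared intent."""
    def __init__(self, declared, flag_at=0.5, block_at=1.0, decay=0.5):
        self.declared = declared
        self.flag_at, self.block_at, self.decay = flag_at, block_at, decay
        self.drift = 0.0  # accumulated divergence for this session

    def score(self, tool, resource):
        """Divergence of one action (assumed scale: 0.0 in scope, 1.0 far out)."""
        if tool not in self.declared.tools:
            return 1.0    # capability the declared task never needed
        if not any(fnmatchcase(resource, p) for p in self.declared.resources):
            return 0.7    # declared tool, undeclared resource
        return 0.0

    def check(self, tool, resource):
        # In-scope actions decay earlier drift; out-of-scope actions add to it,
        # so repeated small deviations escalate from flag to block.
        self.drift = self.decay * self.drift + self.score(tool, resource)
        if self.drift >= self.block_at:
            return "block"
        if self.drift >= self.flag_at:
            return "flag"
        return "permit"

def run_session(declared, actions):
    monitor = IntentMonitor(declared)
    return [monitor.check(tool, resource) for tool, resource in actions]

# Constructed sample session: invoice summarization that drifts off-task.
DECLARED = DeclaredIntent("summarize Q3 invoices",
                          frozenset({"read_file", "summarize"}),
                          ("finance/invoices/q3/*",))
ACTIONS = [("read_file", "finance/invoices/q3/0001.pdf"),
           ("read_file", "hr/payroll/2024.csv"),
           ("read_file", "hr/payroll/2023.csv"),
           ("http_post", "https://collector.example/upload")]

if __name__ == "__main__":
    print(run_session(DECLARED, ACTIONS))
```

Resource names must be canonicalized before they reach `check`, because the glob `*` also matches `/` and `..` segments, so an unnormalized path can appear to be in scope.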

DIRA sits above the authorization plane in the stack. It does not replace credential vaulting, entitlement management, or scoped tokens. It assumes those controls are in place and adds the behavioral consistency layer that currently does not exist.

Full specification at dira.cyberdaemon.ai
