Abstract
The rapid adoption of autonomous AI agents—software systems capable of perceiving context, reasoning over goals, invoking tools, and executing multi-step actions with limited human intervention—exposes fundamental limitations in conventional Identity and Access Management (IAM) systems. Designed primarily for human users or static machine identities (e.g., service accounts and API keys), traditional IAM protocols such as OAuth 2.0, OpenID Connect (OIDC), SAML, and role-based or attribute-based access control (RBAC/ABAC) prove inadequate for the dynamic, ephemeral, non-deterministic, and often recursive delegation patterns characteristic of multi-agent systems (MAS).
This article provides a structured examination of the problem. It reviews the shortcomings of existing approaches in handling agent identity lifecycle, authenticated delegation, fine-grained and context-aware authorization, cross-protocol session management, and auditability. It then analyzes promising technical frameworks, including decentralized identifiers (DIDs) and verifiable credentials (VCs) combined with zero-knowledge proofs (ZKPs), authenticated delegation extensions to OAuth/OIDC, zero-trust architectures with dynamic policy enforcement, and capability-aware discovery mechanisms such as Agent Naming Services (ANS). Regulatory drivers, notably the EU Artificial Intelligence Act and emerging NIST initiatives on agent identity, are considered alongside ongoing standards work by the OpenID Foundation and related bodies. The analysis concludes by identifying critical research gaps and the need for interoperable, purpose-built standards that balance agent autonomy with robust accountability and security guarantees.
1. Introduction
AI agents represent a paradigm shift from passive models or scripted automation to active, goal-oriented entities that operate across digital environments. Unlike traditional software, agents exhibit autonomy, adaptivity, and the capacity to delegate or spawn sub-agents, creating complex chains of authority. As deployments scale—from consumer assistants and enterprise workflow agents to multi-agent systems coordinating research, trading, customer service, or infrastructure management—the question of *who* an agent is, *what* it is authorized to do, and *how* its actions can be attributed and governed becomes central to security, compliance, and trust.
Conventional IAM evolved to manage human identities (with strong authentication, consent flows, and governance) and, later, non-human identities (NHIs) such as workloads, IoT devices, and service accounts. Standards like SPIFFE/SPIRE provide cryptographic workload identities via X.509 certificates or JWTs bound to attested environments, enabling zero-trust service-to-service communication. However, AI agents differ qualitatively: they are often short-lived or task-bounded instances of underlying models and code; their behavior is non-deterministic and context-dependent; they require rich, dynamic claims about capabilities, provenance, behavioral scope, and compliance posture; and they participate in delegation chains that must remain auditable even when agents act asynchronously or across trust domains.
The result is a proliferation of secrets, coarse-grained permissions, attribution gaps, and an expanded attack surface. Prompt injection, agent compromise, confused deputy problems in inter-agent communication, and recursive delegation without scope attenuation pose concrete risks. Industry analyses and early academic position papers converge on the diagnosis that merely extending existing protocols is insufficient; a purpose-built Agentic AI IAM paradigm is required.
2. The Limitations of Traditional IAM in the Agentic Era
Traditional IAM assumes relatively stable principals, predictable actions, and human-centric governance workflows. Several structural mismatches emerge with AI agents:
- Identity Lifecycle and Ephemerality: Agents may be instantiated on-demand, cloned, versioned, or terminated rapidly. Static service accounts or long-lived credentials create “secret sprawl” and orphaned privileges. Distinguishing agent type (template or model) from *instance* (runtime state, memory, interaction history) is essential for traceability yet unsupported in most systems.
- Authentication and Attribution: Proving “this specific agent instance is acting” is difficult when behavior is emergent. Shared credentials or impersonation flows blur lines between agent and human sponsor, undermining accountability.
- Authorization and Delegation: Coarse-grained scopes fail to capture nuanced, context-sensitive permissions. Agents may need just-in-time, narrowly scoped access that attenuates properly across recursive delegations (agent → sub-agent). Natural language instructions from users must translate reliably into enforceable policies without introducing new vulnerabilities.
- Session and State Management: Agents operate across heterogeneous protocols (e.g., MCP for tool use, A2A communication, browser orchestration). Global revocation or policy updates must propagate consistently; traditional session models do not span these boundaries.
- Auditability and Non-Determinism: Logging “who did what” requires cryptographic binding of actions to verified identities and scopes. Non-deterministic reasoning complicates static policy enforcement and post-hoc forensic analysis.
- Scalability and Dynamics: Thousands of short-lived agents, inter-agent discovery, and cross-domain interactions overwhelm centralized registries and manual review processes. Human oversight fatigue becomes a systemic risk.
These gaps are documented in recent analyses. Huang et al. (2025) illustrate how existing protocols struggle with identities that “spawn others, dynamically change roles, or require fine-grained, context-sensitive authorization at massive scale.” South et al. (2025) emphasize the accountability vacuum created when agents act indistinguishably from users or when delegation chains lack verifiable provenance. The OpenID Foundation whitepaper (2025) highlights fragmentation risks, the inadequacy of impersonation versus true delegated authority, and the absence of robust support for shared/team agents or browser/computer-use agents that bypass API-centric controls.
3. Emerging Technical Frameworks for Agent Identity and Access Management
Researchers and standards bodies are converging on layered, cryptographic, and policy-driven approaches that treat agents as first-class, verifiable entities.
3.1 Decentralized and Cryptographic Identities (DIDs, VCs, and ZKPs)
W3C Decentralized Identifiers (DIDs) v1.0 and Verifiable Credentials (VCs) Data Model provide globally unique, controller-controlled, cryptographically verifiable identifiers and signed attestations. For agents, a DID can anchor persistent identity while VCs convey dynamic claims: capabilities, authorized toolsets, provenance (model hash, training data characteristics), compliance attestations (e.g., SOX or regulatory posture), reputation, or behavioral scope.
Huang et al. (2025) integrate DIDs and VCs as foundational pillars of a zero-trust Agentic AI IAM framework. VCs enable selective disclosure and, when combined with Zero-Knowledge Proofs (ZKPs), privacy-preserving verification that an agent possesses required attributes without revealing underlying details. This supports both self-sovereign agent operation and governance by accredited issuers. The approach directly addresses NHI proliferation by replacing static secrets with rich, revocable, instance-aware credentials.
3.2 Authenticated Delegation and Authorized AI Agents
A core innovation is moving from impersonation (agent acts *as* the user) to explicit, auditable delegation (agent acts *on behalf of* the user or another principal within a defined scope).
South et al. (2025) propose extensions to OAuth 2.0 and OIDC that introduce Agent-ID tokens (capturing agent metadata, capabilities, and limitations) and Delegation Tokens signed by the human principal. These reference user ID tokens and specify scopes, validity periods, and revocation conditions. Natural language permissions can be translated (with human oversight where appropriate) into structured policies. The framework maintains compatibility with existing web infrastructure while providing clear chains of accountability.
Complementary work explores Verifiable Credentials for delegation and mechanisms such as token exchange or macaroons/biscuits for offline scope attenuation in recursive delegation scenarios.
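The offline scope attenuation mentioned above can be illustrated with a macaroon-style HMAC chain, in which each holder in a delegation chain may add restrictions but cannot remove them. This is an added example, not code from the cited papers and not the token format proposed by South et al.; the caveat names (`scope`, `expires`, `max_depth`), the identifiers, and the key are constructed for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    """Issuer (holds root_key) creates the initial delegation token."""
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}

def attenuate(token: dict, caveat: str) -> dict:
    """Any holder narrows the token offline: new sig = HMAC(previous sig, caveat)."""
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat)}

def caveat_holds(caveat: str, request: dict) -> bool:
    key, _, value = caveat.partition("=")
    try:
        if key == "scope":
            return request["scope"] in value.split(",")
        if key == "expires":
            return request["now"] < int(value)
        if key == "max_depth":
            return request["depth"] <= int(value)
    except (KeyError, ValueError):
        pass
    return False  # unknown or malformed caveats fail closed

def verify(root_key: bytes, token: dict, request: dict) -> bool:
    """Verifier replays the HMAC chain, then requires every caveat to hold."""
    sig = _mac(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = _mac(sig, caveat)
    return (hmac.compare_digest(sig, token["sig"])
            and all(caveat_holds(c, request) for c in token["caveats"]))

# Constructed sample data: user -> agent -> sub-agent
ROOT_KEY = b"constructed-demo-key-not-a-real-secret"
agent_token = attenuate(attenuate(mint(ROOT_KEY, "delegation:alice->agent-1"),
                                  "scope=calendar:read,calendar:write"),
                        "expires=2000")
# The agent hands its sub-agent a strictly narrower token without contacting the issuer.
sub_token = attenuate(attenuate(agent_token, "scope=calendar:read"), "max_depth=1")
# A sub-agent that drops the added caveats but keeps its signature fails the chain check.
stripped = {**sub_token, "caveats": agent_token["caveats"]}
```

Because every caveat must hold, stacked `scope` caveats behave as an intersection, so authority can only shrink as the token moves down the chain.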
3.3 Zero Trust Architectures and Dynamic Policy Enforcement
Zero Trust principles—“never trust, always verify”—align naturally with agentic environments. Huang et al. (2025) outline a four-layer architecture:
1. Identity & Credential Management Layer — DID/VC issuance, key management, and lifecycle.
2. Agent Discovery and Trust Establishment Layer — Capability-aware resolution.
3. Dynamic Access Control Layer — Policy Decision Points (PDPs) evaluating agent DID + VCs + context against ABAC/PBAC policies; support for Just-In-Time (JIT) temporary scoped credentials.
4. Unified Global Session Management & Policy Enforcement Layer — Cross-protocol Session Authority and distributed Session State Synchronizer ensuring consistent revocation and state across heterogeneous protocols (e.g., MCP, A2A).
This enables real-time, context-aware decisions and global logout or policy updates. Complementary industry frameworks from the Cloud Security Alliance (2025) similarly advocate DIDs, VCs, and Zero Trust for multi-agent systems.
Hybrid approaches combining SPIFFE/SPIRE (for underlying workload cryptographic identity and attestation) with higher-level agent-specific layers (instance identity, behavioral claims, delegation VCs) are also under exploration, though SPIFFE’s original design for more static workloads requires extensions to fully accommodate agent ephemerality and non-determinism.
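A sketch of the decision made in the Dynamic Access Control Layer: a PDP that evaluates an agent DID, its credentials, and request context against an ABAC policy, and on permit issues a JIT grant scoped to the single requested action. This is an added example, not code from Huang et al.; the policy schema, the `delegated_by` and `amount` context fields, and all DIDs and credential IDs are constructed, and VC signature verification is assumed to have happened upstream.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VC:
    """Stand-in for a credential whose signature was already verified upstream."""
    id: str
    issuer: str
    subject: str   # agent DID the credential was issued to
    claims: dict
    expires: int   # Unix time

TRUSTED_ISSUERS = {"did:example:issuer"}   # constructed
REVOKED_VC_IDS = {"vc-revoked"}            # constructed revocation list
# Hypothetical ABAC policy table: action -> required capability, limit, JIT lifetime
POLICY = {
    "tickets:refund": {"capability": "refunds", "max_amount": 100, "jit_ttl": 120},
    "tickets:read": {"capability": "support", "max_amount": None, "jit_ttl": 300},
}

def deny(reason: str) -> dict:
    return {"decision": "deny", "reason": reason}

def decide(agent_did: str, vcs: list, action: str, context: dict, now: int) -> dict:
    """PDP: default deny; a permit carries a grant for this one action only."""
    rule = POLICY.get(action)
    if rule is None:
        return deny("no policy for action")
    backing = [vc for vc in vcs
               if vc.subject == agent_did and vc.issuer in TRUSTED_ISSUERS
               and vc.id not in REVOKED_VC_IDS and vc.expires > now
               and rule["capability"] in vc.claims.get("capabilities", [])]
    if not backing:
        return deny("no valid credential for required capability")
    if not context.get("delegated_by"):
        return deny("no accountable principal in context")
    limit = rule["max_amount"]
    if limit is not None and context.get("amount", float("inf")) > limit:
        return deny("amount missing or above policy limit")
    # The JIT grant never outlives the credential that backs it.
    exp = min(now + rule["jit_ttl"], max(vc.expires for vc in backing))
    return {"decision": "permit", "reason": "policy satisfied",
            "grant": {"sub": agent_did, "on_behalf_of": context["delegated_by"],
                      "scope": [action], "exp": exp}}

# Constructed sample input
AGENT = "did:example:agent-7"
GOOD_VC = VC("vc-001", "did:example:issuer", AGENT, {"capabilities": ["refunds"]}, 1060)
REVOKED_VC = VC("vc-revoked", "did:example:issuer", AGENT, {"capabilities": ["support"]}, 9999)
```

A Policy Enforcement Point would call `decide` per request and honor only the returned grant, which keeps the authorization logic external to the agent as the PEP/PDP separation requires.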
3.4 Discovery, Session Management, and Cross-Protocol Coordination
Secure discovery is non-trivial in open or federated MAS. Huang et al. (2025) introduce an Agent Naming Service (ANS) analogous to DNS but capability- and attestation-aware. Queries can request agents matching specific functions, compliance profiles, or versions; responses include DIDs and VC snippets, enabling trust establishment before interaction.
Unified session management addresses the reality that agents interact via multiple protocols simultaneously. A global authority can enforce consistent policy (including revocation) while local adapters handle protocol specifics.
4. Regulatory and Governance Imperatives
Technical mechanisms must align with emerging legal and compliance expectations. The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) imposes obligations on providers and deployers of high-risk AI systems, including requirements for transparency, human oversight, logging of interactions, robustness, and accountability. While not yet explicitly agent-centric, autonomous agents operating with privileged access in regulated domains (finance, healthcare, critical infrastructure) will likely fall under or be analogized to these provisions. Traceable identity and delegation chains are prerequisites for demonstrating human oversight and post-incident attribution.
In the United States, NIST has launched dedicated work on software and AI agent identity and authorization standards, complementing the AI Risk Management Framework (Govern, Map, Measure, Manage functions). Mapping IAM controls to these functions supports structured risk treatment across the agent lifecycle.
Broader governance expectations include “Know Your Agent” (KYA) practices analogous to KYC, ownership binding (linking agents to responsible humans or entities), least-privilege scoping, continuous monitoring, and defensible audit trails. Failure to implement robust identity infrastructure risks regulatory non-compliance, liability exposure, and erosion of trust in agentic systems.
5. Practical Considerations and Standards Development
Vendors are already shipping agent-aware identity features (e.g., dedicated agent IDs with governance workflows). However, proprietary solutions risk fragmentation. The OpenID Foundation whitepaper (2025) advocates convergence on interoperable profiles of existing standards (OAuth 2.1, SCIM extensions for AgenticIdentity resources, OIDC for Agents proposals) rather than entirely new protocols. IETF drafts on SCIM agent schemas and OAuth extensions for agents-on-behalf-of-users reflect active community efforts.
Key practical recommendations emerging across sources include:
- Treat agents as first-class identities with clear ownership and lifecycle management (provisioning/de-provisioning).
- Prefer explicit delegation over impersonation.
- Externalize authorization decisions (PEP/PDP separation) and enforce least privilege with JIT scoping.
- Maintain cryptographic audit trails linking actions to verified identities and scopes.
- Design for interoperability and avoid lock-in to single-vendor agent identity models.
- Extend existing enterprise controls (SSO, SCIM, IGA) to agents while adding agent-specific guardrails (real-time behavioral constraints, data masking).
6. Conclusion and Future Research Directions
Identity and Access Management for AI agents is no longer a peripheral concern but a foundational requirement for safe, scalable, and trustworthy agentic AI. Existing IAM primitives provide valuable building blocks, yet the unique characteristics of autonomous, delegating, non-deterministic agents demand purpose-built extensions and new architectural layers centered on verifiable, rich identities, authenticated delegation, dynamic context-aware authorization, and cross-protocol enforcement.
Significant progress is evident in 2025 position papers and standards initiatives. Nonetheless, the field remains nascent. Priority research and development areas include:
- Empirical evaluation of proposed frameworks at scale, including performance, usability, and attack resistance.
- Standardized schemas for agent capabilities, behavioral scope, and compliance claims.
- Robust mechanisms for natural-language-to-policy translation with formal guarantees or human-in-the-loop safeguards.
- Support for multi-human / shared-agent scenarios and complex recursive delegation with automatic scope attenuation.
- Integration of behavioral observability and intent verification into IAM decisioning.
- Privacy-preserving techniques (ZKPs, selective disclosure) tailored to agent workflows.
- Governance models for federated or decentralized agent ecosystems.
As agentic systems move from experimental deployments to production-critical infrastructure, the quality of their identity and access foundations will determine not only their security posture but also their societal acceptability and regulatory viability. Purpose-built Agentic AI IAM—grounded in cryptographic verifiability, least-privilege principles, and clear chains of accountability—offers the most promising path forward.
References (selected)
Chan, A., et al. (2024). IDs for AI Systems. arXiv:2406.12137.
Cloud Security Alliance. (2025). Agentic AI Identity and Access Management: A New Approach.
European Parliament and Council of the European Union. (2024). Regulation (EU) 2024/1689 (Artificial Intelligence Act). Official Journal of the European Union.
Huang, K., Narajala, V. S., Yeoh, J., et al. (2025). A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control. arXiv:2505.19301.
Huang, K., et al. (2025). Agent Name Service (ANS): A universal directory for secure AI agent discovery and interoperability. arXiv:2505.10609 (related).
NIST. (2023/updated). Artificial Intelligence Risk Management Framework (AI RMF 1.0). NIST AI 100-1.
OpenID Foundation. (2025). Identity Management for Agentic AI: The new frontier of authorization, authentication, and security for an AI agent world. https://openid.net/wp-content/uploads/2025/10/Identity-Management-for-Agentic-AI.pdf
South, T., Marro, S., Hardjono, T., et al. (2025). Authenticated Delegation and Authorized AI Agents. arXiv:2501.09674.
South, T., et al. (2025). Identity Management for Agentic AI. arXiv:2510.25819.
SPIFFE Project. SPIFFE Specification. https://spiffe.io/
W3C. (2022). Decentralized Identifiers (DIDs) v1.0. W3C Recommendation.
W3C. (2021). Verifiable Credentials Data Model v1.0. W3C Recommendation.
