Over the past several years, I've spent countless hours discussing Privileged Access Management (PAM), Zero Trust, machine identities, and authentication with customers and industry experts.
But one topic has rapidly moved from emerging trends to urgent priority: AI agents and non-human identities.
During a recent webinar discussion with Candi Green, Senior Workshop & Principal Advisory Director at Info-Tech, one message came through loud and clear: privileged access is no longer primarily a human problem.
For decades, security professionals focused on securing administrators, privileged users, and high-risk human accounts. Today, however, machine identities already outnumber human identities by a significant margin in most enterprise environments. Add AI agents to the equation, and the scale of the challenge increases dramatically.
What struck me most was how concerned many organizations are becoming about visibility and governance. Most security teams understand how to manage people. They understand onboarding, offboarding, approvals, and access reviews. But AI agents operate differently. A single AI-driven workflow can spawn multiple agents, access systems, APIs, and data sources on behalf of a user or process.
The question security teams are increasingly asking is simple: do we actually know what these identities are doing?
One of the most interesting themes from the discussion was the idea that privilege should no longer be defined by the type of identity. Instead, privilege should be defined by capability.
Whether an identity belongs to a human administrator, a service account, an application, or an AI agent is becoming less important. What matters is what that identity can do. If it can access sensitive data, modify systems, execute transactions, or influence other identities, it should be treated as privileged.
This shift has important implications for how organizations approach access control.
Traditional role-based access models were designed for a world where users had relatively stable responsibilities. In modern environments, particularly those involving automation and AI, context matters more than job titles or static roles. Increasingly, organizations are exploring policy-based and attribute-based authorization models that allow access to decisions to be made dynamically based on context and risk.
Another point that resonated with me was how AI agents expose weaknesses that already exist.
Many organizations worry that AI agents might perform unintended actions because they have excessive permissions. But if an AI agent can misuse those permissions, then the underlying machine identity was already overprivileged. The difference is that traditional applications generally behave exactly as they were programmed, while AI agents introduce variability and decision-making into the equation.
In that sense, AI isn't creating entirely new security problems. It's forcing us to confront old ones that have been hiding in plain sight.
So where should organizations begin?
The answer isn't necessarily more technology. First, organizations need visibility. They need to understand what non-human identities exist, what they access, and why they exist in the first place. Second, they need governance.
AI adoption cannot be a "set it and forget it" exercise. Every agent should have a clearly defined purpose, measurable outcomes, and appropriate oversight. Finally, organizations need stronger controls, including ephemeral credentials, least privilege access, continuous auditing, and policy-driven authorization.
The good news is that we are not starting from scratch. Many of the principles needed to secure AI agents already exist within modern identity security and Zero Trust frameworks. The challenge is applying them consistently and at scale.
If there was one conclusion I took away from this discussion, it is this: organizations must begin treating non-human identities and AI agents with the same seriousness they apply to human users. In many cases, these identities have access to more systems, more data, and more privileges than any individual employee ever would.
As AI adoption accelerates, the organizations that succeed will be those that make identity governance, visibility, and control foundational parts of their AI strategy—not afterthoughts.