No more blind trust: Identity controls for AI agents | resource
No more blind trust: Identity controls for AI agents | resource
https://www.scworld.com/resource/no-more-blind-trust-identity-controls-for-ai-agents
Publish Date: 2026-06-23 10:00:00
Source Domain: www.scworld.com
AI agents are starting to do real work inside the enterprise. Think of a product manager querying Anthropic’s Claude to draft a launch-readiness summary. Or a developer asking an agent in Cursor or VS Code to check deployment status.Users rarely see most of the transactions happening underneath, and that’s a problem. The handshake between an AI agent and the enterprise application typically happens outside the view of the IT and security teams responsible for governing it.”There’s a lot of stuff we’ve been doing for years that we’ve gotten away with because of the scale that’s happened,” says Aaron Parecki, Director of Identity Standards at identity and access management provider Okta. “A lot of the stuff around AI is new, but at the same time, it’s not actually that it’s new; it’s just happening faster.”For years, static API keys and standing privileges were an acceptable trade-off: clunky, but manageable. AI agents have changed that math.The volume and speed of machine-to-machine requests hitting enterprise applications now outpaces what those legacy controls were built for, and the gap between what security teams can see and what’s happening has widened into a real blind spot.
The visibility gap
When an AI agent requests data from an enterprise app on a user’s behalf, it gets there through OAuth, the open identity protocol behind most enterprise login and authorization flows. Somewhere in that flow, the user logs into the organization’s identity provider; a routine sign-in is what shows up in the admin’s logs.What the logs don’t show is the next step: the app granting an access token to the agent itself.That connection was not negotiated through the enterprise identity provider, so it never surfaces in the admin’s view.A handful of more sophisticated applications build their own visibility tools so their administrators can see which agents are granted access. But most don’t. Even where the data exists, it’s scattered application by application, rather than…
Source
