Who Is the Agent Logged In As?
A surprising amount of agent governance unravels the moment you ask a simple question: when this agent took an action, who was it logged in as?
The honest answer in most pilots is "the engineer who launched the session." The agent inherited a developer's GitHub token, a developer's cloud credentials, a developer's Slack session. Every action it took was attributed to a human. Every log entry has a real person's name on it. The audit trail is technically intact and substantively a fiction.
This is the non-human identity problem, and it has been sitting on platform teams' backlogs for years. AI agents have moved it from "we should get to that" to "we needed this last quarter."
Why borrowed identity is not identity
When an agent acts as a human, three things happen at once. The action's authorization is whatever the human had, which is usually too much. The action's accountability is the human's name, which is usually wrong. And the action's revocability is tied to the human's lifecycle, which is usually not what you want.
The authorization problem matters because developers tend to have broad credentials by design. An agent inheriting them can write to production, approve its own pull requests, or delete a database it should never have read from. The least-privilege story collapses the instant the agent uses borrowed keys.
The accountability problem matters because incident response begins with attribution. A log line that says user: jane.doe for an action that Jane did not actually take sends the investigation down the wrong path for the first hour. By the time someone notices the agent's session ID buried in the request metadata, the window for fast containment has closed.
The revocability problem matters because when Jane leaves the company, every agent that was running under her credentials breaks at the same time, including agents Jane had nothing to do with, because they happened to inherit her token at session start.
What an agent identity actually needs
A workable agent identity has a handful of properties that distinguish it from both human accounts and traditional service accounts.
It is scoped to a single agent session or a single agent role, not to a long-running daemon. The lifetime is short enough that a leaked credential is not a multi-year liability. The identity carries its own audit trail: actions taken under it are attributable to a specific agent and a specific authorizing context, not to whoever happened to start the process.
It has its own permission model that is narrower than any human's. An agent triaging tickets does not need write access to the deploy pipeline. An agent generating PRs does not need permission to approve them. The permissions live on the agent identity, not on a borrowed parent.
It is provisioned and revoked through automation that knows about agents specifically. The lifecycle is tied to the work (the prompt file, the ticket, the session), not to a human's tenure or a service's deployment.
The practical starting point
Most teams will not get to a clean agent-identity architecture in one pass. The intermediate state that actually helps is to give each agent role a dedicated service account with scoped permissions and to require sessions to assume that account rather than inheriting the engineer's. This is unglamorous platform work. It is also what stops the "Jane deleted prod" log line from being the first thing an auditor sees.
The longer-term destination is per-session ephemeral credentials, issued at the moment the agent starts work, scoped to the specific repository or system the prompt file authorizes, and revoked when the session ends. Several identity vendors are moving toward this. None of them are quite there yet, and the gap is wide enough that building a thin internal layer is reasonable for organizations that need it now.
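The following sketch is an added example, not code from this post or from any vendor: a hypothetical thin internal broker that mints a per-session agent identity with a role-scoped permission set, restricts it to the one resource the prompt file authorized, records the launching engineer as authorizing context rather than as actor, and stops honouring the credential on expiry or revocation. Role names, permission strings and the sample policy are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample policy: each agent role gets a permission set narrower
# than any human's. The PR-authoring role deliberately lacks "pr:approve".
ROLE_PERMISSIONS = {
    "ticket-triage": {"tickets:read", "tickets:comment"},
    "pr-author": {"repo:read", "repo:push-branch", "pr:create"},
}

@dataclass
class Session:
    agent_id: str       # the actor that appears in the audit trail
    role: str
    scope: str          # the single resource the prompt file authorizes
    authorized_by: str  # engineer who launched the session: context, not actor
    expires_at: float
    revoked: bool = False

class CredentialBroker:
    """Hypothetical thin internal layer issuing per-session agent credentials."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.sessions = {}   # opaque token -> Session
        self.audit = []      # every decision, attributed to the agent identity

    def issue(self, role, scope, authorized_by, now=None):
        now = time.time() if now is None else now
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown agent role {role!r}")
        # A fresh identity per session bounds the damage of a leak to the TTL.
        agent_id = f"agent:{role}:{secrets.token_hex(4)}"
        token = secrets.token_urlsafe(24)
        self.sessions[token] = Session(agent_id, role, scope, authorized_by, now + self.ttl)
        return token

    def authorize(self, token, action, resource, now=None):
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return False  # unknown credential: deny, nothing to attribute
        allowed = (not s.revoked and now < s.expires_at
                   and action in ROLE_PERMISSIONS[s.role] and resource == s.scope)
        self.audit.append({"actor": s.agent_id, "authorized_by": s.authorized_by,
                           "action": action, "resource": resource, "allowed": allowed})
        return allowed

    def revoke(self, token):
        # Revocation is tied to the session ending, not to anyone's tenure.
        if token in self.sessions:
            self.sessions[token].revoked = True
```

Every audit entry names the agent as actor and the engineer only as the authorizing context, so an investigation starts from the agent session rather than from a human who never took the action.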
The shift in framing matters more than the specific implementation. An agent is not a tool that humans use. It is an actor that takes actions. Actors need identities. Borrowed ones are a liability that grows linearly with how much work the agents do, and the agents are about to start doing a lot of work.