Beyond Chatbots: Why Agent Security Is the Industry’s Next Major Challenge
AI systems are moving from answering questions to taking action, which brings new security challenges. The article identifies eight gaps, including the accountability problem, permission chaos and security across organizational boundaries, and proposes solutions for building a more secure agent ecosystem. 2025-10-7 13:30:52 Author: securityboulevard.com

The Shift from Answering Questions to Taking Action

AI systems are evolving beyond conversation. Today’s autonomous agents book flights, manage calendars, and execute business workflows without constant human oversight. This represents a fundamental shift: from tools that respond to tools that act.

This autonomy creates a problem. When an AI agent acts using your credentials, how can systems verify it was authorized? When something goes wrong, how do investigators determine whether you acted or your agent did? These questions expose a vulnerability in systems built for human users, not autonomous software acting on their behalf.

The Artificial Intelligence Identity Management Community Group (AIIMCG) of the OpenID Foundation has just published a new whitepaper, “Identity Management for Agentic AI,” which identifies eight urgent security gaps that threaten the agent ecosystem. The AIIMCG’s effort is the first comprehensive endeavor to map the challenge and propose solutions.


Eight Security Challenges Demanding Solutions

1. The Accountability Problem: When Agents Impersonate Users

Current systems cannot distinguish between you taking an action and your agent taking an action on your behalf. This “impersonation” creates a fundamental accountability gap that makes forensic investigation nearly impossible.

The proposed solution involves “delegated authority” using On-Behalf-Of (OBO) flows. Instead of borrowing your identity, an agent receives a distinct credential proving it’s authorized to act for you. The access token contains two identities: yours as the delegator and the agent’s as the authorized actor, creating an auditable trail.

2. The Chain Reaction: When Agents Create Agents

Advanced agents delegate tasks to specialized sub-agents, forming complex authorization chains. Without proper controls, this leads to “permission chaos.” A top-level agent with broad access might pass those same permissions to a sub-agent that only needs limited capabilities, violating the principle of least privilege.

The whitepaper calls for “scope attenuation” mechanisms that automatically reduce permissions at each delegation step, ensuring sub-agents receive only the specific capabilities they need.
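To make the two mechanisms described above concrete (the OBO credential that carries the delegator and the actor as separate identities, and scope attenuation at each delegation hop), here is a small Python model. It is an added example, not code from the whitepaper, the AIIMCG or the article. It assumes the RFC 8693 token-exchange convention of an `act` (actor) claim nested one level per hop, uses plain dataclasses in place of signed JWTs, and all principal names and scopes (`alice`, `travel-planner-agent`, `calendar:write`) are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Unsigned stand-in for an access token (assumption: a real one is a signed JWT)."""
    sub: str                       # delegator: the user the action is ultimately attributed to
    scope: frozenset[str]          # permissions this token carries
    act: dict | None = None        # actor chain, RFC 8693 style: {"sub": actor, "act": {...}}


def delegate(parent: Token, actor: str, requested_scope: set[str]) -> Token:
    """Issue a child token for `actor` acting on behalf of the parent's subject.

    Scope attenuation: the child may hold only a subset of the parent's scope,
    so a hop can narrow permissions but never widen them.
    """
    requested = frozenset(requested_scope)
    escalated = requested - parent.scope
    if escalated:
        raise PermissionError(f"scope escalation refused: {sorted(escalated)}")
    # Nest the parent's actor chain so every delegation hop stays visible.
    return Token(sub=parent.sub, scope=requested,
                 act={"sub": actor, "act": parent.act})


def actor_chain(token: Token) -> list[str]:
    """Actors from the most recent hop inward; empty when the user acts directly."""
    chain: list[str] = []
    node = token.act
    while node is not None:
        chain.append(node["sub"])
        node = node["act"]
    return chain


def authorize(token: Token, required_scope: str) -> dict:
    """Authorization decision plus an audit record that separates delegator from actor."""
    chain = actor_chain(token)
    return {
        "allowed": required_scope in token.scope,
        "delegator": token.sub,
        "actor": chain[0] if chain else token.sub,   # who actually performed the action
        "chain": chain,
        "scope_checked": required_scope,
    }


def demo() -> list[dict]:
    """Constructed scenario: alice -> planner agent -> booking sub-agent."""
    user = Token(sub="alice",
                 scope=frozenset({"calendar:read", "calendar:write", "mail:send"}))
    planner = delegate(user, "travel-planner-agent", {"calendar:read", "calendar:write"})
    booker = delegate(planner, "booking-subagent", {"calendar:write"})
    records = [
        authorize(booker, "calendar:write"),   # allowed, attributed to alice via two hops
        authorize(booker, "mail:send"),        # denied: attenuated away at the first hop
    ]
    try:
        delegate(booker, "rogue-subagent", {"mail:send"})   # escalation attempt
    except PermissionError as exc:
        records.append({"allowed": False, "error": str(exc)})
    return records


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The audit record is the point of the exercise: an investigator reading it sees `delegator: alice` and `actor: booking-subagent` with the full hop list, which is exactly the distinction that collapses when an agent simply impersonates the user. The `delegate` check is what stops the top-level agent from handing its broader `mail:send` permission down to a sub-agent that never needed it.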

3. The Border Problem: Security That Stops at Company Lines

Existing frameworks like OAuth 2.1 work within a single organization’s systems. These frameworks fail when agents cross organizational boundaries to interact with external platforms—each operating in different trust domains with different security requirements.

This fragmentation forces developers to build custom integrations for every external service, creating security gaps at every connection point.

4. The Approval Trap: Why Constant Permission Requests Backfire

As agents become more capable, they generate more requests for approval. Users experiencing “consent fatigue” start approving reflexively without reading the requests, rendering oversight meaningless.

The whitepaper proposes Intent-Based Authorization, allowing users to approve high-level goals in natural language that systems translate into specific policies. Risk-based dynamic authorization interrupts users only for high-risk actions, allowing routine tasks to proceed automatically within established guardrails.
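The following Python sketch shows how risk-based dynamic authorization can sit on top of an approved intent so that the user is interrupted only for high-risk steps. It is an added example, not the whitepaper's or the article's code. The translation of a natural-language goal into a policy is assumed to have already happened (the `IntentPolicy` is hand-written), and the plan, resource names and budget figures are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Risk(Enum):
    LOW = 1       # read-only, inside the approved intent
    MEDIUM = 2    # spends money, inside intent and within budget
    HIGH = 3      # outside the intent, or over the budget guardrail


@dataclass(frozen=True)
class Action:
    name: str
    resource: str
    amount: float = 0.0


@dataclass(frozen=True)
class IntentPolicy:
    """Policy compiled from an approved intent (constructed here by hand; turning
    natural language into this structure is the part this example does not model)."""
    allowed_actions: frozenset[str]
    allowed_resources: frozenset[str]
    spend_limit: float


def assess_risk(action: Action, policy: IntentPolicy, spent_so_far: float) -> Risk:
    """Classify one step against the intent and the running spend."""
    if (action.name not in policy.allowed_actions
            or action.resource not in policy.allowed_resources):
        return Risk.HIGH                     # never part of what the user approved
    if spent_so_far + action.amount > policy.spend_limit:
        return Risk.HIGH                     # inside intent, but breaches the guardrail
    if action.amount > 0:
        return Risk.MEDIUM
    return Risk.LOW


def run_plan(actions, policy: IntentPolicy, prompt_user: Callable[[Action], bool]):
    """Evaluate an agent's plan step by step. Only HIGH-risk steps reach the user;
    everything else proceeds inside the guardrails the intent established."""
    decisions, prompts, spent = [], 0, 0.0
    for action in actions:
        risk = assess_risk(action, policy, spent)
        prompted = risk is Risk.HIGH
        if prompted:
            prompts += 1
            allowed = prompt_user(action)
        else:
            allowed = True
        if allowed:
            spent += action.amount
        decisions.append({"action": action.name, "risk": risk.name,
                          "allowed": allowed, "prompted": prompted})
    return decisions, prompts


def run_demo(prompt_user: Callable[[Action], bool] = lambda action: False):
    """Constructed scenario: intent 'book my Berlin trip, stay under 800'.
    The default prompt handler declines, standing in for a user who says no."""
    policy = IntentPolicy(
        allowed_actions=frozenset({"search_flights", "read_calendar", "purchase"}),
        allowed_resources=frozenset({"airline", "hotel", "calendar"}),
        spend_limit=800.0,
    )
    plan = [
        Action("search_flights", "airline"),          # LOW
        Action("read_calendar", "calendar"),          # LOW
        Action("purchase", "airline", 450.0),         # MEDIUM: auto-approved, within budget
        Action("purchase", "hotel", 600.0),           # HIGH: 450 + 600 exceeds the 800 limit
        Action("send_email", "mail-relay"),           # HIGH: never part of the approved intent
    ]
    return run_plan(plan, policy, prompt_user)


if __name__ == "__main__":
    decisions, prompts = run_demo()
    for d in decisions:
        print(d)
    print(f"user interrupted {prompts} of {len(decisions)} steps")
```

Five steps produce two prompts instead of five, and both prompts are for things a user would actually want to see: a spend that breaks the stated budget and an action that was never in the approved goal. Keeping the budget check cumulative rather than per-action is what makes the guardrail meaningful across a multi-step plan.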

5. The Shared Space Gap: Agents Built for Teams

OAuth was designed for individual users, not collaborative environments. This model breaks when agents operate in shared spaces where access rights vary by user. No widely adopted protocol addresses multi-user agent scenarios, creating a significant gap in enterprise security.

6. The Interface Bypass: Browser Agents That Sidestep API Security

A new generation of agents controls browsers directly, clicking buttons and filling forms like humans. These “presentation-layer” agents bypass every API-based security control, appearing identical to legitimate human activity.

Addressing this requires two distinct solutions: Web Bot Auth to allow agent platforms to identify themselves to public websites, and Workload Identity frameworks like SPIFFE/SPIRE to authenticate agents to specific APIs when accessing protected resources.

7. The Fragmentation Risk: Incompatible Agent Identity Systems

Without common standards, vendors are building proprietary agent identity systems. This fragmentation forces developers to build separate integrations for each platform, multiplying complexity. Each proprietary system introduces unique security assumptions and potential vulnerabilities.

As Tobin South, Co-Chair of the OpenID Foundation’s AIIM Community Group, notes: “AI agents are outpacing our security systems. Without industry collaboration on common standards, we risk a fragmented future where agents can’t work securely across different platforms and companies.”

8. The Identity Shift: Agents That Switch Between Modes

Advanced agents operate in two distinct modes: independently using their own credentials, and on behalf of users with delegated authority. Current identity systems struggle with this duality, making it difficult to track which mode an agent is operating in and enforce appropriate permissions for each.

A Call to Action: Building Security into the Foundation

The challenges outlined in the OpenID Foundation’s whitepaper exist today in deployed systems and will intensify as agent adoption accelerates. The encouraging reality: we’re not starting from zero. Existing identity frameworks provide foundational tools that can be adapted and extended for autonomous software.

The whitepaper offers specific recommendations by stakeholder group:

  • Developers and architects: Align implementations with emerging enterprise profiles like IPSIE, ensuring solutions work across platforms and meet security requirements from the start.
  • Standards bodies: Accelerate protocol development for agent identity, focusing on interoperability to prevent fragmentation into incompatible proprietary systems.
  • Enterprises: Treat agents as “first-class citizens” in identity and access management infrastructure. Establish robust lifecycle management with clear governance, audit trails, and accountability mechanisms.

Why This Matters

While AI is the impetus for acting with urgency, agentic identity has been a longstanding if not well-recognized issue. Intent-based configuration and management, which became the de facto standard for modern application infrastructure in the mid-2010s, faces all of these same issues. Except that with intent-based systems management, agents inherently act on behalf of privileged users – meaning the agents act as super-users, able to create, modify, and delete critical parts of the infrastructure, as well as access all data.

I applaud the AIIMCG and the OpenID foundation for their call to arms. However, I hope that the industry will recognize that AI is not agents, and agents aren’t AI, and that solutions to these challenges are applicable across the board.

As automated systems rapidly take on more responsibility – in our personal digital lives, in the enterprise, and in IT – the identity infrastructure supporting them must keep pace.



Source: https://securityboulevard.com/2025/10/beyond-chatbots-why-agent-security-is-the-industrys-next-major-challenge/