Do we really need new identity systems for agents? I think we can start with what we already have
With AI agents moving into production, a lot of discussions focus on building new identity systems for them.
While newer cloud-native approaches (workload identity, short-lived credentials, etc.) are useful for dynamic execution, I think we’re overlooking something simpler: treating agents as non-human users inside our existing enterprise IAM.
Most agents today still end up using human OAuth tokens or shared service accounts. This creates the usual problems — poor attribution, weak auditability, and difficulty applying proper governance and access reviews.
We can already give agents their own stable identity in the IAM, add them to groups (such as AI-Agent or Supervised-Agent), and include them in existing access review processes. This doesn’t require new platforms.
Newer identity tools can still be used for the runtime layer. The two approaches are complementary — one focuses on governance and accountability, the other on dynamic execution.
How are others currently managing identity and access for agents in production environments?