Identity Is the Frontline of 2026 Cybersecurity

Written by Kamiwaza | Jun 3, 2026 5:10:30 PM

Enterprise security teams spent years hardening their networks, then spent more years reorganizing around identity. The work paid off until the user stopped being a single human at a single keyboard. Today, an AI agent can open the same case management system, query the same data lake, file the same ticket, and trigger the same downstream workflow that a senior analyst would. The agent does so faster, often in parallel, and frequently on behalf of a person who is not actively in the loop. Gartner's 2026 cybersecurity trends place IAM adaptation for AI agents among the top trends of the year, naming identity registration, credential automation, and policy-driven authorization for machine actors as the work that has to happen now.¹ The identity model behind those agentic applications was not designed for that level of delegation, and the gap is becoming visible to attackers and auditors alike.

The 2026 OWASP Top 10 for Agentic Applications underscores the urgency. Excessive Agency, the risk that an agent has more autonomy or access than its task requires, sits at the top of the list, and OWASP introduces a new principle called Least Agency to address it.² McKinsey's 2026 research on AI trust reports that 80 percent of organizations have already encountered risky behavior from AI agents and that security and risk are now the top barriers to scaling agentic AI.³ The pattern is consistent across regulators, standards bodies, and operating teams: identity has become the single most important control surface for autonomous systems.

Why Traditional IAM Breaks for Autonomous Agents

Conventional identity and access management was built around predictable assumptions. A user authenticates once, holds a role, and acts within a bounded session. Agents do not behave that way. A production agent may invoke a tool, call another agent, retrieve evidence from three systems, and complete an action across business hours and time zones, all under credentials that were originally issued to a person. NIST SP 800-207, the foundational reference for Zero Trust Architecture, requires that every request be authenticated and authorized based on real-time context, with policy decisions made centrally rather than at the perimeter.⁴ The principle holds for agents, but the implementation guidance was written for human and device behavior, and most organizations have yet to extend their Zero Trust programs to cover the way an autonomous system actually operates.

Two common workarounds have emerged, and neither solves the underlying problem. The first is to issue agents broad service accounts. Service accounts give a fast path to production, but they collapse the audit trail and concentrate risk in credentials that no human owns. The second is to hardcode scopes into agent prompts or configuration. Hardcoded scopes look tidy in development and become brittle in operation, because they fail to reflect the relationships that actually govern enterprise access, such as who owns a deal, which team a project belongs to, or which case file a clinician is assigned. Both approaches drift from the Zero Trust principle of policy decisions made on real-time, contextual signals.

What Excessive Agency Actually Looks Like

A useful way for CISOs to think about Excessive Agency is to ask three questions about any agent in production. Who is the agent acting for? What is the agent allowed to read, write, or execute in this specific context? What can leave the boundary, by way of tool calls, data movement, or downstream automation? When any of those answers is vague, the agent has become a privileged actor whose permissions are no longer attributable to a human. A single prompt injection, compromised credential, or misconfigured tool can then translate a contained vulnerability into a chain of consequential actions across critical systems.

Regulators and standards bodies have begun to pay attention, and the operational language is shifting accordingly. Gartner's cybersecurity trends call out identity governance for AI agents as the work that has to happen now, not a problem to defer to the next planning cycle.¹ McKinsey's 2026 research frames the same shift in plain terms for the executive team: organizations can no longer worry only about AI systems saying the wrong thing; they must also govern systems doing the wrong thing, by taking unintended actions, misusing tools, or operating beyond appropriate guardrails.³

ReBAC: The Relationship Model That Inherits Permissions

Relationship-Based Access Control (ReBAC) answers the agent problem with a small but important shift. Rather than granting access through static roles or broad service accounts, ReBAC defines authorization through the relationships that already structure enterprise work. A user belongs to a team, the team owns a project, the project includes a workspace, the workspace contains specific documents, and access policy follows that graph. When an agent acts on behalf of a user, the agent inherits the user's permissions appropriate for the task. If the user cannot see a record, neither can the agent.

The model has several properties that matter to security leaders. Inheritance is contextual, not permanent. Permissions are scoped to the action and the relationship that authorizes it, not to a long-lived credential. Audit trails preserve attribution, because every agent action ties back to a human source of authority. And policy expression becomes more durable, because relationships, not role libraries, are the unit of governance. Kamiwaza's secure AI authorization layer implements this pattern so that agents operate inside the same access boundaries as the humans they serve, and so that the audit record reconstructs both the action and the authority behind it.
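The inheritance rule described above, as an added sketch (not Kamiwaza's code or API): an agent's request is allowed only if its delegating user reaches the resource through the relationship graph, and every decision is logged with the human authority behind it. All names, tuples and the delegation table are constructed, and treating any relationship path as sufficient for access is a simplifying assumption.

```python
from collections import deque

# Constructed relationship tuples (subject, relation, object), following the
# chain in the text: user -> team -> project -> workspace -> document.
TUPLES = {
    ("user:alice", "member", "team:deals"),
    ("team:deals", "owner", "project:acme"),
    ("project:acme", "parent", "workspace:acme-ws"),
    ("workspace:acme-ws", "parent", "doc:acme-contract"),
    ("user:bob", "member", "team:support"),
    ("team:support", "owner", "project:helpdesk"),
    ("project:helpdesk", "parent", "workspace:hd-ws"),
    ("workspace:hd-ws", "parent", "doc:ticket-42"),
}

# Hypothetical delegation table: scoped to one session and a set of actions,
# not a standing service-account credential.
DELEGATIONS = {
    ("agent:summarizer", "sess-1"): {"user": "user:alice", "actions": {"read"}},
}

AUDIT = []  # append-only decision log (in memory for this sketch)

def reachable(subject, resource):
    """Breadth-first search; returns the relationship path or None."""
    queue, seen = deque([(subject, [subject])]), {subject}
    while queue:
        node, path = queue.popleft()
        if node == resource:
            return path
        for s, _rel, o in TUPLES:
            if s == node and o not in seen:
                seen.add(o)
                queue.append((o, path + [o]))
    return None

def authorize(agent, session, action, resource):
    """Default deny: no delegation, wrong action, or no path means refusal."""
    grant = DELEGATIONS.get((agent, session))
    user = grant["user"] if grant else None
    path = None
    if grant and action in grant["actions"]:
        path = reachable(user, resource)  # agent sees only what the user sees
    record = {"agent": agent, "session": session, "on_behalf_of": user,
              "action": action, "resource": resource,
              "allowed": path is not None, "via": path}
    AUDIT.append(record)  # denials are recorded as well as grants
    return record

if __name__ == "__main__":
    print(authorize("agent:summarizer", "sess-1", "read", "doc:acme-contract"))
    print(authorize("agent:summarizer", "sess-1", "read", "doc:ticket-42"))
```
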

How to Evaluate Agent Governance Without Slowing the Business

For CISOs and senior architects, the question is rarely whether to deploy agents. The question is how to deploy them in a way that survives an internal audit, a regulator review, or an incident postmortem. Five criteria help separate governance theater from architecture that holds.

First, every agent action should resolve to a human source of authority, with the initiating user, session, and applied policy captured at runtime. Second, agent permissions should reflect contextual relationships, not blanket service accounts or hardcoded scopes. Third, evidence should be inspectable, so that a reviewer can see what data informed an outcome, not only that an outcome occurred. Fourth, intervention points should sit at the moments of greatest consequence, such as approvals, exceptions, and irreversible actions. Fifth, the audit record should be durable enough that compliance, security, and legal teams can reconstruct what occurred months later, with enough specificity to defend a decision or refute a claim.

The McKinsey data on agent risk reinforces why these criteria matter. When 80 percent of organizations have already seen risky behavior from agents in production, governance has to move from policy documents into the architecture itself.³ Documents alone do not stop excessive agency; contextual relationships and inherited permissions do.

Speed and Control Are Not Opposed

The pace of agentic deployment is not going to slow. Security leaders who try to hold the line with role libraries and service accounts will find themselves either blocking the business or, more often, being routed around. Security leaders who adopt relationship-based authorization for agents can move at the speed the business expects while keeping the audit trail, the policy boundaries, and the principle of Least Agency intact.

Zero Trust was a directional commitment when networks were the perimeter. Identity is the perimeter now, and relationships are the language identity speaks at agent scale. Enterprises that put a ReBAC model behind their agent deployments will not just satisfy the new standards forming around agentic security. They will give their organizations a governance foundation that gets stronger as autonomy expands.

Citation footers
  1. Gartner, Gartner Identifies the Top Cybersecurity Trends for 2026 (press release, February 5, 2026). 
  2. OWASP Gen AI Security Project, OWASP Top 10 for Agentic Applications: The Benchmark for Agentic Security in the Age of Autonomous AI (December 2025).
  3. McKinsey & Company, State of AI Trust in 2026: Shifting to the Agentic Era.
  4. NIST, SP 800-207: Zero Trust Architecture.