Identity is the crucial area to focus on when it comes to preventing cyber exposure through the use of AI agents, security experts tell CRN.
Identity will increasingly be the crucial area for solution providers to focus on when it comes to preventing the potential for massive cyber exposure through the use of AI agents, security experts told CRN.
Particularly in the era of AI agents, there’s no question that identity “absolutely is the perimeter at this point,” said Rob Gregory, CISO at Denver-based Optiv, No. 28 on CRN’s 2025 Solution Provider 500.
[Related: Analysis: Amid Claude Mythos FUD, Don’t Forget About Identity]
Even with the huge concern around accelerated vulnerability discovery and exposure through frontier AI models such as Anthropic’s Claude Mythos, vulnerabilities are “still not the most accessed ingress vector for an attack—that really still lies in identity,” Darktrace’s Nicole Carignan said.
The expected surge in agentic AI usage, meanwhile, will only exacerbate existing risks around identity sprawl, according to experts. Many predictions suggest there will be 50 or more autonomous agents for every human identity in the near future, which will have “the same credentials of human identities,” said Carignan, senior vice president of security and AI strategy at Cambridge, U.K.-based Darktrace.
Thus, “if you have a compromised human identity that’s now running 50 autonomous agents, you have kind of permissive accesses and capabilities across an organization,” she said. “That’s quite terrifying.”
Identity will therefore still be a critical area of focus because so much is tied to the identity control plane, according to Carignan.
This means that tracking the behavior of agents will be essential, experts said.
“Agents in and of themselves are identities. And what they can do—or what they should be able to do—needs to be tracked, reviewed, attested to,” Optiv’s Gregory said. “There should be an approval process. So it should have your traditional life-cycle management. It should have your traditional IAM [identity and access management] practices.”
Organizations should also follow the principles of least privilege for the identities associated with their AI agents, Gregory told CRN.
Blueprint For Securing Agentic
Identity security vendor Okta recently disclosed what it’s calling the “new blueprint for the secure agentic enterprise,” with the unveiling of a new framework for addressing the most critical questions amid the adoption of agentic AI.
The framework addresses the questions of, “What agents do I have? Do I know what agents are actually running inside my company?” said David Bradbury, chief security officer at San Francisco-based Okta.
The next question addressed by the framework is, “Once I know that I have agents, what actually do they have access to?” Bradbury told CRN. “And then lastly, what can they actually do with that access? Those are the three big questions that we solve as a company.”
Ultimately, “if you’re not securing identity, you’re not securing AI,” he said.
Extending Identity Practices To Agents
The bottom line is that with all of the existing fundamentals around securing human identities, “we have to continue to do them around agents,” Optiv’s Gregory said. “The same tool you’re using around IAM should be able to handle agentic AI life-cycle management.”
If that’s not the case, Gregory said that organizations should reconsider whether the identity platform they’re using will enable them to combat growing AI risks.
Because the reality is that “those AI risks of today are only going to become larger risks,” he said.
