AI agents are no longer emerging—they’re multiplying.

They’re acting on behalf of users, spinning up thousands at a time, and making decisions that affect critical business operations. Whether it’s a copilot issuing refunds, an automation agent reconfiguring infrastructure, or a team of AI workers managing supply chains, the shift is already happening.

But here’s the problem: the identity systems we’ve relied on for decades were never built for this.

Traditional IAM assumes humans. Predictable logins. Long-lived accounts. Linear workflows. That model falls apart when you’re dealing with autonomous actors operating at machine speed, across clouds, and without human supervision.

So what happens next?

To secure this future, we need a new way to think about identity. One that evolves as agents evolve. One that doesn’t just patch the gaps—but orchestrates identity across every stage of AI maturity.

In this post, I’ll walk you through the Agentic Identity Maturity Model—a practical framework for understanding how AI agents evolve, what risks emerge at each stage, and why identity orchestration is the only viable path forward.

This is more than a new chapter for IAM. It’s a new architecture for the future of enterprise operations.

Let’s dive in.

The speed mismatch and the visibility gap

Here’s the harsh reality:

  • Agents are created and retired in seconds.
    Traditional IGA and IAM processes (access requests, approvals, certifications, deprovisioning) run on human timeframes: days or weeks, not seconds.
  • Most organizations lack observability into their agent population, lifecycle, or scope.
    You can’t secure what you can’t see.
  • Privilege risk is pervasive.
    Many agents run with overly broad OAuth scopes or static, long-lived credentials, which create silent privilege escalation paths and unauthorized access to critical systems.
  • Fragmentation creates silos.
    Agents are spread across platforms like Google Vertex, Azure Agent Foundry, LangChain orchestrators, and countless specialized MCP (Model Context Protocol) servers and frameworks. Each enforces its own local policies, but no centralized governance or risk scoring exists across them.

What risks arise from lack of visibility and observability?

Without comprehensive discovery, runtime observability, and governance, organizations face:

  1. Shadow agents
    • Agents running outside approved workflows or without registration, increasing attack surface and operational chaos.
  2. Zombie credentials
    • Credentials or tokens issued to agents that are no longer active, creating orphaned privileged identities.
  3. Privilege escalation
    • Over-scoped tokens granting agents access beyond their intended purpose.
  4. Non-compliance
    • Lack of audit trails for agent actions violates regulatory requirements like SOX, HIPAA, and upcoming AI governance standards.
  5. Data leakage
    • Agents interacting with APIs and tools without policy-aware controls can leak sensitive data without anyone intending it: a tool call that reads a record and passes it to an external model or service is exfiltration whether or not a human meant it.
  6. Operational fragility
    • No consolidated view of agent population prevents effective troubleshooting, performance optimization, or incident response.

Counting agents: It’s harder than you think

What exactly counts as an agent?

  • LLM-based agents orchestrating multi-step execution graphs.
  • Agent orchestrators spawning ephemeral sub-agents for each task.
  • Plugins, proxies, and sidecars operating with runtime identities.

For example, a five-step orchestration pipeline might spawn five ephemeral agents, each with its own privileges, runtime context, and potential risks.

Critically, discovery must cover three categories:

  1. Agents running on platforms
    • Resident agents in frameworks like LangChain, Azure Agent Foundry, or Google Vertex AI.
    • These may be long-lived or ephemeral but are invisible without platform-integrated discovery.
  2. Ad hoc inbound agents
    • Agents arriving dynamically from external organizations or services, connecting via MCP-based APIs or delegated execution frameworks.
    • These agents appear transiently, leaving little trace without real-time registration and monitoring.
  3. Agents visible only through runtime observability logs
    • Agents emit ephemeral logs containing execution context, delegated tasks, and API calls, and for short-lived sub-agents those logs may be the only evidence the agent ever existed.
    • Without capturing and integrating these logs, organizations lose the audit trail and the behavioral data needed for risk scoring and compliance.

Introducing the agent fabric: A new registry for the agentic era

In identity management, the Identity Fabric emerged to unify multiple identity services and providers across clouds, vendors, and protocols. We now need a parallel construct for AI agents – an Agent Fabric.

What is an Agent Fabric?

An Agent Fabric is a registry and governance layer purpose-built to manage agent identities. It:

  • Discovers and registers all agents
    • Including platform-resident agents, ad hoc inbound agents, and runtime ephemeral agents.
    • Integrates with orchestrators, MCP services, and proxy telemetry to capture full agent population.
  • Tracks agent metadata
    • Lifecycle state, owner, provenance, time-to-live (TTL), execution context, and behavioral patterns.
  • Ingests runtime agent observability logs
    • Captures and normalizes logs from orchestrators, MCP endpoints, and agent runtimes to build complete visibility and auditability.
  • Calculates real-time risk scores
    • Based on:
      • Privilege levels and scope
      • Behavioral anomalies
      • Policy compliance status
      • Runtime execution patterns
  • Integrates with policy engines
    • Enforces dynamic, context-aware authorization decisions.
  • Provides centralized observability and audit trails
    • For every agent action, delegated task, and API call, unifying siloed data into a single operational and compliance view.
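The registry functions listed above (discover and register from runtime logs, track lifecycle state and TTL, derive a risk score from scope, ownership and behavior) can be sketched in a few dozen lines. The following is an added example written for this post, not Strata or Maverics code; the JSON log schema, the field names, the sample events and the scoring weights are all assumptions made for the illustration.

```python
"""Minimal Agent Fabric registry (added example, not Strata or Maverics code).

Ingests runtime observability log lines, registers every agent it sees
(including one that never emitted a spawn event), tracks lifecycle state
against the declared TTL, and derives a risk score from scope breadth,
ownership, undeclared tool use and activity after expiry. The log schema,
field names and scoring weights are assumptions made for this example.
"""
from __future__ import annotations
import json
from dataclasses import dataclass, field

# Constructed sample log: one JSON event per line. A real platform's schema
# would differ; this one is invented for the example.
SAMPLE_LOG = """\
{"ts": 100, "agent_id": "billing-copilot", "platform": "langchain", "owner": "fin-ops", "event": "spawn", "ttl": 600, "scopes": ["invoices:read", "refunds:write"], "declared_tools": ["invoices", "refunds"]}
{"ts": 110, "agent_id": "billing-copilot", "event": "tool_call", "tool": "invoices"}
{"ts": 120, "agent_id": "billing-copilot", "event": "tool_call", "tool": "refunds"}
{"ts": 130, "agent_id": "ext-partner-bot", "platform": "mcp-inbound", "owner": null, "event": "spawn", "ttl": 60, "scopes": ["*"], "declared_tools": ["catalog"]}
{"ts": 140, "agent_id": "ext-partner-bot", "event": "tool_call", "tool": "hr-export"}
{"ts": 150, "agent_id": "ghost-sidecar", "event": "tool_call", "tool": "secrets"}
{"ts": 900, "agent_id": "billing-copilot", "event": "tool_call", "tool": "invoices"}
"""

@dataclass
class AgentRecord:
    agent_id: str
    platform: str = "unknown"
    owner: str | None = None
    spawned_at: int | None = None      # None: seen only in logs, never registered
    ttl: int | None = None
    scopes: list[str] = field(default_factory=list)
    declared_tools: set[str] = field(default_factory=set)
    tools_used: set[str] = field(default_factory=set)
    last_seen: int = 0
    acted_after_expiry: bool = False   # zombie-credential indicator

    @property
    def expires_at(self) -> int | None:
        if self.spawned_at is None or self.ttl is None:
            return None
        return self.spawned_at + self.ttl

    def lifecycle_state(self, now: int) -> str:
        if self.spawned_at is None:
            return "shadow"            # activity without any registration event
        return "expired" if now > self.expires_at else "active"

class AgentFabric:
    def __init__(self) -> None:
        self.agents: dict[str, AgentRecord] = {}

    def ingest(self, log_text: str) -> None:
        """Register agents and update lifecycle/behaviour from log events."""
        for line in log_text.splitlines():
            if not line.strip():
                continue
            ev = json.loads(line)
            rec = self.agents.setdefault(ev["agent_id"], AgentRecord(ev["agent_id"]))
            rec.last_seen = max(rec.last_seen, ev["ts"])
            if ev["event"] == "spawn":
                rec.platform = ev.get("platform", rec.platform)
                rec.owner = ev.get("owner")
                rec.spawned_at, rec.ttl = ev["ts"], ev["ttl"]
                rec.scopes = list(ev.get("scopes", []))
                rec.declared_tools = set(ev.get("declared_tools", []))
            elif ev["event"] == "tool_call":
                rec.tools_used.add(ev["tool"])
                if rec.expires_at is not None and ev["ts"] > rec.expires_at:
                    rec.acted_after_expiry = True

    def risk(self, agent_id: str, now: int) -> tuple[int, list[str]]:
        """Additive score capped at 100, with the reasons that contributed."""
        rec = self.agents[agent_id]
        score, reasons = 0, []
        if rec.spawned_at is None:
            score += 40; reasons.append("shadow agent: activity without registration")
        if "*" in rec.scopes:
            score += 35; reasons.append("wildcard scope")
        if rec.owner is None and rec.spawned_at is not None:
            score += 15; reasons.append("no accountable owner")
        undeclared = rec.tools_used - rec.declared_tools
        if undeclared:
            score += 25; reasons.append(f"undeclared tools used: {sorted(undeclared)}")
        if rec.acted_after_expiry:
            score += 30; reasons.append("zombie credential: activity after TTL expiry")
        elif rec.lifecycle_state(now) == "expired":
            score += 10; reasons.append("stale: expired but still registered")
        return min(score, 100), reasons

    def report(self, now: int) -> dict[str, dict]:
        return {aid: {"state": rec.lifecycle_state(now), **dict(zip(("score", "reasons"), self.risk(aid, now)))}
                for aid, rec in self.agents.items()}

def demo(now: int = 1000) -> dict[str, dict]:
    fabric = AgentFabric()
    fabric.ingest(SAMPLE_LOG)
    return fabric.report(now)

if __name__ == "__main__":
    for aid, r in sorted(demo().items(), key=lambda kv: -kv[1]["score"]):
        print(f"{aid:18} {r['state']:8} risk={r['score']:3}  {'; '.join(r['reasons'])}")
```

Run against the constructed log at time 1000, the registry surfaces three of the risks from the list above: the partner bot (wildcard scope, no owner, a call to a tool it never declared) scores highest, the sidecar that never registered is flagged as a shadow agent, and the billing copilot is flagged for a zombie credential because it kept calling tools 200 seconds after its TTL lapsed. The weights are arbitrary; what matters is that each reason is recorded alongside the score so an operator can act on it.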

Why risk scores are essential for AI agents

Just as human users and service accounts have risk-based adaptive policies, agents require real-time risk scoring to:

  • Limit privilege sprawl by flagging over-privileged or stale agents and related standing privilege risks.
  • Trigger step-up controls for sensitive tasks, like financial transactions or data exports.
  • Prioritize security operations by identifying agents with high risk scores.

Without risk scores, all agents are treated equally – which is unsustainable in an environment where the number of agents will dwarf the number of human users.

Managing scale without losing control

To govern agentic AI effectively:

  • Implement an Agent Fabric as part of your identity architecture to unify discovery, registration, and governance.
  • Enforce just-in-time issuance and provisioning with short-lived, scope-bound credentials instead of static keys, so a leaked credential expires before it is useful.
  • Integrate policy-as-code (OPA/Rego, Cedar, IDQL) so each authorization decision is evaluated per request against current context rather than baked into static role assignments.
  • Ingest and analyze runtime observability logs, creating full-lifecycle visibility and auditability.
  • Calculate and monitor agent risk scores continuously, enabling adaptive policy enforcement such as step-up for sensitive actions.
  • Consolidate observability into a single pane of glass, spanning cloud, on-premises, and hybrid agent ecosystems.
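The second, third and fifth steps above form one enforcement path: an agent asks for a credential, a policy decides whether the requested scopes are within its least-privilege allowlist, a risk score decides whether a sensitive scope needs step-up, and what comes back is a short-lived signed token rather than a static key. The block below is an added example written for this post, not Strata or Maverics code and not OPA, Cedar or IDQL themselves; the policy is plain Python data standing in for a policy engine, and the signing key, policy entries, TTL caps and risk threshold are assumptions for the illustration.

```python
"""Just-in-time, short-lived agent credentials gated by a policy decision.

Added example, not Strata/Maverics code; the policy table stands in for a
policy-as-code engine (OPA/Cedar/IDQL). Signing key, policy entries, TTL caps
and the step-up risk threshold are assumptions made for this illustration.
"""
from __future__ import annotations
import base64, hashlib, hmac, json
from dataclasses import dataclass

SIGNING_KEY = b"example-only-key-do-not-use"  # assumption: a real deployment holds this in a KMS/HSM
STEP_UP_RISK_THRESHOLD = 50                   # risk score at or above which sensitive scopes need step-up
SENSITIVE_SCOPES = {"refunds:write", "data:export"}

# Policy as data: per-agent least-privilege scope allowlist and maximum token
# lifetime. The shape and entries are assumptions for this example.
POLICY = {
    "billing-copilot": {"allowed": {"invoices:read", "refunds:write"}, "max_ttl": 300},
    "catalog-bot": {"allowed": {"catalog:read"}, "max_ttl": 120},
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    token: str | None = None

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_token(agent_id: str, scopes: set[str], ttl: int, now: int) -> str:
    """HMAC-signed compact token: <base64url(claims)>.<base64url(signature)>."""
    claims = {"sub": agent_id, "scp": sorted(scopes), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str, now: int) -> dict | None:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if now >= claims["exp"]:
        return None
    return claims

def request_credential(agent_id: str, requested_scopes, risk_score: int, now: int,
                       ttl: int | None = None, step_up_verified: bool = False) -> Decision:
    """Policy decision plus JIT token issuance; fails closed on any mismatch."""
    entry = POLICY.get(agent_id)
    if entry is None:
        return Decision(False, "unregistered agent")
    requested = set(requested_scopes)
    over = requested - entry["allowed"]
    if over:
        # Deny rather than silently narrow: an over-scoped request is itself a signal.
        return Decision(False, f"over-scoped request: {sorted(over)}")
    if requested & SENSITIVE_SCOPES and risk_score >= STEP_UP_RISK_THRESHOLD and not step_up_verified:
        return Decision(False, "step-up required for sensitive scope at current risk")
    ttl = min(ttl or entry["max_ttl"], entry["max_ttl"])   # caller can shorten, never extend
    return Decision(True, "granted", mint_token(agent_id, requested, ttl, now))

if __name__ == "__main__":
    now = 1000
    for args in [("billing-copilot", ["invoices:read"], 20, now),
                 ("billing-copilot", ["refunds:write"], 70, now),
                 ("billing-copilot", ["hr:read"], 10, now),
                 ("unknown-agent", ["catalog:read"], 0, now)]:
        d = request_credential(*args)
        print(args[0], args[1], "->", d.allowed, d.reason)
    ok = request_credential("billing-copilot", ["invoices:read"], 20, now)
    print("claims now:", verify_token(ok.token, now))
    print("claims at +300s:", verify_token(ok.token, now + 300))
```

Two design choices are worth calling out. An over-scoped request is denied outright instead of being trimmed to the allowed set, because a registered agent asking for scopes it was never granted is exactly the over-privilege signal the risk score should see. And the token lifetime is capped by policy, not chosen by the requester, so the "ephemeral" property cannot be negotiated away by an agent asking for a long TTL.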

The Strata Identity perspective

At Strata, we believe the future of identity isn’t just human – it’s a hybrid of human + agentic identities. Our Maverics Platform extends your Identity Fabric into an Agent Fabric, enabling:

  • Continuous discovery and registration of agents across platforms, MCP frameworks, and inbound services.
  • Policy-based orchestration and risk-aware authorization for agents in real time.
  • Integration of runtime observability logs into a centralized identity and security view.
  • Calculation of dynamic agent risk scores to drive Zero Trust enforcement and compliance reporting.

We make it possible to manage agents as first-class identities with the same rigor, agility, and trust as your human users – because that’s what the agentic era demands.

The question isn’t whether you have an agent problem. It’s whether you even know how many agents are running in your environment right now – and what risks they pose.

The age of agentic AI is here. It’s time for your identity strategy to catch up.

Learn how Strata’s Maverics Identity Orchestration for Agents can unify your human, machine, and agent identities into a seamless fabric for the AI-driven enterprise. Join Strata’s Agentic Identity Preview