How are people handling identity for AI agents in production right now?
Hey r/devsecops — I’ve been spending a lot of time recently looking at how teams are handling identity and access for AI agents, and I’m curious how this is playing out in real environments.
Full disclosure: I work in this space and was involved in a recent study with the Cloud Security Alliance looking at how 200+ orgs are approaching this. Sharing because some of the patterns felt… familiar.
A few things that stood out:
- A lot of agents aren’t getting their own identity — they run under service accounts, workload identities, or even human creds
- Access is often inherited rather than explicitly scoped for the agent
- 68% of teams said they can’t clearly distinguish between actions taken by an agent vs a human
- Ownership is kind of all over the place (security, eng, IT… sometimes no clear answer)
None of this is surprising on its own, but taken together it feels like the identity model starts to get stretched once agents are actually doing work across systems.
Curious how others are dealing with this:
- Are you giving agents their own identities, or reusing existing ones?
- How are you handling attribution when something goes wrong?
- Who actually owns this in your org right now?
If useful, I can share the full write-up here: https://aembit.io/blog/introducing-the-identity-and-access-gaps-in-the-age-of-autonomous-ai-survey-report/