Using Agentic AI Safely: Identity Security for AI Agents

Without an identity, Agentic AI becomes a free radical

AI agents research, make decisions, place orders and manage processes. This makes them digital actors within the company. But who is actually taking the action? What is the agent permitted to do? And how can every action be traced?


In brief

AI agents make decisions, trigger actions, and access enterprise data — yet many organizations do not know who is actually acting on their behalf.

  1. Every AI agent needs its own identity. Otherwise, it remains unclear who is taking action.
  2. Permissions must be tightly restricted. Only for the specific task. Only for a limited time.
  3. Every action must be traceable. Otherwise, autonomy becomes a risk.

The Security Question

One AI agent compares supplier proposals. A second checks availability. A third prepares the purchase order. A fourth informs the relevant teams. What once required multiple process steps, systems, and approvals will increasingly run automatically in the background.

That is the promise of Agentic AI: AI systems do more than answer questions. They take on tasks, make decisions, and initiate actions. And that is precisely what changes the security equation.

As soon as AI agents interact with enterprise data, applications, and business processes, it is no longer enough to secure only the model itself. Organizations need answers to fundamental questions:

  • Who—or what—is actually taking action here?
  • What permissions does this agent have?
  • Who granted those permissions?
  • Can every action be traced and audited afterward?

The assistant becomes a key player

Many companies are already experimenting with generative AI. The next step involves AI agents that not only generate content but also take active action: researching, booking, ordering, approving, managing, or handing tasks over to other agents. 
In this way, agents become part of the digital value chain. They access data, use tools, communicate with systems and collaborate within multi-agent structures. A single agent may only be active for a few minutes. Other agents coordinate entire process chains. This is attractive for companies. Processes become faster, workflows more efficient, and the workload on employees is reduced. At the same time, a new vulnerability arises. Because every agent that is supposed to act productively needs access. And access without a clear identity is a risk.


The key question is: Who is acting?

In traditional IT environments, identity is clearly defined. Employees have user accounts. Applications have technical accounts. Services authenticate themselves using certificates, keys or tokens.
With AI agents, this logic becomes more complex. Agents can be short-lived, launch in large numbers simultaneously and pass tasks on to other agents. If they operate using pooled accounts, permanent credentials or overly broad permissions, dangerous gaps arise.
Compromised identities may remain active for too long. Permissions can propagate unchecked. And during an audit, it is no longer possible to clearly determine which agent performed which action. That is why every AI agent needs its own unique and time-limited identity.

Agentic AI requires a zero-trust approach

One security principle is particularly well-suited to AI agents: Zero Trust. The guiding principle is: Never Trust, Always Verify. No request is automatically considered trustworthy — not even if it comes from within the organisation’s own network. This is crucial for agents. They operate dynamically, in a distributed manner and often in changing contexts. That is why they should only be granted the rights they need for a specific task. Not permanently. Not across the board. But minimal, verifiable and revocable.
Zero Trust for AI agents means, among other things:

  • Unique identity: Each agent must be uniquely identifiable.
  • Least privilege: Rights are restricted to the minimum necessary.
  • Just-in-time access: Permissions apply only to the specific task.
  • Automatic revocation: Compromised or expired identities are quickly revoked.
  • Auditability: Every relevant action can be traced.


Frameworks such as SPIFFE/SPIRE can help to automatically issue short-lived, workload-specific identities and revoke them once the task is complete. This is particularly important because manual identity management processes can hardly keep up with the speed and scale of modern agent-based systems.
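The five properties listed above, as an added example that is not from the original article and does not use the SPIFFE/SPIRE API: a toy in-memory broker that issues one identity per agent and task, then allows or denies each action and records the decision. The class name, role, task and action strings and the result codes are hypothetical; a production system would issue cryptographically verifiable identities rather than keep a lookup table.

```python
import secrets
import time


class AgentIdentityBroker:
    """Hypothetical issuer: one identity per agent, scoped to one task."""

    def __init__(self, clock=time.time):
        self.clock = clock    # injectable so expiry can be exercised in tests
        self.grants = {}      # agent_id -> task, allowed actions, expiry
        self.revoked = set()
        self.audit = []       # append-only record of every decision

    def issue(self, role, task, actions, ttl_seconds):
        # Unique identity: never pooled between agents or reused across tasks.
        agent_id = f"{role}-{secrets.token_hex(8)}"
        self.grants[agent_id] = {
            "task": task,
            "actions": frozenset(actions),            # least privilege
            "expires": self.clock() + ttl_seconds,    # just-in-time access
        }
        self._log(agent_id, "issue", task, "ok")
        return agent_id

    def revoke(self, agent_id):
        self.revoked.add(agent_id)
        self._log(agent_id, "revoke", None, "ok")

    def authorize(self, agent_id, action, task):
        grant = self.grants.get(agent_id)
        if grant is None:
            result = "deny:unknown-identity"
        elif agent_id in self.revoked:
            result = "deny:revoked"
        elif self.clock() >= grant["expires"]:
            result = "deny:expired"
        elif task != grant["task"] or action not in grant["actions"]:
            result = "deny:out-of-scope"
        else:
            result = "allow"
        self._log(agent_id, action, task, result)     # denials are audited too
        return result

    def _log(self, agent_id, action, task, result):
        self.audit.append({"ts": self.clock(), "agent": agent_id,
                           "action": action, "task": task, "result": result})
```

Because denials are logged alongside allowed actions, the audit trail also shows when an agent attempted something outside its grant.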

"In brief: no autonomy without identity. No scaling without control," confirms Olaf Reimann, Marketing Manager for Cybersecurity at Telekom Security.

When agents talk to one another

AI agents often do not work alone. They hand over tasks, share interim results and pass on context. It is precisely these hand-offs that are critical to security. If a handover is tampered with, the wrong agent may receive information. If a message is re-sent, actions may be triggered twice or without authorisation. If the context is altered, the next agent may make the wrong decision. That is why agent-to-agent communication also requires clear security mechanisms: mutual authentication, encryption, integrity checks and traceable handovers. 
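The three hand-off failures described above (tampering, re-sending, wrong recipient), as an added example that is not from the original article: the sender seals the context with an HMAC over sender, recipient, nonce and expiry, and the receiver rejects anything altered, misdirected, expired or already seen. The function and class names and the shared per-pair key are assumptions; encryption and mutual authentication of the channel itself (for example mutual TLS) are left to the transport.

```python
import hashlib
import hmac
import json
import secrets
import time


def seal_handoff(key, sender, recipient, context, ttl=60, now=None):
    """Sender side: bind the context to sender, recipient, nonce and expiry."""
    now = time.time() if now is None else now
    body = {"from": sender, "to": recipient, "nonce": secrets.token_hex(16),
            "exp": now + ttl, "context": context}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


class HandoffReceiver:
    """Receiver side (hypothetical): verify first, parse second."""

    def __init__(self, name, key):
        self.name, self.key = name, key
        self.seen = {}    # nonce -> expiry, used as a replay cache

    def accept(self, envelope, now=None):
        now = time.time() if now is None else now
        payload = envelope["payload"].encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            raise ValueError("integrity check failed")
        body = json.loads(payload)
        if body["to"] != self.name:
            raise ValueError("wrong recipient")
        if now >= body["exp"]:
            raise ValueError("handoff expired")
        # Expired nonces can be forgotten: the expiry check above covers them.
        self.seen = {n: e for n, e in self.seen.items() if e > now}
        if body["nonce"] in self.seen:
            raise ValueError("replayed handoff")
        self.seen[body["nonce"]] = body["exp"]
        return body["context"]
```

With a shared symmetric key either party can produce a valid tag, so hand-offs that must be attributable to one agent in an audit need per-agent signatures instead.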

Control is not a hindrance

Security often sounds like added complexity. With AI agents, however, it is a prerequisite for scaling. A pilot project might still be manageable manually. A productive agent ecosystem is not. As soon as dozens, hundreds or thousands of agents take on tasks, companies need automated governance: identities, permissions, policies, logs and evidence must become part of the operating model.
The crucial management question is therefore not just: How do we use AI productively? It is: How do we create a framework in which AI agents can act productively without the company losing control? Whether agents become a competitive advantage or a vulnerability is not a purely technical question. It is a leadership decision.

Five questions to get you off to a safe start

  1. Does every agent have a unique identity?
  2. Are rights granted on a minimal and time-limited basis?
  3. Can the actions of agents be fully traced?
  4. Are handover procedures between agents properly secured?
  5. Is identity security integrated into development, deployment and operations?

Conclusion: No autonomy without identity

AI agents can speed up processes, support decision-making and make digital value creation more efficient. However, the more autonomously they operate, the more important identity, authorisation and traceability become. The answer is not to slow down Agentic AI. The answer is to provide it with a robust security framework:
Zero Trust, short-lived identities, least-privilege access, secure communication and comprehensive auditability.


A secure framework for artificial intelligence

How can AI agents be operated securely? What role does Zero Trust Identity Management play? And what architectural principles do organisations need for agent-to-agent communication, authorisation and auditability? The white paper “A Secure Framework for Artificial Intelligence – Zero Trust Identity Management for AI Agents” demonstrates in practical terms why identity is becoming the foundation of secure AI agents and how organisations can establish the right framework now.


Author: Olaf Reimann

Olaf Reimann is an experienced B2B marketing expert specialising in cybersecurity, digital marketing and technology-driven business models. As Marketing Manager for Cybersecurity at T Business, he translates complex security topics into clear messages for decision-makers. His focus is on making cyber risks understandable and positioning security solutions as the foundation for trust, resilience and sustainable growth.