Identity security comes for the agents

When it comes to managing AI agents, it’s important to understand identity.

That’s what Avihay Nathan, SVP of product management for machine and AI agents identity security at Palo Alto Networks, told IT Brew in a recent interview. With companies increasing their use of agents across the tech stack, it’s important to keep track of what’s allowed where.

“We are in a place where agents are evolving every day, getting delegated to perform actions on behalf of users, instead of users with their own identities, with the identity of the human who invoked them,” Nathan said. “Identity security quickly becomes this area where you can look at the entire risk from AI agents and manage it just like you would do for any human in the organization.”

Because agents are often “privileged identities from day one,” Nathan continued, it’s important to securely manage credentials. The process could include conducting an audit to separate the actions of humans and agents to show who is taking which actions.

“Right now, there isn’t a single solution in the market that, if I just built an agent and it does something, it deleted something on a system, it will show that I did it,” Nathan said. “If you don’t have a machine identity scale, it will just show I went into the database and deleted all of the customer’s data.”

Locator. One way to determine identity, biometrics provider Aware CEO Ajay Amlani said, is to have delegated authority for agents with human oversight. That allows for a clearer demarcation between the two, one easily defined by biometrics and credentials.

“When that agent is acting on your behalf, as long as it’s got the signed certificate that it’s acting on behalf of the human and it has the permissions necessary—that’s done with sort of simple cryptography, public/private key pairs,” Amlani said. “There are things like verifiable credentials and other types of transferable identity documents, where you can still certify that from the source that signature is actually received and that agent is acting on behalf of the customer.”

As agents take on a stronger role in day-to-day business workflows, and cyberattackers figure out how to use this technology to infiltrate organizations, identity management is essential; as Amlani put it, there are serious concerns over “reputational damage and brand damage as a result of these attacks” that can also result in major revenue loss.

“We now have the ability to be able to deal with agents, we have the ability to deal with businesses, we have the ability to deal with consumers—by going back to the ABCs of authentication and identification,” Amlani said.