Synthetic identities are the next step for security in an agentic age
“It’s not really a matter of trust, it’s a matter of capabilities,” machine learning exec tells IT Brew.
Skynet may have sent the Terminator back in time, but the all-powerful AI probably didn’t have to deal with something far more difficult: the headache of managing identity access for a hybridized workforce.
Today’s CIOs and sysadmins aren’t so lucky. They must navigate human and synthetic employee identities while ensuring inappropriate permissions aren’t granted to either. The rise of autonomous AI agents, which chain together processes and streamline workflows, has made it more difficult for humans to oversee these vital systems.
Some experts who spoke with IT Brew, like Avihay Nathan, SVP of product management, machine, and AI agent identity at Palo Alto Networks, endorse fully restricting permissions, or “zero standing privileges.” This is what you do for unpredictable outcomes, Nathan told IT Brew, both for anomalies in human behavior and for agentic actions that take place in digital space without oversight.
While implementing agentic AI is a goal for companies looking for productivity gains, CIOs and CISOs need to manage leakage and damage from misuse. It’s a delicate dance.
“From the identity security perspective, all of these different capabilities that we have developed through the years are the limbs that these agents need to have in order to effectively control,” Nathan said. “It’s not really a matter of trust, it’s a matter of capabilities.”
Even it out. The trick, AppOmni CISO Corey Michal told IT Brew, is finding the balance between allowing staff to utilize AI and ensuring they deploy it responsibly. Some knowledge of the tools that you’re allowing into the system is necessary. The role of the sysadmin is to institute an appropriate set of guardrails on how those tools are used and what they can access.
“We’re not trying to be super draconian and shut everything down, we’re trying to do this in a measured approach so we don’t take on a bunch of risks to the organization,” Michal said, adding that “it’s a really hard mix to get right, people’s expectations—something new is coming out every week.”
Leadership 101. Managing the difference between human and synthetic identities is one of the primary responsibilities for IT leaders, DTEX CEO Marshall Heilman said. Old paradigms around access and control were built around people, not automation; the speed of agents is a difference that needs to be handled.
The security concerns presented by machine speed are no joke. Compared to human identities, agents are less constrained by timing. That means that improper permissions and access can quickly spiral out of control.
“In this new world we find ourselves in, when you start having AI agents that can act autonomously, they are acting at machine speed, at the speed that computers operate,” Heilman told IT Brew. “Humans having to go and look through a bunch of alerts and trying to figure out what happened and then responding—you’re just so far behind what happened that if there is a malicious action or there’s something negligent that happens, you’re too far behind it to really prevent damage.”
Puzzle pieces. When gauging when to integrate agents into the system, Heilman said, it’s best to look to competitors. When companies you respect take action, it’s a good sign that the technology is ready, or close to ready. Gaps in permission and access can be solved as agents become more predictable.
“We have to be there for a little while before organizations will start unleashing these agents autonomously, in development environments, in testing environments, internally, doing things like onboarding,” Heilman said.
Michal told IT Brew that flexibility is important in tech workflows, but the control side can’t be left to chance. Agents offer the opportunity for boosted productivity but need restraint; providing staff with rules around how to use them is an essential task for IT leadership.
“Give people some guidance and communicate to them, because they usually want to do the right thing, even though they want to just move fast,” Michal said. “If they have some guidance, they will generally follow it.”
About the author
Eoin Higgins
Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.