AI Agents and the Limits of Traditional Identity and Access Models
AI Agents and the Limits of Traditional Identity & Access Models is a Cloud Security Alliance Agentic AI Summit session with Hillary Baron of CSA and Apurva Dave of Aembit. It summarizes CSA and Aembit's Identity and Access Gaps in the Age of Autonomous AI survey report, which examines how enterprises are handling autonomous agents that act across applications, infrastructure, and data systems.
The useful finding is not that agents create an unprecedented class of risk. It is that they break old IAM assumptions in ordinary ways. The report and talk describe agents running under application or workload identities, shared service accounts, and sometimes human identities. That lets teams ship faster, but it weakens attribution: a log may show that an action was authorized while still failing to show whether a human, an agent, or an agent acting for a human actually initiated it.
The strongest section is the access-inheritance problem. CSA's public artifact says most AI agents lack distinct identities and inherit existing permissions. Aembit's report page says agents are often operating under borrowed identities, inherited permissions, and credentials nobody is rotating. In the talk, that becomes an operational warning: access designed for a person, service account, or automation context may be valid in the IAM system but wrong for the agent now using it. That belongs beside AI Agent Identity, AI Audit Trails, Confused Deputy Problem, and the site's Authority Gap review.
The practical answer is not only better prompt filtering. The session's sharper question is why the agent has broad or durable credentials in the first place. The proposed control pattern is familiar from workload identity: centrally enforced policy, just-in-time privileges, short-lived scoped credentials, user-plus-agent context, and logs that record the user, the agent, the policy triggered, the identity credential type, and the access credential issued. That maps to OAuth Token Exchange, SPIFFE Workload Identity, Agent Tool Permission Protocol, and enterprise MCP security.
Evidence and limits: this is a CSA/Aembit summit presentation based on a survey Aembit commissioned and CSA analyzed. A BusinessWire release says the survey received 228 IT and security professional responses in January 2026. The presentation is useful for surfacing practitioner patterns, but it is not an independent audit of Aembit's product, not a proof that any one agent IAM architecture is sufficient, and not a benchmark of agent safety. Its value is the checklist: give agents distinct identities, avoid inherited human access, rotate or replace credentials, bind access to task context, preserve attribution, and prefer policy changes over killing the whole compute environment after something goes wrong.