Operationally, this is the single biggest cause of "non-secure" portfolios. Every agent is onboarded into the same identity system the company uses for human privileged accounts. No exceptions.
Each agent has:
- A unique identity — a service principal, agent identity object (e.g., Entra Agent ID), or dedicated SSO user. Named, attributable.
- A documented access scope — which APIs, which data, which systems, at which permission level. Written into the Agent Card.
- Rotatable, revocable, audited credentials. Never shared between agents.
- A human owner — the Department Champion or Builder. The agent's actions trace back to a real person.
- A managed lifecycle — provisioned at Build, reviewed quarterly, de-provisioned at Retirement.
Operational rules:
- Use the company IdP for agent identities. Do not build a parallel system.
- Apply least privilege. An agent that emails customers does not need write access to finance.
- Separate capabilities. An agent needing CRM read + Gmail send gets two scoped credentials, not one super-account.
- Same provisioning / de-provisioning workflow as human privileged accounts.
- Every API call is logged against the agent's identity. No anonymous service calls.
This is the AI version of service-account sprawl in classical IT. Companies that don't lock it down early end up with hundreds of agent credentials they cannot safely revoke.