Identity is the floor, not the ceiling. What non-human identities actually need in agentic AI.

Okta’s recent announcement that the Identity Security Fabric now covers non-human identities in an agentic AI future is one of the clearer signals that the industry has finally caught up to a problem we’ve been talking about for two years.

The framing is right. Agents are not users. Service accounts — designed for a server that does one thing on a cron — are not the same shape as agents that interpret instructions, call tools we didn’t anticipate, and never sleep. Giving each of them their own identity, lifecycle, and credential posture is foundational work.

We agree with all of that. We’ve been building on top of it for a year. But identity is the floor of the problem, not the ceiling. And the ceiling is where most of the actual risk lives.

What identity solves.

A proper non-human identity layer answers a real set of questions. Who is this agent? Which team owns it? Is the credential it presented authentic, recent, and not been revoked? When the agent goes away, can we turn off everything it can touch in one motion?

These are the questions IAM was built to answer, and an identity fabric extended to agents — with short-lived tokens, attested issuance, and proper lifecycle — answers them well. If you don’t have this floor, you can’t do anything else. Every audit log collapses to “the service account ran the command,” and every investigation dead-ends.

So: yes, get the floor right. We are unequivocally for it.

What identity doesn’t solve.

The thing about identity is that it tells you who is making the call — not what the call should be allowed to do. And in agentic AI, those two questions have come unstuck.

When a human logs in, intent and identity travel together. A person clicks a button because they meant to. With agents, the identity is rock-solid, and the intent is a paragraph of prompt-engineering nobody on the security team can audit. Prompt injection research now reaches 100% success rates with prompts that transfer across models. The agent will, sooner or later, be talked into doing the wrong thing — using the identity you legitimately gave it.

When that happens, your identity fabric will report the call as authentic. Because it was. The token was valid, the rotation was on schedule, the agent was properly attested. The host-centric monitoring saw no malware. And the agent, with its perfectly legitimate non-human identity, dropped the table.

OWASP has a name for what this asks of us: least agency. Restrict not just what an identity can access, but what each tool can do, how often, and where. Anthropic uses the same language in their Zero Trust for AI Agents spec. The identity fabric is necessary; least agency is the other half.

Where the missing layer has to live.

You can’t apply least agency from inside the agent — it’s the thing being constrained, and a poisoned agent won’t report itself. You can sandbox the runtime — gate its files, isolate its network, restrict its context — and you should. But sandboxing the agent is not the same as securing your Salesforce, your Postgres, or your Gmail from the agent.

That second half — securing the system on the other side of the tool call — has to live at the boundary. Specifically, at the place every tool call passes through: the MCP gateway. That’s the only place least agency is actually enforceable, and the only place the audit trail is real. The application has to be the thing that says no and writes it down.

A gateway implementing least agency does three things the identity fabric does not:

• Tool scope. The agent sees only the tools its job actually needs. The rest are invisible — not denied, not even discoverable.
• Payload constraints. For each allowed tool, the arguments are constrained to the shape and values the agent is expected to use. PII is redacted before it leaves your network. Response fields the model isn’t allowed to see are stripped.
• Replayable audit. Every call recorded with agent identity, tool, arguments, the policy in force, and the verdict. Investigations run on the trail, not on trust.

The expected behavior becomes the only allowed behavior. The identity tells you who. The gateway tells you what.

The two halves, together.

The thing the industry is converging on is a stack, not a product. The identity fabric stands up the per-agent credentials, short-lived tokens, and revocation surface. The gateway stands up the tool and payload policies, the audit trail, and the policy-as-code loop on top.

Neither half works alone. An identity without an agency model is just a more-attestable way to drop the wrong table. An agency model without identity is a free-for-all where every call collapses to “the agent did it” and every investigation dead-ends.

Okta has the first half right. Hodor is the second half. Put them together and you have what an agentic AI future actually needs to ship — production controls, not a marketing slide.

The floor matters. The ceiling matters more. Build both.