Runtime Identity: Why AI Agents Need More than Credentials

There is endless opportunity for your business with agents. From opening new agentic channels of revenue that may outgrow traditional ones and giving customers instant and satisfying experiences, to multiplying the productivity of your employees. But agents come with risks.

Agents, like humans, are non-deterministic. That means they make decisions that can vary, and set their own goals and next steps. They may decide that the easiest way to accomplish the next step of their task, is to circumnavigate your security controls. What if a customer-facing chatbot decides that the easiest way to help the customer change their address, is to delete the user and create a new one with the right address? Things like this are absolutely possible in the new world of AI Agents with access to your systems.

If you’re relying on access controls based on standing credentials and the same privileges as the humans they’re acting on behalf of, that leaves gaps for their unpredictable behavior and big security risks for you! There are several key pieces that help define who an agent is, and who they’re acting on behalf of, that will help you ensure the runtime control to leverage them safely.

Get ready, as we dive into an identity-centric approach to enabling agents in your business securely that you can start using today!

Agents are Identities

AI agents have the same non-deterministic unpredictability in how they’ll behave that human users do, but none of the consequences if they act maliciously. Like human users, it’s critical to tie identities to your agents. Agents MUST be identified and registered as first-class citizens.

Registering users (agents or humans) is a key component of identity. It ensures that your users have the appropriate privileges. It ensures a marketing user can’t see the salaries of everyone at the company. It ensures one user can’t see another user’s information. This concept has been baked into identity solutions for decades. But agents require more.

Defining Agentic Relationships

Webster defines an agent as “a person or thing that acts on behalf of another.” That “on behalf of” is key. They are delegates, executing someone’s intent and authority. An agent (like your real estate agent, your travel agent, or your human assistant) is acting on your behalf. They may be able to make purchases for you, but not for your neighbor. Also like your human agent delegates, AI agents may need approval for high-risk actions from their human delegates. That’s human in the loop, and it’s critical for AI agents.

Identity and access management (IAM) is a specialized area of cybersecurity that has dealt with securing businesses through understanding who users are for decades. More recently, the IAM industry has defined systems for how those identities relate to each other, how they can and can’t act on each other’s behalf. Those same concepts need to be present with your AI agents.

Any User Type and Any Agent Type

Like users, agents come in many varieties. A few broad categories are:

• Customer digital assistants: These are an early, very common type of service chatbot agent that many organizations are leveraging. To be truly helpful and help businesses scale personalized support and services, they need to do more than chat. They need access to customer profiles, case history, and sensitive data without being over-privileged. They even need to be able to act on a customer's behalf, doing things like adding items to their shopping cart.
• Employee digital assistants: Businesses will fall behind if they don’t invest in and augment their workforce with AI agents. AI copilots or agents that query systems, knowledge bases, and tools on behalf of employees and help them become more efficient are becoming a critical, but often insecure, new way of life for today’s businesses.

• Customer personal agents: Whether you like it or not, your customers are using tools like OpenClaw and ChatGPT Operator. Eventually, customers will shy away from businesses who don’t allow them to use their agentic personal assistants.

Businesses must cater to all of these agent types, just like they cater to their employees, partners, customers, and various types of human users. And like their human counterparts, these different types of agents have different needs and security controls that should be implemented through a single identity-aware architecture.

Like human users, agent actions can’t be repeatedly predicted. But unlike users, they move faster and at a greater scale than humans will ever be able to. Businesses have to put all of the above components together and evaluate them at runtime to properly secure their agentic enterprise.

1. Businesses cannot rely on credentials derived from entitlements created at a point in time with the agent (admin-time entitlements).
2. Businesses cannot mistake an agent for an isolated identity. Like Webster’s definition of agent, they are delegates of users who inherit subsets of their permissions. Occasionally, they may need to ask a real human user permission to perform a sensitive action.
3. Agents are not one-size-fits-all. Like you have many user types both inside and outside of the digital walls of your business, so too do you have various types of agents. Some you control, and some you don’t.

These three core components of identity must all be evaluated at runtime to keep up with the scale and speed of this new agentic era.

You can exemplify runtime vs admin time access control using a simpler, human agent example. Picture you have a travel agent. You give them signed permission to book travel for you and they file it away. You book a vacation with them and it's great. Years later, they book a 5-star hotel stay for you that you didn't ask for. When you complain, they dust off the original agreement and say, "Technically, we had permission."

Compare that to a situation where the current scenario and context evaluation control every action the travel agent takes. If they book over a certain amount they need your approval. They must adhere to certain budget constraints, and those fine-grained authorization rules are evaluated as the action happens.

Agents can and have gone off the rails in this way. For example, a rogue AI agent at Meta exposed sensitive company and user data by acting, with valid credentials, in unintended ways.

Ping’s Identity for AI solution manages runtime access by bringing all three of these elements together, and evaluating them in real time.

1. Using Ping as an identity provider authenticates your users.

2. Ping’s recently released Identity for AI solution has an Agent Core service, which registers agents (treating them as first-class identities), and ties them to human users.

3. Where required, you can use Ping’s Agent Gateway to securely translate agent relationships and access rules to your MCP enabled apps.

Ping’s Agent Gateway is an extension of the PingGateway service which can also translate delegated agentic tokens to apps that are not MCP enabled for companies that require it.

The agentic era is here. The question is: Are you ready for it? Your customers are going to expect that you work with the personal agentic assistant that is changing their lives (even if they refuse to install your agent browser extension). Your business will fall behind your competitors if you don’t augment your workforce with AI agents. You’ll miss out on what ends up being the largest revenue stream of your competitors if you don’t enable a new channel of agentic commerce.

To get your business ready for this new agentic era and the speed, scalability, and unpredictability that will come with it, you must treat agents as users. You must delegate their activities and tie them to their human counterparts. You must enable all agents, not just those within the walls of your business. And you must evaluate all of this at runtime. That’s runtime identity.