Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
AI Agent Classes and Use Cases | Ping Identity
Identity Fundamentals
Identity and Access Management
Agentic AI
B2B Identity and Access Management
Identity Providers and Service Providers
Centralized Identity Management
What is Centralized Identity Management?
How Does Centralized Identity Management Work?
Centralized Identity Standards
SAML
OAuth
OpenID Connect (OIDC)
Decentralized Identity Management
What is Decentralized Identity Management?
How Does Decentralized Identity Management Work?
How is Decentralized Identity Different?
Decentralized Identity Standards
Common Terms
Zero Trust Security
Orchestration
Authentication
Single-factor, Two-factor, and Multi-factor Authentication
Passwordless Authentication
FIDO (Fast Identity Online)
Risk-based Authentication
Certificate-based Authentication
Token-based Authentication
Single Sign-On (SSO)
Federated Identity Management
Continuous Authentication
CHAP Authentication
Authorization
Authorization Methods
User and Account Provisioning
Single Sign-on with a Directory
Dynamic Authorization
Protocols
LDAP
SCIM
WebAuthn
Kerberos
WS-Trust
Verification
Expand All | Collapse All

AI Agent Classes and Use Cases

There are many types of AI agents and use cases. When considering how IAM systems should support AI agents, there are some key attributes of agentic systems that should help guide decision-making.

 

Outbound Interaction - API vs. GUI

A key factor influencing IAM strategy is how the agent interacts with external systems. Two broad categories are:

  1. API-Interacting Agents

    • Definition: These agents programmatically call APIs to request or mutate data. They typically rely on OAuth2, API keys, or similar token-based credentials.

    • Challenges: Accurately identifying and scoping permissions for the agent; ensuring tokens cannot be misused or replayed by unauthorized parties.

  2. GUI-Interacting Agents (CUA)

    • Definition: These agents emulate human behavior by “controlling” a browser, applications, or other GUI elements in a manner reminiscent of screen scraping.

    • Challenges: Agent detection (differentiating between human users, bots, and malicious bots), agent authentication (without those agents impersonating users), and MFA challenges suitable for agent driven sessions.

 

While API interacting agents can be managed using standard OAuth authorization models, CUAs require dedicated authentication flows, because agents should never impersonate users, and users should never share their credentials with agents.

 

Additional Agent Attributes

Certain agent attributes are especially relevant to how organizations choose to manage access:

  1. Agent Ownership & Control

    • Managed agent: The agent is operated by the enterprise

    • Personal agent: The agent is brought by the individual – bring-your-own-agent

  2. Agent Supervision

    • Attended: Human-in-command; the agent is actively in interaction with a human user

    • Semi-Supervised: Human-in-the-loop or human-on-the-loop; the agent has some human supervision/interaction at key points in time

    • Unattended: The agent is autonomous

  3. Agent Access

    • Own Account: The agent has its own credentials and access

    • On-Behalf-Of: The agent acts on behalf of a user and has delegated access

  4. IAM Segment

    • Workforce: The agent receives prompts and inputs from employees/internal users

    • CIAM: The agent receives prompts and inputs from customers/external users

 

Example Agentic AI Use Cases

Based on the use case for a given AI agent, the IAM solution may vary. Ping identity categorizes agents into four types, each serving a distinct use case with its own trust and security considerations:

 

An image showing Unmanaged Agents which are Personal Agents Your agent works for you and Managed Agents which are Digital Assistants for consumers Our agents work for you digital assistants for workforce Our agent works for us and digital workers Our agent solves tasks autonomously

 

Personal Agent

A personal agent can be accessed on your device and perform a wide array of tasks for you. For example, you might prompt ChatGPT to aggregate the best flight deals between airlines.

 

Personal agents are unmanaged agents that are governed by a third party.

 

Example Scenarios:

  • Retail: a user using an agent to do shopping

  • Financial Services / Insurance: a user using an agent to aggregate financial information and summarize, recommend further actions, etc.

Key Attributes:

  • Ownership: Bring your own agent

  • Interaction style: CUA or MCP

  • Supervision: Supervised

  • Access: On behalf of a user

  • Segment: Primarily CIAM

Main IAM Challenges:

  • Identification – differentiating between legitimate, helpful agents and adversarial bots

  • Avoiding impersonation – agents should be authenticated and authorized as such, and should never impersonate human users

  • Out-of-band user authentication and authorization – the human user should be prompted for agent’s operations on their behalf

 

Digital Assistant for Consumers

Digital assistants for consumers are customer-facing agents owned by an organization to help users complete specific tasks, such as a chatbot that assists with booking an appointment.

 

Unlike a personal agent, a digital assistant is a managed agent that’s created and governed by your organization. They interact directly with users, but often require access to protected information to complete user requests.

 

Example Scenarios:

  • Retail: a chatbot is integrated into a web application, and the customer can interact with it with natural language (e.g. “get me the groceries for a potato soup, have them delivered to me around 6pm” when interacting with an online grocery store)

  • Financial Services / Insurance: an AI advisor or broker helps clients invest

Key Attributes:

  • Ownership: Managed

  • Interaction style: MCP

  • Supervision: Semi-Supervised / Unsupervised

  • Access: On behalf of a user

  • Segment: CIAM

Main IAM Challenges:

  • Delegated permissions – the agent interacts with APIs like a standard application but it needs to be restricted under the user permissions, and only to the operations the user consented to.

 

Digital Assistant for Workforce

Digital assistants for workforce are similar to digital assistants for consumers. They’re agents managed by your organization, they need to access backend resources to perform tasks on behalf of the user, and they’ll use MCP and Agent2Agent (A2A) protocol to do so.

 

However, digital assistants for workforce are targeted internally to increase the efficiency of an organization, and the end user is an employee within the organization’s purview.

 

Example Scenarios:

  • An HR chatbot that helps employees submit time off requests

  • A chatbot integrated into the admin console that helps simplify troubleshooting

Key Attributes:

  • Ownership: Managed

  • Interaction style: MCP

  • Supervision: Semi-Supervised/Unsupervised

  • Access: On behalf of a user

  • Segment: Workforce

Main IAM Challenges:

  • Delegated permissions – the agent interacts with APIs like a standard application but it needs to be restricted under the user permissions, and only to the operations the user consented to.

 

Digital Worker

A digital worker is a managed agent that’s semi-autonomous to fully autonomous within an enterprise designed to perform internal tasks.

 

Similar to an intern with a simple set of tasks who checks in periodically to ensure they’re on the right path, a digital worker performs tasks on its own and checks in with a human when required.

 

Example Scenarios:

  • An agent that autonomously manages inventory and coordinates logistics

  • A digital employee working as part of a hybrid team with human employees

Key Attributes:

  • Ownership: Managed

  • Interaction style: MCP

  • Supervision: Unsupervised / Semi-Supervised

  • Access: Own account

  • Segment: Workforce

Main IAM Challenges:

  • Non human identity (with access to applications intended for human use)

  • Agent / human custodian relationship and authorization

Start Today

Contact Sales

sales@pingidentity.com

See how Ping can help you deliver secure employee, partner, and customer experiences in a rapidly evolving digital world.