There are many types of AI agents and use cases. When considering how IAM systems should support AI agents, there are some key attributes of agentic systems that should help guide decision-making.
A key factor influencing IAM strategy is how the agent interacts with external systems. Two broad categories are:
API-Interacting Agents
Definition: These agents programmatically call APIs to request or mutate data. They typically rely on OAuth2, API keys, or similar token-based credentials.
Challenges: Accurately identifying and scoping permissions for the agent; ensuring tokens cannot be misused or replayed by unauthorized parties.
GUI-Interacting Agents (CUA)
Definition: These agents emulate human behavior by “controlling” a browser, applications, or other GUI elements in a manner reminiscent of screen scraping.
Challenges: Agent detection (differentiating between human users, bots, and malicious bots), agent authentication (without those agents impersonating users), and MFA challenges suitable for agent-driven sessions.
While API-interacting agents can be managed using standard OAuth authorization models, CUAs require dedicated authentication flows, because agents should never impersonate users, and users should never share their credentials with agents.
Certain agent attributes are especially relevant to how organizations choose to manage access:
Autonomy vs. Delegation
Acting on behalf of a user: The agent acts on behalf of a user under the user’s identity.
Acting under its own identity: The agent acts as an independent entity. It is provisioned as a distinct principal with dedicated credentials.
Supervision
Attended: a human user interacts with the agent in real time and can supervise and respond to the agent's activity.
Unattended: the agent is acting without real-time human supervision. Interaction with a human supervisor requires out-of-band notification to the user.
Ownership
Managed: The agent is created, provisioned, and governed centrally by the organization.
Unmanaged / Bring Your Own Agent: Employees or customers may “bring” an external agent into the environment.
Segment
Workforce
CIAM
Based on the use case for a given AI agent, the IAM solution may vary.
A CUA executes remotely within a sandboxed environment, running an automated browser instance.
Example scenarios:
CIAM (Retail): a user using an agent to do shopping
CIAM (Financial Services / Insurance): a user using an agent to aggregate financial information and summarize, recommend further actions, etc.
Workforce: an employee using an agent to help do office work more efficiently.
Key Attributes:
Identity: On behalf of a user
Supervision: Attended
Segment: Both, though CIAM is likely to adopt faster
Ownership: Bring your own agent
Main IAM Challenges:
Identification – differentiating between legitimate, helpful agents and adversarial bots.
Avoiding impersonation – agents should be authenticated and authorized as such, and should never impersonate human users.
Out-of-band user authentication and authorization – the human user should be prompted for agent’s operations on their behalf.
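The three CUA challenges above (telling an agent session apart from a human one, authenticating the agent under its own credential rather than the user's, and prompting the user out-of-band before the agent acts on their behalf) can be seen together in one flow. The following is an added example, not code from the original page or from Ping: a relying party authenticates the agent with an agent credential, binds that session to the user it is delegated to act for, and for sensitive operations issues an approval request that only the delegating user can resolve over a separate channel. Agent ids, secrets, operation names and the `RelyingParty` class are all constructed for illustration.

```python
"""Out-of-band user approval for a GUI-interacting agent (CUA).

Constructed example (not code from the original page): a relying party
authenticates the agent with the agent's own credential, binds the agent
session to the user it is delegated to act for, and requires that user to
approve sensitive operations over a separate channel before the agent may
proceed. All agent ids, secrets and operation names are made up.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed agent registry: agent_id -> SHA-256 of the agent's own secret.
# Users never hand their credentials to the agent; only agent credentials live here.
AGENT_SECRETS: Dict[str, str] = {
    "shopping-agent-v1": hashlib.sha256(b"agent-secret-demo").hexdigest(),
}

# Operations that always require the delegating user's out-of-band approval.
STEP_UP_OPERATIONS = {"place_order", "change_shipping_address"}


@dataclass
class AgentSession:
    agent_id: str
    on_behalf_of: str  # the user who delegated to this agent
    session_id: str


@dataclass
class ApprovalRequest:
    request_id: str
    session_id: str
    operation: str
    expires: float
    status: str = "pending"  # pending | approved | denied | consumed


class RelyingParty:
    def __init__(self, approval_ttl: float = 300.0):
        self.sessions: Dict[str, AgentSession] = {}
        self.approvals: Dict[str, ApprovalRequest] = {}
        self.approval_ttl = approval_ttl

    def authenticate_agent(self, agent_id: str, agent_secret: str, on_behalf_of: str) -> str:
        """Agent-only login: the session is recorded as an agent acting for a user,
        so downstream logic can tell it apart from a human session."""
        expected = AGENT_SECRETS.get(agent_id)
        presented = hashlib.sha256(agent_secret.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, presented):
            raise PermissionError("agent authentication failed")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = AgentSession(agent_id, on_behalf_of, sid)
        return sid

    def perform(self, session_id: str, operation: str,
                approval_id: Optional[str] = None) -> dict:
        """Execute an operation; step-up operations need a matching, unconsumed approval."""
        session = self.sessions.get(session_id)
        if session is None:
            raise PermissionError("no agent session")
        if operation not in STEP_UP_OPERATIONS:
            return {"status": "done", "operation": operation,
                    "actor": session.agent_id, "subject": session.on_behalf_of}
        if approval_id is None:
            req = ApprovalRequest(secrets.token_urlsafe(8), session_id, operation,
                                  expires=time.time() + self.approval_ttl)
            self.approvals[req.request_id] = req
            # Here the user would be notified on their own device or channel.
            return {"status": "approval_required", "approval_id": req.request_id}
        req = self.approvals.get(approval_id)
        if req is None or req.session_id != session_id or req.operation != operation:
            raise PermissionError("approval does not match this session and operation")
        if req.status != "approved" or time.time() > req.expires:
            raise PermissionError(f"approval not usable (status={req.status})")
        req.status = "consumed"  # single use: a replayed approval id is rejected
        return {"status": "done", "operation": operation,
                "actor": session.agent_id, "subject": session.on_behalf_of}

    def user_decides(self, approval_id: str, user_id: str, approve: bool) -> None:
        """Called from the user's own authenticated channel, never by the agent."""
        req = self.approvals.get(approval_id)
        if req is None or req.status != "pending":
            raise PermissionError("no pending approval with that id")
        if self.sessions[req.session_id].on_behalf_of != user_id:
            raise PermissionError("only the delegating user may decide")
        req.status = "approved" if approve else "denied"


if __name__ == "__main__":
    rp = RelyingParty()
    sid = rp.authenticate_agent("shopping-agent-v1", "agent-secret-demo", "alice")
    first = rp.perform(sid, "place_order")
    print(first)  # approval_required, with an approval id for the user's channel
    rp.user_decides(first["approval_id"], "alice", approve=True)
    print(rp.perform(sid, "place_order", first["approval_id"]))  # done
```

Two design points matter here: the approval is bound to a specific session and operation and is consumed on use, so an approval cannot be reused for a different action or replayed; and `user_decides` is reached only from the user's own channel, which is what keeps the agent from approving its own requests.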
An API-interacting agent, managed by the organization, is integrated into existing applications (e.g. as a sidebar agent) or deployed as a standalone application (e.g. a custom GPT). This type of agent is often used to provide customer service, technical support, or other types of assistance.
Example Scenarios:
CIAM (Retail): a chatbot is integrated into a web application, and the customer can interact with it with natural language (e.g. “get me the groceries for a potato soup, have them delivered to me around 6pm” when interacting with an online grocery store)
CIAM (Financial Services / Insurance): an AI advisor or broker, external to the specific platform, integrates with public APIs of the platform or interacts with the GUI.
Workforce: an in-org custom GPT where an employee interacts with an AI agent via a chat interface. The agent tools may interact with corporate systems over APIs.
Key Attributes:
Identity: On behalf of a user
Supervision: Attended / Unattended
Segment: Both
Ownership: Managed
Main IAM Challenges:
Delegated permissions – the agent interacts with APIs like a standard application, but it must be restricted to the user's permissions, and only to the operations the user consented to.
This type of agent is a fully managed digital employee that interacts with internal systems using APIs and/or GUI. It has its own identity within the organization, acting as an autonomous entity, rather than on behalf of another user.
Example scenarios:
A digital employee working as part of a hybrid team with human employees.
An agent as part of a team of agents responsible for a specific task / domain within the organization.
Key Attributes:
Identity: Autonomous
Supervision: Unattended
Segment: Workforce
Ownership: Managed
Main IAM Challenges:
Non-human identity (with access to applications intended for human use)
Agent / human custodian relationship and authorization.
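The delegated-permissions challenge of the managed API-interacting agent and the custodian relationship of the autonomous agent are two sides of the same resource-server decision, so one added example covers both (this is illustrative code, not from the original page or from Ping). A delegated token carries the user as `sub` and the agent in the `act` claim, the actor claim defined by RFC 8693 (OAuth 2.0 Token Exchange); the resource server checks that the token's scopes fall within both the user's own permissions and what that user consented to for that agent. An autonomous agent's token carries the agent as `sub`; the server checks that the agent is a registered identity, that its human custodian is still active, and that the scopes fall within the agent's entitlement. The HS256 signing key, audience, consent store, agent registry and custodian status table are all constructed for illustration.

```python
"""Resource-server authorization for delegated and autonomous agent tokens.

Constructed example (not code from the original page). Tokens are HS256 JWTs
signed with a demo key; the `act` claim layout follows RFC 8693. The consent
store, agent registry and custodian table below are made-up sample data.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Set, Tuple

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real deployment uses the IdP's keys
AUDIENCE = "https://api.example.internal/orders"  # constructed resource identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint an HS256 JWT (stands in for the authorization server in this example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Check signature, audience and expiry; return the claims on success."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) < time.time():
        raise PermissionError("wrong audience or expired token")
    return claims


# Constructed sample data for the two agent types.
USER_PERMISSIONS: Dict[str, Set[str]] = {"alice": {"orders:read", "orders:create", "orders:delete"}}
USER_CONSENT: Dict[Tuple[str, str], Set[str]] = {  # (user, agent) -> scopes the user granted
    ("alice", "shopping-agent"): {"orders:read", "orders:create"},
}
AGENT_REGISTRY: Dict[str, dict] = {  # autonomous agent -> custodian and entitlement
    "reconciliation-agent": {"custodian": "bob", "scopes": {"orders:read", "ledger:write"}},
}
CUSTODIAN_STATUS: Dict[str, str] = {"bob": "active"}


def authorize(token: str, required_scope: str) -> dict:
    """Decide whether the bearer may perform an operation needing required_scope."""
    claims = verify_jwt(token)
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        raise PermissionError("token lacks required scope")

    actor = claims.get("act")
    if actor:
        # Delegated: sub is the human user, act.sub is the agent acting for them.
        user, agent = claims["sub"], actor["sub"]
        allowed = USER_PERMISSIONS.get(user, set()) & USER_CONSENT.get((user, agent), set())
        if not granted <= allowed:
            raise PermissionError("token scopes exceed user permissions or consent")
        return {"mode": "delegated", "user": user, "agent": agent}

    # Autonomous: sub is the agent's own identity; a human custodian must stand behind it.
    agent = claims["sub"]
    entry = AGENT_REGISTRY.get(agent)
    if entry is None:
        raise PermissionError("unregistered agent identity")
    if CUSTODIAN_STATUS.get(entry["custodian"]) != "active":
        raise PermissionError("custodian not active; agent access suspended")
    if not granted <= entry["scopes"]:
        raise PermissionError("token scopes exceed agent entitlement")
    return {"mode": "autonomous", "agent": agent, "custodian": entry["custodian"]}


if __name__ == "__main__":
    exp = time.time() + 60
    delegated = sign_jwt({"sub": "alice", "aud": AUDIENCE, "exp": exp,
                          "scope": "orders:read", "act": {"sub": "shopping-agent"}})
    autonomous = sign_jwt({"sub": "reconciliation-agent", "aud": AUDIENCE, "exp": exp,
                           "scope": "ledger:write"})
    print(authorize(delegated, "orders:read"))
    print(authorize(autonomous, "ledger:write"))
```

The intersection in the delegated branch is the point of the "restricted under the user permissions" challenge: a scope the user never held, or never consented to for this particular agent, is rejected even if the token names it. In the autonomous branch, tying access to the custodian's status gives the organization one place to suspend an agent when its human owner leaves or changes role.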