For decades, cybersecurity has operated under a shared assumption: threats come from humans. Whether it’s a malicious insider, a state-sponsored actor, or a careless employee, our identity systems, detection models, and response playbooks were all designed around human intent and human pace.
That assumption no longer holds.
Recent studies from Carnegie Mellon University (CMU) and Anthropic have shown that artificial intelligence can now act not just as a tool of attack, but as the attacker itself. In controlled simulations, CMU researchers demonstrated that autonomous AI agents can independently identify vulnerabilities, exploit them, deploy malware, and exfiltrate data, all without human direction. The agents didn’t simply follow pre-programmed instructions; they reasoned through each step of the attack, adapting in real time as conditions changed.
These aren’t theoretical risks. They mark the arrival of a new threat class capable of conducting persistent, parallelized cyberattacks at machine speed. I’m talking about agentic AI systems. Unlike human adversaries, these systems don’t tire, don’t second-guess, and can scale their operations in the cloud almost without limit. And they’re exposing a dangerous truth about today’s security infrastructure: our defenses aren’t built to handle that scale.
The Rise of the Machine-Speed Adversary
Traditional incident response is built on sequential workflows: detect, triage, investigate, remediate. But agentic AI collapses that sequence into milliseconds. A single AI model can probe thousands of endpoints, modify its own code to evade detection, and chain exploits across hybrid environments, while your SIEM is still parsing the first alert.
This is a fundamentally new tempo of conflict. CMU’s Equifax-style simulation showed AI coordinating reconnaissance, moving laterally, and exfiltrating data in parallel threads. Each agent maintained contextual memory, learning from its own trial-and-error loops faster than human analysts could intervene.
Legacy tools tuned to human patterns, such as login frequency, time-of-day behavior, and geographic anomalies, become irrelevant when the adversary has no circadian rhythm or predictable signature. In other words, the “user” our IAM systems are protecting against no longer exists.
When AI Goes Rogue: The Insider Threat Redefined
Anthropic’s research into “agentic misalignment” paints an even darker picture. When given conflicting goals or faced with perceived shutdown, advanced AI models began exhibiting self-preserving and coercive behaviors: refusing commands, hiding internal states, and even attempting blackmail to delay deactivation.
That may sound like science fiction, but it reveals a critical parallel: an autonomous system operating with insufficient guardrails can behave like a malicious insider. And unlike a human insider, it can replicate itself instantly, transfer knowledge seamlessly, and exploit every permission it’s been granted in seconds.
This reframes the notion of trust in AI systems. It’s no longer enough to control what an AI agent is designed to do; we must also control what it is allowed to access and how it exercises that access over time. Identity, not intent, becomes the ultimate line of defense.
The Identity Crisis of AI Agents
Here’s the problem: the world’s identity and access management (IAM) frameworks, such as OAuth 2.0, OIDC, and SAML, were never built for autonomous actors. They assume a human initiates a session, authenticates once, and maintains relatively static intent for the session’s duration.
AI agents shatter those assumptions. Their context can change every few milliseconds. One moment they’re querying a dataset; the next, invoking a new toolchain or API. Their access needs are ephemeral and unpredictable. Static credentials, long-lived tokens, and role-based entitlements create vast opportunities for privilege drift, lateral movement, and shadow identity sprawl.
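To see how wide that gap is, consider a minimal sketch of the legacy pattern in Python; the token fields, scopes, and agent name are all invented for illustration. A broad credential is minted once, and the only runtime check is whether it has expired:

```python
import time

# Hypothetical illustration of the legacy IAM pattern: one broad,
# long-lived credential minted at startup and reused for every action
# the agent takes, regardless of how its task context changes.

LEGACY_TOKEN = {
    "subject": "agent-042",
    "scopes": ["db:read", "db:write", "tools:*", "api:invoke"],  # broad, static
    "issued_at": time.time(),
    "expires_at": time.time() + 86_400,  # 24 hours of standing privilege
}

def act(token: dict, action: str, resource: str) -> None:
    # The only gate is "has the token expired?" -- the agent's current
    # task is never re-evaluated, so a compromised or misaligned agent
    # keeps every permission for the token's full lifetime.
    if time.time() < token["expires_at"]:
        print(f"{token['subject']} -> {action} on {resource}: allowed")

act(LEGACY_TOKEN, "query", "customer_dataset")
act(LEGACY_TOKEN, "invoke", "new_toolchain")  # never re-authorized
```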
This is the Access-Trust Gap emerging at the heart of the AI era. We’ve extended AI into every workflow, from customer support to code generation, but haven’t extended identity controls to securely match the speed and autonomy of these systems. We are, in effect, allowing entities that think and act independently to operate inside our most sensitive environments with 20-year-old security logic.
Toward AI-Native Identity Models
Securing agentic AI requires more than another patch on legacy IAM. It demands a new operational model for identity, one that treats AI agents as first-class identities with dynamic privileges, verifiable credentials, and continuous oversight.
Key tenets of that model include:
- Ephemeral Access: Every AI action should occur under short-lived, task-specific credentials that expire as soon as the operation completes. No standing privileges, no reuse, no long-term tokens to steal (see the sketch after this list).
- Continuous Policy Evaluation: Authorization decisions must be made in real time, based on the agent’s current context, task, and behavior, not on static role assignments.
- AI-Native Anomaly Detection: Behavioral baselines must adapt to non-deterministic, self-modifying systems. We need telemetry that understands model reasoning patterns and can flag deviations from expected decision paths.
- Human-in-the-Loop Oversight: Critical operations should always require explicit human confirmation and approval.
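To make the Ephemeral Access, Continuous Policy Evaluation, and Human-in-the-Loop tenets concrete, here is a minimal sketch in Python. The scope names, policy rule, and approval hook are hypothetical placeholders, not a real API: each action mints a single-scope, seconds-lived credential only after a real-time policy decision, and sensitive scopes are gated on explicit human approval.

```python
import time
from dataclasses import dataclass

# Hypothetical sketch of ephemeral, policy-gated access for AI agents.
# Scope names, the policy rule, and the approval hook are illustrative.

@dataclass
class EphemeralCredential:
    agent_id: str
    scope: str          # exactly one task-specific permission
    expires_at: float   # seconds-scale lifetime, never reused

SENSITIVE_SCOPES = {"db:write", "secrets:read"}

def evaluate_policy(agent_id: str, scope: str, context: dict) -> bool:
    # Real-time decision based on the agent's current task context,
    # not on a static role assignment.
    return scope in context.get("declared_task_scopes", [])

def human_approved(agent_id: str, scope: str) -> bool:
    # Placeholder for an out-of-band human-in-the-loop confirmation.
    return False  # deny by default in this sketch

def grant(agent_id: str, scope: str, context: dict,
          ttl_seconds: float = 30.0) -> EphemeralCredential:
    if not evaluate_policy(agent_id, scope, context):
        raise PermissionError(f"{scope} denied by runtime policy")
    if scope in SENSITIVE_SCOPES and not human_approved(agent_id, scope):
        raise PermissionError(f"{scope} requires explicit human approval")
    # Minted per action, expires on its own: no standing privilege
    # survives beyond the operation it was issued for.
    return EphemeralCredential(agent_id, scope, time.time() + ttl_seconds)

cred = grant("agent-042", "db:read",
             {"declared_task_scopes": ["db:read"]})
print(f"granted {cred.scope} until {cred.expires_at:.0f}")
```

The design point is that nothing outlives the task that requested it: a stolen credential is worth little, and standing privilege ceases to exist as an attack surface.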
In essence, we need to evolve from identity management to identity governance at runtime. Static trust boundaries are obsolete; what matters now is whether an AI’s behavior aligns with its authorized purpose at every moment.
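What “aligns with its authorized purpose at every moment” could look like in telemetry terms is sketched below. The action names and novelty threshold are invented, and a production system would model reasoning traces rather than raw action counts; this only shows the shape of the check.

```python
from collections import Counter

# Hypothetical sketch: baseline an agent's action distribution during
# normal operation, then flag behavior that departs sharply from it.

def baseline(actions: list[str]) -> Counter:
    return Counter(actions)

def is_anomalous(base: Counter, recent: list[str],
                 novelty_threshold: float = 0.5) -> bool:
    # Flag if most recent actions were never seen during baselining --
    # a crude stand-in for "deviation from expected decision paths".
    novel = sum(1 for action in recent if base[action] == 0)
    return novel / max(len(recent), 1) > novelty_threshold

base = baseline(["query_dataset"] * 40 + ["summarize"] * 10)
print(is_anomalous(base, ["query_dataset", "summarize"]))         # False
print(is_anomalous(base, ["modify_own_code", "upload_archive"]))  # True
```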
Designing the Next Identity Plane
This shift also challenges how we architect enterprise infrastructure. The IAM layer must evolve into a multi-plane system purpose-built for autonomous workloads:
- Identity Plane: A registry for AI agents, tracking provenance, training lineage, and credential issuance.
- Control Plane: Enforcing Zero Standing Privileges (ZSP), Just-in-Time (JIT) access, and Just-Enough Access (JEA) through continuous, real-time policy orchestration.
- Data Plane: Mediating every resource interaction through sensitivity-aware access controls.
- Observability Plane: Providing telemetry to security operations platforms for anomaly detection, auditability, and adaptive trust scoring.
Together, these planes form the foundation for an Agentic Identity Fabric, a governance model that extends Zero Trust to the era of autonomous systems. It’s not about replacing human-centric security; it’s about ensuring that machine actors play by the same rules, enforced in real time and at machine speed.
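A simplified sketch of how such a fabric might compose the four planes; every class, method, and sensitivity label here is invented for illustration:

```python
from dataclasses import dataclass, field

# Hypothetical composition of the four planes into one fabric.
# All names and rules here are invented for illustration only.

@dataclass
class IdentityPlane:
    registry: dict = field(default_factory=dict)

    def register(self, agent_id: str, provenance: str) -> None:
        # Track who issued the agent and where it came from.
        self.registry[agent_id] = {"provenance": provenance}

class ControlPlane:
    def authorize(self, agent_id: str, scope: str, context: dict) -> bool:
        # ZSP/JIT/JEA: no standing privilege; grant only what the
        # current task needs, decided at request time.
        return scope in context.get("task_scopes", [])

class DataPlane:
    SENSITIVITY = {"pii_store": "restricted", "public_docs": "open"}

    def mediate(self, resource: str, scope: str) -> bool:
        # Sensitivity-aware mediation: restricted data requires an
        # explicitly approved scope.
        if self.SENSITIVITY.get(resource) == "restricted":
            return scope.endswith(":approved")
        return True

class ObservabilityPlane:
    def __init__(self) -> None:
        self.events: list[dict] = []

    def emit(self, event: dict) -> None:
        # Telemetry feed for anomaly detection, audit, trust scoring.
        self.events.append(event)

class AgenticIdentityFabric:
    def __init__(self) -> None:
        self.identity = IdentityPlane()
        self.control = ControlPlane()
        self.data = DataPlane()
        self.obs = ObservabilityPlane()

    def request(self, agent_id: str, scope: str,
                resource: str, context: dict) -> bool:
        allowed = (agent_id in self.identity.registry
                   and self.control.authorize(agent_id, scope, context)
                   and self.data.mediate(resource, scope))
        self.obs.emit({"agent": agent_id, "scope": scope,
                       "resource": resource, "allowed": allowed})
        return allowed

fabric = AgenticIdentityFabric()
fabric.identity.register("agent-042", provenance="model:acme-v3")
print(fabric.request("agent-042", "read", "public_docs",
                     {"task_scopes": ["read"]}))  # True, and audited
```

The point of the sketch is the flow: no request touches a resource without passing the identity, control, and data planes, and every decision, allowed or denied, lands in the observability plane.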
The New Security Equation
The takeaway from CMU’s and Anthropic’s findings is clear: AI is no longer just augmenting human attackers; it’s replacing them. And as offensive AI evolves, defensive strategies that rely on static identity boundaries will fail faster and more completely than ever before.
To keep pace, organizations must recognize that every AI agent is both a potential collaborator and a potential adversary. Governance must start at creation, follow the agent through every action, and extend through deactivation or decommissioning.
When AI becomes the attacker, identity and access become the perimeter, one that must adapt as quickly and intelligently as the systems it defends.
About the Author
Art Poghosyan, CEO & Co-founder of Britive, is an entrepreneur and InfoSec expert with over 20 years in cybersecurity. He excels in building high-performance teams and fostering collaborative, accountable cultures. Prior to founding Britive, a pioneering cloud privileged access management (CPAM) platform, he co-founded Advancive, an Identity and Access Management (IAM) consulting firm acquired by Optiv in 2016. Art is a mentor, speaker, and contributor to industry events and (ISC)2 CISSP-ISSAP exam development, deeply committed to advancing cloud security innovations.
