
Entrust CIO: AI agents are the new first-class identity

AIntelligenceHub

Entrust CIO Rishi Kaushal told Bank Info Security on July 3, 2026 that AI agents are the new first-class identity. The fix is per-agent credentials, short-lived tokens, audit trails, and kill switches.

Entrust CIO Rishi Kaushal wants enterprises to treat AI agents as a new first-class identity class. In a video interview with Bank Info Security on July 3, 2026, Kaushal argued that the expansion beyond human identities into machine and agentic identities is creating security, governance, and compliance problems that have not been fully addressed. Entrust sits in the middle of credential issuance and PKI for a meaningful share of the Fortune 500.

Why agent sprawl is the new identity problem

Identity management has traditionally been a problem about people. Employees got usernames, group memberships, and single sign-on, and the same plumbing was extended to contractors and partners. AI agents break that model because they are not people at all. They are software artifacts that authenticate to APIs, hold tokens, make decisions, and execute workflows on a schedule or in response to events, and they often do all of that with credentials issued to a service account whose lifetime is now too long and whose permissions are now too broad. Kaushal's argument is that this drift has been compounding quietly for two years and is now visible in the form of hundreds or thousands of agents operating under poorly managed permissions inside a single enterprise.

The reason it is compounding is the same reason the broader agent stack has been compounding: deployment velocity. Many organizations, Kaushal noted, rushed to deploy AI assistants, workflow agents, and autonomous systems without first establishing governance frameworks. The result is agent sprawl, the same shape of problem that shadow IT produced in the 2010s, except that the artifacts are not laptops on a network but software processes that hold tokens. Duplicate functionality is one symptom. A second symptom is that two agents in the same team end up holding overlapping permissions, and a third is that an agent built for one workflow quietly starts answering requests from a different workflow because nothing in the policy layer said no. The compliance team, when it eventually audits the agent population, finds a population that does not match the system of record.

The category shift that has to happen, in Kaushal's framing, is to treat agents as their own identity class rather than as a special case of service accounts. Every agent should have its own identity, defined permissions, and clear accountability, he said, and that language is not rhetorical. It maps directly onto a set of controls that identity teams already know how to operate: a per-agent identifier, a credential that is short-lived rather than a static API key, a permission set that is least-privilege by default, an audit trail for every action, and a kill switch that can revoke the credential instantly when the agent is decommissioned or when an incident is open. None of those controls are new. The change is that the identity team is now on the hook for the entire population, not just for the human population plus a handful of break-glass service accounts.

Zero trust has to extend to machine identities

The reason most enterprises are not ready is that their zero-trust program was scoped to humans. Continuous verification, least-privilege access, and auditability were applied to employees, contractors, and partners, and the machine side of the identity population was treated as a separate workstream owned by infrastructure and platform teams rather than by the identity team. Kaushal's argument is that this separation no longer holds. The agents an enterprise is shipping are taking actions that affect revenue, customer data, and regulatory obligations, which means the controls that govern them have to live in the same program that governs the rest of the identity population, with the same standards and the same reporting line. AIntelligenceHub's recent coverage of Forrester's Identiverse 2026 recap makes the same point from a different angle, showing how the analyst community has converged on agent identity as the next front for IAM.

The first place this shows up is credential lifetime. Human credentials at most enterprises are rotated on a schedule, expire on a defined clock, and are revocable from a central directory. Machine credentials, by contrast, are often issued once and live for the lifetime of the service. That lifetime used to be tolerable because the number of service identities was small and the actions they took were narrow. With agents, the lifetime is the wrong default for two reasons. The first is that an agent's permission set is supposed to be narrow, but a long-lived credential gives it time to drift wider than the original grant, especially if the granting team is not actively watching. The second is that an agent built to do one thing is sometimes reused for a different thing without the original author noticing. Short-lived credentials bound to a specific workflow make both failure modes much harder to land.

The second place it shows up is audit. A human employee leaves a trail of structured events that any SIEM can ingest: authentication, MFA challenge, file access, privileged command, application action. An AI agent can do all of those in a single API call, and the resulting event is a single line in a service account's log, with no context for what the agent was actually doing. The fix is to require agents to emit their own audit trail, scoped to the workflow they were granted permission for, with the prompt or policy that triggered the action attached. This is the same pattern that the Federal Reserve and the European Central Bank have been pushing for algorithmic decisioning in financial services, and it is now becoming the standard for any agent that touches a regulated system.

The third place is kill switches. A human employee who turns out to be a threat is a problem that HR, legal, and security have a process for, and that process ends with deprovisioning the identity. An agent that turns out to be a threat, in the sense that it has been prompt-injected, misconfigured, or co-opted, has to be revocable in minutes, not days. That requires a credential infrastructure that supports immediate revocation, a runtime that can stop the agent in place, and a roster of owners who can authorize the kill without a four-day ticket. The infrastructure pieces exist. The governance and runbook pieces are what most enterprises are still building. The Enterprise AI Governance Checklist for 2026 walks through the runbook pieces in detail, and the agent identity section is now the part most teams revisit first.
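The control set described in the preceding sections (a per-agent identifier with an owner, a short-lived credential scoped to one workflow and one tool set, a least-privilege grant, an audit record for every action with the triggering policy attached, and a kill switch) can be sketched in a few dozen lines. The following is an added example written for this article; it is not Entrust's code and nothing from the interview. The broker class, the HMAC-signed token layout, the audit record fields, and the sample `agent-invoice-01` agent are all assumptions chosen for illustration; in production the signing key would come from a KMS or HSM rather than being constructed in memory.

```python
"""Per-agent credential broker: short-lived, workflow-scoped tokens, audit trail, kill switch.
Illustrative example; the token format and class names are assumptions, not any vendor's API."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentIdentity:
    """One first-class identity per agent: an id, an accountable owner, one workflow, one grant."""
    agent_id: str
    owner: str
    workflow: str
    allowed_tools: frozenset


class AgentCredentialBroker:
    """Issues short-lived tokens bound to an agent and workflow, and records every use."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 300, clock=time.time):
        self._key = signing_key          # constructed here; a real deployment pulls this from a KMS/HSM
        self.ttl = ttl_seconds           # credential lifetime: minutes, not the life of the service
        self.clock = clock               # injectable so expiry can be exercised deterministically
        self.registry: dict[str, AgentIdentity] = {}
        self.killed: set[str] = set()    # agent-level kill switch
        self.audit_log: list[dict] = []

    def register(self, identity: AgentIdentity) -> None:
        self.registry[identity.agent_id] = identity

    def issue(self, agent_id: str, tools: set[str]) -> str:
        """Mint a token only if the agent exists, is not killed, and asks for a subset of its grant."""
        ident = self.registry.get(agent_id)
        if ident is None or agent_id in self.killed:
            raise PermissionError(f"no active identity for {agent_id}")
        if not tools <= ident.allowed_tools:
            raise PermissionError(f"{agent_id} asked for tools outside its grant: {sorted(tools - ident.allowed_tools)}")
        now = int(self.clock())
        claims = {"sub": agent_id, "wf": ident.workflow, "tools": sorted(tools),
                  "iat": now, "exp": now + self.ttl, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, separators=(",", ":")).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        self._audit(agent_id, ident.workflow, "issue", claims["jti"], "ok", trigger="issue")
        return f"{body}.{sig}"

    def kill(self, agent_id: str, reason: str) -> None:
        """Kill switch: every outstanding token for this agent fails verification from now on."""
        self.killed.add(agent_id)
        self._audit(agent_id, "-", "kill", "-", "ok", trigger=reason)

    def verify(self, token: str) -> dict:
        """Check signature, revocation and expiry; return the trusted claims."""
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["sub"] in self.killed:
            raise PermissionError("agent revoked")
        if self.clock() >= claims["exp"]:
            raise PermissionError("token expired")
        return claims

    def act(self, token: str, tool: str, trigger: str) -> bool:
        """Gate one tool call on the token and write a workflow-scoped audit record either way."""
        try:
            claims = self.verify(token)
        except PermissionError as e:
            self._audit("unverified", "-", tool, "-", f"denied: {e}", trigger)
            return False
        sub, wf, jti = claims["sub"], claims["wf"], claims["jti"]
        if tool not in claims["tools"]:
            self._audit(sub, wf, tool, jti, "denied: tool outside token scope", trigger)
            return False
        self._audit(sub, wf, tool, jti, "ok", trigger)
        return True

    def _audit(self, agent_id, workflow, action, jti, outcome, trigger):
        # One structured event per decision, with the policy or prompt that triggered it attached.
        self.audit_log.append({"ts": int(self.clock()), "agent": agent_id, "workflow": workflow,
                               "action": action, "jti": jti, "outcome": outcome, "trigger": trigger})


if __name__ == "__main__":
    # Constructed sample agent and workflow for demonstration only.
    broker = AgentCredentialBroker(secrets.token_bytes(32), ttl_seconds=300)
    broker.register(AgentIdentity("agent-invoice-01", "finops-team", "invoice-reconcile",
                                  frozenset({"erp.read", "erp.post"})))
    tok = broker.issue("agent-invoice-01", {"erp.read"})
    print(broker.act(tok, "erp.read", "policy:recon-daily"))   # allowed
    print(broker.act(tok, "erp.post", "policy:recon-daily"))   # denied: not in this token's scope
    broker.kill("agent-invoice-01", "incident:PLACEHOLDER-ID")
    print(broker.act(tok, "erp.read", "policy:recon-daily"))   # denied: agent revoked
    for rec in broker.audit_log:
        print(json.dumps(rec))
```

Two design choices carry the article's points. The token scope is the intersection of the agent's grant and what the task requested, so a token minted for reading never lets the same agent post, even though posting is within its standing grant; that is the short-lived, per-task credential Kaushal describes. And the audit record is written on denials as well as successes, tagged with the workflow and the triggering policy, which is what lets a SIEM distinguish an agent drifting outside its lane from an agent doing its job.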

The standards, the platforms, and the next 12 months

The most concrete shift visible in the standards landscape is the move to treat agent identity as a peer of human identity rather than a special case. The Linux Foundation's Agent Name Service launched earlier this year with a charter to give agents a portable identifier that any platform can resolve, and the recent Forrester Identiverse 2026 recap framed the same problem as the next front for IAM, with the analyst Andras Cser and others arguing that discovery, lifecycle, and policy enforcement for agents have to live in the same platform as the rest of the identity population. Both of those efforts point at the same conclusion Kaushal is describing: agents need their own identity object, their own lifecycle, and their own audit channel, and the standards bodies are now writing that into the underlying protocols.

The platform side is moving in the same direction, though more slowly. The major cloud identity providers have all shipped some form of workload identity federation in the last two years, and most of the major CIAM platforms have added machine identity features. The new piece is the agent runtime layer, where vendors are starting to ship identity-aware execution environments that can issue short-lived credentials per task, scope them to a specific tool set, and revoke them when the task ends. Entrust is one of the vendors in this layer, which is one reason Kaushal is willing to name the problem this directly. The competitive set is building in the same direction.

The next 12 months are the part that is hardest to predict. The compliance conversation is moving fast, in part because the agents in scope are the ones that touch regulated workloads: finance operations, customer data, healthcare records, legal discovery. The platforms that ship first-class agent identity controls will be the platforms that get picked for those workloads, and the platforms that treat agents as a special case of service accounts will quietly lose the deal. Enterprises that want to get ahead of the curve should inventory their agent population now, attach a credential and an owner to each one, set a hard policy on credential lifetime, and require every agent to emit a structured audit trail. None of that requires a new product. It requires the identity team to start treating agents as their own identity class, which is exactly the move Kaushal is asking for.
