AppViewX launches Agent Identity Security for enterprise AI agents

AppViewX launched Agent Identity Security on June 16, 2026, a new product that gives enterprise security teams a single control plane for every AI agent running in their environment. The launch is the strongest signal yet that agent identity is being treated as a first-class infrastructure problem, on the same shelf as PKI and machine identity, rather than a feature inside an existing IAM (identity and access management) suite.

Why AppViewX is putting agent identity on a PKI foundation

The product sits on top of AppViewX's decade of machine identity and PKI (public key infrastructure) work, the plumbing that issues, rotates, and revokes the digital certificates every machine-to-machine connection already depends on. That foundation matters because the alternative, bolting AI agents onto a human-centric IAM stack, is the problem AppViewX is explicitly trying to solve.

"AI agents have become the largest workforce most enterprises never hired, operating autonomously across sensitive infrastructure with broad access and minimal oversight," said Archit Lohokare, AppViewX's CEO, in the launch announcement. "This new class of identity will lead to incredible innovation if governed appropriately for the post-quantum era."

The pitch is that enterprises cannot govern agents with the same controls they use to govern human users. Agents do not log in once and stay in a fixed role. They get spun up to handle a single task, reach for tools and data through MCP (Model Context Protocol) connections, and disappear. A human IAM system has no native concept of an agent that exists for ten minutes, runs against a single dataset, and revokes itself at the end. AppViewX is building that concept from scratch, then grounding it in certificate-based identity so the same controls survive the move to post-quantum cryptography.

That last point is the strategic play. Quantum computing is the other trend AppViewX is folding into the same product, because the same certificate and key infrastructure that authenticates an agent today is what will need to be rotated to post-quantum algorithms over the next several years. If agent identity is already living inside that PKI layer, the post-quantum migration is a certificate swap, not a re-platforming. Todd Thiemann, principal analyst at Omdia, called the approach the right architectural response, saying that grounding agent governance in a native PKI foundation gives enterprises the cryptographic depth to handle both the AI and quantum challenges in one motion, rather than as separate bolt-ons. According to SiliconANGLE's reporting on the launch, that framing is the strategic bet AppViewX is making with the new product line.

The product lands as enterprise security teams are starting to treat AI agents as a privileged identity problem in their own right. A separate 2026 industry survey found that 61 percent of security leaders now rank agent identity as a top-three concern, and that 38 percent of enterprises have already had an agent-related incident in the past twelve months. AppViewX is the first major vendor to ship a purpose-built control plane for that problem, and it is using the same PKI primitives it has been selling to banks, healthcare systems, and large technology companies for the last ten years.

For context on the broader agent governance landscape, our guide to enterprise AI agent security walks through the first wave of CIS, NIST, and vendor guidance on the same problem.

What AppViewX Agent Identity Security actually does

The product groups its capabilities into four modules, and the names tell most of the story. Agent Inventory and Risk Insights is the discovery layer: it continuously enumerates every AI agent in the environment, the large language model behind it, the MCP tools it can reach, and the credentials it is currently holding. The output is a centralized AI bill of materials (AIBOM), the agent-era equivalent of a software bill of materials, that security teams can audit and feed into downstream tooling.

Policy-Based Agent Identity Governance is the compliance layer. It maps the discovered agent estate to a set of frameworks the security team already has to report against, including the NIST AI Risk Management Framework, the EU AI Act, SOC 2, and the SEC's cyber disclosure rules, and produces audit-ready evidence on a continuous basis. The point is to keep the board, regulators, and cyber insurance carriers supplied with the same answer to the same question, without a manual evidence-gathering exercise every quarter.

Adaptive Agent Access is the privilege layer. It applies least-privilege controls at the agent identity level, scoping each agent to only the tools and data its specific task requires, and integrating with existing PAM (privileged access management) and IAM tooling for enforcement. When the task ends, the access scope ends with it. John Barrow, CISO at JB Poindexter & Co, said in the launch that he has been working with the AppViewX team on the approach, and that the design is the right response for cutting the risk of agents in the enterprise.

Threat Detection is the runtime layer. A companion agent, called Guardian Agent, watches the live behavior of every governed agent, flags anomalies in context, and walks the security team through remediation. The goal is to catch the failure mode that no static policy can predict: an agent that behaves normally on day one and starts reaching for systems it has no business touching on day ninety.

Private preview is open now, and AppViewX is showing the product at Identiverse 2026.

The enterprise AI stack after agent identity lands as infrastructure

The launch reframes agent identity as an infrastructure category, not a feature inside an existing security product. That has three near-term consequences for enterprise teams buying or building AI agents in 2026.

First, agent governance is going to be a procurement question, not just a security question. If an enterprise is buying a third-party agent platform, the security team is going to want to know whether the agent identities created by that platform can be discovered, governed, and revoked by an external control plane, or whether they are locked inside the vendor's own IAM. AppViewX is positioning itself as that external control plane, which means the launch is also a pitch to every agent platform vendor that does not want to build its own identity layer from scratch.

Second, the PKI bet is the bet that matters. If post-quantum cryptography is going to force a rotation of every certificate in the enterprise over the next several years, the agent identities that ride on that PKI get rotated for free. The agent platforms that built their own identity layer without leaning on an established PKI provider will end up running that migration twice, once for human-facing certificates and once for agents.

Third, the AIBOM concept is going to spread. The same way a software bill of materials became a default procurement requirement for enterprise software over the last five years, an AI bill of materials, a living inventory of every agent, its model, its tools, and its credentials, is going to become the next default requirement on enterprise RFPs. AppViewX is shipping the first reference implementation of that idea at a moment when CIS, NIST, and the EU AI Act are all writing requirements that look like an AIBOM.

Agent Identity Security is available today as a private preview for qualified enterprises. For the broader picture on how agent identity fits into an enterprise AI rollout, our enterprise AI governance checklist for 2026 walks through the policies, controls, and audit evidence that boards and regulators are now asking for.