Beyond Identity ships Ceros, an identity platform for AI agents
Beyond Identity's Ceros brings enterprise identity to AI agents with device-bound passkeys, session-level audit logs, and policy-aware tool permissions for every tool an agent touches.
Beyond Identity, the New York-based identity and access management vendor, launched a product on Tuesday aimed at a problem most enterprise security teams are only beginning to plan for: what happens when the actor in front of an application is an AI agent, not a person. The platform is called Ceros, and it is the latest signal that the next layer of enterprise security is being built for software that acts on its own.
Ceros extends Beyond Identity's existing employee identity controls to AI agents. It tracks every agent session, records which human user launched the agent and from which device, and maps the chain of external services that agent touches during a task. From there, administrators can set rules about which agents can use which tools, and under what conditions. The platform also handles the credentialing piece: agents running through Ceros get device-bound passkeys that cannot be lifted off the host machine, which the company argues makes them impossible for an attacker to steal and reuse.
Beyond Identity is hardly the only vendor pushing into this space. In the last three weeks alone, CrowdStrike launched what it calls a Continuous Identity product for AI agents, the startup Lens shipped a governance layer aimed at the same buyer, and the agent-authorization company Arcade raised a $60 million round to expand its reach. The launches are landing in the same quarter that US cyber agencies released stricter access control guidance for AI agents and a string of research teams published new attack techniques against autonomous coding tools.
That clustering is not a coincidence. Enterprises are running out of patience for improvised controls. A 2026 survey by KPMG found that 71 percent of large organizations now have AI agents in production for at least one workflow, but only 38 percent had a formal access policy in place for them. The gap between deployment and policy is the opening the new tools are built to fill.
How Ceros tries to lock down an agent session
The product itself does three things in sequence. When an agent starts a task, Ceros first verifies the device the agent is running on, the human who started the session, and the policy that applies to that specific agent. Then it issues short-lived credentials for every external service the agent will need: a cloud LLM, a Model Context Protocol server, an internal API, a database. Each of those credentials is bound to the host machine and to the agent's session, which means the credential expires when the session ends and cannot be replayed elsewhere.
That last detail matters because of how attacks on AI agents have actually been unfolding in 2026. The dominant pattern researchers describe is the same one Microsoft and others have flagged in their runtime security write-ups: an attacker tricks an agent into performing an action with elevated privileges, then exfiltrates the result through a tool call the agent was already authorized to make. The hard part is not getting the credentials. It is using them in a way the defender did not predict. Device-bound passkeys limit that surface by removing the option of moving the credential to an attacker-controlled host.
Ceros also watches the agent's tool calls as they happen. If an agent that normally touches a Salesforce API suddenly tries to read from a Postgres database it has never used, the platform can flag the call, block it, or require a human approval step. The behavior is similar to what cloud security posture tools have done for infrastructure for years, just applied to agent reasoning.
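The two controls described above, session- and device-bound credentials and a per-call tool decision, can be modeled in a few lines. This is an added illustration, not Ceros code or its API: the HMAC key stands in for a hardware-held device key, and every name and identifier below is an assumption constructed for the example.

```python
import hashlib
import hmac

# Constructed demo key; stands in for a key that never leaves device hardware.
ISSUER_KEY = b"constructed-demo-key"

def _mac(payload):
    return hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_credential(session_id, device_id, tool, now, ttl=300):
    """Mint a short-lived credential bound to one session, device and tool."""
    payload = f"{session_id}|{device_id}|{tool}|{now + ttl}"
    return f"{payload}|{_mac(payload)}"

def verify_credential(token, session_id, device_id, tool, now, ended_sessions=()):
    """Accept only if the MAC, session, device, tool and expiry all check out."""
    try:
        sess, dev, tok_tool, expiry, mac = token.split("|")
        expiry = int(expiry)
    except ValueError:
        return False  # malformed token
    expected = _mac(f"{sess}|{dev}|{tok_tool}|{expiry}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # tampered or forged
    if sess in ended_sessions or now >= expiry:
        return False  # credential dies with the session or at expiry
    # Replay from another host, session or tool fails the binding check.
    return (sess, dev, tok_tool) == (session_id, device_id, tool)

def decide_tool_call(agent, tool, allowed, baseline):
    """Return 'allow', 'require_approval' or 'block' for one tool call."""
    if tool not in allowed.get(agent, set()):
        return "block"  # policy never granted this tool
    if tool not in baseline.get(agent, set()):
        return "require_approval"  # granted, but this agent has never used it
    return "allow"

if __name__ == "__main__":
    # Constructed sample data: one agent, two granted tools, one in its history.
    allowed = {"sales-agent": {"salesforce_api", "postgres"}}
    baseline = {"sales-agent": {"salesforce_api"}}
    tok = issue_credential("sess-1", "laptop-A", "salesforce_api", now=1000)
    print(verify_credential(tok, "sess-1", "laptop-A", "salesforce_api", now=1100))
    print(verify_credential(tok, "sess-1", "other-host", "salesforce_api", now=1100))
    print(decide_tool_call("sales-agent", "postgres", allowed, baseline))
```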
The third feature is a practical one: automatic LLM failover. When the model that powers an agent goes offline, Ceros can route the next prompt to a different model, sparing developers from writing that switching logic by hand. It is not a security feature, but it is the kind of thing platform teams ask for once they have more than a handful of agents in production.
What is actually missing from agent security
It is worth being clear about what Ceros does not solve. The product does not detect prompt injection in real time. It does not verify the output of an agent before that output reaches a downstream system. It does not reason about whether the combination of tools an agent is calling makes sense. In other words, it manages the identity layer. The trust layer above it is still the responsibility of the application developer.
That split is becoming the standard shape of the category. The May 2026 cyber agencies guidance, the Microsoft agent governance toolkit, the Cisco IDE security scanner, and the Lens governance layer all take a similar cut at the problem. They handle the access controls, the credentialing, the audit log, the policy enforcement, and the developer hooks. The harder questions about whether an agent is doing the right thing in a given moment are still mostly unresolved.
This is also why venture funding is flowing into the space. Beyond Identity itself is backed by more than $200 million and was already a mature company before Ceros. Arcade's $60 million Series B in early June and Lens's seed round earlier in the year both suggest that the buyers are not waiting for a clear category leader. They are signing checks and seeing which approach sticks.
The bigger question for enterprise security teams
For enterprise security leaders, the practical question is not whether to buy an agent security platform. It is which layer to start with, and how much of the control plane they want to keep in house.
The answers are starting to settle. Identity and credentialing are the most standardized piece, and products like Ceros, CrowdStrike's Continuous Identity, and the open standards work around OAuth for agents are converging on a roughly similar model. Governance, audit, and policy authoring are less mature, and most teams end up writing a thin internal layer on top of whatever they buy. The hardest layer, the one that decides whether an agent should be allowed to do what it is about to do, is still being defined.
The broader enterprise AI rollout, including the governance, the use cases, and the rollout checklist that larger teams are still working through as part of their Enterprise AI strategy in 2026, sits squarely in that "still being defined" zone. Teams that already have a real production deployment of agents are converging on a short list of common components, and identity is now near the top of that list. The vendors are moving faster than the standards, which is usually a sign that the buyers have figured out what they want even if the analyst market has not.
What is clear is that the "AI agent security" category is no longer a slide at a security conference. It is a product line, with multiple serious vendors, real money behind it, and an enterprise buyer who is past the proof of concept stage. Beyond Identity's Ceros, launched this week with coverage from SiliconANGLE, is one entry in that line. It is not the last one, and it will not be the one that wins by default. But it is a useful data point about how quickly the rest of the stack is being bolted on to the new shape of enterprise software.