For a decade, enterprise cybersecurity relied on one foundational assumption: a human user sits at a screen, authenticates, and executes actions. Our identity and access management (IAM) infrastructure was built around that model. Validate the user at login, establish a trusted session, and monitor what happens next. But the emergence of the agentic enterprise is starting to challenge that assumption.
AI agents, coding assistants, and automated workflows are beginning to operate across cloud environments, code repositories, APIs, and internal systems with a level of speed and autonomy that traditional controls were not designed to manage. The issue is no longer just whether an identity was verified at the point of access. It is whether organisations can see, govern, and control what happens after access is granted, especially when the actor is software making decisions in real time.
Attackers are not always breaking in; increasingly, they are logging in. At the same time, enterprises are deploying AI-driven tools faster than many security teams can inventory them. Shadow AI, short-lived credentials, and machine-driven actions are expanding the attack surface in ways that create visibility gaps and governance blind spots.
The Friction Points of Autonomous Execution
The first challenge is visibility. Many organisations still lack a clear inventory of which AI agents exist, who approved them, what data they can access, and what actions they are taking on whose behalf. When agents are distributed across fragmented cloud and SaaS environments, those questions become harder to answer, and security blind spots grow quickly.
The second challenge is that traditional identity controls are too static for continuous machine activity. Traditional IAM and privileged access tools are effective at validating access at a point in time. But AI systems do not authenticate and stop. They continue acting after the initial session begins, making choices, invoking tools, and changing systems along the way. That creates a need for identity controls that can evaluate behaviour in context as actions occur, not just at login.
The third challenge is credential exposure. Long-lived secrets, shared credentials, and broad delegated access are already problematic in human-led systems. They become even riskier when handed to autonomous or semi-autonomous tools operating at machine speed. Security leaders need a model that reduces that exposure, improves attribution, and preserves a clear chain of accountability back to a human owner or policy decision.
Redefining the Identity Control Plane
To navigate this threat landscape safely, enterprise identity has to evolve from a system designed primarily for human administrators into infrastructure that can support humans, automation, and AI agents together. This is the broader shift behind identity infrastructure for the agentic enterprise: making identity easier to operate programmatically, governing AI agents across their lifecycle, and evaluating trust continuously as actions occur.
One part of that shift is operability. As more work moves into APIs, terminals, orchestration layers, and AI-assisted workflows, identity systems need to be easier to use beyond the admin console. Another part is governance: organisations need to identify AI agents, assign ownership, define boundaries, and understand what those agents are allowed to do. A third part is runtime trust: ensuring access is evaluated in context and that risky behaviour can be contained quickly without relying on static credentials or blind trust.
This is not just a technical design question. It is an operational one. Organisations need to move beyond asking only who logged in and start asking what is acting in the environment, what it is authorised to do, and whether teams can intervene when risk changes.
Moving Safely at the Speed of AI
The objective is not to inhibit innovation. It is to make innovation governable. Organisations that succeed with AI will be the ones that build identity, accountability, and runtime control into the operating fabric of the enterprise from the start.
That matters because the agentic enterprise is no longer theoretical. AI systems are already influencing workflows in development, operations, customer engagement, and decision-making across the business. The challenge for cybersecurity leaders is not to restrict what these systems can do outright. It is to ensure they operate safely, accountably, and within clear enterprise guardrails, and as unglamorous as it may be, Governance is going to be one of the most important factors in determining if a company succeeds or fails in the long run with their AI programs.
The organisations that get this right will be better positioned to use AI with confidence. The ones that do not may find that the biggest risk in the AI era is not the machine itself, but the lack of identity controls around what the machine is allowed to do.
Brought to you by:

Written by
As Ping Identity's Chief Information Security Officer, Russ operates at the intersection of identity, AI and enterprise resilience. His mission is to reposition security and compliance from cost centers into value creators, enabling organisations to scale with confidence in an era of constant change.
Over the course of his career, Russ has gathered a panoramic view of security across sectors, business scales and transformation contexts. This breadth equips him to craft strategies that balance innovation, governance and risk. Russ specialises in challenging orthodoxies and rethinking what “secure by design” means in the age of AI, zero trust and identity-centric architectures.
He has successfully steered complex business and technology transformations, led security overhauls and built robust governance frameworks. Russ believes in aligning security with business purpose. Whether engaging the board, unifying cross-functional teams or translating technical complexity into strategic insight, he operates as a trusted adviser and catalyst for change, believing in building security systems that don’t just protect but accelerate.