Humans, Devices, AI Agents and Privileged Actions: The New Identity Perimeter

We explore how identity security is expanding across users, devices, AI agents, non-human identities, APIs and privileged actions, and how leaders can govern them.

Every sensitive action now has an identity behind it: a person, device, service account, API, AI agent or privileged session.

For CISOs, CTOs and IAM leaders, access control can no longer stop at login. Security teams need to know who acted, from which device, under whose authority, with which permissions, and where the evidence sits.

Okta’s AI Agents at Work 2026 research shows the gap: 91% of organisations were already using AI agents, while only 10% had a well-developed strategy or roadmap for managing non-human identities.

The new identity perimeter is action-aware. It connects identity, device posture, delegated authority, privilege, API security and audit evidence into one operating model.


Human identity still sets the control model

Human identity remains the starting point for access governance.

Employees can fall victim to phishing attacks, contractors may retain access longer than they should, and helpdesk processes are often targeted by attackers. At the same time, customer-facing services must balance security with a smooth user experience, while also addressing fraud risks and privacy requirements.

Strong authentication helps reduce these risks, particularly when organisations use phishing-resistant MFA, passkeys and context-aware access policies. Secure enrolment and account recovery processes are equally important, as many attacks begin before a user ever reaches the login screen.

Security leaders need evidence that every human identity has an owner, a reason, a lifecycle and a policy.

Okta can support workforce access. Auth0 can support customer identity and authorisation. SailPoint can support governance, lifecycle processes and access reviews.

Connected properly, login, lifecycle, authorisation and governance give security leaders evidence they can use with auditors, regulators and boards.


Devices change the access decision

The same user creates different levels of risk depending on the device.

A valid credential from a managed, compliant device should not be treated the same way as a valid credential from an unmanaged, outdated or compromised endpoint.

Managed status, patch level, certificate status, encryption and endpoint risk should influence access to sensitive applications.

Omnissa Workspace ONE and Okta integrations can support this model by adding device compliance into the access decision.

For hybrid work, mobile teams and frontline environments, identity needs endpoint context. Without it, security teams are making access decisions with incomplete information.


Non-human identities expand the risk surface

AI agents are part of a wider non-human identity problem.

Most organisations already depend on service accounts, API keys, OAuth tokens, certificates, cloud workloads, CI/CD pipeline identities, containers, scripts, bots and automation accounts.

Many of these identities have persistent credentials and broad permissions. Ownership is unclear. Offboarding is inconsistent. Monitoring is often weaker than for human users.

Security leaders need a disciplined sequence: build the inventory, assign ownership, reduce standing privilege, then add vaulting, credential rotation, access certification, monitoring and revocation.

SailPoint can support discovery and lifecycle governance. Delinea can support privileged access, credential vaulting, rotation and machine identity protection. Okta and Auth0 can support stronger identity standards and authorisation flows.

The control model should be simple: every identity needs an owner, purpose, permission, context, lifecycle and evidence.


AI agents need their own identities

AI agents should not borrow employee accounts, hide behind generic service accounts or operate through unmanaged API tokens with broad permissions.

Each approved agent needs a unique identity, human owner, business purpose, scoped permissions, short-lived credentials, revocation rules and audit trails. Shadow agents need discovery, governance or blocking.

Okta is expanding Universal Directory to treat AI agents as first-class non-human identities, with lifecycle visibility from onboarding to decommissioning. Auth0 for AI Agents adds capabilities for delegated access, token management, granular authorisation and human approval flows.

For CISOs, unmanaged agents create audit gaps. For CTOs, they introduce uncontrolled dependencies across applications and APIs. For IAM leaders, they create identities without owners, lifecycle rules or certification paths.

Cloudcomputing can support this through an AI Agent Identity Readiness Assessment covering discovery, ownership, access models, lifecycle, authorisation, monitoring and revocation.


Privilege now lives at the action level

Privilege used to be discussed mainly through accounts: domain admin, cloud admin, database admin, root.

Modern environments require control over privileged actions. A privileged action may be a production change, cloud console operation, database query, SaaS administration change, break-glass session, data-changing API call or AI-agent action.

Modern PAM needs to govern these actions in real time.

Delinea is relevant because privileged access now covers human administrators, machine identities, DevOps workflows and AI agents. Control needs to extend into session governance, command control, query authorisation, approval flows and evidence collection.

Just-in-time access, approval workflows, credential rotation and session monitoring help CISOs reduce standing privilege while keeping urgent work possible.


APIs are identity enforcement points

APIs are where identities act, delegate and transact.

Users log in. Agents call APIs. Services exchange tokens. Customers grant consent. Partners request access. Workflows trigger transactions.

API security needs strong authentication, scoped authorisation, token governance, federation, auditability and abuse detection. OAuth scopes need careful design. Tokens need lifecycle control. API events need traceability.

Axway API Gateway can connect API authentication and authorisation with identity management systems. Auth0 can support CIAM, OAuth patterns and granular authorisation. Identity threat detection signals can add context where anomalies suggest account takeover, customer fraud or suspicious activity.

For CTOs, APIs are a delivery issue as much as a security issue. Poor authorisation design creates risk, slows integration and makes audit evidence harder to produce.


Observability turns controls into evidence

Security leaders need to prove what happened across identity logs, privileged sessions, API traces, device posture events, AI-agent actions, failed authorisation attempts, role changes, policy updates and permission changes.

Dynatrace’s State of Log Management 2026 research states that AI workloads drove a 93% increase in log and telemetry volume in the past year. It also reports that 71% of organisations struggle to collect and correlate AI health metrics, and that 84% say AI trust depends on log analytics that can forecast and reduce problems.

For identity-led security, observability is where controls become evidence.

Organisations need to investigate AI-agent actions, defend privileged access decisions and prove compliance across identity, device, API and application telemetry.


European regulation raises the evidence standard

NIS2 includes cybersecurity risk-management measures related to access control, asset management, MFA and continuous authentication where appropriate.

DORA adds detailed ICT risk-management expectations for financial entities. The EU AI Act requires high-risk AI systems to allow automatic recording of events over the system lifecycle.

These regulations increase demand for evidence-based security governance.

For CISOs, identity becomes a board-level risk control. For CTOs, identity becomes part of operational resilience. For IAM leaders, identity controls need mapping to regulatory requirements, supported by logs, reports, reviews and remediation evidence.


A practical roadmap for security leaders

Cloudcomputing starts with identity visibility: which identities exist, which ones are privileged, which ones are unmanaged, which ones act through APIs, and which ones already sit outside normal lifecycle controls.

From there, security leaders can move through 7 practical steps.

  1. Discover every identity. Inventory employees, contractors, customers, devices, service accounts, API keys, workloads, privileged accounts, machine identities and AI agents.
  2. Assign ownership. Give every identity a business owner, technical owner and lifecycle policy.
  3. Reduce standing privilege. Use just-in-time access, approvals, vaulting, credential rotation and zero standing privilege where possible.
  4. Add context to access. Combine user, device, location, risk, application sensitivity, session behaviour and requested action.
  5. Govern agents and delegated actions. Give AI agents unique identities, scoped permissions, short-lived credentials, audit trails, revocation and human oversight.
  6. Monitor continuously. Correlate identity, device, API, PAM, application and AI telemetry for response, audit and resilience.
  7. Map controls to regulation. Connect IAM, CIAM, IGA, PAM, device posture, API security and observability to NIS2, DORA, GDPR and AI governance.
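As an added example (not code from this article or from any vendor it names), the Python below sketches the action-aware decision that steps 2 to 6 of the roadmap describe: one check that combines actor ownership, delegated authority, credential lifecycle, scoped permission, device posture and just-in-time approval, and returns both the outcome and the evidence record a reviewer would ask for. The class names, the one-hour agent credential lifetime and the sample inputs are assumptions.

```python
# Added example (not the article's or any vendor's code): one action-aware access decision that
# combines identity, device posture, delegation, privilege and evidence. All names are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

AGENT_MAX_TOKEN_LIFETIME = timedelta(hours=1)  # assumed policy value: agent credentials stay short-lived

@dataclass
class Actor:
    id: str
    kind: str                        # "human", "agent" or "service"
    owner: Optional[str]             # accountable human owner; required for non-humans
    scopes: frozenset                # OAuth-style scopes actually granted
    cred_expires: datetime           # lifecycle: when the presented credential dies
    on_behalf_of: Optional[str] = None  # delegating principal; required for agents

@dataclass
class Device:
    managed: bool
    compliant: bool                  # patch level, encryption and certificate checks passed

@dataclass
class Action:
    name: str                        # e.g. "prod.db.write"
    scope: str                       # scope the action requires
    privileged: bool                 # needs JIT approval and, for humans, a compliant device

def decide(actor, action, device=None, jit_approved=False, now=None):
    """Evaluate one requested action and return (outcome, evidence record)."""
    now = now or datetime.now(timezone.utc)
    checks = [  # (failed?, reason): every failing rule is recorded, not only the first
        (actor.kind != "human" and not actor.owner, "no_owner"),
        (actor.kind == "agent" and not actor.on_behalf_of, "no_delegating_principal"),
        (actor.cred_expires <= now, "credential_expired"),
        (actor.kind == "agent" and actor.cred_expires - now > AGENT_MAX_TOKEN_LIFETIME,
         "agent_credential_not_short_lived"),
        (action.scope not in actor.scopes, "scope_missing"),
        (action.privileged and actor.kind == "human"
         and not (device and device.managed and device.compliant), "device_not_compliant"),
        (action.privileged and not jit_approved, "jit_approval_required"),
    ]
    reasons = [reason for failed, reason in checks if failed]
    outcome = "allow" if not reasons else "deny"
    evidence = {  # who acted, from which device, under whose authority, with which permissions
        "time": now.isoformat(), "actor": actor.id, "kind": actor.kind, "owner": actor.owner,
        "on_behalf_of": actor.on_behalf_of, "device": None if device is None else vars(device),
        "action": action.name, "scopes": sorted(actor.scopes), "outcome": outcome, "reasons": reasons,
    }
    return outcome, evidence
```

The evidence dictionary is what would be shipped to the log pipeline so that each decision can be reconstructed later; denials carry every failing rule, which is what an access review or incident investigation needs.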


Build identity around trust, delegation and accountability

Security leaders need to govern every actor that can access systems, every device that can influence trust, every agent that can act autonomously and every privileged action that can change business outcomes.

The new identity perimeter is managed through ownership, context, delegated authority and evidence.

Cloudcomputing helps organisations assess where those controls already exist, where they break across humans, devices, agents, APIs and privilege, and how to connect the right technologies into a security model that can stand up to audits, incidents and business change.