AI agents are multiplying faster than your identity infrastructure can handle. Your IAM system knows who your employees are. It does not know who your agents are — and that is where the agentic governance gap lives. This article is part of our comprehensive coverage of why the identity infrastructure for agents is missing from most enterprise security stacks.
Most IAM systems were built for humans: hired, onboarded, role-assigned, offboarded. AI agents authenticate like machines but behave like employees with broad, persistent access to data, APIs, and downstream systems. In 2025–2026, a new vendor category emerged to fix this: the AI control plane — a governance layer managing agent identity, access scope, observability, and lifecycle. If you want to understand how to shut agents down when things go wrong, see our separate article on the 35% problem — one-third of organisations can’t kill a rogue agent.
What Is an AI Control Plane and Why Is “Control Plane” the Right Analogy?
In networking, the control plane determines how traffic flows — setting the rules without touching the packets themselves. The same idea applies to AI agents. The control plane governs what agents are authorised to do, observes what they are actually doing, and can stop them when needed. It does not run the agents or execute their tasks.
IBM, ServiceNow, and Token Security have all claimed this framing. Different product names, different positioning, same underlying governance problem. What a control plane controls: agent identity, access scope, observability, and lifecycle. What it does not touch: model inference, business logic, or underlying infrastructure. That boundary is what you need to understand before comparing what each vendor actually ships.
What Are Non-Human Identities and Why Do AI Agents Create an NHI Governance Crisis?
Non-human identities already outnumber your employees 25–50x in a modern enterprise. Every autonomous agent can require identities for dozens of APIs, databases, and SaaS integrations — credentials that need secure storage, rotation, and revocation. This is why the NHI governance problem sits at the heart of the agentic governance gap that most enterprise security stacks have yet to close.
Here is what makes agents different from a standard service account. A CI/CD service account has a fixed scope — defined once, rarely changed, managed by a human. An AI agent generates intent dynamically at runtime, deciding which tools to invoke based on its own reasoning. Traditional IAM was not designed for principals that determine their own tool calls at execution time.
Two studies put numbers on how bad things currently are. A Keeper Security study of 3,200 cybersecurity decision-makers (May 2026) found 89% of senior IT leaders struggle to maintain visibility into AI tool usage, with 42% naming shadow AI as their top governance gap. A Ping Identity / IDC white paper covering 794 organisations (March 2026) found only 9% meet IDC’s criteria for verified trust. More worrying: 51% believed they were ahead of their peers. Overconfidence makes the gap worse. The shadow agents this tooling must be able to detect and contain are driving that 9% figure.
What Does Okta for AI Agents Actually Include at General Availability?
Okta for AI Agents reached general availability on 30 April 2026 — the first major identity vendor to ship a dedicated AI agent identity product.
Universal Directory for agents treats agents as first-class principals in the same identity graph as your human employees, enabling unified access reviews across any framework, cloud, or SaaS environment. Fine-grained authorisation scopes define permissions at the individual action or resource level — not broad roles that create lateral reach. Shadow agent discovery detects unmanaged agents via Chrome OAuth consent monitoring, without you having to instrument every agent framework. Scoped short-lived token issuance issues narrow, time-bounded credential tokens per task. Pre-built integrations with Salesforce Agentforce, Amazon Bedrock AgentCore, and ServiceNow AI Platform get your known agents under governance quickly.
Not yet in GA: secure agent-to-agent delegation, Agent Gateway, and malicious agent threat detection. These are roadmap items, not features you can use today.
Microsoft Entra Agent ID vs Okta — How Do They Differ and Who Should Choose What?
Microsoft Entra Agent ID (currently in preview via Microsoft’s Frontier programme) gives each agent its own persistent enterprise identity — with its own privileges, roles, and lifecycle controls, separate from human users or generic application registrations.
The decision really comes down to where your identity plane already lives. Entra Agent ID is Microsoft-ecosystem-native. If you are standardised on Azure AD, Azure AI, Microsoft 365, and Copilot Studio, you extend your existing conditional access policies to agent principals without re-engineering anything. Okta is identity-vendor-neutral — a single identity plane across AWS, GCP, Azure, and any agent framework. That flexibility comes at the cost of an additional vendor contract.
IBM watsonx Orchestrate operates at the orchestration layer, not the identity layer. It manages how agents from any framework coordinate with each other, with consistent policy enforcement at the workflow level. It complements Okta or Entra Agent ID but does not replace them for NHI governance. Identity and orchestration are separate architectural concerns in the Berkeley CMR Agentic Operating Model the vendors are implementing.
And if you do not have an existing Azure enterprise agreement? An enterprise identity vendor contract is probably premature for your first five-agent deployment. That is where the open-source option becomes relevant.
Where Do Google Agent Identity and ServiceNow AI Control Tower Fit in the Stack?
Google Agent Identity (announced May 6, 2026, at Google Cloud Next ’26) is built on SPIFFE — the Secure Production Identity Framework For Everyone — an open CNCF standard that assigns cryptographic workload identities via SVIDs. Because it is built on an open standard, Google Agent Identity works for agents running on-premises or in other clouds, not only GCP-hosted workloads.
Google’s Principal Access Boundary (PAB) is the standout feature: a hard ceiling on what resources a specific agent can ever access, regardless of other inherited permissions. Least-privilege enforcement baked into the IAM infrastructure layer itself. Identity-Aware Proxy for Agents and Context-Aware Access add contextual and human-in-the-loop controls on top.
ServiceNow AI Control Tower (expanded at Knowledge 2026, May 2026) is a governance monitoring dashboard — not an identity provider. That architectural distinction matters a lot. It operates across five dimensions: Discover (30+ integrations surfacing unmanaged agents across AWS, Azure, GCP, SAP, Oracle, Workday); Observe (OpenTelemetry-based behaviour tracing via its Traceloop acquisition); Govern (risk assessment aligned to NIST AI RMF and EU AI Act); Secure (real-time agent shutdown via Veza identity governance integration); Measure (cost tracking). ServiceNow consumes identity signals from Okta, Entra, and Google — it does not issue credentials or manage identity lifecycle. Think of it as the visibility layer sitting above the identity layer.
What Is Solo.io NemoClaw and When Is the Open-Source Route the Right One?
Solo.io NemoClaw (announced May 8–9, 2026) is the only open-source AI agent governance framework in this landscape. That matters more than it might first appear.
The architecture pairs NVIDIA‘s NemoClaw governance engine with Solo.io’s kagent runtime — a CNCF-auspiced, Kubernetes-native agent runtime. kagent lets you deploy AI agents using the same policy models you are already using for containerised workloads: RBAC, network policies, admission controllers. No new toolchain to learn.
It is the right choice for engineering teams already on Kubernetes who want agent governance using familiar tooling, no vendor contract, and policy-as-code. It is not the right choice if you are not running Kubernetes, or if you need enterprise SLAs, compliance audit trail exports, or multi-cloud identity unification.
Here is the practical advice: if your team already runs Kubernetes and you are deploying your first agents, start with NemoClaw. Okta, Entra, and Google all require vendor contracts and meaningful integration work upfront — absolutely worth it at enterprise scale, but not for your first five agents. Start open-source and graduate to commercial tooling when your compliance obligations or audit requirements demand it.
What Is the Confused Deputy Attack and Why Does It Make Least-Privilege Non-Negotiable?
The Confused Deputy attack turns least-privilege from a best practice into an architectural requirement.
Here is how it works. A low-privileged actor — an attacker, a compromised component, or a crafted prompt — manipulates a high-privileged agent into performing actions the attacker cannot perform directly. The agent’s credentials are not stolen. Its identity is valid. Standard token validation returns affirmative — and the attack proceeds without triggering any alerts.
Here is a concrete example. An agent managing procurement has broad access to financial systems, email, and contract repositories. A low-risk tool in its workflow gets compromised. The attacker now inherits the agent’s excessive privileges — modifying contracts, approving payments — without setting off a single alarm, because the agent’s identity is valid the entire time.
If that agent had only read access to the specific contract tables it needed for its current task, the payment approval fails at the permission check. Broad roles make Confused Deputy feasible. Granular task-scoped permissions eliminate the attack surface. Matt Caulfield put it well at RSA 2026: “just in time, just enough and just long enough to get the task done.”
Shadow agents operating without identity governance are the highest-risk Confused Deputy targets. In multi-agent chains, if Agent A fully trusts Agent B and Agent B is compromised, that compromise propagates silently through the chain. The mitigation stack is: fine-grained authorisation (Okta, Google PAB) plus just-in-time credentials plus runtime behaviour monitoring (ServiceNow AI Control Tower, Traceloop). No single vendor provides all three right now.
FAQ
What is non-human identity (NHI) and how is it different from a service account?
A service account is static, human-managed, and has persistent broad permissions. An AI agent NHI requires task-scoped ephemeral credentials with automated lifecycle management — creation, scoping, and revocation. Standard service account tooling was not built for this.
What does “least-privilege access control” mean for an AI agent specifically?
Each task gets only the permissions it requires, for the specific resources it needs, for the shortest time necessary. The agent cannot hold onto permissions between tasks — fine-grained authorisation scopes and just-in-time credential issuance make sure of it.
Is Okta or Microsoft Entra Agent ID better for AI agent governance?
Follow your existing infrastructure. Okta suits multi-cloud or mixed-stack environments. Entra Agent ID is the natural choice for enterprises already standardised on Azure AD and Microsoft 365 — agents inherit your existing conditional access policies without any re-engineering.
What does ServiceNow AI Control Tower actually do — is it an identity provider?
No. It is a governance monitoring dashboard. It discovers, observes, and governs agents using signals from identity systems like Okta, Entra, and Google — but it does not issue credentials or manage identity lifecycle. Visibility layer, not identity layer.
What is SPIFFE and why does it matter for Google Agent Identity?
SPIFFE (Secure Production Identity Framework For Everyone) is an open CNCF standard that assigns cryptographic workload identities via SPIFFE Verifiable Identity Documents (SVIDs). Google Agent Identity is built on SPIFFE, meaning agent identities are standards-based and portable — not locked to Google’s proprietary identity format.
Is Solo.io NemoClaw production-ready for enterprise use?
NemoClaw is open-source and Kubernetes-native — production-ready for teams with Kubernetes expertise and the DevOps capacity to run it. It lacks enterprise-grade features like SLA guarantees, compliance reporting, and multi-cloud identity unification. Evaluate it based on your operational capacity and your compliance obligations.
What is the Confused Deputy attack?
A manipulated agent performs actions on behalf of an attacker without its credentials being stolen — its identity is valid, so token validation misses it entirely. Least-privilege access and runtime behavioural monitoring are the primary mitigations.
What do the 9% and 89% statistics actually measure?
The 89% comes from Keeper Security (May 2026, 3,200 decision-makers) and measures IT leaders struggling with AI tool visibility. The 9% comes from Ping Identity / IDC (March 2026, 794 organisations) and measures organisations meeting IDC’s verified trust criteria.
What is agent-to-agent delegation and why is it a governance risk?
When one agent passes its permissions to a downstream agent, a compromise of the downstream agent propagates silently through the chain. No major vendor has shipped a complete solution to this yet — it remains an open governance problem.
