Your Small Business Guide to Agentic AI Identity & Access Management (2026)

Agentic AI Identity & Access Management (Agentic AI IAM) is: Tracking every AI tool - who approved it and what data it touches – so it can work for you without putting your money, data, or reputation at risk. 

In the 2025 Salesloft Drift attack, just one unmonitored AI agent led to data leaks at 700+ organizations across the world. 

The good news is you don’t need a Fortune 500 budget to protect your business. You just need to know what agents you have and what apps your agents touch.  

The first step is understanding what agentic AI IAM is and why it matters. 

What is agentic AI Identity & Access Management (Agentic AI IAM)? 

Agentic AI identity & access management (agentic AI IAM) is about giving you control. It’s about knowing what AI agents you have, what they can access, and what actions they can take on your behalf. 

Here's why this matters right now: AI agents are reshaping the threat landscape in 2026.  

Their autonomy and speed are making attacks far more dynamic, adaptive, and difficult to predict. 

This is because AI agents aren’t just another type of user.  

Human identities vs bot identities vs AI agents: What’s the difference? 

• Human identities are non-deterministic (behavior changes based on context) and often authorized through RBAC, ABAC, or other identity governance controls. 

• Bot identities are machine accounts that exhibit deterministic behavior. They operate under pre-defined permissions, which means specific inputs result in expected outputs every time. 

• Meanwhile, AI agents are non-deterministic, autonomous systems. They adapt, negotiate, and choose actions based on context. They’re also often ephemeral (short-lived) and can make choices you didn’t explicitly program them to make. 

For example, they can probe their environment and grant themselves higher privileges if not properly constrained.

 

And if you have multiple agents forming ad-hoc workflows, the potential for misuse or unintended actions rises.

 

And therein lies the problem. Because of their non-deterministic behavior (read “unpredictability”), AI agents can’t just be classified as bot or machine identities.

 

Nor can traditional IAM provide the identity governance they need. 

 

Agentic AI identity access management (Agentic AI IAM) versus traditional identity access management: What’s the difference? 

While traditional IAM relies on passwords and MFA, AI IAM must navigate:  

• Volumes of ephemeral agents and their token lifecycles 

• Cross-agent communications 

• Cross-app permissions 

Unlike human users or service accounts, AI agents aren’t tied to roles or even a specific application. 

Instead, they make decisions, take actions, and operate across multiple systems. Their speed and efficiency are exactly what makes them valuable. 

But they’re also what makes AI IAM critical: The more entitlements or privileges your AI agents accumulate, the more they become a prime target for attackers. 

Traditional IAM was made for humans constrained by time and context. AI agents are different. Once authorized, they have persistent, broad access, which creates an exposure risk for your business. 

Why does traditional IAM fall short for AI agents? 

Traditional IAM falls short because pre-defined identity governance controls like RBAC are too broad for autonomous AI agents, whose behavior can be manipulated in real-time. 

In the 2025 CoPhish attack, threat actors created fake AI chatbots on Microsoft’s trusted Copilot Studio site and then sent phishing links to admin users on sites like LinkedIn.  

• The fake links pointed to a real Microsoft domain such as copilotstudio.microsoft.com and promoted a Copilot demo or “new” productivity assistant. 

• Because the links looked legit, victims clicked to complete a Microsoft OAuth consent flow. 

• By doing so, they approved permissions for broad, long-lasting access to internal data. 

• In the next step, they received a numeric code to “verify” their identity in the Copilot Studio agent. 

• Once they verified, attackers used the code to get both access and refresh tokens from the Microsoft Entra ID token service. 

• The tokens gave the attackers ongoing access to all connected Microsoft 365 apps, which also meant the AI agent could be steered into abusing this access. 

If you’re doing business today, your employees and admins live in SaaS – Teams, Outlook, SharePoint, HubSpot, Salesforce, QuickBooks – all accessed via browser tabs. 

And while regular users can’t approve broad OAuth scopes that give tenant-wide consent to resources, admins can. This is why attackers target them, as seen in the CoPhish attack.  

Just one compromised admin login can enable access to all connected SaaS apps.  

If you’re worried about your admins being targeted this way, Tech Radar recommends blocking Copilot Studio shared agents from outside your company.  

More importantly, you can enforce conditional access and FIDO2 MFA for admin accounts. Try FIDO2 MFA for all endpoints with a free LastPass Business Max trial (no credit card required).  

This brings us to a critical issue. 

What are the limitations of OAuth 2.0 for AI agents? 

OAuth 2.0 access tokens expire quickly but refresh tokens are functionally long-lived. That’s why the CoPhish attack was so dangerous.  

The AI agent didn’t just get temporary access; it got persistent access through refresh tokens that let it create access tokens at will.  

And although OAuth 2.1 isn’t finalized, it tries to eliminate this “long-lived token” problem with two options for refresh tokens: one-time use only or tied to the sender with a cryptographic binding. 

In June 2025, 149 identity professionals from finance, healthcare, government, and tech gathered at Identiverse (the world’s largest digital identity event) to explore what comprehensive agentic AI IAM should look like.  

And what they discovered might keep you up at night. 

The five critical gaps of OAuth 2.0 that put your business at risk 

#1 AI agents don’t have their own identity

This was one of the most debated issues. Attendees asked, “Should agents be treated as a service principal, workload identity, or new entity?” 

Some organizations are treating agents like human users, complete with licenses and permissions. 

Meanwhile, others are using hybrid models that combine user and agent-specific attributes. 

There's no standard approach, which means everyone’s guessing. 

#2 It’s all-or-nothing access when it comes to AI agents

OAuth 2.0 grants fixed permissions up front, but they don’t adapt to context. This means once an agent has these permissions, it can perform both safe and harmful tasks as long as it remains authenticated. 

There’s no alternative where an agent has its own clearly defined identity termination policy and continuous, context-aware validation workflow. 

#3 You can’t see what your AI agents are really doing

When a security incident occurs, you need to know what happened. But if an AI agent was involved, good luck on figuring out: 

• Did a person tell it to do that? 

• Did the AI agent decide on its own? 

• Did another AI agent tell it to do that? 

One expert put it bluntly, “Agents are showing us where our access controls are already broken.” 

#4 Nobody knows who’s in charge of which AI agent

Here’s a question that stumped a room full of experts: Who actually owns an AI agent? 

If someone leaves an organization, you deactivate their account. But what about the AI assistants they created? Should they be shut down or allowed to co-exist with current agents? Most importantly, who decides? 

As one participant puts it: “We need to manage agents like we manage humans —onboarding, offboarding, and everything in between.” 

#5 Your employees can’t always tell they’re interacting with an AI agent

Identiverse experts agreed these questions are critical:  

• How do admins discover agents? 

• How do agents discover each other? 

• How do users know they’re interacting with an agent? 

An Identiverse attendee rightly pointed out, “We don’t just need to govern agents - we need to design for how they’re experienced.” 

So, what should a granular Agentic AI IAM framework include? 

The Cloud Security Alliance (CSA) recommends an agentic AI IAM framework architecture that rests on these pillars: 

1. Decentralized identifiers (DID), which gives each agent a verifiable identity 
2. Verifiable credentials (VC) that can be cryptographically verified, so each agent can prove what they’re authorized to do 
3. Zero Knowledge Proofs (ZKP), which allows each agent to show VCs without exposing internal details, balancing verifiability with privacy 
4. Agent Naming & Discovery Service (ANS), which allows each agent to discover and verify the right collaborator agent before sharing data 

You may be thinking, “This sounds like enterprise-level complexity. I’m just a small business.” 

But the truth is compliance requirements (GDPR, CCPA, HIPAA) don’t care about company size, and data breaches come with penalties, whether you have 50 or 3,000 employees.  

The good news? You have options.  

AI agent observability: How do you keep track of AI agents? 

Solutions from Microsoft, Okta, Permit.io, and LastPass can give you the visibility you need. 

Microsoft’s new offerings for tracking and monitoring AI agents 

In response to concerns raised at Identiverse 2025, Microsoft has introduced three distinct but interconnected offerings to track AI agents: Microsoft Entra Agent ID, Microsoft Entra Built-in Security Agents, and Microsoft Agent 365 (via Frontier Early Access program): 

• Microsoft Entra Agent ID is an identity and governance system for AI agents 

• Microsoft Entra Built‑in Security Agents are AI tools using Agent IDs to operate securely. 

• The Microsoft Agent 365 platform lets you observe, manage, and secure your AI agents, whether created with Microsoft or third-party platforms. 

Best fit if:

• You’re already using Microsoft 365, Azure AI Foundry, or CoPilot Studio 

• You’re already managing users through Entra ID (formerly Azure AD) 

• You’re in a compliance-heavy industry like healthcare, finance, legal, or government 

Not ideal if:

• Your business isn’t a Microsoft-first business 

• You’re a platform-agnostic business using AWS, Google, OpenAI, or Anthropic 

• You aren’t willing to invest in Microsoft 365 E5 licensing ($57 per user/per month) 

#1 Microsoft Entra Agent ID (available in Public Preview)

This is the core identity program for AI agents: 

• Agent registry: Unified directory of all agents across your organization 

• Lifecycle Management: Assigns human owners to every agent and is least privilege by default (agents only get exactly what they need to complete tasks) 

• Conditional access policies: Sets rules for accessing data 

• Threat protection: Blocks actions by agents attempting privilege escalation or communications with suspicious external sources 

#2 Microsoft Entra Built-in Security Agents

This offers three (3) production-ready security agents: 

• Conditional Access Optimization Agent. Aligns with Zero Trust and continuously monitors your Conditional Access policies and recommends improvements.  According to a Microsoft study, businesses using this agent completed Conditional Access tasks 43% faster and 48% more accurately, with a 204% improvement in detecting missing baseline policies. 

• Identity Risk Management Agent. Identifies risky agents, generates a risk summary, and recommends remediations 

• Access Review Agent. Automatically gathers insights for each access review, generates approve/deny recommendations, and guides human reviewers through the process via natural language chat in Microsoft Teams 

#3 Agent 365 (Frontier Early Access)

This comprehensive control plane was announced at Ignite 2025.  

Agent 365 refers to Microsoft 365 Copilot’s agent framework, the AI assistant that works across Microsoft 365 apps like Teams, Outlook, Word, etc.  

It gives each AI agent its own Microsoft Entra Agent ID and allows agents to be monitored in the Microsoft 365 admin center. 

It has five (5) core capabilities: 

• Registry. Provides a complete view of all agents in your organization 

• Access control. Limits agent access to only the resources needed to complete tasks 

• Visualization. Shows interactions between agents, people, and data and assesses their impact on your business 

• Interoperability. Equips agents with apps & data to simplify human-agent workflows 

• Security. Detects threats against agents and remediates attacks against them 

Note: For Agent 365, your agents can be built anywhere (whether on Microsoft or third-party platforms), but you must use Microsoft 365 as your management platform. 

Okta’s new offerings for tracking and securing AI agents 

Okta announced similar capabilities at Oktane 2025 with its Cross App Access (XAA) protocol (included in Okta for AI Agents). 

• XAA adds capabilities that OAuth 2.0 doesn’t have. It decides what AI agents can do in a dynamic, context-aware way i.e. what they can access, what apps they can connect to, and what data they can read or modify 

• AI agents using protocols like Model Context Protocol (MCP) or Agent2Agent (A2A) make app‑to‑app connections that are often invisible to IT. XAA provides visibility into every AI‑initiated access request. 

• XAA ensures agents get only the permissions they need, not full access granted through broad OAuth consent flows 

Note: You can test Okta features like XAA and Identity Security Posture Management (ISPM) in Early Access. Full GA (general availability), however, won’t be available until FY27. 

Permit.io for tracking and securing AI agents 

If you build custom AI agents and use multiple AI platforms (not just Microsoft), Permit.io is an industry-recommended choice. It’s developer-friendly, affordable (with a free tier), and business-user accessible with a no-code policy editor.  

With Permit.io, you can answer these questions: 

• “Which agent took this action?” 

• “Which user was it representing?” 

• “Which policy approved that action?” 

• “What data can it touch?” 

Permit.io is especially relevant for AI agents because it supports fine-grained access controls like: 

• ABAC (attribute-based access control) 

• ReBAC (relationship-based access control) 

• RADAC (risk-adaptive access control) 

Best if: 

• You have a technical or dev team 

• You need to enforce what an AI agent can do at the boundary where it talks to your APIs, databases, tools, etc. 

• You’re in a regulated field and need clear documentation of what agents are accessing 

Permit.io is built for zero standing permissions i.e. access is derived at the moment of action. This means you can enforce these policies, whether you’re building your own custom agents or integrating commercial ones like Moltbot: 

• Just-in-time approvals 

• Time-bound access 

• Risk based conditions 

The critical gap these systems miss: Why your agentic AI IAM needs LastPass too 

Here’s what Microsoft, Okta, and Permit.io can’t see on their own: Every SaaS app or Shadow AI tool your employees are actually using (approved or not). 

While Agent 365, Permit.io, and Okta for AI agents can see and track agents registered in their systems, they can’t see: 

• SaaS apps your employees sign up for with corporate emails 

• Free AI tools accessed directly (ChatGPT, Claude, Gemini) 

• Duplicate apps across departments 

• Shadow SaaS nobody authorized 

This is where LastPass SaaS Monitoring + Protect comes in, giving you the ability to: 

• See which AI tools are being accessed with corporate credentials 

• See if an AI tool your team signed up for is using a weak password 

• Block high-risk SaaS or Shadow AI apps 

Remember: You need full discovery before you can have proper governance

So, you can use Microsoft 365, Okta for AI agents, or Permit.io to track your agents. 

But without SaaS visibility, governance will be incomplete.

This is because agents can have broad, ungoverned access to SaaS apps. 

Take Moltbot (formerly Clawdbot and now OpenClaw as of February 2026) - the AI agent that can respond to emails, manage calendars, screen phone calls, and even make table reservations – all with minimal action from you. 

While Moltbot’s access to accounts and credentials enables it to perform these tasks, there’s a risk it can expose highly sensitive SaaS data from platforms like Slack, Discord, or Telegram. 

And security experts like Jamieson O'Reilly, founder of red-teaming company Dvuln, have already sounded the alarm. 

In January 2026, researchers discovered that admin dashboards for Moltbot were exposed online with no authentication.  

This means anyone who found them could have stolen API keys and used Moltbot as a “master key” to access connected systems and SaaS apps.  

Essentially, this would have turned Moltbot into a backdoor that allowed attackers to inject rogue prompts, alter automation workflows, and exfiltrate data. 

According to a 2024 Varonis report, the average organization has: 

• 4,468 SaaS app accounts without MFA 

• 33 super admin accounts, more than half of which don’t have MFA enabled 

• 40+ million unique permissions across SaaS apps, which IT isn’t managing 

This is a security and compliance risk you simply can’t afford. 

With LastPass SaaS Monitoring + Protect, you get:  

• Complete visibility into your SaaS landscape, without adding more hours to your day 

• Easy deployment with no complex integrations 

• Cost savings from eliminating redundant, unused, or over-provisioned apps 

• Transparent pricing at $9 per user/per month, with no hidden costs, service fees, or surprise renewal increases 

LastPass SaaS Monitoring is a cost-effective way for you to get visibility into what apps or AI tools your employees are using, whether approved or not.  

That kind of visibility empowers you to block such tools before they expose your business. 

You can try LastPass SaaS Monitoring + Protect now with a free Business Max trial (no credit card required). 

Sources 

The Hacker News: Who Approved This Agent? Rethinking Access, Accountability, and Risk in the Age of AI Agents

Cloud Security Alliance: Agentic AI identity management approach

Microsoft: Preparing for 2026: Adapting identity and network security to the age of AI agents

Microsoft Entra blog: The future of AI agents—and why OAuth must evolve

OpenID: Identity management for agentic AI

Cybersecurity Insiders: Navigating the era of agentic AI and identity management in 2026

Microsoft: The future of AI agents—and why OAuth must evolve

Microsoft: AI agents and the future of identity: What’s on the minds of your peers?

The Microsoft Cloud Blog: Preparing for 2026: Adapting identity and network security to the age of AI agents

CNBC: Microsoft unveils tool to help companies control, track AI agents

Cloud Security Alliance: Agentic AI Identity and Access Management (IAM)

Permit.io: The rise of agentic identities