For about a decade, security teams have been doing the same patient work: tightening who can reset a password, who can move money, who can touch a privileged system, and proving that the person on the other end is actually that person. Identity Impersonation Detection (IID) exists because attackers learned to walk past every control that trusts what a caller knows or what a device holds.

Now those same organizations are handing AI agents the exact access they spent years locking down for humans. The agent resets things. It moves money. It reaches into systems on behalf of a user, often with no human watching and no pause between the request and the action.

Here is the question almost nobody is answering. When an agent acts, how do you prove it is the agent you authorized, and not something riding its credentials?

The trust model quietly broke

An AI agent needs credentials to do anything useful. It authenticates to APIs, queries databases, sends mail, and spins up cloud resources. Every one of those credentials is a non-human identity, and the scale is not subtle. Rubrik Zero Labs puts the ratio of non-human to human identities at roughly 45 to 1 in a typical enterprise. In cloud and DevOps environments, Entro Labs has measured it closer to 144 to 1. A single agentic workflow can create dozens of new identities in an afternoon, and in most companies those credentials get made once, owned by nobody, and never rotated.

45 : 1 non-human to human identity ratio in a typical enterprise (source: Rubrik Zero Labs).

144 : 1 in cloud and DevOps environments (source: Entro Labs).

The industry has noticed. The World Economic Forum has called non-human identities the new frontier of cybersecurity risk for agentic AI. Gartner named identity and access management adapting to AI agents one of its top cybersecurity trends for 2026. Weeks into the year, NIST opened a public request for input on how organizations should securely build and deploy agent systems. The governance conversation is loud and it is correct as far as it goes.

But governance is mostly about hygiene: discover the credentials, scope the permissions, rotate the secrets, assign an owner. All of that is necessary. None of it answers the impersonation question, which is the one we have spent a decade learning the hard way with humans.

This is the same attack, wearing different clothes

Account takeover has always worked for one reason. Systems trust a signal that can be stolen or faked. A caller knows the right answers. A device holds the right token. The help desk hears a convincing voice. Strip away the technology and every successful social engineering case comes down to a system believing a claim it never verified against anything real.

Agents inherit that weakness and make it worse in two specific ways. They operate at machine speed, so there is no human pause where someone might feel that a request is off. And most organizations cannot even tell their agents apart. A 2026 Gravitee survey of more than 900 practitioners found that 88 percent confirmed or suspected an AI agent security incident in the prior year, while only about 22 percent treat agents as distinct identity-bearing entities. The rest lean on shared credentials.

88% of organizations confirmed or suspected an AI agent security incident in the past year (source: Gravitee, State of AI Agent Security 2026).

22% of organizations treat agents as distinct identity-bearing entities; the rest share credentials (source: Gravitee, State of AI Agent Security 2026).

Shared credentials are the part that should keep you up. When several agents authenticate as the same thing, a compromised or spoofed agent does not look like an intruder. It looks like normal traffic. After the fact, you cannot say which agent took the action. One security team described post-incident analysis in that situation as forensic archaeology rather than attribution, and that phrase is accurate. You are digging, not reading a log.

Picture the incident before it happens

Run the tape forward on a realistic case. An organization deploys an agent that handles routine account servicing. It has the access it needs to do that job. An attacker obtains or imitates the agent’s credentials, which is not exotic when those secrets sit in a CI/CD log, a config file, or a shared vault that 40 services already touch.

The attacker now acts as the agent. The requests are well formed. The volume looks ordinary. The identity checks out because the identity was never the thing being verified, only the credential was. By the time anyone asks who did this, the answer is a shrug and a week of log review. No malware fired. No exploit ran. A trusted identity did exactly what trusted identities are allowed to do, and the system had no way to ask whether the thing behaving like the agent really was the agent.

It is the help desk reset story with the human removed and the clock sped up.

IID was never only about people

Here is the part worth sitting with. The discipline of verifying an identity claim against an authoritative source, rather than trusting what the requester presents, does not stop applying because the requester is software. It applies harder. Agents do not get tired, do not feel social pressure, and do not hesitate, which means the only thing standing between an authorized action and an impersonated one is whether the system can actually confirm the actor.

The market is crowded with tools that discover non-human identities and manage their lifecycle. Far fewer are asking the verification question at the moment an agent acts. That gap is exactly where IID started for human identity, and it is open again for agents. Whoever defines what authoritative verification means for autonomous systems will set the standard the rest of the category measures against, the same way help desk verification became the line in the sand for social engineering defense.

This is not a far-off problem to monitor. Agents are in production now, making decisions and taking actions at scale, and most organizations admit they have already had an incident. The teams that treat agent identity with the same seriousness they finally gave human identity will be the ones who can answer the question when it counts: not what happened, but who actually did it, and could we have stopped them before they acted.

That question is the whole game. It always has been. The actor changed. The work did not.

See Agent Verify in action

Trusona’s ATO Protect Agent Verify extends Identity Impersonation Detection to autonomous systems. Verify the agent acting on a request against an authoritative source, before it acts.

Setup: 30 minutes  |  Surface: API · SDK  |  Verification: Authoritative  |  Latency: Sub-200ms

Book a 7-minute demo at trusona.com/demo

Frequently Asked Questions

What is agentic identity?

Agentic identity is the identity an AI agent carries when it acts on systems. It includes the credentials the agent uses to authenticate and, more importantly, the question of whether the thing presenting those credentials is the agent you authorized. Most organizations track the credentials. Few verify the actor behind them.

How is verifying an AI agent different from verifying a human?

The discipline is the same: verify an identity claim against an authoritative source rather than trusting what the requester presents. The conditions are harder. Agents act at machine speed, run continuously, and frequently share credentials across services. There is no pause for a human to notice that something feels off, so the verification has to be automatic, fast, and rooted in something the attacker cannot fabricate.

Why isn’t non-human identity governance enough?

Governance answers questions about hygiene: where credentials live, who owns them, how often they rotate. Necessary work. It does not answer the impersonation question at the moment an action is taken. Verifying the agent behaving on a request, against an authoritative source, is a different control from cataloging the credential it carries.

What does Trusona’s Agent Verify do?

Agent Verify extends Identity Impersonation Detection to autonomous systems. When an agent takes a sensitive action, Trusona verifies the agent against an authoritative source before the action completes, rather than after the fact when teams are reconstructing logs.

Sources Cited

  1. Rubrik Zero Labs. The State of Data Security: Measuring Your Data’s Risk. Non-human to human identity ratio benchmarks, 2025.
  2. Entro Labs. Non-Human Identity Security Report. Cloud and DevOps environment measurements, 2025.
  3. World Economic Forum. Agentic AI and the Frontier of Non-Human Identity Risk, 2026.
  4. Gartner. Top Cybersecurity Trends for 2026. Identity and access management adapting to AI agents.
  5. NIST. Public Request for Input on Securing Agent Systems, January 2026.
  6. Gravitee. State of AI Agent Security 2026. Survey of 900+ practitioners.