Agentic AI is an incredibly powerful frontier technology, and it’s actively changing the tech landscape day by day. One of the most significant changes is that APIs are no longer solely called by deterministic code developed and reviewed by humans.

Instead, APIs are being actively and frequently called, explored, linked, and even adapted by autonomous (or semi-autonomous) agents acting on high-level goals. Sometimes, they’re even goals that are abstractions of goals. This means that APIs must now do far more to identify the source of an agentic AI flow and control the way these agents act upon the APIs themselves.

Today, we’re going to dive headfirst into this problem and discover how identity guides agentic AI use of APIs. We’ll look at the fundamental problem at the core of this dichotomous relationship, and look towards potential fixes currently in place and on the horizon.

The Problem with Agentic AI and Traditional API Access

Traditional API access models and control systems take on one of two approaches. The first is one based on predictability. A developer provisions a key, assigns static scopes, takes a measure of behavior, and then uses some or all of those features to control access. The second is to adopt a zero-trust model in its entirety, requiring a series of predictable authentication and authorization gates to control access.

The problem with this model is that agentic AI is fundamentally incompatible with these solutions at its core. Agents decide what to do next at runtime, and this decision is highly probabilistic, not deterministic — in other words, an agent may have a higher-level goal. Still, they get to the ultimate state through experimentation and inference.

AI agents often attempt actions that may not have been explicitly anticipated, planned for, or supported during the original API development process, and their behaviors can often look like the exact “spammy” or questionable flows that would trigger heuristic prevention systems anyhow.

Agentic solutions may call an API dozens or even hundreds of times to fulfill a vague request or to fulfill their evolving set of goals. This reality doesn’t mesh with traditional perimeter security defenses.

What this ultimately results in is an issue that is complex — it’s not just a security problem, but a governance issue, a clarity issue, and an issue rooted in fundamentally misunderstanding your traffic and agentic user patterns.

Identity as Agentic Guidance

A key way to constrain AI is to lean heavily on identity control. For AI agents, this entails identifying the agent itself as agentic and adapting its API access conditions and its authentication and authorization flows. This happens across a handful of key areas, and it’s helpful to think of agentic identity management within these confines. Agentic identity management is the practice of identifying AI agents and defining, enforcing, and governing the privileges they are allowed to exercise when interacting with APIs and systems.

Authentication

Just as human users need to verify that they are who they say they are, agents also need to provide some sort of identification to authenticate themselves. Where this gets complicated is that agents are not people, and they’re not really services — they’re something in between, which requires a new modality.

A few different methods have arisen, and one of the most promising is the idea of machine identity. These solutions — a good example of which can be found in SPIFFE/SPIRE — specifically authenticate the machine that hosts the agentic service or request, allowing you to allow-list a specific machine or service, which then allows agents to act on its behalf.

While open standards are making significant strides here — with notable work by OAuth and OpenID Connect — this is still a burgeoning focus in the agentic authentication space.

Authorization and Access Control

Another big topic here is authorization. Assuming an agent has authenticated that they are who they say they are, they next need to prove they can do what they’re trying to do. When an agent calls an API, that API needs to validate the access token and then validate the assigned scopes to make sure that the agent is allowed to do what it’s trying to do.

Where this becomes complicated is when agents are experimental with how they achieve the end goal. For this, many providers have started moving from role-based access control (RBAC) to attribute-based access control (ABAC) and policy-based access control (PBAC), which allows for resource-specific authorization controls in addition to role-specific controls offered by traditional systems.

Delegation and Federation

Another wrinkle here is that this process in the agentic sense often intersects with delegation and federation to a much larger degree than in typical human-centric flows. Human flows typically are a single user or group of users working towards a singular goal, and where delegation and federation come into play, it’s usually in complex API ecosystems.

For agentic systems, however, the game is slightly different. Agents might have delegated access from humans who assume a direct line to their ultimate goal. However, an agent might act of its own accord in unpredictable ways. And sometimes, especially in federated systems, it can be somewhat unclear who is acting within whose federated access — especially since the agentic flow can seem a bit random or unconstrained.

There’s also a good deal of complexity when it comes to sub-agents. Not all agentic flows are single agents doing single tasks — in fact, in many cases, agents can have sub-agents and sub-flows. In these cases, you might see agents delegating access to other agents in ways that systems may not expect.

Solving Agentic Security With Identity Control

The reality of agentic development at this moment is that this is still an evolving domain. AI agents are evolving on an almost daily basis, and what exists today may not exist — or may exist in a very different form — in quite short order. While evolutions like the Model Context Protocol (MCP) are making big strides in resolving the issue of context, security is still an open question for many agentic flows — and this is likely to continue for the foreseeable future.

The good news is that many of our existing systems for identity management are good solutions for agentic management — albeit not perfect. When paired with zero-trust architectures or ABAC and PBAC approaches, they at least serve as a basis for a secure identity-driven agentic flow management paradigm — though this is also ever-evolving as agents demand more, users try to use them to do more, and providers face increasing agentic traffic in 2026 and beyond.