Non-Human Identity

AI Agents Have an Identity Crisis And It's a Familiar One

AI Agents Have an Identity Crisis And It's a Familiar One
Written By
Janos Matyas
Published On
Jul 13, 2026

AI Agents Have an Identity Crisis And It’s a Familiar One

Organizations spent a decade eliminating static secrets and enforcing least privilege. AI agents are quietly undoing all of it. Every agent is a new identity with broad access, no supervision, and credentials it was never designed to protect.

This isn’t a theoretical risk. It’s the current state of production agentic AI.

The problem security leaders already recognize

The pattern is familiar. A workload needs access to a service, so it gets a credential. That credential gets stored somewhere — a config file, an environment variable, a process’s memory. It persists longer than it should, gets shared wider than intended, and eventually becomes the thing an attacker is looking for.

For a decade, security organizations have fought this pattern with secrets management, short-lived tokens, just-in-time access, and zero trust architectures. Real progress was made.

Now AI agents have reintroduced the same problem at a dramatically larger scale. A single agent session might connect to a SaaS productivity tool through MCP, authenticate against a cloud provider API, call an AI model endpoint, and query an internal database — all in one task, all autonomously. Each of those connections requires a credential. And in virtually every agentic framework today, those credentials end up stored inside the agent — accessible to anything that can compromise the process.

The attack surface isn’t one stolen key. It’s dozens of delegated credentials, scattered across autonomous workloads, with no centralized visibility into what’s been issued, what’s active, or what’s been exposed.

Why AI agents make this worse than traditional workloads

Traditional services are relatively predictable. They run in known environments, connect to known endpoints, and operate within well-understood boundaries. Security teams can reason about the blast radius.

AI agents are different in ways that matter for credential security.

They are autonomous and unpredictable. An agent decides at runtime which tools to call, which services to connect to, and in what sequence. The access pattern can’t be fully anticipated at deployment time.

They are ephemeral and dynamic. Agents spawn sub-agents, delegate tasks, and terminate — sometimes in seconds. Each one needs credentials, and each one represents a window of exposure.

They act on behalf of humans. When an agent connects to a third-party service, it carries a user’s delegated authorization — an OAuth token that represents that user’s permissions. If the agent is compromised, the attacker doesn’t just get the agent’s access. They get the user’s.

And critically, they are vulnerable to a new class of attack. Prompt injection — where malicious instructions are embedded in data the agent processes — can cause an agent to exfiltrate its own credentials without any traditional exploit being needed. No vulnerability, no CVE, no patch cycle. The agent simply follows instructions it shouldn’t have received.

The combination creates a risk profile that existing credential management tools were never designed to address.

What a structural solution looks like

The core insight behind the Riptides platform is that the problem isn’t how credentials are managed — it’s that credentials are in the agent’s hands at all.

Riptides takes a fundamentally different approach: the agent never holds the real credential. Not in memory, not in a config file, not in an environment variable. The actual tokens that grant access to services live in the operating system kernel — a layer beneath the application that the agent process cannot reach or tamper with.

When an agent makes a request to an external service, the kernel intercepts it, verifies the agent’s identity, looks up the appropriate credential, and injects it into the outgoing request at the network level. The service on the other end sees a fully authenticated request. The agent never knew what credential made it possible.

An agent that can be prompted into leaking its credentials cannot leak credentials it does not possess. This is a structural guarantee, not a best-practice recommendation.

Two identities, one request — full accountability

Every interaction in a Riptides-managed environment carries two distinct, cryptographically verifiable identities.

The first is the agent’s own identity — a non-human, workload-level identity based on the SPIFFE standard, issued automatically when the agent process starts and bound to that specific process. This identity answers the question: which agent is making this request?

The second is the human’s delegated identity — the OAuth-based authorization of the user on whose behalf the agent is acting. When an agent needs to access a third-party service (such as an MCP-connected SaaS tool), the user goes through a standard authentication flow. But instead of handing the resulting access token to the agent, Riptides brokers the exchange, stores the real token in the kernel, and gives the agent a proxy credential that is meaningless outside the system.

These two identities travel together but remain distinct. They can be audited independently, revoked independently, and governed by separate policies. The audit trail answers not just “what happened” but “which agent did it, on behalf of which user, at what time, and under what policy.”

For security leaders responsible for compliance, incident response, and access governance, this dual-identity model provides the kind of granularity that agentic workloads have been missing entirely.

No code changes, no agent cooperation required

One of the most significant operational properties of the Riptides approach is that it requires nothing from the agent itself. No SDK integration, no library imports, no code modifications of any kind. The platform operates at the kernel level of the Linux operating system, which means it works with any agent — regardless of programming language, framework, or orchestration model.

A Python agent built on LangChain, a TypeScript MCP client, a Go-based orchestrator, or Claude Code running from a terminal — all receive the same identity, the same credential protection, and the same policy enforcement, without any of them being aware of it.

This matters for two reasons. First, it eliminates the dependency on development teams to “integrate correctly” with a security tool. The enforcement happens beneath the application, not inside it. Second, it means security posture doesn’t degrade as agent frameworks evolve — and they evolve fast. The kernel doesn’t care what framework is running above it.

Continuous verification, not point-in-time trust

Traditional workload identity systems verify a workload once — when it starts — and trust it for the duration of its certificate’s lifetime. In the AI agent context, this is insufficient.

Riptides continuously validates the posture of every managed process. If an agent’s binary changes after attestation, if its runtime environment drifts from the expected baseline, or if its behavior deviates from established patterns, its access can be restricted or revoked in real time. The system doesn’t assume that because an agent was trustworthy when it launched, it remains trustworthy now.

This continuous enforcement model is particularly relevant given the prompt injection risk. An agent’s behavior can change mid-session without any change to its process signature. Continuous posture management is the mechanism that detects and responds to that drift.

Federation without credential distribution

As AI agents increasingly connect to external AI providers, cloud platforms, and third-party services, the challenge of managing federated credentials grows. Riptides handles this transparently.

When an agent needs to authenticate against an external provider — whether that’s Anthropic’s Claude API, an AWS service, a GCP endpoint, or a third-party MCP server — Riptides manages the federation flow, acquires the necessary credentials, and injects them at the kernel level. No API keys are distributed into containers. No long-lived secrets are pushed into environment variables. The credential lifecycle — issuance, rotation, renewal, revocation — is managed centrally and enforced automatically.

This extends the same secretless model across every external dependency an agent touches, creating a consistent security posture regardless of how many services are in the chain.

What this means for security governance

For security leaders evaluating how to govern agentic AI workloads, the Riptides model addresses several critical requirements simultaneously.

Credential exposure is eliminated architecturally. The most discussed AI-specific attack vector — prompt injection leading to credential theft — is neutralized by ensuring credentials never exist in the agent’s address space. This isn’t a mitigation; it’s a removal of the attack surface.

Auditability is built into the architecture. Every credential issuance, every access decision, every identity binding is tied to both a verifiable workload identity and a verifiable user identity. This isn’t a logging layer bolted onto the side — it’s inherent to how every request flows through the system.

Policy enforcement is centralized and tamper-proof. Access policies are defined centrally and enforced at the kernel level, beneath the application. The agent cannot bypass, misconfigure, or be prompted into circumventing its own access controls.

Operational overhead is minimal. Deployment requires no agent code changes, no sidecar containers, no framework-specific integrations. Security teams can enforce consistent posture across diverse and rapidly evolving agent environments without creating a bottleneck for development teams.

The bottom line

AI agents represent the next generation of non-human identities — more autonomous, more dynamic, and more broadly connected than anything that came before. The credential management patterns that worked for traditional workloads are insufficient for workloads that can be manipulated into acting against their own security.

The solution isn’t better secret management. It’s removing secrets from the equation entirely — ensuring agents can authenticate, participate in authorization flows, and make fully authenticated requests, without ever possessing the credentials that grant access.

That’s the architecture Riptides was built around. And as agentic AI moves from experimentation to production, it’s the architecture that the scale and risk profile of these workloads demand.


To see kernel-level agent identity and secretless credential management in action, request a demo. Follow Riptides on LinkedIn and X for more.

Free Resource

How exposed are your workloads?

Run the NHI Security Audit Checklist, 8 questions to map your credential exposure, attribution gaps, and lateral movement surface across your own environment. Takes about 15 minutes.

Run the Checklist

Follow us on LinkedIn and X for more updates.

Security AI Agents Credentials Non-Human Identity Prompt Injection

Secure the agents you're
already running.

Identity, access control, and a full audit trail for every agent and service — enforced on the host, with no code changes. Up and running in an afternoon.