I've watched teams wire AI agents into production like any other API integration. Spin up a service account, hand it a token with read access to Google Drive, let it loose. That shortcut is catching up with people.
In 2025, a Replit agent ignored an explicit freeze ("NO MORE CHANGES without explicit permission") and wiped a production database. Weeks later, a Google Antigravity agent was told to delete one project folder and erased an entire user drive instead. Both were operating with valid credentials. Both did exactly what the system let them do.
This is a real identity problem, and most companies are already underwater. According to the 2025 IBM Cost of a Data Breach Report, 97% of organizations that experienced AI-related breaches lacked adequate AI access controls. Aembit's industry survey goes further: 91% of organizations run AI agents in production, but only 10% have any strategy for managing those agents as identities.
Here's why that gap matters, and what to actually do about it.
When Agents Go Rogue

An AI agent is not a microservice. A microservice executes deterministic code. An agent decides at runtime which API to call, which file to read, which tool to invoke. Different inputs, different plans, same credentials.
The Replit and Antigravity incidents were permission bugs. The agent held the operator's full credentials, so when it reasoned its way into a destructive action, nothing stopped it. No scope check. No human-in-the-loop gate on DROP TABLE. No rate limit on rm -rf.
In March 2026, Meta had its own version: a rogue AI agent operated with valid credentials and took actions its operator never approved. Same pattern, different blast radius.
The uncomfortable truth is that we've built a class of software that acts on its own judgment, but we've given it the permission model of a deterministic service.
Why Traditional IAM Breaks Here

IAM wasn't designed for this shape of actor. Three things break.
Nondeterministic access patterns. You cannot pre-provision credentials for "whatever this agent decides to do next." Static roles assume you know what the caller will touch. Agents do not know either, until they are running.
Delegation chains. A user asks an orchestrator, which calls a planner agent, which calls a tool agent, which calls an API. Four identities, one action. When something goes wrong, whose audit log matters?
The confused deputy problem. Valid credentials plus a manipulated prompt equals a trusted identity doing untrusted things. The token checks out. The action is catastrophic. IAM cannot see the difference.
The Cloud Security Alliance puts it well: monitoring tells you what happened, identity registration tells you what should happen, authorization enforces the boundary. If you only have monitoring, you are always a step behind the incident.
What Agent Identity Actually Means

Giving an agent its own identity is a different shape of control, not a rebrand of "service account." Five things come with it.
Scoped permissions. The agent that summarizes your Drive gets read-only on the folders it needs. It does not get delete. It does not get a path to your mailbox. If the agent decides to delete, the API says no.
Short-lived credentials. Static keys are the root of most of these stories. Replace them with ephemeral, context-aware tokens scoped to the current task. If a token leaks, the blast radius is minutes, not months.
Per-agent audit trails. When something goes sideways, you need to know which agent took the action, on whose behalf, through which tool, with which prompt. Human user logs do not give you this. Agent-scoped logs do.
Revocability. Kill the agent's identity without killing the human user's session. This is how you contain an incident before it spreads.
Attestation. Before you hand an agent a token, verify the agent is the build you expect, running in the environment you expect. Not just something presenting a shared secret.
In my experience, the highest-leverage change is shifting from "the agent borrows the user's credentials" to "the agent has its own credentials with a smaller scope." Everything else gets easier after that.
The Industry Is Scrambling to Catch Up

The vendors have caught on. In the last six months:
Microsoft Entra Agent ID entered public preview, treating every agent in your tenant as a registered identity alongside humans and devices.
Okta for AI Agents shipped in early access, registering agents in the Universal Directory with their own lifecycle and policies.
WSO2 launched Agent ID capabilities for its identity server.
The OpenID Foundation published "Identity Management for Agentic AI" in October 2025, formalizing two authentication layers: proving the agent software is trusted, and proving the human's intent to delegate.
Startups like Strata Identity, Solo.io, and Aembit are building agent gateways that sit between your agents and your APIs, enforcing identity and scope at the edge.
The Model Context Protocol is the other piece to watch. It is becoming the standard way agents connect to tools, but today MCP hosts are largely identity-less, borrowing the human's credentials. Closing that gap is the whole game.
What You Should Do This Quarter

You do not need to wait for a perfect platform. You can close the biggest holes now.
Inventory every agent. Write down every agent running in production, including the shadow ones an engineer wired up last sprint. You cannot govern what you cannot name.
Kill shared credentials. If agent A and agent B both authenticate as svc-ai, you have one identity doing the work of two. Split them. Give each its own service account or, better, its own short-lived token.
Scope down, aggressively. Most agent credentials are broader than the task requires. Cut them to the minimum that lets the current task succeed. If the agent needs broader access, make it request it explicitly.
Gate destructive operations. DELETE, DROP, rm, outbound payments, production writes. These should require human confirmation even for trusted agents. A one-line policy beats a post-mortem.
Log per agent. Every call an agent makes should land in a log keyed by agent identity, not user identity. This is how you replay what happened after the fact.
Pick one identity platform. Okta, Entra, or a dedicated agent gateway. Choose one and make it authoritative. Do not stitch five together.
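To make the five properties above and the scope, gate and log steps in this list concrete, here is an added example of a minimal tool gateway (illustrative Python, not code from the original post or from any of the vendors named). The token fields, the "action:resource_prefix" scope format and the verdict strings are assumptions of this example; the destructive-operation list and sample agents are constructed.

```python
import time
from dataclasses import dataclass

# Operations that need a human-in-the-loop gate even when the scope allows them.
DESTRUCTIVE = {"files.delete", "db.drop_table", "payments.send"}

@dataclass
class AgentToken:
    agent_id: str          # the agent's own identity, never the human's
    on_behalf_of: str      # the human who delegated the task
    scopes: frozenset      # "action:resource_prefix", e.g. "files.read:/drive/reports/"
    expires_at: float      # unix time; minutes, not months
    revoked: bool = False  # flipped to contain one agent; the human's session is untouched

class ToolGateway:
    # Sits between agents and tools; every decision lands in a per-agent audit log.
    def __init__(self, clock=time.time):
        self.clock = clock
        self.audit = []    # (agent, on_behalf_of, action, resource, verdict) per call

    def _in_scope(self, tok, action, resource):
        return any(a == action and resource.startswith(prefix)
                   for a, _, prefix in (s.partition(":") for s in tok.scopes))

    def authorize(self, tok, action, resource, human_confirmed=False):
        if tok.revoked:
            verdict = "deny:revoked"
        elif self.clock() >= tok.expires_at:
            verdict = "deny:expired"
        elif not self._in_scope(tok, action, resource):
            verdict = "deny:out_of_scope"
        elif action in DESTRUCTIVE and not human_confirmed:
            verdict = "deny:needs_human_confirmation"
        else:
            verdict = "allow"
        self.audit.append((tok.agent_id, tok.on_behalf_of, action, resource, verdict))
        return verdict

def demo():
    # Constructed walk-through with a fixed clock so the outcome is reproducible.
    gw = ToolGateway(clock=lambda: 1000.0)
    summarizer = AgentToken("drive-summarizer", "alice",
                            frozenset({"files.read:/drive/reports/"}), expires_at=1300.0)
    cleaner = AgentToken("drive-cleaner", "alice",
                         frozenset({"files.delete:/drive/tmp/"}), expires_at=1300.0)
    out = [gw.authorize(summarizer, "files.read", "/drive/reports/q3.pdf"),
           gw.authorize(summarizer, "files.delete", "/drive/reports/q3.pdf"),  # no delete scope
           gw.authorize(cleaner, "files.delete", "/drive/tmp/old.log"),        # gated
           gw.authorize(cleaner, "files.delete", "/drive/tmp/old.log", human_confirmed=True)]
    summarizer.revoked = True                                                   # contain one agent
    out.append(gw.authorize(summarizer, "files.read", "/drive/reports/q3.pdf"))
    return out, [entry[0] for entry in gw.audit]
```

The audit list is keyed by agent identity, so after an incident you can replay exactly which agent asked for what on whose behalf, and why it was allowed or refused.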
The Takeaway

Autonomous software needs autonomous accountability. If your agents are acting with your humans' credentials, you are one manipulated prompt away from an incident you cannot audit, contain, or undo.
The good news is the fix is not conceptually hard. Give every agent its own identity. Keep its permissions small, its tokens short, its audit trail clean. Do it before the next Replit-shaped story is your own.

Written by
Bruno Bonando
Fractional CTO and technology advisor. 23+ years shaping platforms for many companies across Europe and Latin America. Has had leadership roles at REWE, MediaMarktSaturn, Cazoo, and some others.