Artificial intelligence is already part of the day-to-day operations of most organizations and has significantly contributed to improving operational efficiency. This is evident in tools that analyze large volumes of data, as well as in systems capable of automating tasks and making decisions without human intervention.

According to a McKinsey study, 62% of organizations report that they are experimenting with AI agents in their operations.

However, there is a critical aspect that still does not receive the attention it deserves: AI agents are not just autonomous systems, they represent new identities within organizations.

Just like human identities, these identities must also be managed, controlled, and audited.

This is a new challenge for organizations, and one we will explore throughout this article.

What is an AI agent and why should it be considered a digital identity?

An AI agent is a system capable of interpreting information, making decisions, and executing actions autonomously or semi-autonomously.

More than simply executing tasks based on prompts or isolated automations, these agents interact directly with processes, applications, and corporate data.

Within an organization, their main capabilities include:

  • Connecting to applications and interacting with critical infrastructures
  • Accessing corporate and confidential data to perform their processes
  • Executing actions on behalf of the organization

In practice, an AI agent performs functions similar to those of a human employee. For this reason, it makes sense to treat it as a non-human digital identity that requires the same level of:

  • Security
  • Control
  • Traceability
  • Governance

 

What is the main risk associated with AI agents?

The biggest risk associated with AI agents does not lie in the technology itself, but in uncontrolled access to corporate systems and the lack of proper identity management. In practice, this can result in:

  • Agents with excessive permissions
  • Access to sensitive information without proper oversight
  • Difficulty in tracking which actions were performed by each agent

Practical example

Imagine an AI agent connected to a software company’s GitHub repository. This agent can:

  • Read all source code
  • Identify bugs
  • Suggest improvements

If access is not properly defined, the risk lies not in the agent’s function, but in the level of permissions granted to it. In this scenario, some key questions arise:

  • Can we ensure that accessed information will not be shared or exposed?
  • Are the granted permissions truly necessary, or do they exceed the agent’s scope?

How does the lack of control over AI identities impact security?

The absence of governance over AI agent identities directly affects an organization’s security. Key risks include:

  • Use of agents as an attack vector
  • Risk of identity hijacking or spoofing
  • Unauthorized access with elevated privileges

Additionally, the lack of control reduces the organization’s ability to respond to situations such as:

  • Improper actions executed by the agent
  • Automated operational errors
  • Lack of visibility over active agents (shadow AI)
  • This can lead to significant impacts, including:
  • Leakage of confidential data (financial information, customer data, source code, etc.)
  • Operational disruptions

According to a Gravitee report, 88% of organizations that implemented AI agents have confirmed or suspected security incidents.

If an AI agent accesses corporate systems or executes actions, it must have a strong, verifiable, and revocable identity. Otherwise, the organization’s attack surface increases significantly.

Why include AI agents in an identity management model?

Many organizations already adopt Identity and Access Management (IAM) solutions, but most of these frameworks were designed primarily for human users.

According to a CyberArk report, only 32% of organizations have adequate identity security controls. This means that non-human identities, such as AI agents, are also left unmanaged. Consequences of this gap:

  • Lack of visibility over agents and their access
  • Absence of specific control policies
  • Difficulty in auditing and traceability

In other words, when not integrated into a governance model, AI agents operate as unmanaged identities.

This issue becomes even more critical considering that, according to the Cloud Security Alliance, 68% of organizations cannot accurately distinguish between actions performed by AI agents and those performed by human users.

As automation and AI adoption grow, so does the number of agents, and consequently, the number of identities that need to be managed.

Limits applied to artificial intelligence should not be seen as barriers, but as essential mechanisms to ensure control, security, and governance.

Digital certificates: an essential mechanism for control and traceability

The question is no longer whether AI agents should be controlled, but how to do it effectively.

One of the most efficient approaches is to treat them like any other user within the organization by assigning each agent a digital identity based on a digital certificate.

Benefits of using digital certificates for AI agents

  • Unique and unambiguous identification of each agent
  • Clear definition of access policies
  • Easy revocation and adjustment of permissions
  • Detailed auditing of executed actions
  • Control over the duration of access to resources

Building architectures that allow organizations to manage, monitor, and audit which agents access specific resources, and for what purpose, is essential.

Without this level of control, artificial intelligence stops being a competitive advantage and becomes an operational and security risk.

Digital certificates play a central role in this process, as they enable authorization, authentication, and auditing of actions, ensuring the level of trust required for the secure adoption of AI agents within organizations.

If your organization is using AI agents, ask yourself:

Do you know exactly what each agent is accessing?
Are you fully aware of what it can do and where its limits lie?
Can you clearly prove which actions it has performed?

If the answer to any of these is “no,” then you likely don’t have full control over your AI agents.