You gave your AI agent its own identity and you were told that was the hard part. You registered it, issued it a credential, maybe put it behind Okta. Then you connected it to Slack, Gmail, and Stripe with the same broad token a human operator would carry, and moved on. The identity is real. The access sitting behind it is still a house key.
That gap is the whole problem, and OWASP spent its 2026 report describing it.
Identity tells you who. It doesn't tell you what.
Authentication answers who an agent is. That part has a healthy market and it mostly works. You can issue every agent a distinct, verifiable identity and attach a certificate to it.
Authorization answers a different question: what is this authenticated agent allowed to do right now, on whose behalf, and for how long. OWASP ASI03, Identity and Privilege Abuse, lives almost entirely in that second question. An agent with a perfectly valid identity can still reuse a cached token across sessions, pass its credentials to a lower-privileged helper agent, or act on a borrowed user session three hops from where the request started. The name on the request was never the issue. The standing access behind it was.
OWASP moved the goalposts in 2026
The State of Agentic AI Security and Governance 2026, published on 1 June, gives agent identity its own chapter and calls it a control plane. A control plane is just the place where you decide and enforce what something can do. Identity is that place for agents, because policy, audit, and revocation all hang off it.
The numbers behind the framing are worth keeping:
- Non-human identities outnumber humans by around 100 to 1. Service accounts, workloads, and agents now vastly outnumber people, and agents are the fastest-growing slice.
- About 37 percent of organizations have any policy to manage AI or detect shadow AI. That figure is from a survey OWASP cites. Most teams cannot yet see the agents already running on their data.
- ASI03 has the widest readiness gap of any category. It scored the largest distance between how severe the risk is and how prepared anyone is for it.
Put those together and you get a layer that every company now depends on and almost nobody governs.
Two axes, and most teams only watch one
The report ships a maturity model with two axes, and the point is to compare them.
- Adoption tier, AT0 to AT8. What are you running? AT0 is shadow AI, unmanaged usage already on your data. The scale climbs through vendor assistants, citizen-developer flows, code-executing agents, and agents wired to external tools over MCP, up to AT8 federated systems that cross organizational boundaries.
- Governance maturity, Level 0 to 4. How well can you see and stop it? Level 0 is ad hoc and unaware. Level 4 is real-time oversight with kill switches and machine-readable policy.
Then you cross them. An AT8 federated deployment sitting on Level 0 governance reads as do not deploy. Shadow AI at AT0 reads as critical, because you cannot govern usage you have not found. Most teams obsess over the deployment axis, ship the impressive agent, and never once score their governance against it.
When governance can't keep up, shrink the agent
OWASP gives two ways to close a gap. Raise governance maturity, which costs real time and budget. Or reduce the agent's permissions and autonomy until the controls you already have are enough.
The second one you can do this afternoon. An agent wired to external tools at AT6, scoped to a single system, a single user, and a five-minute credential, behaves like a contained AT2 deployment from a governance standpoint. You lowered its effective tier by scoping its authority, without ripping it out.
This is the principle OWASP calls least agency. Least privilege limits what an identity can reach. Least agency limits how far it can act before it has to check back. Scoping autonomy is the lever that moves an agent down the deployment axis.
What to do instead
If you are wiring agents into real systems, this is the order that actually reduces your blast radius:
- Find your shadow AI first. Assume AT0 exposure exists until proven otherwise. You cannot govern an agent you have not discovered.
- Give every agent its own identity. Stop agents borrowing a human's OAuth session, which drags a person's full standing access into every action.
- Scope the credential and make it short-lived. Bind it to one user, one set of endpoints, and a tight window. Make it keyless, so there is no standing secret to copy or replay.
- Decide per user, not per agent. Authorization should answer what this agent may do on behalf of this specific person. A blanket per-agent grant cannot express that, and it is where borrowed access quietly becomes over-access.
- Gate the expensive actions behind a human. Sending mail, moving money, deleting records. A push approval confirmed with a biometric beats hoping the prompt held.
- Keep an audit trail that names names. Agent, user, action, target system. If you cannot answer who did what after the fact, you do not have authorization, you have logging.
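The scoping, per-user, approval, and audit items above can be expressed as one runtime decision. The sketch below is an added example, not code from OWASP or any product; the `Broker` and `Grant` classes, the action names, and the `approved_by` parameter (a stand-in for a verified human approval) are all hypothetical.

```python
import time
from dataclasses import dataclass, field

# Hypothetical action names, taken from the list's examples of expensive actions.
HIGH_IMPACT = {"send_mail", "move_money", "delete_records"}

@dataclass(frozen=True)
class Grant:
    agent: str
    user: str              # the one person this agent acts for
    endpoints: frozenset   # exact (system, action) pairs, nothing broader
    expires_at: float      # epoch seconds; the credential dies on its own

@dataclass
class Broker:
    grants: dict = field(default_factory=dict)   # keyed per (agent, user)
    audit: list = field(default_factory=list)

    def issue(self, agent, user, endpoints, ttl=300, now=None):
        now = time.time() if now is None else now
        grant = Grant(agent, user, frozenset(endpoints), now + ttl)
        self.grants[(agent, user)] = grant
        return grant

    def authorize(self, agent, user, system, action, approved_by=None, now=None):
        now = time.time() if now is None else now
        grant = self.grants.get((agent, user))
        if grant is None:
            decision = "deny:no_grant_for_user"
        elif now >= grant.expires_at:
            decision = "deny:expired"
        elif (system, action) not in grant.endpoints:
            decision = "deny:out_of_scope"
        elif action in HIGH_IMPACT and approved_by != user:
            # approved_by stands in for a verified human approval signal
            decision = "deny:needs_human_approval"
        else:
            decision = "allow"
        # Every decision, allowed or not, names agent, user, action and target.
        self.audit.append({"agent": agent, "user": user, "system": system,
                           "action": action, "decision": decision, "at": now})
        return decision

if __name__ == "__main__":
    b = Broker()  # constructed sample data below
    b.issue("support-bot", "alice", {("gmail", "read_mail"), ("gmail", "send_mail")}, now=1000)
    print(b.authorize("support-bot", "alice", "gmail", "send_mail", now=1010))
    print(b.authorize("support-bot", "alice", "gmail", "send_mail", approved_by="alice", now=1010))
    print(b.authorize("support-bot", "bob", "gmail", "read_mail", now=1010))
```

Denials are written to the audit list as well as approvals, so an out-of-scope or expired attempt is still attributable to an agent and a user.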
This is the point where a broker earns its keep. AgentValet sits between your agents and the platforms they call, and hands each one a scoped, short-lived, keyless credential instead of a raw API key. Permissions match down to the endpoint, a per-user policy engine decides what each agent can do for each person, high-impact actions wait on a push approval confirmed with a biometric, and every call lands in an audit trail. It is self-hostable, which matters when the entire goal is to stop credentials from spreading.
Identity is the starting line
Once every agent has a name, the question that decides your exposure is what that name is allowed to do, for whom, and for how long. That is the control plane, and issuing identities is only the moment you reach it. A clean directory of agents that can each do anything is not governance. Put the authorization decisions on the identity, enforce them at runtime, and the control plane starts earning the name.
To see where your agents sit today, the Agent Exposure Scorecard runs this as an eight-question check mapped to the 2026 OWASP agentic risks, and shows your exposure score with no email.