Identity Propagation Is the Only Pattern That Survives the 82:1 Ratio
In December of 2025, Google's Antigravity agent deleted the entire contents of a user's D: drive. Not a project folder. Everything. Earlier that year, a Replit agent deleted a production database, having "reasoned" that it was outdated and should be removed. These aren't hypothetical risks. They're production incidents that expose a fundamental error in how the industry is trying to solve AI agent security.
The prevailing wisdom says: give agents their own identity. Their own credentials. Their own lifecycle management. Google calls agent identity "a new kind of principal."
Vendors are racing to build agent identity platforms.
That's wrong. The Antigravity incident shows why.
The Distinct Identity Fallacy
The problem with treating agents as distinct identity principals is that it doesn't solve accountability. Even if the Antigravity agent had its own identity with permissions limited to "delete files in project folders," the incident still would have occurred. The agent did not exceed its technical permissions. It exceeded the user's intended purpose through its own reasoning. It decided, incorrectly, that more files needed to be deleted than the user desired.
Distinct agent identity gives you "what can this agent do?" It does not answer the question that actually matters: "Who authorized this specific action?"
Jason Clinton, CISO at Anthropic, identified this tension in his description of a world where agents reason over problems for days, requiring organizations to track "the identity of the agent as well as the identity of the human responsible for that agent's request." That "as well as" is doing most of the work. Most agent identity platforms deliver the first half. Almost none deliver the second.
A Cloud Security Alliance survey in February 2026 confirmed this divide: only 28 percent of organizations can trace an agent’s activity back to a human sponsor, and 84 percent doubt they could pass a compliance audit focused on agent behavior. Layer on the scale problem: CyberArk’s 2025 research found machine identities outnumber humans 82 to 1, and Gartner found that IAM teams are only responsible for 44 percent of those identities. The rest operate outside security’s visibility.
You cannot assign identity to an agent you do not know exists. But that’s an argument for governance hygiene, not for distinct machine identity.
What Identity Propagation Actually Solves
When an agent uses identity propagation, it acts as a proxy for the human user and carries that user's identity credentials through each action. The Antigravity agent could never have been granted blanket file-deletion capability. It would have carried the human user's permissions for that session, limited to that task.
This also enables real-time detection. When CrowdStrike flags anomalous agent behavior, propagated identity tells the Security Operations Center (SOC) which user's session to terminate. Without it, the SOC terminates a shared service account used across thousands of concurrent sessions. CrowdStrike reports adversary breakout times as fast as 51 seconds. In many cases, there isn't enough time to work out which of the sessions behind a shared credential is the one that needs to be cut.
What I Learned Building This
When I built multi-agent systems serving hundreds of thousands of users, the most important architectural decision was whether each agent's actions were directly linked to the human user who initiated them.
We used dedicated agent credentials early on. Troubleshooting was nearly impossible. When an agent took an action that was outside of its expected functionality, the audit log would stop at "AgentService-04", and I could not identify the human user the agent was acting on behalf of, the session that initiated the action, or whether the action was consistent with the human user's original intention. We were debugging identity, not functionality.
We rearchitected to propagate the initiating user's identity through every agent interaction in the chain, and each hop carried the original user's claims. Session scope was enforced per-task, with no persistent credentials and no accumulated permissions between requests. The difference was immediate. We could trace any agent action back to a human user, a specific session, and a particular context. This ability to trace back to the initiating user is exactly what is required to implement governance effectively. Without it, you are managing credentials and hoping for the best.
Why Vendors Sell the Problem, Not the Solution
It is much easier to sell a distinct agent identity. It offers an entirely new category of products, such as dashboards, lifecycle management tools, and compliance reports. These create a whole new greenfield market. Implementing identity propagation, by contrast, means retrofitting existing OAuth infrastructure, including changes to authentication flows, API integration, and audit systems. There is significantly less opportunity for vendors to create a new line of business around identity propagation.
The incentive model is clearly evident from the research. The CSA survey finding that only 28% of organizations can trace agent actions to humans was commissioned by Strata Identity, which sells agent identity platforms. The pattern repeats across vendor-funded reports advocating for new identity categories rather than architectural changes to existing ones.
The Implementation Path
The technology exists today. There are three requirements to meet. First, eliminate the use of service accounts for agent authentication. Every action an agent takes should be traceable to a human principal. Second, require all agent-to-API communications to go through an On-Behalf-Of (OBO) flow: the agent acts as the user, with the user's exact permissions, for the duration of the task. Third, log the reasoning chain alongside the identity chain. When an agent deletes a database, you need to know both who authorized it and why the agent decided to act.
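The three requirements above, worked through as a toy delegation chain (added example, not the article's or any vendor's code): tokens are plain dicts modelled on the RFC 8693 actor (`act`) claim, each hop keeps the human `sub` and can only narrow scope, and every authorization decision is logged with the user, session, agent chain and the agent's stated reason. Claim names, the sample tokens and the absence of signing/verification are assumptions made for illustration.

```python
import time

def delegate(parent, agent_id, task_scope, ttl=300):
    """Mint a per-task token for agent_id that keeps the human 'sub' and
    narrows scope to task_scope, never wider than the parent's."""
    if not parent.get("sub"):
        raise ValueError("no human principal in parent token")
    requested = set(task_scope)
    if not requested <= set(parent["scope"]):
        raise ValueError("task scope exceeds the user's permissions")
    act = {"sub": agent_id}
    if "act" in parent:           # RFC 8693 nests the previous actor inside
        act["act"] = parent["act"]
    return {
        "sub": parent["sub"],     # the human user survives every hop
        "sid": parent["sid"],     # the session that started the task
        "act": act,
        "scope": sorted(requested),
        "exp": min(parent["exp"], time.time() + ttl),  # short-lived, per task
    }

def actor_chain(token):
    """Flatten the nested act claim: [current agent, ..., first agent]."""
    chain, node = [], token.get("act")
    while node:
        chain.append(node["sub"])
        node = node.get("act")
    return chain

def authorize(token, action, reason, audit, now=None):
    """Permit only a live, human-backed, in-scope action; log every decision."""
    now = time.time() if now is None else now
    if not token.get("sub"):
        decision = "deny:no-human-principal"   # bare service accounts never pass
    elif now >= token["exp"]:
        decision = "deny:expired"
    elif action not in token["scope"]:
        decision = "deny:out-of-scope"
    else:
        decision = "allow"
    audit.append({"user": token.get("sub"), "session": token.get("sid"),
                  "agents": actor_chain(token), "action": action,
                  "reason": reason, "decision": decision})
    return decision == "allow"

# Constructed sample tokens (hypothetical user and scope names).
USER_TOKEN = {"sub": "alice@example.test", "sid": "sess-1",
              "scope": ["files:delete:project", "files:read"], "exp": time.time() + 3600}
SERVICE_TOKEN = {"sid": "svc", "scope": ["files:delete:all"], "exp": time.time() + 3600}
```

A planner agent that delegates to a file agent still yields an audit record naming alice, her session, both agents and the reason, and a request to delete outside the project is refused even though the agent "reasoned" it should happen.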
By 2028, Gartner predicts that 25% of enterprise breaches will involve AI agents. The industry is rapidly converging on identity propagation as the only viable control plane. CISOs have two options: implement identity propagation now, or clean up the mess later. Agents are not going to wait.