How to handle access in the time of Agentic AI
AI Agents are Tools Used By People. Bound them Accordingly.

There's been a lot of consternation in the IAM space lately about the question of "how do we deal with the access agentic AI requires". This consternation is overblown; everyone should be less consterned (take that, word-of-the-day calendar!). The access that agentic AI should be granted is easily enough defined. The implementation will have to vary from organization to organization, but no one should be wringing their hands over trying to figure out what it should ultimately look like. It is a tool. It is used by people. The access it has should be gated in the same manner as you are gating the access of your people. If you are not currently controlling the access of your people, then resume your consternation, because you're already behind and now you have a larger issue.
But assuming you are in fact controlling the access of your people, let's talk about how you should be controlling the access of their tools, because that's what agentic AI is. Understanding this greatly simplifies the question of "What Access Should this Tool have?". By starting from the position of the agent's user's access, rather than assuming that their AI agent should start from a different position, we also start with a body of knowledge and guidance that we have been developing for years. We already know, for example, that a doctor should not be able to access medical records for people who are not their patients; the AI agent that they use to make updates to medical records should not be able to see other patients' data either. The segregation of duties policies that we already make and enforce to prevent the possibility of fraudulent charges in financial systems would already be in place. If an AI agent needs to access multiple systems, and access to those systems is usually granted separately, it should only be doing so at the behest of a person who already has that level of approval. That may mean that such an agent can only exist at very senior levels within an organization. That makes sense because it is performing more delicate and more risk-fraught activities; this is not something that should be done by a new hire.
Beginning with the access of the AI agent's deployer is a good start. It is not, however, the end of what should be done, because there are things that no AI should be doing even with the access of an individual employee. There are two reasons for this: 1. Privacy and 2. Governance.
The privacy part is the worker's privacy. Unless the purpose of the Agentic AI Tool is to manage part of the individual's privileged information (for example, coordinating their work calendar with their medical needs), it should not have access to the individual's protected information. HR is your ally in determining what information should automatically be protected, but the individual in question should also have the further ability to restrict the access of their AI tools.
The second piece is governance, specifically governance around what actions an AI agent should be capable of performing without human intervention. The recent case of PocketOS losing their production database due to an AI agent making guesses about the response of an API should be giving adopters pause to reflect on the permissions their agents are given. Unfortunately, the solution initially chosen to deal with this issue clearly expresses a limitation of AI controls: the AI itself was told to never guess and never perform destructive actions, and it did both, resulting in a 30-hour downtime for the company that deployed it. This capability should be beyond AI agents, and for that matter, most employees. Even for the individuals empowered to make such changes to a codebase or database, their AI agents should not be able to execute them. If you wouldn't trust that capability to your junior programmer, why would you trust an AI with it?
Finally, the individual employees should be empowered to further remove access from their AI agents. They are the ones responsible for the work that their AI agents perform. They are the ones who will be praised when it allows them to do great work; they are the ones who will be held responsible when it does not. If they do not want the AI to be choosing the font on the quarterly report, that's their decision. You were already trusting them to make it before they employed an AI; they should be allowed to write-protect the files they don't want their AIs to touch or implement that decision in whatever manner they see fit. They should not be able to add access, but they should be able to take it away.
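The layered model described above (start from the owner's access, then subtract protected personal information, destructive actions, and anything the owner removes), sketched as an added example that is not code from the original post. All resource names, action names and policy sets are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy; every name here is hypothetical.
DESTRUCTIVE_ACTIONS = {"delete", "drop", "truncate"}   # governance layer
PROTECTED_RESOURCES = {"hr:medical-accommodations"}    # privacy layer, defined with HR

@dataclass
class Agent:
    owner_grants: set                                      # (resource, action) pairs the human owner holds
    purpose_exceptions: set = field(default_factory=set)   # protected data the tool exists to manage
    owner_restrictions: set = field(default_factory=set)   # access the owner has taken away

    def restrict(self, resource, action):
        """Owners may only remove access; there is deliberately no grant method."""
        self.owner_restrictions.add((resource, action))

def decide(agent, resource, action):
    """Evaluate an agent request at an enforcement point outside the model.

    A prompt instruction is not a control, so each layer is checked here
    and any single layer can deny.
    """
    if (resource, action) not in agent.owner_grants:
        return ("deny", "owner lacks this access")
    if resource in PROTECTED_RESOURCES and resource not in agent.purpose_exceptions:
        return ("deny", "protected personal information")
    if (resource, action) in agent.owner_restrictions:
        return ("deny", "removed by owner")
    if action in DESTRUCTIVE_ACTIONS:
        return ("deny", "destructive action requires the human to execute it")
    return ("allow", "within owner's access")

# Constructed example: a doctor's agent.
doctor_agent = Agent(owner_grants={
    ("ehr:patient-1001", "update"),
    ("ehr:patient-1001", "delete"),
    ("hr:medical-accommodations", "read"),
    ("reports:q3.docx", "update"),
})
doctor_agent.restrict("reports:q3.docx", "update")

if __name__ == "__main__":
    for request in [("ehr:patient-1001", "update"), ("ehr:patient-2002", "read"),
                    ("ehr:patient-1001", "delete"), ("hr:medical-accommodations", "read"),
                    ("reports:q3.docx", "update")]:
        print(request, "->", decide(doctor_agent, *request))
```
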
If you follow the guidance above, you will arrive at a place where your employees can confidently utilize agentic AI to enhance their productivity without creating new risks for the organization. Achieving this will, however, further drive the need to make sure that your employees have the correct access to do their jobs and not more, but this is something that you should already be striving for because that is what Identity Governance demands. If you're looking to ensure the access of your people and their tools is correct, reach out to us at Thornton Data Solutions and we'll be happy to help you get there!









