Identity Security: In the Critical Path for Agent Deployment
- Jim Routh

April 2026
Author: Jim Routh, ICIT Fellow
Enterprises, large and small, are under significant pressure to leverage AI capabilities to fundamentally improve business opportunities by both lowering operating costs and driving business growth. The critical path for agent deployment at scale includes a fundamental redesign of identity security capabilities.
Legacy identity governance platforms and processes were designed to manage human identity access by humans making decisions: provision, certify, and deprovision. The consequences of this record-keeping architecture include increased costs and wait time as the business grows. Enterprises have a backlog of application integration projects. Existing processes are unable to handle non-human identities, which outnumber human identities by as much as 80 to 1 today, and this is projected to be 400 to 1 in a few years due to agent deployment.
To meet today’s requirements, including the implementation of AI agents, the architecture of identity security must be a data lake of entitlement usage attributes that enables every identity (human and non-human) to be registered and risk-scored, with policy applied to block specific transactions while enabling others.
The result of the redesign of identity security is an increase in the volume of transactions at a lower cost, with higher satisfaction for stakeholders, supporting the concept of “least privilege” to improve cyber resilience. The business case for this transformation is enabled through dynamic provisioning (lowering costs while increasing capacity) and ultimately realized with a layer of continuous validation applied to privilege access management that operates in real time. Controls will be enforced using AI agents to govern the capabilities of AI agents operating within the enterprise, in addition to agents from third parties.
Jim Routh
Jim Routh serves on the Boards of Savvy Security, Accountable Digital Identity Association, and the Global Resiliency Federation. He is the former Board Chair for the Health Information Sharing & Analysis Center (H-ISAC) and former Board member for the Financial Services Information Sharing & Analysis Center (FS-ISAC). Jim is the Chief Trust Officer for Saviynt. Jim is a former CSO/CISO for American Express, DTCC, KPMG, Aetna, CVS, and MassMutual. Jim brings a vast business and technology background to the boards and senior executives and is considered a digital and cyber security industry expert and thought leader. Jim is an advisor for Wiz, Netskope, Armis, Transmit Security, Security Scorecard, Gurucul, Data Theorem, Panaseer, Legit Security, CodeZero, Picnic, and Rekin. He serves in an advisory capacity and is an investor for cyber-specific venture funds including Syn Ventures, CyberStarts, Security Leadership Capital, Ballistic Ventures, and Rain Capital. Jim is an ICIT Fellow and an adjunct faculty member, and he teaches cybersecurity at the NYU Tandon School of Engineering. Jim also mentors over 90 cybersecurity professionals and students.
About ICIT
The Institute for Critical Infrastructure Technology (ICIT) is a nonprofit, nonpartisan, 501(c)3 think tank with the mission of modernizing, securing, and making resilient critical infrastructure that provides for people’s foundational needs. ICIT takes no institutional positions on policy matters. Rather than advocate, ICIT is dedicated to being a resource for the organizations and communities that share our mission. By applying a people-centric lens to critical infrastructure research and decision making, our work ensures that modernization and security investments have a lasting, positive impact on society. Learn more at www.icitech.org.



