This year's event made it clear that as AI agents scale across enterprises, we must solve ownership, delegation, least privilege, and auditability before production risk grows.

In 1931, construction began on the Hoover Dam. Workers arrived in the Las Vegas desert by the tens of thousands, triggering the valley's first real population boom. Before the dam, the community managed itself through familiarity. Everyone could be known by sight and by daily routine. When the workforce scaled overnight, informal recognition stopped working, and formal systems of accountability had to replace it. Scale created the identity problem. Once enough people arrived, trust by recognition became structurally impossible.

The same shift around identity is underway within every enterprise deploying agentic AI, and it was top of mind at Identiverse 2026. More than 3,800 identity professionals came together in Las Vegas for four very full days of conversations, sessions, panels, and workshops. There were over 250 speakers covering a wide range of identity topics, but from the opening remarks through the final panel, it was clear that we have entered a new era in which the industry still faces familiar questions about ownership, lifecycle, and least privilege, now at scale. The ratio of non-human identities (NHIs) and agents to humans will grow faster than any governance program operating at human speed can keep pace with. Fortunately, we are not alone in this fight, as there is a whole community dedicated to the cause.

Here are just a few highlights from this year's 17th edition of Identiverse.

Ownership Is The First Unanswered Question

The entire event opened with The NHI and Agentic AI Summit, which itself began with a panel titled "The New NHI Risk Reality - When AI Agents Start Making Decisions." Don D'Souza, Director of Cybersecurity and IAM at Fannie Mae, joined Andrej Safundzic, CEO and Co-Founder of Lumos, Ashay Raut, Principal Engineer at Amazon, and Sriram Santhanam, Chief Cyber Officer at Human Managed, for this opening, scene-setting discussion. The quartet posed a question most organizations cannot currently answer. Don described familiar identity governance risks now appearing at hundreds of thousands of instances rather than dozens. Andrej shared a customer environment he recently encountered, with 70,000 NHIs, most of which lacked clear ownership. Ashay identified choke points as the practical path forward: govern at credential creation, not after discovery, and tie rotation to re-attestation so lifecycle management is embedded from the start.

The accountability question surfaced repeatedly and went unresolved on stage: who is responsible when an agent causes harm after the employee who deployed it has left? The panel's consensus was that a single named human owner must exist for every agent, reachable when something goes wrong.

Without an ownership record, governance programs have nothing to attach controls to. A named owner for every agent is the lowest possible bar before any other control can function.

Sriram Santhanam, Andrej Safundzic, Don D'Souza, and Ashay Raut

Agent Identity Needs To Exist Before Agents Reach Production

Sachin Nayyar, CEO of Saviynt, and Jamil Farshchi, CTO of Equifax, held a keynote fireside chat on the third day of the event, "The New Frontier of Identity Security for AI." They started with a demand that NHIs must be first-class citizens with the same depth of controls applied to human identities. Jamil described watching 150 new applications per week appear in some customer environments, most of which had no clear ownership defined. He called for built-in auditability from day one as the only responsible path. Fine-grained policy management applied after deployment cannot keep pace with the rate of creation. Sachin named three foundational requirements: agent identity, removal of copyable credentials from environments, and agent accountability. 

Accountability means a reconstructible chain from intent to action to verifiable proof, not just a log entry recording that something happened. Regulators are going to demand that chain, and the infrastructure to produce it broadly does not exist yet. The governance gap here compounds quickly. Every week of new deployments without accountability infrastructure built in is a week of future remediation work accumulating at production scale.

Jamil Farshchi and Sachin Nayyar

API Keys Were Never Sized For Delegation Chains

Adane Tetemke, Senior Manager at Capital One, and Anoop Gopi, Senior Manager of Software Engineering at Capital One, built their session, "Stop Giving AI Agents API Keys: Intent-Scoped, Just-in-Time Access," around a gap that is easy to overlook until something goes wrong. Agents carry authorization to act, but an API key carries no transaction context, no velocity limits, and no support for mid-action revocation. A single manipulated input can produce a full account takeover with no perimeter breach and no stolen credentials, purely because authority was scoped too broadly at provisioning. Their answer is an architecture built around declared intent per request, sender-constrained tokens, and explicit recording of authority at every hop in the delegation chain.

Three planes enforce this. In the workload plane, agents are attested and ephemeral. In the decision plane, policy and risk are evaluated before any action. In the resource plane, APIs log the full chain.

The test for any deployment comes down to three questions. Can every request be traced to a specific trigger? Is there enforcement between the agent and the API? Can a grant be revoked mid-transaction? If any answer is no, the delegation scope is too broad.
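The three-question test above, as an added example that is not the speakers' code or GitGuardian's: a small Python decision plane in which every grant carries its trigger and declared intent, is bound to one workload identity, narrows at each hop, and can be revoked mid-transaction. The SPIFFE-style IDs, the example.org trust domain, and the intent-narrowing rule are constructed for illustration.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Grant:
    """One hop of authority; every field travels with the chain (constructed layout)."""
    trigger_id: str   # event that started the chain: a ticket, a user click, a schedule
    intent: str       # declared purpose of this request, narrowed at every hop
    bound_to: str     # workload identity the grant is sender-constrained to
    expires_at: float
    hops: list = field(default_factory=list)  # (action, from, to, intent) per hop

def narrower(child_intent, parent_intent):
    # Toy scope rule: a sub-agent may refine its parent's intent, never widen it.
    return child_intent == parent_intent or child_intent.startswith(parent_intent + "/")

class DelegationAuthority:
    """Decision plane: issues, narrows and revokes grants and logs every decision.
    Enforcement means the resource plane calls check() before serving a request."""
    def __init__(self):
        self.revoked = set()   # trigger ids stopped mid-transaction
        self.audit = []        # (trigger_id, presenter, intent, deny_reasons)

    def issue(self, trigger_id, intent, workload, ttl=60):
        return Grant(trigger_id, intent, workload, time.time() + ttl,
                     [("issue", trigger_id, workload, intent)])

    def delegate(self, grant, caller, callee, intent):
        """Caller hands callee a narrower grant; provenance is appended, never dropped."""
        if self.check(grant, caller) or not narrower(intent, grant.intent):
            raise PermissionError(f"cannot delegate {intent!r} from {grant.intent!r}")
        return Grant(grant.trigger_id, intent, callee, grant.expires_at,
                     grant.hops + [("delegate", caller, callee, intent)])

    def revoke(self, trigger_id):
        """Full stop for every grant descended from this trigger, even mid-flight."""
        self.revoked.add(trigger_id)

    def check(self, grant, presenter):
        """Returns deny reasons (empty list means allow) and records the decision."""
        reasons = []
        if presenter != grant.bound_to:
            reasons.append("presenter is not the bound workload")
        if time.time() > grant.expires_at:
            reasons.append("grant expired")
        if grant.trigger_id in self.revoked:
            reasons.append("trigger revoked")
        self.audit.append((grant.trigger_id, presenter, grant.intent, tuple(reasons)))
        return reasons
```

Reading a grant's `hops` answers question one, a resource plane that refuses to serve without `check()` answers question two, and `revoke()` on the trigger answers question three for every grant in the chain at once.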

Adane Tetemke and Anoop Gopi

Eliminate Secrets. Do Not Rotate Them.

Dmitry Izumskiy, Principal Software Engineer and Chief Architect for Security R&D at Intuit, walked through a multi-year workload identity build spanning AWS, GCP, and internal infrastructure. The architecture rests on three jobs that must stay separate: attest, identify, and authorize. The previous state is familiar: long-lived CI tokens, pipeline runners able to reach any secret, and audit records that say only "the build did it." The target state uses SPIFFE-based attestation and per-workflow OIDC tokens to produce a trail answering who took what action and why.

Each rotation cycle is a recurring opportunity for teams to replace static credentials with short-lived ones or, better still, with workload identity-based mechanisms. Eliminating the need for secrets removes the rotation window entirely. Making the right path invisible proved essential to adoption: if teams have to opt in, some will route around it. If they can't opt out, you have won.

Making the secure path the only available path is an architecture decision. Policy erodes under pressure. Architecture, built well, persists.

Dmitry Izumskiy

Citizen Developers Are Learning From The Wrong Defaults

The panel "Secure by Design - Baking Identity Controls into the AI Agent Development Lifecycle" assembled Jesse Minor, Identity Security Expert at KPMG, David Chan, Director of IAM at the University of California, and Henrique Teixeira, SVP of Strategy at Saviynt, along with Shashwat Sehgal, Co-Founder and CEO of P0 Security. Henrique described watching an AI coding tool recommend that a developer copy an API key into an ENV file, much to his horror and surprise. He said, "Citizen developers are being taught by AI to bootstrap agents with static credentials." This problem will spike the already alarming numbers around secrets sprawl. Gartner data shows that CISOs estimated 90% internal AI adoption at some level, while only 8% of leaders could confirm agents in production.

The distance between perceived readiness and what has actually been built is where bad defaults take hold and compound. Shashwat identified the structural change agentic identity requires: when an agent calls another agent, the provenance of who authorized the original action must travel with the delegation chain rather than being discarded at the first handoff. The organizational fix is a clear agent policy specifying URL-based bootstrapping over API keys, short-lived tokens from a central authority, and an identity record that tracks what each agent does.

Bad defaults compound quietly. The governance cost of correcting them scales with the number of agents already in production. It will not be cheap or easy to fix when auditors force the issue.

Jesse Minor, David Chan, Henrique Teixeira, and Shashwat Sehgal

Zero Standing Privilege Has To Fire Before The First API Call

In their session, "Governing Non-Human Identity for AI Agents in CIAM: Zero Standing Privilege in Practice," Manikandan Rajaram, Director of Software Engineering at Capital One, and Anji Yalla, Senior Director of Software Engineering for CIAM at Capital One, reframed the blast radius problem with a specific observation: a misconfiguration tolerable for a single human user becomes a high-frequency failure when an autonomous agent repeats the same action a thousand times per hour. Their Zero Standing Privilege framework rests on four principles that must all fire before the first API call. No power without proof. No access without purpose. No privilege without expiry. Everything logged.

Every layer of the system treats token revocation at any step as a full stop, with no replay and no abuse of ambient authority. The 90-day starting point for any team is discovery and blast radius measurement. That means mapping every agent, every delegated right, and every surface that could be misused. The success metric for a mature program is that every provisioned action is time-bound, policy-authorized, and evidence-logged.
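The four principles as a gate that fires before the API call, written here as an added example rather than code from the Capital One or Intuit sessions, with the attest, identify, and authorize jobs kept separate as the Intuit architecture described earlier requires. The attestation lookup, entitlement table, request shape, and example.org identities are constructed stand-ins for real SPIFFE or OIDC verification and a real entitlement store.

```python
import time
from dataclasses import dataclass

@dataclass
class Request:
    """What an agent presents before any API call (constructed shape)."""
    request_id: str    # unique per request; a reused id is a replay
    attestation: str   # proof of workload identity, verified by attest()
    purpose: str       # declared reason tied to a trigger, e.g. "ticket:4711 fetch profile"
    action: str        # API action requested, e.g. "customers:read"
    expires_at: float  # requested validity; must be short and explicit

# Stand-ins for real SPIFFE/OIDC verification and an entitlement store (constructed).
TRUSTED_ATTESTATIONS = {"att-ok-support": "spiffe://example.org/support-agent"}
ENTITLEMENTS = {"spiffe://example.org/support-agent": {"customers:read", "tickets:write"}}
MAX_TTL = 300  # seconds; no privilege without expiry means minutes, not months

def attest(evidence):
    """Job 1: verify proof and return a workload identity, or None."""
    return TRUSTED_ATTESTATIONS.get(evidence)

def identify(workload_id):
    return ENTITLEMENTS.get(workload_id, set())  # Job 2: identity -> entitlements

class ZspGate:
    """Job 3: authorize. All four principles must pass before the API is called."""
    def __init__(self):
        self.seen = set()  # request ids already honoured, so a grant cannot be replayed
        self.log = []      # everything logged: allows and denies alike

    def authorize(self, req, now=None):
        now = time.time() if now is None else now
        reasons = []
        identity = attest(req.attestation)
        if identity is None:
            reasons.append("no power without proof: attestation failed")
        if not req.purpose.strip():
            reasons.append("no access without purpose: purpose missing")
        if not (now < req.expires_at <= now + MAX_TTL):
            reasons.append("no privilege without expiry: ttl missing or too long")
        if req.request_id in self.seen:
            reasons.append("replay: request id already used")
        if identity and req.action not in identify(identity):
            reasons.append(f"{req.action} not granted to {identity}")
        allowed = not reasons
        if allowed:
            self.seen.add(req.request_id)
        self.log.append((req.request_id, identity, req.purpose, req.action, allowed, tuple(reasons)))
        return allowed, reasons
```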

Agents amplify whatever access they carry. Scoping that access to the minimum necessary before the first deployment is substantially cheaper than scoping it down after an incident.

Manikandan Rajaram and Anji Yalla

"Trust Later" Is Not An Architecture

The panel with the longest title of the week, "A Vendor, Two Practitioners, and an AI Agent Walk Into a Bar - We'll Figure Out Trust Later Is Not an Architecture," brought together Steve Hutchinson, VP of Modern Infrastructure and Security Architecture at MUFG, Sean O'Dell, Distinguished Engineer of Identity and Security at CVS Health, and Pieter Kasselman, VP of Open Standards at Defakto, on the same stage. While the name was fun, the real risk they talked about was not. They said that FOMO is very real and is driving the extreme pace of AI adoption. Executives believe their peers have already solved agentic identity, and that pressure is pushing teams to deploy before they can answer basic provenance questions. The antidote the trio discussed was a return to fundamentals.

Pieter reminded the room that agents are just workloads doing math, and SPIFFE handles workload identity at a billion-credential-per-day scale without long-lived secrets, using dynamic attestation proven in large production systems for nearly a decade. The inventory is the control plane in this architecture. Knowing where agents are, who owns them, and what rights have been delegated is the prerequisite for every governance control that follows.

Trust built retroactively is remediation at a higher price. The teams making visible progress had started with a single verified workload and built from there. The practical advice from all three was to start with one team, one workload, and ship it. Get small wins now rather than solving for future edge cases that might never materialize.

Pieter Kasselman, Sean O'Dell, and Steve Hutchinson

The Invisible Workforce Already Has Credentials

The panel "The Invisible Workforce: Agentic AI from Risk to Results" gathered the collective brain power and experiences of Jody Hunt, Senior Solution Strategy Architect at Palo Alto Networks; Baber Amin, VP of NHI Access Product Management at Saviynt; Katie Boswell, Managing Director of Cyber Security at KPMG; and Jake Pszonowsky, VP of Security and Identity at Universal Music Group. The panel was hosted by Grace Sands, Managing Director at KPMG.

Jody called out GitGuardian by name as a useful starting point for NHI inventory and discovery work. The delegation chain analysis that followed put the harder problem in context. Agents extend the familiar "human calls the service which calls another service" pattern further and faster, with no clear audit trail. That is, unless the design intent is explicit. Jake described monitoring 600 agents and 65 million tokens as a baseline, using week-over-week metrics as the only honest signal of progress. Katie described a red team engagement in which assessors could manipulate and impersonate any person at a financial institution via a chatbot that was not tested for delegation chain vulnerabilities. The institution had to take the system offline and incur unexpected costs to remediate the design.

Discovering a delegation chain vulnerability in a red team engagement costs time. Discovering it in production costs substantially more, and remediation occurs under pressure rather than through deliberation. Building in clear delegation as you design the architecture saves everyone a lot of effort and, ultimately, money better spent elsewhere.

Jake Pszonowsky, Baber Amin, Jody Hunt, Katie Boswell, and Grace Sands

Ownership Has Become a Security Control

The question asked in nearly every session was not which protocol to use or which vendor to evaluate. It was "Who is accountable when an agent causes harm?" At scale, every organization will encounter orphaned agents left behind by departed employees. Agents whose permissions were never scoped below the initial grant. Agents whose actions cannot be reconstructed because no audit trail was built into the deployment. 

A named human owner for each agent, accountable for its behavior and reachable when something goes wrong, is the minimum viable accountability structure for any production deployment. Without that record, governance programs have nothing to attach controls to.

The Credential Is the Attack Surface

Secrets sprawl across code repositories, developer environments, and pipeline configurations. The picture from Identiverse confirmed what GitGuardian research shows. Static, long-lived credentials are the attack surface that agents inherit and amplify. When an agent is bootstrapped with an API key, that key carries the full blast radius of its permissions everywhere the agent goes, including into sub-agents the original developer never anticipated. 

Cryptographically attested, short-lived, scope-bound tokens issued at runtime address the root cause. Rotation programs only defer it.

Discovery Still Precedes Every Other Control

Most organizations do not yet have a complete picture of their non-human identity surface. Shadow agents built on low-code platforms, orphaned agents left running after employee departures, and agents deployed across cloud environments without central registration are all invisible to governance programs that have not solved discovery first. 

The first step, unanimous across every session, is a full inventory of identities. Teams need to know every agent's owner, its registration record, and its link to the identity system of record before any other control can be applied.

Governance Requires Proof, Not Just Policy

Knowing who owns an agent establishes accountability in theory. Knowing what the agent did and who authorized each step establishes it in practice. Multiple sessions returned to the same gap. Most organizations can produce a log entry recording that something happened. Very few can produce a reconstructible chain from the triggering intent through every delegation hop to the final action. Engineers need that chain to debug. Auditors need it to attest. Regulators will require it. 

Teams building agent deployments today are creating an audit obligation for tomorrow that will be far more expensive to satisfy if the architecture was not designed for it from the start.

The Invisible Workforce Needs Visible Controls

Identiverse 2026 made our next steps extremely clear. Agentic AI cannot scale safely on informal trust, static credentials, or audit trails that only prove something happened after the fact.

Every agent needs a named owner. Every request needs scoped, short-lived access. Every delegation chain needs to preserve intent from the first trigger to the final action. Inventory comes first because governance cannot protect what it cannot see.

The enterprises that move now will not solve every edge case on day one. They do not have to. They need to make the secure path the default, prove what agents are allowed to do, and build accountability into production before the invisible workforce becomes too large to unwind.