Intragen Security and IAM Blog

2026 Looks a Lot Like 2006

Written by Niall McLoughlin | April 1, 2026

I’m seeing a trend in these posts: they tend to state that new things aren’t new.

This is on the same theme.

If you’ve been around long enough, you start to recognise patterns. Things never really disappear in this industry; they just come back wearing a slightly different outfit. Like flared trousers. I’m keeping my wide lapel, double breasted blazer because its time will return.

AI agents and large-scale automation feel very modern because they are. The speed, scale and potential impact are new and represent a real shift in human capability, but the underlying identity challenge is one we’ve seen before.

The SaaS identity crisis

Back in the mid-2000s when SaaS started taking off properly, organisations went through a very similar phase. Applications were adopted directly by departments, accounts were created inside every platform, credentials lived in spreadsheets and ownership of access was often vague at best. Everyone did what they needed to in order to access these new services. Security didn’t suddenly break; it simply hadn’t caught up with the pace of adoption.

Over time we worked it out. Federation became normal, provisioning standards emerged and identity and governance platforms matured. We formed and defined processes around ownership, certification and compliance. SaaS never slowed down, but it stopped being a chaotic collection of disconnected identity islands and became something we could actually manage. We even changed (in some places) procurement processes to ensure that, once in shape, shadow IT couldn’t then break our mostly governed organisation.

Guess what? What we’re seeing now with AI agents looks uncannily familiar.

Agents don’t interact with systems the way humans do. They don’t log in through corporate portals, they don’t pass neatly through browser-based controls, and they rarely touch the Zero Trust layers we’ve built. All of those gateways are bypassed: agents authenticate directly to APIs and services, create service accounts, generate tokens and store secrets wherever the developer finds convenient, often with whatever permissions they can grab. They don’t come to your security services, and they know nothing about your IAM platform because they don’t need to in order to get their work done.

Which is exactly how humans interacted with SaaS in 2006.

The difference, of course, is that what once happened gradually across projects now happens at scale and speed. A small team experimenting with automation can create more Non-Human Identities in weeks than entire organisations created human SaaS accounts in the early cloud era. Much of that activity also lives outside the identity fabric we’ve carefully built over the last decade, not because those platforms have failed, but because they were designed around human access patterns.

This isn’t something to panic about. It’s simply the early stage of another technology wave.

Same problem, new costume

We don’t have a beautifully mature model for governing AI agents at scale. We do, however, already have some strong building blocks, and vendors and the industry are moving super-fast. Okta, for example, is rolling out new capability around securing AI at a pace our own team can barely keep up with. Service-to-service authentication is improving rapidly, with private-key-signed JWTs replacing static secrets, mutual TLS providing strong trust between workloads, and cloud workload identity models reducing credential sprawl altogether. We’re starting to move from the human-shaped solutions to targeted solutions for our new NHI overlords. Skynet is on hold.

You’ll also start hearing more about XAA (Cross-domain Authorization Architecture). If SAML and OIDC were about standardising who you are, XAA is about standardising how authorization decisions get made and shared across systems. SSO solved the “one login everywhere” problem. XAA is trying to solve the “one policy brain, everywhere” problem. It will also drive your AI to your Identity service to get those tokens, and that starts to give you control back. This is OIDC foundations, so again, not new.

What’s still forming is the broader governance layer that historically follows every identity shift. Ownership models are emerging. Visibility is improving via dedicated NHI tooling (Clutch and Okta ISPM are our choices here). Policy frameworks are evolving. Standards will follow, just as they did for SaaS, and vendors are introducing new products and capabilities all the time. The new ISO 42001 is already being applied to give companies a framework to apply rather than rolling their own approach. If you would like to discuss that framework to shape your approach, come and talk to us. It’s useful even if you have no intention of achieving the ISO.

Move fast, govern later?

There’s also a very natural temptation right now to move fast and worry about structure later. YOLO. Enable the AI platform, trust the defaults, assume the vendors have thought about the hard bits, and focus on the value being created. That’s exactly how SaaS and cloud adoption unfolded. What history shows us is that control always catches up.

We’ve tailored this outfit before

The identity industry is actually very good at turning sprawl into structure. We’ve done it with directories, with SaaS, and with cloud workloads. The brains that solved those challenges are still here and will solve these new challenges. We understand federation, lifecycle management, entitlement modelling, governance and policy enforcement deeply. AI agents aren’t introducing a new category of problem; they’re reintroducing a familiar one at much higher velocity.

The encouraging part is that we already know the path from chaos to control. We don’t need to invent the playbook from scratch; we just need to adapt it quickly enough to match the pace of AI adoption. It won’t take ten years like SaaS did because it can’t.

In many ways, 2026 really does look a lot like 2006. The scale is bigger, the automation is faster, and the impact is broader, but the underlying identity challenge is the same one we’ve solved before.

The trousers may be wider this time, but we’ve tailored this outfit before.