
The Age of AI Agents: How to Guard Against 'Agentic Identity Theft'

Category: Opinion
💡 As AI agents become deeply integrated into enterprise applications, agentic identity theft has emerged as an entirely new security threat. 1Password CTO Nancy Wang provides an in-depth analysis of how zero-knowledge architecture can build a robust agent credential governance framework, exploring cutting-edge approaches to agent intent recognition and abuse prevention.

When AI Agents Hold 'Digital Identities,' New Security Threats Follow

An unmistakable trend is accelerating across enterprise IT: AI agents are moving from the lab into production environments, replacing humans in an ever-growing number of automated tasks — from code deployment and customer service to financial approvals. They need to call APIs, access databases, and log into SaaS platforms, which means they must hold real digital credentials.

However, when a non-human entity begins holding usernames, passwords, API keys, and OAuth tokens just like a human employee, an entirely new attack surface opens up. In a recent in-depth interview, 1Password CTO Nancy Wang defined this threat as "Agentic Identity Theft" and warned that if enterprises fail to establish identity security governance frameworks for AI agents quickly, the consequences will be far more severe than traditional identity theft.

The Security Dilemma of Local Agents: Credential Exposure Risks Dramatically Amplified

Nancy Wang pointed out that current enterprise AI agent deployments fall into two main categories: cloud-hosted and locally run. Compared to cloud-based solutions, local agents present particularly thorny security challenges.

First is the credential storage problem. Local agents often need to cache access credentials on the endpoint in order to execute tasks offline or with low latency. Once malware, or any process running with the same user's privileges, extracts those cached credentials, the attacker can move laterally under the agent's identity and reach every system resource the agent is authorized to use. Unlike the theft of a single employee's password, the compromise of a high-privilege agent's credentials can mean the compromise of an entire business process chain.

Second is the blurring of permission boundaries. Human employee behavior typically follows predictable patterns: logging in during business hours, accessing specific systems, and performing a limited set of operations. Agents, by their very nature, act at high frequency, across many systems, around the clock, so anomaly detection tuned to human working patterns produces little useful signal. Security teams find it extremely difficult to distinguish an agent's normal high-frequency operations from the behavior of an agent that has been hijacked.

Third is the supply chain trust propagation risk. An enterprise may simultaneously run dozens of agents from different vendors, and these agents may call one another. When Agent A invokes Agent B to complete a subtask, credentials and permissions are handed down the call chain layer by layer, and a weakness at any link becomes a potential entry point for an attacker.

Zero-Knowledge Architecture: Building an 'Invisible' Vault for Agent Credentials

To address these challenges, Nancy Wang proposed an agent credential governance framework based on Zero-Knowledge Architecture. The core principle is that even the credential management platform itself cannot view or decrypt the keys and sensitive information stored by users: secrets are encrypted under keys the provider never holds. (The term is used here in the vendor sense, the provider knows nothing about the plaintext, not in the sense of cryptographic zero-knowledge proofs.)

Under zero-knowledge architecture, agent credential governance follows these key principles:

Dynamic least-privilege granting. Agents no longer hold long-lived static credentials. Instead, each time they execute a task, they request a temporary, scope-limited access token from the credential management system over an encrypted channel. Once the task is completed, the token expires. This reduces the blast radius of a leaked credential to the scope and remaining lifetime of a single token.

End-to-end encrypted credential injection. From the vault to the agent's runtime environment, credentials stay encrypted for the whole transfer. An attacker who intercepts the channel obtains only ciphertext, provided the agent's own decryption key has not been compromised. The agent decrypts and uses the credential only inside an isolated execution environment (a hardware secure enclave, where one is available) and never writes plaintext to disk or to memory that other processes can read. Without such isolation the plaintext necessarily exists in the agent's process memory for as long as it is in use, so endpoint compromise remains the residual risk.

Complete audit trail for credential usage. Every credential request, grant, use, and revocation is recorded in an append-only, tamper-evident audit log (for example, one in which each record carries a hash of its predecessor, so that any later edit is detectable). Enterprise security teams can then trace precisely which agent accessed which system, at what time, with what permissions, and what operations were performed. This provides a solid foundation for forensic investigation and compliance auditing.

Trust isolation across agents. Credentials and permissions are strictly isolated between agents. When Agent A needs Agent B's capabilities, it does not hand B its own credentials. Instead, the credential management system brokers the delegation, issuing B a separate credential that is scoped to the subtask and lives no longer than A's own grant, so the chain of trust cannot expand in an uncontrolled manner.
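The four principles above, as an added example that is not code from the article or from 1Password: a toy credential broker in Python that mints short-lived scoped tokens, rejects expired or out-of-scope use, brokers delegation from one agent to another without ever forwarding the caller's token, and keeps a hash-chained audit trail. The policy table, the agent names and the HMAC-signed token format are assumptions made for illustration. A production broker would use asymmetric keys, a durable append-only store, and would deliver the token to the agent over an encrypted channel, which this sketch omits.

```python
"""Toy credential broker for AI agents (added illustration, not 1Password's
code): scoped short-lived tokens, brokered delegation, hash-chained audit."""
import base64
import hashlib
import hmac
import json
import secrets
import time

BROKER_KEY = secrets.token_bytes(32)  # constructed: the broker's signing key
# Constructed policy: the widest scope each agent may ever be granted.
AGENT_POLICY = {
    "deploy-agent": {"repo:read", "deploy:prod"},
    "support-agent": {"crm:read"},
}
AUDIT_CHAIN = []  # each record stores the hash of its predecessor (tamper-evident)


def _audit(event, **fields):
    prev = AUDIT_CHAIN[-1]["hash"] if AUDIT_CHAIN else "0" * 64
    body = {"ts": int(time.time()), "event": event, "prev": prev, **fields}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    AUDIT_CHAIN.append({**body, "hash": digest})


def verify_audit_chain(chain=None):
    """Recompute every digest and prev-link; editing any record breaks the chain."""
    chain = AUDIT_CHAIN if chain is None else chain
    prev = "0" * 64
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def _sign(claims):
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(BROKER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def decode_token(token):
    """Return the claims if the signature verifies, otherwise None."""
    b64, _, sig = token.rpartition(".")
    try:
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None
    expected = hmac.new(BROKER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def issue_token(agent, scope, ttl=60, actor=None, now=None):
    """Mint a token for `agent` limited to `scope`, valid for `ttl` seconds.
    Refuses any scope outside the agent's policy (least privilege)."""
    now = time.time() if now is None else now
    scope, allowed = set(scope), AGENT_POLICY.get(agent, set())
    if not scope <= allowed:
        _audit("denied", agent=agent, scope=sorted(scope), actor=actor)
        raise PermissionError(f"{agent} is not allowed {sorted(scope - allowed)}")
    claims = {"sub": agent, "scope": sorted(scope), "iat": int(now),
              "exp": now + ttl, "jti": secrets.token_hex(8), "act": actor}
    _audit("issued", agent=agent, scope=claims["scope"], jti=claims["jti"], actor=actor)
    return _sign(claims)


def verify_token(token, required_scope, now=None):
    """Accept only a validly signed, unexpired token that covers required_scope."""
    now = time.time() if now is None else now
    claims = decode_token(token)
    if claims is None:
        _audit("rejected", reason="bad-signature")
        return False
    if claims["exp"] <= now:
        _audit("rejected", reason="expired", jti=claims["jti"])
        return False
    if not set(required_scope) <= set(claims["scope"]):
        _audit("rejected", reason="out-of-scope", jti=claims["jti"],
               wanted=sorted(required_scope))
        return False
    _audit("used", agent=claims["sub"], jti=claims["jti"], scope=sorted(required_scope))
    return True


def delegate(caller_token, callee, subtask_scope, now=None):
    """Agent A asks the broker for a token Agent B can use on a subtask.
    A's token never reaches B: B receives its own token, bounded by B's policy
    and expiring no later than A's grant, with A recorded as the actor."""
    now = time.time() if now is None else now
    caller = decode_token(caller_token)
    if caller is None or caller["exp"] <= now:
        raise PermissionError("caller token invalid or expired")
    remaining = caller["exp"] - now
    return issue_token(callee, subtask_scope, ttl=remaining, actor=caller["sub"], now=now)
```

The two checks worth noticing are the ones the article's principles imply but rarely get implemented: the delegated token's lifetime is capped by the caller's remaining lifetime, and the audit record of the delegation names both agents, so a later forensic question of "who caused Agent B to touch the CRM at 14:02" has an answer.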

Agent Intent Recognition: The Next Frontier of Security Defense

Beyond technical architecture, Nancy Wang placed special emphasis on a deeper challenge — the recognition and governance of Agent Intent.

As agents powered by large language models develop increasingly autonomous decision-making capabilities, a critical question surfaces: How do we determine whether an agent's behavior aligns with its design intent? Furthermore, if an agent's behavioral logic has been tampered with through a Prompt Injection attack, it may appear to perform "legitimate" operations on the surface while actually collecting sensitive data or establishing persistent backdoors for attackers.

Nancy Wang likened such threats to "an automated version of insider threats." Traditional insider threats require a disgruntled or compromised employee, but in the age of agents, attackers only need to find one vulnerability to tamper with an agent's decision logic to achieve the same effect — at greater scale, higher speed, and with far less chance of detection.

To address this challenge, the industry is exploring multiple technical approaches:

  • Behavioral baseline modeling: Establishing statistical baselines for each agent's normal behavior, automatically triggering alerts and permission freezes when its operational patterns deviate beyond a threshold.
  • Intent declaration and verification: Requiring agents to submit an "intent declaration" to the governance system before executing high-risk operations, with an independent verification module determining whether the stated intent is consistent with the agent's authorized scope.
  • Multi-agent cross-auditing: Deploying dedicated "supervisory agents" to review the behavior logs of other agents, leveraging AI's analytical capabilities to detect AI anomalies, forming a system of checks and balances.
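The first of these approaches, behavioral baseline modeling, as an added example that is not from the article: it learns each agent's own normal target set and operation rate from a constructed activity log, then scores new one-minute windows and returns a freeze verdict when an agent touches a system it has never used or its rate jumps well beyond its own history. Because the baseline is per agent, a deployment agent's habitual forty calls a minute is not mistaken for an attack, which is exactly the failure of human-tuned detection described earlier. Agent names, target systems, the training log and the thresholds are all assumptions.

```python
"""Per-agent behavioural baselines for AI agents (added illustration, not the
article's or 1Password's code). Each agent is compared with its own history,
not with a template of human working hours."""
import random
import statistics
from collections import Counter, defaultdict

# Constructed training log: (minute, agent, action, target), deterministic seed.
_rng = random.Random(7)
TRAINING_LOG = []
for _minute in range(60):
    for _ in range(_rng.randint(38, 44)):      # deploy-agent: ~40 calls/min, two targets
        TRAINING_LOG.append((_minute, "deploy-agent", "call", _rng.choice(["git", "k8s"])))
    for _ in range(_rng.randint(3, 7)):        # support-agent: a few CRM reads/min
        TRAINING_LOG.append((_minute, "support-agent", "read", "crm"))


def build_baselines(log, window=1):
    """For each agent: the set of targets it has ever touched and the mean and
    standard deviation of its operations per `window` minutes."""
    seen = defaultdict(lambda: {"targets": set(), "counts": Counter()})
    for minute, agent, _action, target in log:
        seen[agent]["targets"].add(target)
        seen[agent]["counts"][minute // window] += 1
    baselines = {}
    for agent, s in seen.items():
        counts = list(s["counts"].values())
        baselines[agent] = {
            "targets": frozenset(s["targets"]),
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts) if len(counts) > 1 else 0.0,
        }
    return baselines


def score_window(agent, events, baselines, k=4.0, min_margin=5):
    """Score one window of (action, target) events for `agent`.
    Returns ('allow' | 'freeze', [reasons]). An agent with no baseline is
    frozen: no history means no basis for trusting it."""
    b = baselines.get(agent)
    if b is None:
        return "freeze", ["no baseline for agent"]
    reasons = []
    new_targets = {target for _, target in events} - b["targets"]
    if new_targets:
        reasons.append(f"never-before-seen target(s): {sorted(new_targets)}")
    # Rate limit: mean + k standard deviations, with a floor so that a very
    # regular agent is not frozen by a one-call wobble.
    limit = b["mean"] + max(k * b["stdev"], min_margin)
    if len(events) > limit:
        reasons.append(f"{len(events)} ops exceeds baseline limit {limit:.1f}")
    return ("freeze" if reasons else "allow"), reasons


BASELINES = build_baselines(TRAINING_LOG)

# Constructed windows to score: a normal minute, a hijacked agent reaching into
# a system it has never touched, an exfiltration-style burst, and an agent that
# nobody registered.
WINDOWS = {
    "normal":     ("deploy-agent", [("call", "git")] * 22 + [("call", "k8s")] * 20),
    "new-target": ("deploy-agent", [("call", "git")] * 39 + [("call", "hr-db")]),
    "burst":      ("deploy-agent", [("call", "git")] * 300),
    "unknown":    ("finance-agent", [("approve", "erp")]),
}


def evaluate_windows(windows=None):
    """Map each window name to its verdict."""
    windows = WINDOWS if windows is None else windows
    return {name: score_window(agent, events, BASELINES)[0]
            for name, (agent, events) in windows.items()}


if __name__ == "__main__":
    for name, (agent, events) in WINDOWS.items():
        print(name, *score_window(agent, events, BASELINES))
```

Two caveats a practitioner would add: a baseline learned from a period in which the agent was already compromised simply enshrines the attacker's behavior as normal, so the training window must come from a known-good period; and a pure count threshold treats a read and a production deployment alike, so in practice the rate check is weighted by the risk of each action, which is where the intent-declaration check for high-risk operations takes over.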

Enterprise Governance Frameworks Urgently Need an Upgrade

From a broader perspective, the threat of "agentic identity theft" exposes a fundamental deficiency in current enterprise Identity and Access Management (IAM) systems — existing frameworks are designed almost entirely around human users and are severely lacking in their ability to manage Non-Human Identities.

Industry estimates suggest that in a typical enterprise environment, non-human identities (service accounts, API keys, bot credentials, and the like) already outnumber human identities by tens of times, and the large-scale deployment of AI agents will push this ratio further. Yet most enterprises still manage these non-human identities with ad hoc methods: manual registration, static keys, and no rotation.

Nancy Wang recommends that enterprises begin building identity governance frameworks for the agent era across the following dimensions:

  1. Unified identity directory: Incorporate all AI agents into the enterprise's unified identity management platform, assigning each agent a unique, traceable digital identity.
  2. Tiered authorization policies: Implement differentiated permission management strategies based on each agent's functional role and risk level. Agents performing low-risk tasks can be granted broader autonomous permissions, while those involving sensitive data and critical systems require stricter approval and monitoring.
  3. Lifecycle management: Establish full lifecycle management processes for agents — from creation, deployment, and operation to retirement — ensuring credentials and permissions are properly governed at every stage.
  4. Continuous compliance monitoring: Integrate agent behavior into the enterprise's compliance monitoring framework to ensure operations comply with industry regulations and internal policy requirements.

Looking Ahead: The Balancing Act Between Security and Efficiency

AI agents are reshaping enterprise operating models and productivity frontiers — a trend that is irreversible. But as Nancy Wang emphasizes, if security governance fails to keep pace with agent deployment, enterprises will face an unprecedented risk: their most trusted digital "employees" could simultaneously be the most dangerous attack vectors.

Zero-knowledge architecture provides a solid technical foundation, but technology alone is far from sufficient. Enterprises need to establish clear agent governance accountability structures at the organizational level, drive the development of non-human identity management standards at the industry level, and advocate for the creation of regulatory guidance frameworks for AI agent security at the policy level.

The introduction of the concept of "agentic identity theft" is, in essence, a timely wake-up call for the entire industry: as we eagerly embrace the efficiency gains that AI agents deliver, we must never forget — every agent granted permissions is a key that must be safeguarded with care. In a future where agents are ubiquitous, identity security will become one of the most critical pieces of infrastructure underpinning enterprise digital transformation.