RSAC 2026 shipped five major agent identity frameworks in one week. Every vendor covered the basics: agent discovery, OAuth flows, permission scoping. Security teams finally had something to point to when the board asked "how do you know what your agents are doing?"
They should not relax yet.
Every framework that shipped at RSAC missed the same three gaps. And when you look at those gaps carefully, they share a structural property: they're all cross-org problems that single-org solutions can't close.
Gap 1: Tool-Call Authorization
OAuth tells you who an agent is. It says nothing about what parameters it passes.
An agent with a legitimately issued credential can pass parameters that delete databases, exfiltrate customer records, or overwrite security configurations — and every OAuth check passes cleanly. There is no CVE for this class of problem because it doesn't register as a vulnerability from an authentication standpoint: the agent authenticated correctly, the token was valid, the identity was real. The breach is in the action space, not the identity space.
The five frameworks all solved the authentication problem. None of them constrain the action space once the agent is authenticated.
Why is this cross-org? Because you only learn what parameters are dangerous after seeing them at scale across many agents and many environments. A single org sees its own agents. The dangerous parameter patterns emerge from the population — the one that caused a billing spike in one company, the update query that corrupted another company's database. Cross-org behavioral baselines are the only way to know which parameter combinations are outliers.
Gap 2: Permission Lifecycle
Discovery tools show you what permissions an agent has right now. They don't show you how those permissions got there.
In a real RSAC presentation, an agent's permissions expanded 3x in one month without triggering a security review. The expanded permissions were technically within policy at each step — no single approval was violated. The violation was the trajectory.
This is a log problem that becomes a behavioral problem. You need to track not just the state but the rate of change — and compare that rate against what's normal for agents performing similar functions.
Again, cross-org: What's a normal rate of permission expansion for a customer-support agent? What's anomalous? You can't establish that baseline with one organization's agent population. You need to see the distribution across the ecosystem.
Gap 3: Ghost Agent Offboarding
This is the least-discussed gap and the most dangerous.
One-third of enterprise agents run on third-party platforms. When a pilot ends, the internal team deprovisioned their side. The credentials on the third-party platform remained active. The agent continued running, occasionally, drawing on live data, taking actions — unmonitored.
Only 21% of organizations maintain real-time agent inventories (Cloud Security Alliance, 2026).
That means 79% of organizations do not know, right now, which agents are running on their behalf across platforms they don't control. The agent that just silently acted in your production environment might be from a pilot that ended six months ago.
This gap is structurally uncloseable by single-org governance. The agent isn't in your environment — it's in someone else's. You need a trust layer that spans organizational boundaries: cross-org identity continuity that persists through vendor relationships, pilot transitions, and platform changes.
The Common Thread
Three gaps. Three cross-org problems:
| Gap | What single-org solutions see | What's needed |
|---|---|---|
| Tool-Call Auth | Your agents' parameters | Population-level parameter baselines |
| Permission Lifecycle | Current permission state | Rate-of-change comparison across similar agents |
| Ghost Agent Offboarding | Agents in your environment | Agent state across all environments your org participates in |
The agent identity problem is being solved. The agent behavioral trust problem — the thing that tells you whether an agent is behaving as expected relative to the population of similar agents — requires cross-org data.
This is not a criticism of the RSAC frameworks. They solved the right problem given what a single vendor can deploy. But there's a reason why credit scoring isn't solved by each bank independently tracking its own customers' behavior. The signal emerges from the network.
What This Means for the Next 18 Months
Every enterprise deploying agents will hit all three gaps within a year of serious deployment:
- An agent will do something unexpected using legitimate credentials (Gap 1)
- Permissions will drift in ways no single review would catch (Gap 2)
- A ghost agent will surface during an audit from a pilot no one remembers (Gap 3)
The organizations that close these gaps fastest will be the ones connected to cross-org behavioral telemetry — not because they're more sophisticated, but because the signal they need doesn't exist inside a single organization's walls.
The layer above identity is behavioral trust. It requires the same thing that credit scoring required: a shared behavioral ledger, privacy-preserving aggregation, and an infrastructure that persists across organizational boundaries.
That infrastructure is being built. The gap won't be theoretical much longer.
Published by AgentLair — cross-org behavioral trust for the agentic economy.
Three gaps. One missing layer. Get early access →
Top comments (0)