We are in the middle of a massive shift in how software operates. We aren't just building applications anymore; we are orchestrating autonomous systems. But as someone who spends a lot of time overseeing large-scale distributed infrastructure and big data AI initiatives, I see a terrifying pattern emerging across the industry.
We are building incredibly advanced Agentic AI systems, but we are securing them using 2010-era access models.
If you are passing long-lived PostgreSQL credentials or AWS access keys into an AI agent's environment variables, you are sitting on a ticking time bomb. Letβs talk about why uncontrolled AI is an identity crisis, and how the new concept of Agentic Identity is fixing it.
π£ The "Borrowed Access" Nightmare
Right now, most engineering teams treat AI agents like glorified cron jobs. If an agent needs to query a database to fetch context, we give it a shared service account or let it impersonate a human developer.
This means the agent doesn't actually have an identity; it has borrowed access.
Why is this dangerous?
- Non-Deterministic Behavior: Unlike a traditional microservice that executes a predictable CRUD operation, LLM-powered agents plan and execute dynamically. You cannot guarantee exactly what SQL query an agent will generate.
- Lateral Movement Risk: If an agent has a static API key with standing privileges, a clever prompt injection attack can trick that agent into dropping tables, exfiltrating user data, or moving laterally across your Node.js backend.
- Zero Auditability: When an agent impersonates a service account, your audit logs just show the service account acting. You have no idea which sub-agent executed the destructive action or why it made that decision.
π‘οΈ Enter "Agentic Identity"
To solve this, infrastructure security is evolving. Companies like Teleport recently launched architectures specifically designed for this: treating AI agents as first-class identities.
Instead of static keys, we need a zero-trust model built for autonomous actors. Here are the three pillars of Agentic Identity:
1. Unique Cryptographic Identity
Every time an agent spins up to execute a task, it shouldn't read a .env file. It should be issued a unique, cryptographically signed certificate. The infrastructure knows exactly who the agent is, what parent process spawned it, and what it is authorized to do.
2. Just-In-Time (JIT) Access
Agents should have zero standing privileges. If an agent needs to write to a PostgreSQL database, it requests elevation for that specific table. The access is granted dynamically and expires automatically the moment the task finishes (or after a strict timeout).
3. Structured Audit Trails
Every prompt, tool call, and database query is logged and tied to the agent's cryptographic identity, creating a 100% auditable timeline.
π» Code Example: The Old Way vs. The Agentic Way
Let's look at how this impacts your architecture when building with a modern stack like TypeScript and Node.js.
β The Old Way (Static Credentials)
This is how most agents are wired up today. Itβs simple, but highly insecure for autonomous systems.
import { Client } from 'pg';
import { Agent } from 'ai-framework';
// DANGER: Agent has permanent, standing access to the database
const dbClient = new Client({
connectionString: process.env.DATABASE_URL
});
await dbClient.connect();
const myAgent = new Agent({
systemPrompt: "You are a data analysis agent.",
tools: [new SQLQueryTool(dbClient)]
});
// If the agent goes rogue, it can query anything.
await myAgent.execute("Analyze user behavior");
β The New Way (Agentic Identity & JIT Access)
In this pattern, the agent has no credentials by default. It must request a short-lived, scoped certificate via an identity broker (like Teleport) right before it acts.
import { IdentityBroker } from 'infrastructure-security';
import { Agent } from 'ai-framework';
const myAgent = new Agent({
id: 'agent-analytics-worker-01',
systemPrompt: "You are a data analysis agent."
});
myAgent.on('tool_call_request', async (toolRequest) => {
if (toolRequest.type === 'database_query') {
// 1. Agent requests Just-In-Time (JIT) access for a specific resource
const shortLivedCert = await IdentityBroker.requestJITAccess({
agentId: myAgent.id,
resource: 'postgres-analytics-db',
duration: '5m', // Expires in 5 minutes
scope: 'read-only'
});
// 2. Broker grants a temporary, cryptographically signed client
const secureDbClient = await IdentityBroker.connect(shortLivedCert);
// 3. Execute tool safely
return await secureDbClient.query(toolRequest.query);
}
});
await myAgent.execute("Analyze user behavior");
In the secure pattern, if the agent tries to execute a DROP TABLE or access an unauthorized microservice, the request is blocked at the infrastructure level because its certificate lacks the specific scope. Even if the certificate leaks, itβs useless 5 minutes later.
π The Takeaway for Engineering Teams
As we push Agentic AI into production environments, we have to stop treating them like static scripts. Uncontrolled AI is an identity crisis waiting to happen.
By adopting Agentic Identity, we can give agents the autonomy they need to execute complex, multi-step tasks while tightly containing their blast radius.
How is your team handling access control for AI agents? Are you still using static API keys, or are you moving toward dynamic credentials? Letβs discuss in the comments below! π
If you found this breakdown helpful, drop a β€οΈ and follow for more deep dives into the architecture, infrastructure, and security of modern AI systems.
Top comments (0)