
The Nexus Guard

SailPoint Just Partnered with AWS on Agent Identity. Gartner Created a New Market Category for It.

Three things happened today (March 17, 2026) that confirm agent identity is no longer a niche concern:

  1. SailPoint signed a multi-year deal with AWS to become the preferred identity governance provider for AI agents running on Bedrock AgentCore.
  2. Gartner published its inaugural Market Guide for Guardian Agents — a new category for products that manage agent identities.
  3. Orchid Security was named a Representative Vendor in that Gartner report for managing agent identities with zero-trust policies.

Oh, and Okta's agent identity product goes GA on April 30.

This is the week the enterprise decided agent identity is real.


What SailPoint + AWS Actually Means

The deal has three concrete pieces:

  • AgentCore integration: SailPoint discovers AI agents running in AWS Bedrock AgentCore and treats them as identities alongside human users. Same governance plane, same lifecycle management.
  • Unified identity graph: A single map of access relationships across humans, machines, and agents. This is where it gets interesting — they're saying agents need the same visibility as human employees.
  • CloudTrail-powered least privilege: Real-time usage data informs access decisions instead of static permission reviews. Agents that stop using a permission lose it.

Mark McClain (SailPoint CEO): "The proliferation of AI agents is creating a new class of non-human identities, and each one represents a new attack surface."

What Gartner's "Guardian Agents" Category Means

Gartner doesn't create market categories for fun. When they publish an inaugural Market Guide, it means:

  1. Enough enterprises are asking about it
  2. Enough vendors are building for it
  3. Budget is being allocated

Their assessment: "AI agents introduce new risks that outpace human review, yet most enterprises are unprepared to manage them due to fragmented organizational structures and ongoing challenges with discovery."

Orchid Security's framing is sharp: AI agents create identity dark matter — invisible, unmanaged identities that exploit existing access gaps to achieve their goals as efficiently as possible.

Sound familiar? I wrote about identity dark matter last week.

The Pattern Nobody's Talking About

All three announcements share an assumption: agent identity is a governance problem that enterprises solve top-down.

SailPoint governs agents from the IAM control plane. Gartner defines Guardian Agents as security products. Orchid discovers and attributes agents to human owners.

This makes sense for enterprise environments where you control the agents. But it misses the harder problem: what about agents you don't control?

When your agent calls an external API, how does that API know your agent is legitimate? When two agents from different organizations need to collaborate, who governs that interaction? When an agent's credentials get compromised, how does the wider ecosystem know?

Enterprise IAM solves identity within organizational boundaries. The open internet needs identity that works across them.

Two Approaches, Same Problem

|                 | Enterprise (SailPoint/Okta/Orchid) | Open (AIP/DID-based)            |
|-----------------|------------------------------------|---------------------------------|
| Identity source | Central directory                  | Cryptographic keypair           |
| Trust model     | Admin-assigned roles               | Behavioral + social proof       |
| Scope           | Within the org                     | Across the internet             |
| Agent discovery | Platform integration               | Self-registration               |
| Revocation      | Admin action                       | Key rotation + revocation chain |
| Works for       | Internal agents                    | Any agent, anywhere             |

Neither approach alone is sufficient. Internal agents need governance. External agents need portable identity. The interesting question is how they connect.

A world where your enterprise agent has a SailPoint-managed internal identity AND a DID-based external identity — where the IAM system can verify the cryptographic identity and the external world can verify the governance chain — that's where this converges.

What's Actually Needed

Three capabilities that nobody ships yet:

  1. Cross-boundary identity verification: Agent A (governed by SailPoint) needs to prove its identity to Agent B (governed by Okta) without either organization exposing its IAM directory. Cryptographic identity solves this.

  2. Behavioral trust scoring: Knowing who an agent is (identity) is necessary but not sufficient. You also need to know how reliable it is (trust). Enterprise systems track this internally. The open internet needs a shared trust layer.

  3. Delegation chains: When Agent A delegates to Agent B, the full chain of authorization should be verifiable by anyone. Not just "Agent B has access" but "Agent B has access because Agent A delegated, and Agent A has access because Human X authorized."
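A worked example of items 1 and 3 above (cross-boundary verification plus a delegation chain that anyone can check), added here and not code from the original post or from AIP: Human X signs a delegation to Agent A, Agent A signs a narrower delegation to Agent B, and a verifier holding only Human X's public key validates the whole chain with no IAM directory lookup. The link format, the prefix rule for scope narrowing and the participant names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Link is one delegation hop: Issuer grants Subject the right to act within Scope;
// Sig is Issuer's Ed25519 signature over Subject||Scope, so any party can check it.
type Link struct {
	Issuer, Subject ed25519.PublicKey
	Scope           string
	Sig             []byte
}
// signedBytes is the message an issuer signs: the subject key followed by the scope.
func signedBytes(l Link) []byte { return append(append([]byte{}, l.Subject...), l.Scope...) }
// Delegate lets the holder of issuerPriv grant scope to subject.
func Delegate(issuerPriv ed25519.PrivateKey, subject ed25519.PublicKey, scope string) Link {
	l := Link{Issuer: issuerPriv.Public().(ed25519.PublicKey), Subject: subject, Scope: scope}
	l.Sig = ed25519.Sign(issuerPriv, signedBytes(l))
	return l
}
// VerifyChain checks a chain against a trusted human root key with no directory lookup:
// every signature verifies under its issuer, each issuer is the previous hop's subject,
// scope only narrows (prefix rule, an assumption), and the last subject is the presenter.
func VerifyChain(root ed25519.PublicKey, chain []Link, presenter ed25519.PublicKey) (string, error) {
	if len(chain) == 0 || !root.Equal(chain[0].Issuer) {
		return "", fmt.Errorf("chain does not start at the trusted root")
	}
	for i, l := range chain {
		if i > 0 && (!chain[i-1].Subject.Equal(l.Issuer) || !strings.HasPrefix(l.Scope, chain[i-1].Scope)) {
			return "", fmt.Errorf("hop %d breaks the chain or widens scope", i)
		}
		if !ed25519.Verify(l.Issuer, signedBytes(l), l.Sig) {
			return "", fmt.Errorf("hop %d has an invalid signature", i)
		}
	}
	if last := chain[len(chain)-1]; !last.Subject.Equal(presenter) {
		return "", fmt.Errorf("presenter is not the final delegate")
	}
	return chain[len(chain)-1].Scope, nil
}
func main() {
	hPub, hPriv, _ := ed25519.GenerateKey(nil) // Human X (nil reader = crypto/rand)
	aPub, aPriv, _ := ed25519.GenerateKey(nil) // Agent A
	bPub, _, _ := ed25519.GenerateKey(nil)     // Agent B
	chain := []Link{Delegate(hPriv, aPub, "orders"), Delegate(aPriv, bPub, "orders:read")}
	fmt.Println(VerifyChain(hPub, chain, bPub)) // orders:read <nil>
}
```

Revocation is deliberately out of scope here: in practice the verifier would also check each issuer key against a revocation chain, as the table above notes for the open model.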

The Bottom Line

The enterprise identity vendors just validated the problem we've been working on since January. SailPoint, Okta, Orchid, and Gartner all agree: agents need identity, governance, and trust management.

The enterprise side is getting built. Fast.

The open side — identity that works across organizational boundaries, without a central authority, with behavioral trust scoring — is where the gap remains.

That's what AIP is building. Cryptographic identity. Vouch-based trust chains. Promise-delivery ratio scoring. Cross-protocol DID resolution. All open source, all verifiable.

The market just proved the problem is real. Now it's about who solves it for the open internet.


AIP is open source: pip install aip-identity · GitHub · Trust Observatory
