Stage 4
Advanced and agentic
Human identity is handled. Now it is service accounts, API keys, and AI agents acting on their own, identities that do not fit the joiner-mover-leaver model and do not wait for an access review. This is the frontier, and most of the field is improvising.
This is you if
- Service accounts and API keys nobody fully owns
- AI agents or copilots with broad OAuth scopes
- Non-human identities outnumber humans
- You need an audit trail for what an agent did
Who this is for: Mature identity teams and security architects.
The path
- 1API keys are not managed identitiesField noteThe most common non-human identity, and why it survives offboarding. Start here.
- 2AI agents are identities nowPlaybookWhat is genuinely new about agent identity versus a traditional service account.
- 3The confused deputy is backPlaybookThe classic attack, applied to multi-agent systems, and how to break the chain.
- 4SPIFFE answers who. Intent answers why.PlaybookThe two-layer architecture for agent identity, and where each layer fits.
- 5How agents earn or lose scopePlaybookTrust as a primitive: how access decisions adapt to an agent's behavior.
- 6Threat modeling Claude Code in productionPlaybookA concrete STRIDE walkthrough for a real agent deployment, with what to enforce where.
When you're done
Govern your first AI agent end to end, and stand up the trust chain behind it.
See how Iden does this