Skip to content
feed: live about
>_ 0dayNews
vendor advisory
Analysis

IGA was built around employment records. Agents don't have those.

A contributed piece to The Hacker News from Orchid Security lays out where the joiner-mover-leaver model quietly fails for AI agents. Vendor-adjacent, but the gap analysis holds.

IGA was built around employment records. Agents don't have those.
Photo: Ministry of Communications / Wikimedia Commons · GODL-India
Dave "Kilobaud" Ferris · Published · 4 min read

The Hacker News ran a contributed piece on Wednesday from Orchid Security arguing that identity governance and administration — the joiner-mover-leaver machinery that most enterprises rely on for provisioning, entitlement review, and offboarding — has no working model for the AI agents now being deployed inside those same enterprises. It is a vendor-sponsored writeup, and the sponsor is in the business of selling a product that addresses the gap it describes. Both of those things can be true, and the gap analysis is still worth reading on its own terms.

Where the model breaks

The piece names five structural failures. None of them is exotic. All of them follow from the same root: the vocabulary of identity governance assumes a person with an employment record, a manager, and a departure date, and the population being provisioned no longer has any of those.

No authoritative source. The Orchid write-up notes that “agent provisioning typically happens through a developer committing a configuration file” — a LangChain workflow, an AutoGen scaffold, an AWS Bedrock Agent — and that “none of those events touches an IGA platform.” Workday and SuccessFactors don’t have a row for the agent. Neither does the IdP.

Dynamic runtime scope. An agent shipped to summarize internal documents may, over the course of its actual runtime, end up “querying APIs it wasn’t explicitly provisioned for.” The permission set at deploy time is not the permission set at three in the morning six weeks later. IGA reviews the deploy-time snapshot. The runtime surface is invisible to it.

Multi-environment instantiation. The same logical agent can run as “dozens of parallel instances across cloud environments,” each carrying its own credential set, none of which the IGA platform correlates as a single principal. The audit report says the agent has one identity. The reality is a swarm.

Missing lifecycle events. Joiner-mover-leaver produces the signals that IGA depends on: a hire triggers provisioning, a role change triggers entitlement recalculation, a termination triggers deprovisioning. Agents produce none of those signals. There is no HR event when a LangChain workflow gets committed; there is no HR event when it stops being called.

Stale credential persistence. And so, as the piece puts it, “retired agent credentials persist in secrets managers… long after the workload they served stopped running.” AWS Secrets Manager, Azure Key Vault, whatever’s holding the OAuth refresh token — the credential outlives the workload because nothing in the environment is watching for the workload to die.

Why the framing has merit even given the sponsor

Vendor-contributed pieces on The Hacker News should be read the way sponsored analyst reports get read: the framing exists to sell you the framing’s solution. Fine. That doesn’t automatically make the framing wrong.

Two things about this one are worth taking seriously.

First, it is describing something we are already seeing in adjacent reporting. Kaspersky’s ToddyCat/Umbrij writeup documents an APT that self-grants Google Workspace OAuth tokens through a hijacked Chromium session; the tokens outlive the intrusion and, in the M365 direction, the ConsentFix and ClickFix consent-phishing families do essentially the same thing to Microsoft tenants. Those grants — machine-shaped, developer-scoped, deployed outside the HR-driven lifecycle — are precisely the population Orchid is talking about. The attacks are already in the wild. The governance model is behind.

Second, the class of problem is old. The service-account discourse of the 2010s made the same argument for a similar population: process-owned credentials that no HR system knew about, that no offboarding workflow touched, that accumulated over years and stayed valid long past the last person who remembered creating them. Robotic process automation replayed the problem a few years later with a different vocabulary. AI agents are the third pass. The pattern is not new. The scale is.

That is the sentence to hold onto: this is the same mistake, different decade. Every time a new class of non-human principal shows up in the environment, the governance layer treats it as an edge case that a person can chase in a spreadsheet, and the population outruns the spreadsheet inside a year.

What the piece recommends

Stripped of the vendor prescription, the five recommendations map cleanly to the five gaps.

  • Continuous, automated discovery across IAM systems, OAuth authorization servers, Kubernetes, and secrets managers — because the deploy-time picture is not the runtime picture, and the runtime picture is where the credentials actually live.
  • Attribute modeling for non-human principals: owning team, operational purpose, bounded system list, deployment timestamp, expected operational lifetime. Fields that only make sense once you accept that the agent is a principal, not a shadow of the human who wrote its config.
  • Policy-driven provisioning at credential issuance: “define the minimum access the agent requires to perform its documented function, enforce that scope through policy” — least privilege as an issuance-time invariant, not an audit-time cleanup.
  • Behavioral monitoring: “tracking what each agent actually calls, comparing observed access against the provisioned entitlement set.” The dynamic-runtime-scope problem, restated as an observability problem.
  • Inactivity-based deprovisioning: usage logs drive review, quiet credentials get pulled. The joiner-mover-leaver signals are not going to arrive from HR for this population, so they have to come from somewhere else.

None of that is Orchid-specific. None of it is proprietary. It is what any competent identity team building this in-house would build.

The part the analyst has to notice

The audit report will not surface this. The audit report will show a clean IGA export, a mapped set of human identities, an entitlement review completed on schedule. The auditors will sign off. The compliance frameworks — SOX, HIPAA, PCI — will be satisfied on paper, because their scope was written before the agent population existed, and the wording still lines up.

The environment will keep drifting. The delta between what IGA can see and what the environment actually contains will keep widening. Someone in the SOC will notice a stale token doing something interesting six months from now, and the after-action will describe an agent that nobody remembers deploying, calling a service nobody remembers granting it access to, with a credential nobody remembers issuing.

That is the shape of the failure. Watching for it is not a compliance problem. It is a curiosity problem — the same one Talos was writing about earlier this week, in a different register. The dashboard will not raise a hand. Someone has to.

Found this useful? Share it.