Anti-Patterns

Agent Identity Sprawl

Anti-pattern: an agent fleet mints non-human identities at machine speed while scoping, rotation, ownership, and revocation stay human-speed, so over-privileged long-lived credentials accumulate, outlive their agents, and widen an ungovernable attack surface.

Problem

Identity creation happens at machine speed and identity governance happens at human speed, and the gap compounds. Over-broad, long-lived credentials are minted faster than anyone scopes, rotates, or retires them; tokens outlive the agents they were issued for; ownership of a given credential becomes unknown. The attack surface grows week over week because nothing reconciles created identities against active, owned, and least-privileged ones, and no human-speed approval process can keep pace with the rate of creation. The result is a population of orphaned, over-privileged non-human identities that no one is tracking and no one can confidently revoke.

Solution

Make identity lifecycle keep pace with identity creation. Issue short-lived, least-privilege credentials by default rather than broad long-lived ones; bind every identity to an owning agent and a retirement trigger so it is revoked when the agent is decommissioned; continuously reconcile created identities against active, owned, scoped ones and flag orphans. The defect to fix is the mismatch between the creation rate and the revocation rate, so the controls must themselves run at machine speed. Mitigation patterns: agent-credential-vault for scoped, rotated, brokered secrets per agent; delegated-agent-authorization for narrowly scoped, time-bound grants. This anti-pattern is the fleet-scale lifecycle failure that those per-agent patterns do not by themselves prevent.
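
The reconciliation step above, as an added example that is not part of the catalogue or of any named pattern's own code: a machine-speed check that compares the broker's issued-credential inventory against the live agent registry and flags orphaned, long-lived, and over-broad credentials. The policy values, the `Credential` fields, and the sample inventory are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy knobs (assumed values for this example, not from the catalogue).
MAX_TTL = timedelta(hours=1)        # short-lived by default
BROAD_SCOPES = {"*", "admin:*"}     # any of these counts as over-privileged

@dataclass(frozen=True)
class Credential:
    cred_id: str
    owner_agent: str                # every identity is bound to an owning agent
    scopes: frozenset
    issued_at: datetime
    expires_at: datetime

def reconcile(creds, active_agents, now):
    """Compare issued credentials with the active-agent registry and policy.

    Returns {cred_id: [finding, ...]} for every credential that needs
    revocation or re-scoping; an empty dict means the inventory is clean.
    """
    findings = {}
    for c in creds:
        issues = []
        if c.owner_agent not in active_agents:
            issues.append("orphaned")       # owner decommissioned, token still live
        if c.expires_at - c.issued_at > MAX_TTL:
            issues.append("long-lived")     # violates the short-TTL default
        if c.scopes & BROAD_SCOPES:
            issues.append("over-broad")     # wildcard or admin scope
        if issues:
            findings[c.cred_id] = issues
    return findings

def revocation_set(creds, active_agents, now):
    """Credential ids that must be revoked immediately (orphans), not merely re-scoped."""
    return {cid for cid, f in reconcile(creds, active_agents, now).items() if "orphaned" in f}

# Constructed sample data: what the broker minted versus which agents still exist.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
ACTIVE_AGENTS = {"agent-ingest-01", "agent-report-07"}
INVENTORY = [
    Credential("c1", "agent-ingest-01", frozenset({"bucket:read"}),
               NOW - timedelta(minutes=10), NOW + timedelta(minutes=50)),
    Credential("c2", "agent-retired-03", frozenset({"bucket:read"}),
               NOW - timedelta(days=30), NOW + timedelta(days=335)),
    Credential("c3", "agent-report-07", frozenset({"admin:*"}),
               NOW - timedelta(minutes=5), NOW + timedelta(minutes=55)),
]

if __name__ == "__main__":
    for cid, f in reconcile(INVENTORY, ACTIVE_AGENTS, NOW).items():
        print(cid, f)
```

Run it on a schedule tied to the broker's issuance rate rather than to a review calendar; the `orphaned` set is the one to feed straight into revocation.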

When to use

  • An agent fleet provisions identities and credentials faster than they are scoped, rotated, or retired.
  • Auditing standing access reveals orphaned or over-privileged non-human identities of unknown ownership.
  • Identity governance runs through human-speed review while creation is automated.
