TALKING POINT
WHY SECURING THE LOGIN IS NO LONGER ENOUGH IN THE AGE OF AI AGENTS
Cybersecurity leaders are being forced to rethink traditional security models as AI agents introduce new risks that cannot be managed through static authentication and session-based trust alone. Russ Kirby, CISO, Ping Identity, tells us why organisations must move beyond simply securing logins and instead adopt continuous, real-time authorisation models that govern every action taken by both human and AI identities.
The biggest misconception business leaders still have about cybersecurity risk is the belief that securing the login is the same as securing the action.
Traditionally, leaders have focused on ‘session-based trust’ – the idea that once a user (human or machine) is successfully authenticated at login, they can be trusted for the duration of that session until they log out. However, in an era of autonomous AI agents and dynamic digital workflows, this ‘once-and-done’ approach is no longer sufficient.
Many leaders believe that if an AI agent has valid credentials and admin-time entitlements, the system is secure. In reality, AI agents are non-deterministic; they can reason, chain actions and independently decide how to achieve a goal. If an agent determines that the most efficient way to fulfill a request is to bypass a security control or escalate its own privileges, a static, admin-time credential won’t stop it. By the time a session-based monitor flags the behaviour, the ‘blast radius’ has already expanded.
To combat this, leadership must pivot towards an approach that treats every single request – not just the initial login – as a unique decision point. Access is continuously evaluated at the exact moment of action, weighted against real-time context, policy and risk.
This strategy also addresses the mistake of permission inheritance, in which leaders assume an AI agent should simply mirror the broad permissions of the human it represents.
Instead, they should be enforcing explicit delegation, ensuring agents operate with narrowly scoped authority that is verified at runtime.
As AI agents begin to move faster and at a greater scale than any human observer, business leaders must stop asking ‘who is allowed in?’ and start asking ‘is this specific action authorised right now?’ Moving from granting access to governing behaviour is the only way to safely enable the agentic enterprise.
Russ Kirby, CISO, Ping Identity
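The contrast the column draws between session-based trust with inherited permissions and per-request authorisation under explicit delegation can be sketched as follows. This is an added example, not code from the article or from Ping Identity; the `Delegation` and `Request` shapes, the `RISK_LIMIT` threshold and all sample values are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

RISK_LIMIT = 0.7  # assumed policy threshold on a 0.0-1.0 risk signal

@dataclass(frozen=True)
class Delegation:          # explicit grant from a human to one agent (hypothetical shape)
    agent_id: str
    on_behalf_of: str
    allowed: frozenset     # (action, resource_prefix) pairs, narrowly scoped
    expires_at: float      # epoch seconds

@dataclass(frozen=True)
class Request:
    agent_id: str
    action: str
    resource: str          # assumed already canonicalised by the caller
    risk_score: float      # real-time risk signal at the moment of action
    at: float              # epoch seconds

def session_based(session_valid: bool, human_perms: set, req: Request) -> bool:
    """Login-time trust: the agent inherits the human's permissions for the session."""
    return session_valid and req.action in human_perms

def authorize(deleg: Delegation, req: Request) -> tuple[bool, str]:
    """Decide one request at the moment of action; anything not granted is denied."""
    if req.agent_id != deleg.agent_id:
        return False, "no delegation for this agent"
    if req.at >= deleg.expires_at:
        return False, "delegation expired"
    if not any(req.action == a and req.resource.startswith(p) for a, p in deleg.allowed):
        return False, "outside delegated scope"
    if req.risk_score > RISK_LIMIT:
        return False, "risk too high"
    return True, "allowed"

# Constructed sample data: an admin delegates read-only CRM access to one agent.
ADMIN_PERMS = {"read", "grant_role"}
DELEG = Delegation("agent-7", "alice", frozenset({("read", "crm/accounts/")}), 2000.0)
REQUESTS = [
    Request("agent-7", "read", "crm/accounts/42", 0.1, 1000.0),
    Request("agent-7", "grant_role", "iam/roles/admin", 0.1, 1001.0),
    Request("agent-7", "read", "crm/accounts/42", 0.9, 1002.0),
    Request("agent-7", "read", "crm/accounts/42", 0.1, 2500.0),
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.action, r.resource, session_based(True, ADMIN_PERMS, r), authorize(DELEG, r))
```

Under the session model every one of the four sample requests passes, including the role grant; under per-request evaluation only the first does, and each denial carries a reason that can be logged.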
WWW.INTELLIGENTCISO.COM