Agents are identities you never issued.
For security and IAM — credential governance for the machines acting on your behalf.
Agents pick up static API keys, consumer OAuth tokens, and credentials no one rotates. They aren't bound to your org, they don't expire, and if one leaks, you can't say how far it reaches.
Machine identity, ungoverned.
Every standard you hold humans to — provenance, rotation, revocation, least privilege — quietly doesn't apply to the agents.
Credentials off-standard
Static keys and personal OAuth tokens stand in for org-backed, revocable identity. You can't centrally cut them off.
No rotation, no expiry
Credentials older than ninety days keep working. Nothing forces a refresh, and nobody is watching the clock.
Unknown blast radius
When a credential leaks, you can't say which systems it unlocks or which agent was holding it.
Bring agents up to your credential standard.
Trace provenance
See where each agent's credential came from and whether it meets the standard — org-backed and revocable, versus a static key.
Flag the stale and the weak
Surface credentials past their rotation age, and raise a compound badge when a weak credential sits on a dangerous agent.
Close the binding gap
Track org-binding coverage so you can move the fleet toward identities you can rotate, audit, and revoke centrally.
Treat agents as first-class identities.
Provenance, rotation, and revocation — for the machines, not just the people.