Cole Grolmus is not just someone on the internet. He's the founder of Strategy of Security, one of the sharper independent voices covering the cybersecurity market. And he just published findings from months of primary research into AI agent identity that read like they were pulled from our internal strategy deck.
They weren't. That's what makes it interesting.
When an independent analyst arrives at the same conclusions you've been building a company around, you pay attention. So we read his AI Agent Identity Market Landscape analysis, compared it to our own architecture decisions, and found the overlap striking. Not because he's picking favorites. Because the problem, studied honestly, keeps leading people to the same place.
The Core Finding: Nobody Owns This Problem Yet
Grolmus's central observation is blunt and correct. The foundational model companies are not going to solve agent identity. Anthropic isn't going to fix your access controls. Neither is OpenAI. Agent identity is a cybersecurity problem, and the cybersecurity industry is still figuring out who gets to own it.
His research surfaced a market that's fragmented, noisy, and moving fast. Identity providers, security incumbents, and startups are all repositioning around agent identity. Most of them are updating marketing pages. Fewer are shipping product. Practitioners looking for real solutions can't easily tell the difference.
None of that is surprising if you've been watching the authorization market over the last few years. OPA became the open-source standard for policy-as-code, and still the market kept splintering. Now add AI agents to the mix. The fragmentation gets worse before it gets better.
Why Does Agent Authorization Differ From Human Authorization?
Grolmus nailed something the market still underestimates. Non-deterministic behavior is the key difference between agent and human authorization. Humans follow stable workflows. Agents reason through new ones on every run.
Same prompt, different execution path.
If you're still thinking about agent permissions the way you think about human permissions, with static roles and coarse-grained scopes assigned at session start, those assumptions do not hold. A human user who has access to the customer database will generally do the same kinds of things with it day after day. An AI agent with that same access might query a single record on one run, dump an entire table on the next, and chain those results into a downstream API call on the third. Intent changes. Behavior changes. Risk profile changes. Your RBAC policy? It didn't change at all.
We built EnforceAuth around this exact insight. Authorization for agents cannot be a gate you check once at login. It has to be a continuous evaluation of every action, in real time, against contextual policy that accounts for what the agent is actually doing right now.
How Do OAuth's Limitations Affect Agent Security?
One of Grolmus's sharpest points concerns OAuth. Scopes are too coarse for task-level constraints. Tokens are too static to adapt to behavior. There's no action-level audit. It was built for a different era.
He is right. And the fact that this needs to be said in 2026 tells you how far behind the infrastructure layer is.
OAuth was designed for a world where a human clicked "Allow" and a third-party app got a token. Scope was broad because the app's behavior was predictable and bounded. An agent's behavior is neither predictable nor bounded.
When Grolmus says "we're just making the best of it for now," that's generous. What most organizations are actually doing is duct-taping OAuth scopes onto agent workflows and hoping nobody asks hard questions about what happens when an agent decides, mid-execution, that it needs access to something the original token didn't anticipate.
Task-level scoping is emerging as the answer, and Grolmus flagged this too. Agents should only access what they need for the specific request at hand. Not everything they might need across all possible tasks. Least privilege, but more granular and more dynamic than anything the industry has implemented at scale.
At EnforceAuth, task-scoped, ephemeral authorization is not a roadmap item. It is the architecture. Every agent action gets evaluated against policy that considers the specific task, the specific resource, the delegation chain, and the current operational context. Sub-50ms. Every time.
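The contrast drawn above between a coarse scope granted once and a task-scoped, ephemeral grant checked on every action, as an added example (not EnforceAuth's code or API). All names, scope strings and sample actions are constructed for illustration; the three runs mirror the single-record read, table dump and chained API call described earlier.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    operation: str   # "read", "call", ...
    resource: str    # "<system>/<object>", e.g. "customers/4711"
    rows: int        # records the action would touch
    at: int          # request time, seconds since the task started

@dataclass(frozen=True)
class TaskGrant:     # hypothetical shape of a task-scoped grant
    task_id: str
    operations: frozenset
    resource: str    # the one resource this task needs
    max_rows: int
    expires_at: int  # the grant is ephemeral

def coarse_scope_allows(scopes, action):
    """Session-style check: any action under a granted scope passes."""
    system = action.resource.split("/", 1)[0]
    return f"{system}:{action.operation}" in scopes

def task_grant_decision(grant, action):
    """Per-action check; returns (allowed, reason) so every decision is auditable."""
    if action.at >= grant.expires_at:
        return False, "grant expired"
    if action.operation not in grant.operations:
        return False, "operation outside task"
    if action.resource != grant.resource:
        return False, "resource outside task"
    if action.rows > grant.max_rows:
        return False, "row limit exceeded"
    return True, "within task"

# Constructed sample data: one agent, three runs, plus a late repeat.
SCOPES = {"customers:read", "billing-api:call"}
GRANT = TaskGrant("lookup-4711", frozenset({"read"}), "customers/4711", 1, 60)
ACTIONS = [
    Action("read", "customers/4711", 1, 5),       # single record
    Action("read", "customers/all", 50000, 6),    # whole-table dump
    Action("call", "billing-api/refunds", 0, 7),  # chained downstream call
    Action("read", "customers/4711", 1, 300),     # same read, after expiry
]

def compare(scopes, grant, actions):
    """One row per action: (coarse scope result, task-grant result, reason)."""
    return [(coarse_scope_allows(scopes, a), *task_grant_decision(grant, a))
            for a in actions]

if __name__ == "__main__":
    for a, row in zip(ACTIONS, compare(SCOPES, GRANT, ACTIONS)):
        print(a.operation, a.resource, row)
```

The scope check passes all four actions; the task grant passes only the first and records why each of the others was refused.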
Delegation Chains and the Accountability Problem
Grolmus raised delegation chains as a growing complexity challenge. Agents act on behalf of users. Or on behalf of other agents. Or on behalf of automated workflows that were triggered by a user three hops back. Mapping actions to a clear principal and understanding who authorized what is, as he put it, "a lot harder than it sounds."
He's right about that, too.
Security teams at Fortune 500 companies are running multi-agent orchestration in production and cannot answer a basic question: when this agent accessed that customer record, who was the original authorizing principal? Was it a human? Another agent? A scheduled workflow? Did the permissions granted at each hop actually authorize what happened at the end of the chain?
Most of them don't know. Not because they're negligent, but because the tooling doesn't exist in their current stack to track it.
Our AI Security Fabric maintains the full delegation chain for every agent action. From the original human principal through every intermediate agent or system, with policy enforcement at each hop. If permissions don't propagate cleanly through the chain, the action gets denied. The entire chain is logged for audit and compliance.
DORA's operational resilience requirements for financial services already demand ICT audit trails, and it is hard to see how agent delegation chains wouldn't fall under that umbrella. The EU AI Act's obligations for high-risk systems take full effect in August 2026, pushing traceability requirements even further. Organizations that can't produce this chain of custody are going to have an uncomfortable conversation with regulators.
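Enforcement at every hop of a delegation chain, with an audit record that names the original principal, as an added example (not EnforceAuth's implementation). The `Hop` type, the principals and the permission strings are hypothetical, and the rule that a hop can never hold more than the previous hop passed on is an assumption of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    principal: str          # who delegates or acts at this hop
    kind: str               # "human", "agent" or "workflow"
    permissions: frozenset  # what this hop claims to have been granted

def authorize(chain, permission):
    """Check a requested permission against every hop, first to last.

    The effective set is narrowed (intersected) at each hop, so a later
    hop cannot regain a permission an earlier hop never held. Returns an
    audit record with the full chain and, on denial, the failing hop.
    """
    record = {
        "permission": permission,
        "chain": [f"{h.kind}:{h.principal}" for h in chain],
        "origin": chain[0].principal if chain else None,
        "allowed": False,
        "denied_at": None,
    }
    if not chain:
        record["denied_at"] = "no principal"
        return record
    effective = chain[0].permissions
    for hop in chain:
        effective = effective & hop.permissions
        if permission not in effective:
            record["denied_at"] = hop.principal
            return record
    record["allowed"] = True
    return record

# Constructed sample chain: a human, an orchestrating agent, a sub-agent.
CHAIN = [
    Hop("alice", "human", frozenset({"crm:read", "crm:export", "tickets:write"})),
    Hop("support-orchestrator", "agent", frozenset({"crm:read", "tickets:write"})),
    # The sub-agent claims crm:export, which the orchestrator never held.
    Hop("summarizer", "agent", frozenset({"crm:read", "crm:export"})),
]

if __name__ == "__main__":
    for perm in ("crm:read", "crm:export", "tickets:write"):
        print(authorize(CHAIN, perm))
```

Only `crm:read` survives all three hops; the other two requests are denied at the hop where the permission stops propagating, and the record still identifies `alice` as the origin.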
Humans Were Already Over-Permissioned. Now What?
Grolmus saved maybe his best observation for last. Humans are routinely over-permissioned. He referenced upcoming research from Oso on this exact problem, then noted the irony: that's a terrible starting point for the shift to agents.
Terrible is the right word.
Most enterprises spent a decade giving humans more access than they needed because it was easier than getting permissions right. Role sprawl. Standing privileges. Broad OAuth scopes that never get reviewed. Not malicious. Just organizational inertia meeting the path of least resistance.
Now those same organizations are deploying AI agents that inherit those over-permissioned identities. An agent running with a developer's credentials doesn't just get access to the repos that developer works in. It gets access to everything that developer accumulated over four years of role changes and never-revoked permissions.
And the agent will actually use all of it.
Agents don't have the social norms that keep humans from poking around in systems they technically have access to but never touch. Agents explore. They optimize. They find the fastest path to completing a task, and if that path runs through a database they were never intended to touch, they'll take it without hesitation.
We built EnforceAuth because authentication was never the hard problem. Knowing who someone is does not tell you whether what they're about to do should be allowed. The gap between "authenticated" and "authorized to take this specific action right now" is what we call the Authorization Gap, and it is growing faster than any other risk surface in enterprise security.
Who Controls the Narrative Controls the Category
Grolmus made another observation worth sitting with. The winner in agent identity won't necessarily be the best solution. It will be whoever controls the narrative first.
There's realism in that. But narrative without substance doesn't survive the demo. Practitioners are smart enough to tell the difference between marketing copy and working product once they sit down with it.
Our narrative at EnforceAuth is simple. Authentication tells you who they are. Authorization tells you what they should be allowed to do. For AI agents operating autonomously, that authorization needs to be continuous, task-scoped, intent-aware, and enforced across every identity, human and non-human alike.
The AI Security Fabric category is being defined right now. Not in three years. Not next quarter. Right now. Every week that passes without decision-level governance on your agents is a week of accumulated risk that compounds.
What Does Independent Validation Actually Mean?
We want to be clear about why this research matters. Grolmus did not endorse EnforceAuth. He's mapping a market, not picking favorites. What matters is that an independent analyst, working from publicly available information and months of primary research, arrived at the same set of conclusions that drove our founding.
His core findings, arrived at independently, line up with our architecture point by point:
- Agent authorization is fundamentally different from human authorization
- OAuth scopes and static tokens are insufficient for non-deterministic agent behavior
- Task-level scoping is necessary, not optional
- Delegation chains need enforcement at every hop, not just logging
- Real-time intent awareness is the next frontier
- The starting point, a world where humans are already over-permissioned, makes everything exponentially harder
Every one of those findings maps directly to a design decision in our architecture. Not because we read his research and built accordingly. Because the problem, when you study it honestly, leads you to the same place.
The companies that figure this out won't be the ones who slapped "AI" on their existing access control products. They'll be the ones who rethought authorization from the ground up.
Who controls the authorization layer controls the AI.
If you're deploying agents without decision-level governance, we should probably talk.
Common Questions About AI Agent Identity and Authorization
What is the Authorization Gap for AI agents?
The Authorization Gap is the space between authenticating an agent's identity and governing what that agent can actually do at runtime. Most enterprises have solved authentication. Authorization, especially continuous, task-scoped authorization for non-deterministic AI agents, remains largely ungoverned.
Why can't OAuth handle agent authorization?
OAuth was designed for human-initiated, predictable application interactions. Its scopes are too coarse for task-level constraints, its tokens are too static to adapt to agent behavior mid-session, and it lacks action-level audit capabilities. Agents need dynamic, ephemeral authorization evaluated per action, not per session.
What are delegation chains in multi-agent systems?
When agents act on behalf of users, other agents, or automated workflows, the chain of principals that authorized each action becomes difficult to trace. Delegation chain enforcement means tracking the original authorizing principal through every intermediate hop and verifying permissions at each step. Regulations like DORA and the EU AI Act are making this traceability a compliance requirement.
About EnforceAuth
EnforceAuth is the AI Security Fabric for the agentic era. We provide decision-centric authorization across applications, infrastructure, data, and AI workloads. Write policy once. Enforce everywhere.
