SecureFLO has published a CISO playbook on Security Boulevard arguing that AI agents need their own identity class, separate from human users and traditional non-human identities like service accounts and API keys. The playbook introduces the AGENT framework, a set of named control primitives covering attestation, governance, enforcement, and tracking, along with a 30/60/90-day implementation roadmap and a procurement questionnaire for enterprise buyers evaluating agent platforms.

The framework builds on four existing standards: OWASP’s Top 10 for Agentic Applications 2026, SPIFFE identity standards, RFC 8693 (OAuth 2.0 Token Exchange), and ISO 42001 (AI Management Systems). According to the playbook, the next enterprise audit, deal, and insurance renewal will measure AGENT compliance.

Why Existing Identity Models Break

Traditional identity and access management systems were designed for two categories: human users who authenticate through credentials, and non-human identities like service accounts that authenticate through static API keys or certificates. AI agents fit neither category cleanly.

Agents make autonomous decisions at runtime, deciding which tools to call, which APIs to access, and what actions to take based on context rather than predetermined scripts. They interact with enterprise systems in ways that traditional IAM models don’t contemplate: an agent might read a calendar, interpret an email, query a database, and execute a shell command in a single task chain, with each step requiring different access permissions.

The scale compounds the problem. Palo Alto Networks noted that the average enterprise now faces an “82:1 machine-to-human identity ratio,” citing CyberArk research. Every agent deployed creates additional non-human identities requiring API access and machine-to-machine authentication.

OWASP Ranks Identity Abuse in Top Three

The OWASP Top 10 for Agentic Applications 2026 ranks Identity and Privilege Abuse (ASI03) as the third most critical risk for autonomous agent systems. According to Palo Alto Networks’ analysis of the OWASP list, the shift represents a governance challenge “unlike anything seen before.”

“When agents make decisions, call tools and handle sensitive data without human oversight, traditional security models simply can’t guarantee control,” Palo Alto Networks wrote. “The fear is no longer ‘What if an LLM says something wrong?’ but ‘What if an agent does something wrong?’”

The OWASP list also highlights tool misuse (ASI02), where agents use legitimate tools in unsafe ways due to ambiguous prompts or injection, and memory manipulation, where agents’ persistent context can be poisoned through compromised data.

SPIFFE as the Agent Identity Layer

The SecureFLO playbook points to SPIFFE (Secure Production Identity Framework for Everyone) as a foundational standard for agent identity. SPIFFE provides cryptographic identities to workloads without requiring them to manage secrets directly.

HashiCorp has already moved on this. In its Vault Enterprise 1.21 release, HashiCorp added native SPIFFE authentication support, described as “streamlining and expanding how non-human identities, like AI agents, are authenticated.” Vault now issues X.509-SVIDs (SPIFFE Verifiable Identity Documents) to agent workloads, providing cryptographic attestation of agent identity at the infrastructure level.

The combination of SPIFFE for identity attestation, RFC 8693 for token exchange between agent-to-agent interactions, and ISO 42001 for organizational AI governance gives enterprises a standards-based stack for agent identity management.

The Procurement Angle

SecureFLO’s playbook includes a procurement questionnaire for enterprise buyers, framing agent identity management as a vendor evaluation criterion. The message is explicit: enterprises should be asking agent platform vendors how they handle identity attestation, privilege scoping, and audit trails before deploying agents with production access.

For teams building on platforms like OpenClaw, Claude Code, or OpenAI’s agent infrastructure, agent identity controls are becoming a hard requirement for enterprise sales. The question is no longer whether agents need their own identity primitives, but how quickly vendors implement them.