A customer asks an AI agent to update their shipping address. The agent, being helpful, also notices an unpaid balance, retries a payment against a saved card, and cancels a pending order it flags as a duplicate. The customer never asked for any of that. The canceled order was legitimate. The payment retry overdrafts their account.

Who authorized those actions? Stephen Cox, CTO of identity security firm Strivacity, poses this scenario in a Forbes Tech Council piece published June 4. His answer: most enterprises deploying AI agents today could not produce evidence of authorization even if they wanted to.

The Authorization Chain Is Broken

The core problem Cox identifies is structural. Identity infrastructure has spent decades solving one problem: proving that a human is who they claim to be and granting them access. Authentication, authorization, audit trails. All designed around a human at the keyboard.

AI agents break that assumption. When an agent acts on a user’s behalf, autonomously across multiple systems, “the authorization chain is no longer a moment in time,” Cox writes in Forbes. “It’s a sequence of decisions, each of which carries legal weight. None of which were made directly by the human who initiated the session.”

Most agentic deployments today operate on broad, static permissions. OAuth scopes or API keys grant access to entire systems rather than specific, user-confirmed actions. Cox argues this gap is “currently being papered over rather than solved.”

The Regulatory Exposure

Current data protection frameworks were not designed for autonomous language-model-driven delegation, Cox argues. GDPR, CCPA, and the EU AI Act all assume traceable human authority behind processing decisions. GDPR’s lawful basis requirements are likely to be the sharpest edge: “legitimate interest” faces serious scrutiny when the processing decision was made by a language model operating on broad delegation, not by a person, according to Cox’s analysis.

Cox predicts that the first high-profile consumer lawsuit naming a company (not a compliance framework) will force the issue. The accountability default is clear: if an enterprise cannot demonstrate that its agent acted within explicitly granted, user-confirmed scope, liability defaults to the deploying organization.

The Scale of the Gap

The exposure is not hypothetical. Gravitee’s 2026 report found 88% of enterprises have already experienced AI agent security incidents, with over half of deployed agents operating with no security logging. Gartner projects that 40% of enterprise applications will embed task-specific AI agents by end of 2026, up from less than 5% in 2025. Deloitte found 74% of companies planning agentic deployment within two years, yet only 21% have a mature governance model in place, as cited by SoftwareSeni’s governance analysis.

Three Requirements for Agent Identity

Cox outlines three infrastructure requirements that he argues should be treated as deployment prerequisites, not roadmap items:

First, every agent capable of consequential actions needs a distinct, authenticated identity, separate from the user it acts for and not inherited from their session. Second, permissions must be scoped to what the user actually consented to in that specific interaction, not carried over from broad standing grants. Third, every consequential action must be logged with the authorization context that permitted it.
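The three requirements can be sketched as a per-action authorization gate; this is an added example, not code from Cox's article or from any product it mentions. The action names, identifiers, the demo key and the choice of an HMAC hash chain for tamper evidence are assumptions made for illustration.

```python
import hashlib, hmac, json, time
from dataclasses import dataclass, field
AUDIT_KEY = b"constructed-demo-key"  # assumption: a real key would be held in a KMS

@dataclass(frozen=True)
class ConsentGrant:      # requirement 2: what the user confirmed in this interaction
    grant_id: str
    user_id: str
    agent_id: str        # requirement 1: the agent's own identity, not the user's session
    actions: frozenset
    expires_at: float

def _mac(prev: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True)
    return hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()

@dataclass
class AuditLog:          # requirement 3: every decision, chained so edits are detectable
    entries: list = field(default_factory=list)
    def append(self, record: dict) -> None:
        prev = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({"record": record, "prev": prev, "mac": _mac(prev, record)})

    def verify(self) -> bool:
        prev = ""
        for e in self.entries:
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], _mac(prev, e["record"])):
                return False
            prev = e["mac"]
        return True

def authorize(agent_id: str, action: str, grant: ConsentGrant, log: AuditLog, now=None) -> bool:
    now = time.time() if now is None else now
    checks = [(agent_id != grant.agent_id, "agent_mismatch"),
              (now >= grant.expires_at, "grant_expired"),
              (action not in grant.actions, "outside_consented_scope")]
    reason = next((r for failed, r in checks if failed), "within_grant")
    log.append({"ts": now, "agent_id": agent_id, "user_id": grant.user_id,
                "grant_id": grant.grant_id, "action": action, "reason": reason,
                "decision": "allow" if reason == "within_grant" else "deny"})
    return reason == "within_grant"

def replay_scenario() -> tuple:  # constructed replay of the opening scenario
    log = AuditLog()
    grant = ConsentGrant("g-001", "user-42", "agent-support-7",
                         frozenset({"shipping_address.update"}), expires_at=1_000.0)
    asked = ["shipping_address.update", "payment.retry", "order.cancel"]
    return [authorize("agent-support-7", a, grant, log, now=500.0) for a in asked], log
```

Denied attempts are logged alongside allowed ones, so the trail shows both what the agent did and what it tried to do outside the consented scope.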

The building blocks exist. What’s missing, Cox argues, is “the organizational will to treat this as a deployment requirement instead of a road map item.”

Microsoft’s Agent Control Specification, released at Build 2026, addresses parts of this problem with portable policy files governing agent behavior. But policy files describe intended behavior. The gap Cox identifies is in proving, after the fact, that an agent stayed within bounds. That requires identity infrastructure, audit infrastructure, and consent infrastructure that most enterprise agent deployments have not built.

For teams building or deploying agents: Cox’s three-question test is worth running before your next deployment goes live. Can you prove, with a complete audit trail, what your agent was authorized to do? Can you demonstrate each action was within explicit user consent? Have you mapped your agent’s data processing against GDPR, CCPA, and EU AI Act obligations? If the answer to any is no, the exposure is real and growing.