The Agentic AI Tsunami is Here: Is Your Legacy IAM Sinking or Swimming?
AI agents are becoming a new class of enterprise identity—and most platforms weren’t built for them
- Agentic AI is introducing a whole new class of enterprise identity: autonomous, non-human agents operating at machine speed.
- Traditional IAM platforms were designed for human users and point-in-time authentication, leaving critical gaps for AI agents and creating stress around performance, cost, and data sovereignty.
- Organizations will need an identity platform based on open standards, capable of operating within sovereign deployment models with microservices that can scale fast.
Having worked in the Identity space for longer than I can remember, I’ve architected, deployed, and advised on IAM platforms through multiple massive technology shifts—from client-server architectures to N-tier architectures.
Each wave pushed infrastructure to its limits. But what I’m hearing in recent conversations feels different. The next paradigm shift is already upon us. This time, it's not just about a new device type or another migration to the cloud. We’re talking about an entirely new class of enterprise “user”: agentic AI.
Agentic automation is forecast to enhance capabilities in over 40% of enterprise applications by 2027, according to IDC’s 2026 FutureScape report. Capgemini’s 2026 research determined that agentic AI has officially shifted from basic experimentation to a critical business imperative—and Fortune Business Insights predicts the market value of agentic AI will increase to fifteen times the size it is now by 2034.

What’s the business appeal? Unlike your Homo sapiens employees, AI agents don't take vacations, and they certainly don't operate at human speed. They independently formulate plans, request access to secure systems, and execute complex workflows.
But it raises a critical question for every identity leader: Is your existing IAM platform genuinely equipped to handle the functional capabilities, operational performance, and scale required by agentic AI?
From what I’ve seen so far, many organizations relying on legacy or rigid SaaS IAM platforms may find the answer is a resounding "no."
The functional gap: Securing the autonomous workforce
Traditional IAM platforms were built around human behavior: logins, sessions, and relatively predictable patterns of activity. Agentic AI turns these legacy models on their heads. And securing these new users requires a fundamental rethink of how we issue access.
Meet your new team: non-human identities
Security leaders frequently tell me they are deeply concerned about introducing AI securely into their enterprise. Traditional identity models focus heavily on human user experience, but organizations must now design systems that support the coexistence of human identities with the massive evolution of non-human identities (NHIs).
For AI agents, point-in-time authentication simply isn’t enough. Because these agents operate autonomously and continuously across different systems, identity systems must build ongoing risk assessment deeply into their authentication journeys. If an agent's behavior drifts from its baseline intent, the IAM platform needs to instantly recognize the anomaly and revoke or restrict access.
Access that matches the job
Supporting new, modern authentication types also presents an immediate hurdle. AI agents work best with modern authentication frameworks that rely on short-lived, tightly scoped tokens. An agent is only doing its job when it reasons that it needs additional data. But should it have access to that data, possibly across data boundaries or even across organizations? To avoid the risk of overreach, platforms should issue a short-lived, tightly scoped token, specific to the task the agent (or child agent) is undertaking.
Traceability across agent workflows
Agentic applications frequently spawn additional agents to complete subtasks, which in turn spawn multiple child agents of their own, creating complex decision execution chains. Organizations need a complete chain of evidence from start to finish. Without that traceable record, understanding how decisions were made becomes an unnecessary challenge.
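The two ideas above, a short-lived task-scoped token and a traceable record across spawned agents, sketched as an added example (not code from this article or from any vendor product). The token format, the `issue` and `verify` functions, the key, and the agent and scope names are assumptions made for illustration; a production issuer would use a standard such as OAuth 2.0 token exchange.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"   # constructed; a real issuer uses a managed signing key
MAX_TTL = 300                   # assumed policy ceiling, in seconds, for any agent token

def _sign(body: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(KEY, body, hashlib.sha256).digest())

def verify(token, required_scope=None, now=None):
    """Check signature, expiry and scope; return the claims, including the chain."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    if required_scope and required_scope not in claims["scopes"]:
        raise PermissionError(f"scope {required_scope!r} not granted")
    return claims

def issue(agent, task, scopes, ttl=60, parent=None, now=None):
    """Mint a task-bound token. A child token can only narrow its parent's grant."""
    now = time.time() if now is None else now
    exp, chain = now + min(ttl, MAX_TTL), []
    if parent is not None:
        p = verify(parent, now=now)
        extra = set(scopes) - set(p["scopes"])
        if extra:
            raise PermissionError(f"scope escalation refused: {sorted(extra)}")
        exp = min(exp, p["exp"])  # a child never outlives the agent that spawned it
        # Record who delegated, so every call traces back to the originating task.
        chain = p["chain"] + [{"agent": p["agent"], "task": p["task"]}]
    claims = {"agent": agent, "task": task, "scopes": sorted(scopes),
              "exp": exp, "chain": chain}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body).decode()
```

A resource server calls `verify(token, "crm:read")` on each request and logs the returned `chain` with the decision, which gives the start-to-finish evidence trail for a spawned agent's action.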
Scale changes everything
While the productivity capabilities are a boon, the operational realities of agentic AI are what keep enterprise architects awake at night. Major challenges to consider include:
Machine-speed scale
An AI agent can fire off hundreds of parallel API requests, or spawn hundreds of child agents in the time it takes a human to type a password. That kind of machine-speed activity places enormous pressure on identity infrastructure. Legacy IAM architecture will buckle under the sheer volume of concurrent machine-speed authentication requests.
To handle this agentic traffic without inflating your Total Cost of Ownership (TCO), a transition to a microservices architecture offers a more sustainable path forward. Instead of scaling an entire monolithic system just because authentication requests spike, microservices allow you to auto-scale only the specific identity components under load.
Keeping operations sustainable
With this massive increase in authentication activity comes greater complexity and greater pressure on High Availability and Disaster Recovery (HA/DR). At the same time, many organizations are under increasing pressure to reduce operational costs.
The only viable path forward is a modern, cloud-native, microservices-based foundation that can scale dynamically without demanding armies of administrators to maintain it. Deploying this level of resilience isn't the operational nightmare it used to be. My own experience deploying a modern, cloud-native, container-based IAM platform proved remarkably straightforward.
The regulatory reality of AI
This is perhaps the most urgent operational hurdle. As AI agents process vast amounts of sensitive enterprise data, deciding exactly where your identity data and policy reside is no longer just a preference—it’s often a strict legal mandate. A recent 2026 Data Sovereignty Report by Kiteworks revealed a startling reality: 1 in 3 organizations experienced a sovereignty-related incident in the past twelve months, despite nearly half (44%) of companies claiming to be very well informed about sovereignty requirements.
This anxiety is justified by the current regulatory landscape. The Digital Operational Resilience Act (DORA), fully enforceable for the EU financial sector since January 2025, mandates strict management of ICT supply-chain risks. In many cases, achieving DORA-compliant resilience requires maintaining single-tenant, in-country deployments to ensure operational independence.
Meanwhile, as the EU AI Act reaches full implementation in August 2026, organizations will need to guarantee that the data feeding their AI agents remains within specified jurisdictional borders. This means organizations must keep direct control over the identities they manage—and where the associated data lives. That is a level of sovereignty that opaque legacy SaaS providers simply cannot offer.
What this means for your IAM strategy
IT modernization is rarely easy. But ignoring the wave of agentic AI may be far more fatal (and costly). The massive scale of autonomous machine identities, combined with the security risks and regulatory complexities they introduce, means that "good enough" IAM is now a liability.
Organizations that want to harness the power of AI safely will need identity platforms built for this new reality—prioritizing open standards, in-country deployment options, and robust microservices that can scale at machine speed.
The agentic AI wave isn’t coming. It’s already here. And a modern IAM strategy built for it starts with the right architecture. Explore how Broadcom IDSP supports non-human identities securely and at scale.





