Surviving the Chaotic Era: Three Things We Learned at Identiverse 2026 

Identiverse is a good barometer for where identity security is heading, and this year the tone was set by Tuesday morning’s opening keynote from our CEO, Dr. John Pritchard: “The Three Identity Problem: Surviving the Chaotic Era.”

His argument borrowed a problem from physics. Two bodies orbiting each other move predictably; introduce a third and the system tips into chaos — exquisitely sensitive to small changes, impossible to forecast with the old tools. Identity has lived with two bodies for years: human identities, and the non-human identities (NHIs) that quietly outnumber them. Now agentic AI arrives as the third body, and the system tips into genuine chaos. The destabilizing variable isn’t a sophisticated attacker but rather ordinary business users spinning up AI agents inside their everyday tools, without identity controls or visibility. 

The sessions I attended for the rest of the week confirmed that metaphor. Across very different talks from very different corners of the industry, three big themes kept surfacing: 

  1. Agentic AI and NHIs are now first-class citizens in IAM. They need unique identities, lifecycle management, and governance just like human users. 
  2. Continuous identity and real-time authorization are becoming the new normal. The field is moving past periodic reviews and static entitlements toward per-request, context-aware decisions. 
  3. Ownership and governance are the foundation. Every agent, service account, and human needs a clear owner. Most failures trace back to weak ownership, orphaned identities, and partial coverage. 

Here’s what each of those looked like on the ground. 

Agentic AI and NHIs are first-class identities now 

For years, machine identities were an afterthought; service accounts were provisioned once and then identity teams tried not to think about them again. That era is over. The strongest theme of the week was that agents and NHIs need the same things human users do: unique identities, lifecycle management, scoped authorization, and governance. 

The recurring test for when an agent crosses into needing its own identity came up in the same form again and again: can it write, modify, or delete data? Can its decisions affect other users’ behavior? Does it act autonomously, or on behalf of a human? If the answer is yes, it has to be governed like a digital worker. And the more autonomy an agent has, the stronger the requirements become for the identity, scoped authorization, observability, and runtime controls like intent analysis, a kill switch, and audit. 

Across the sessions, I saw remarkable consistency in how the industry is converging on these operational patterns:

  • Discover every agent, including the shadow AI already running across client-side tools, SaaS apps, and internal platforms.
  • Register them in an agent registry with rich metadata: owner, purpose, scopes, environment, linked tools, and security posture.
  • Broker short-lived, delegated credentials (OAuth2 token exchange, SPIFFE/SPIRE) instead of long-lived keys or shared secrets.
  • Enforce authorization at runtime through an access gateway or control plane that evaluates context, agent intent, and policy on every call. 

The cleanest summary I heard all week was this: agents are digital workers, so govern them like employees: ephemeral credentials, explicit delegation chains, and revocation on demand. That delegation-chain piece matters more than it sounds. A human kicks off a task, an orchestrator agent delegates to subagents, and those subagents call tools and other agents in turn. Every hop inherits access, and every hop is a place where accountability can quietly evaporate.
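
To make the delegation-chain point concrete, here is an added example (not code from any session or from Radiant Logic) that audits one chain hop by hop for the ways accountability is lost: no human at the root, an unrecorded delegator, scopes that widen, and credentials that outlive policy. The `Hop` record, the 15-minute limit, and all actor and scope names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

MAX_TTL_SECONDS = 900  # assumed policy: delegated credentials live at most 15 minutes

@dataclass(frozen=True)
class Hop:
    actor: str                   # identity holding the credential at this hop
    kind: str                    # "human" or "agent"
    scopes: frozenset            # scopes this hop was granted
    ttl_seconds: int             # lifetime of the credential issued to this hop
    delegated_by: Optional[str]  # who delegated to this hop; None only for the root

def audit_chain(hops):
    """Walk one delegation chain (root first) and return (actor, finding) pairs."""
    if not hops:
        return [("<empty>", "no chain recorded")]
    findings = []
    root = hops[0]
    if root.kind != "human" or root.delegated_by is not None:
        findings.append((root.actor, "chain does not start at an accountable human"))
    for parent, child in zip(hops, hops[1:]):
        if child.delegated_by != parent.actor:
            findings.append((child.actor, "delegator not recorded"))
        widened = child.scopes - parent.scopes  # a hop may only narrow what it inherits
        if widened:
            findings.append((child.actor, "scope widened: " + ",".join(sorted(widened))))
        if child.ttl_seconds > MAX_TTL_SECONDS:
            findings.append((child.actor, "long-lived credential"))
    return findings

# Constructed sample chains (all names and scopes are made up).
ALICE = Hop("alice", "human", frozenset({"crm:read", "crm:write", "mail:send"}), 3600, None)
ORCH = Hop("orchestrator", "agent", frozenset({"crm:read", "crm:write"}), 600, "alice")
GOOD_CHAIN = [ALICE, ORCH,
              Hop("summarizer", "agent", frozenset({"crm:read"}), 300, "orchestrator")]
BAD_CHAIN = [ALICE, ORCH,
             Hop("exporter", "agent", frozenset({"crm:read", "files:delete"}), 86400, None)]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, audit_chain(chain))
```
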

Continuous identity is the new normal

If theme one was who needs an identity, theme two was how we make decisions about them over time — and the answer was continuous identity. The repeated message was to move away from a one-time login plus static roles and toward always-on, context-aware evaluation: contextual (decisions based on rich business, identity, and security data), consistent (the same logic everywhere), and continuous (re-evaluated when it’s actually needed). 

The diagnosis of why we’re stuck was sharp. Access reviews today have quietly degraded into bulk “approve all” exercises — not because reviewers are careless, but because they lack the context to decide anything else. The proposed fix kept coming back to the same substrate: a unified data fabric, or identity graph, that fuses identity, business, and security telemetry to drive just-in-time entitlements and real policy decisions. Several speakers framed authorization itself as a graph-traversal problem, recommending a centralized graph model spanning humans, NHIs, and the relationships between them, with authorization externalized into infrastructure (a policy decision point plus enforcement points) and driven by modern signals like CAEP and the Shared Signals Framework. Bearer tokens that can’t be easily revoked, and siloed authorization that doesn’t scale, were the things people were explicitly trying to leave behind. 

There was also a useful reminder that a clean login proves very little. Login plus MFA tells you who showed up at the door; it says nothing about what happens once they’re inside. The push was toward detecting intent within the session — flagging anomalous navigation, an unexpected device, or a strange geolocation mid-stream, rather than trusting the front-door check and moving on. 

And lest anyone think this is purely a futuristic agentic problem, one of the most packed rooms of the entire conference was about the least glamorous topic imaginable: the legacy Active Directory infrastructure that more than 90% of enterprises still run, that roughly 44% of identity-based attacks target, and that almost no one is actually decommissioning. Visibility into it is genuinely poor, made worse by sprawl and years of custom configuration. For a session about technology this “old” and “boring,” the standing-room crowd was a gut-check: we are layering autonomous agents on top of a foundation we still haven’t tamed. 

Ownership and governance are the foundation

The third theme was the quietest and, honestly, the most important. Several speakers made the same uncomfortable point: we are still not great at the basics. Joiner/mover/leaver lifecycle problems for human identities remain unsolved at many organizations — and NHIs and AI agents don’t fix those flaws, they inherit and amplify them. 

The numbers were sobering. At a typical organization, only around 40% of applications are meaningfully governed. The rest is a long tail of shadow apps, unowned service accounts, and now agents — the same blind spot repeating across all three populations. The most dangerous version is the orphaned one: an agent created by a human who later changes roles or leaves, still holding live credentials, still acting, owned by no one. That’s the uncontrolled inheritance chain John warned about in the keynote, showing up in practice. 
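
The orphaned-agent case can be checked mechanically once a registry with owner metadata exists. The following added example (not from the talks or any product) joins a constructed agent registry against a constructed HR roster and lists entries whose owner has left, changed teams, or was never named, with those still holding live credentials first. The field names and sample records are assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)  # fixed "now" so the run is repeatable

# Constructed HR roster: person -> (employment status, current team).
ROSTER = {
    "alice": ("active", "sales-ops"),
    "bob": ("terminated", "finance"),
    "carol": ("active", "marketing"),
}

# Constructed agent registry entries; field names are assumptions.
REGISTRY = [
    {"id": "crm-summarizer", "owner": "alice", "owner_team": "sales-ops",
     "cred_expires": NOW + timedelta(minutes=10)},
    {"id": "invoice-bot", "owner": "bob", "owner_team": "finance",
     "cred_expires": NOW + timedelta(days=200)},
    {"id": "campaign-agent", "owner": "carol", "owner_team": "sales-ops",
     "cred_expires": NOW + timedelta(hours=1)},
    {"id": "legacy-export", "owner": None, "owner_team": None,
     "cred_expires": NOW + timedelta(days=30)},
    {"id": "old-poc-agent", "owner": "bob", "owner_team": "finance",
     "cred_expires": NOW - timedelta(days=3)},
]

def ownership_gap(entry, roster):
    """Return why an entry lacks a valid owner, or None if ownership holds."""
    owner = entry["owner"]
    if owner is None or owner not in roster:
        return "no named owner"
    status, team = roster[owner]
    if status != "active":
        return "owner left"
    if team != entry["owner_team"]:  # owner moved since the agent was registered
        return "owner changed roles"
    return None

def find_orphans(registry, roster, now):
    """List entries with an ownership gap; those with live credentials come first."""
    orphans = [
        {"id": e["id"], "reason": reason, "live": e["cred_expires"] > now}
        for e in registry if (reason := ownership_gap(e, roster))
    ]
    return sorted(orphans, key=lambda o: (not o["live"], o["id"]))

if __name__ == "__main__":
    for orphan in find_orphans(REGISTRY, ROSTER, NOW):
        print(orphan)
```
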

The prescription was refreshingly unglamorous and consistent from talk to talk. Assign explicit ownership first — to humans, service accounts, and agents alike — because nothing gets governed without a named owner. Fix the foundation (inventory, ownership, lifecycle, de-provisioning) before layering advanced AI and agent controls on top. And use discovery tools to surface shadow AI and to map the human-to-NHI-to-data access chains in a graph, so you can finally see who and what is reaching your data. Ownership, as one speaker put it, isn’t a feature you buy — it’s a decision someone has to make. 

Surviving it 

What made the week cohere is how tightly these three themes connect. Agents and NHIs need real identities. Deciding what they can do has to happen continuously and in context. And none of it works without clear ownership and a governed, well-mapped foundation. Pull on any one of these and you immediately need the other two. 

While the agentic sprawl feels like a new and expanding chaos, the reassuring part is that surviving the chaotic era doesn’t require reinventing identity security. Radiant Logic has been helping companies solve challenges caused by human identity-sprawl for decades, and now we’re solving agentic sprawl with the same fundamentals: 

  • Unify the data so you can see the entire picture across systems, hyperscaler repositories, and more. 
  • Observe it continuously, instead of relying on delayed visibility snapshots.  
  • Govern every identity — human, machine, and agent — with a named owner and a real lifecycle. 

The agentic era doesn’t rewrite those fundamentals. It just punishes you much faster for ignoring them. The chaotic era needs a central system core, and I’m proud to be part of the Radiant Logic product team that is delivering just that.