
Agentic and Non-Human Identity at EIC 2026

Agentic AI identity at EIC 2026: the Laws of AIdentity, runtime authorization, OAuth 2.1, MCP, A2A and why non-human identities now outnumber humans.

Vincent Delitz

Created: June 10, 2026

Updated: June 11, 2026

Key Facts
  • AI agents are becoming first-class actors in the enterprise, and EIC 2026's recurring question was: when software can plan, call tools and act, who is it, what is it allowed to do and who is accountable.
  • PwC gave a 33% growth projection for agentic AI through 2028 and named OAuth 2.1, MCP and A2A as the building blocks.
  • EmpowerID proposed six Laws of AIdentity and argued the missing layer is runtime authorization that checks every action, not just registration.
  • Non-human identities outnumber humans by 25 to 50 times in common EIC framing, driving over-privileging and unclear accountability.
  • The flip side is exposure: GitGuardian put 29 million leaked secrets on the table as the scale of the credential sprawl agents now plug into.

1. Introduction: when Software becomes Staff

If you had to name the theme that ran through EIC 2026, it was this: AI agents are becoming first-class actors in the enterprise, and the identity stack was not built for them. Across two dozen sessions, the same question kept surfacing: when software can plan, call tools and act on its own, who is it, what is it allowed to do and who is accountable when it goes wrong?

Compared with the passkey and EUDI themes we covered, this one was lighter on adoption numbers and heavier on frameworks, though a few hard figures still cut through. That is itself the signal: the industry is still defining the primitives. The bridge to the rest of identity is direct, since the same phishing-resistant thinking that secures humans now has to extend to machines. Here are the sessions that pushed the thinking forward.

1.1 Sessions and Speakers covered

  • When Software Becomes Staff - Nat Sakimura, OpenID Foundation
  • AIdentity framework session - Martin Kuppinger, Jonathan Care, Matthias Reinwarth and Darran Rolls, KuppingerCole
  • Navigating the Agentic AI Landscape - Jonathan Care, KuppingerCole
  • Setting Boundaries for Agentic AI - Gal Helemski, PlainID
  • A Blueprint for IAM in the Age of AI Agents - Adam Rusbridge, Ping Identity
  • Agentic AI control-plane keynote - Alex Wilson, StrongDM / Delinea
  • AI identity economy keynote - Bryant Nielson, Quantum Core Institute
  • Breaking down the Agentic AI AuthN and AuthZ challenges - Rogério Rondini, PwC
  • The Laws of AIdentity - Patrick Parker, EmpowerID
  • What 29 Million Leaked Secrets Mean for Your Identity Program - Stanislas Crepin, GitGuardian
  • Non-Human identity sessions - NHI Management Group, GitGuardian, Teleport, IKEA, ANZ, Rabobank and others
  • Orchestrating Non-Human Identity - Okta, EnBW and DigiCert
  • When Regulation Meets Reality: Running Non-Human Identity at Scale - DigiCert
  • When Your AI Agents Need Passports: The Non-Human Identity Crisis - Jonathan Care, KuppingerCole
  • Delegating Digital Identity: Enabling Trusted AI Agents in Transactional Flows - Queue-it, Dai Nippon Printing and Meeco
  • Artificial Counter Intelligence - OWASP-related session
  • OWASP Agentic AI update - Inbar Raz
  • Are You Ready for Mythos? - Silverfort
  • Shaping AIdentity Standards: Beyond OAuth and OIDC? - David Brossard, Martin Kuppinger, Alex Laurie, Eve Maler and Darran Rolls
  • On Beyond OAuth: Adapting Security to a Dynamic World - Justin Richer

2. Framing: Software is now Staff

Nat Sakimura, chairman of the OpenID Foundation, set the tone with "When Software Becomes Staff". His argument: AI agents behave like digital employees. They plan, they invoke tools, and they act, but their identity boundaries are unstable. That breaks the assumptions behind delegated authority, agent registration, ownership and accountability. His prescription was to build an "evidence infrastructure" so that what an agent did and on whose authority it acted can be reconstructed and trusted downstream.

The KuppingerCole analyst team (Martin Kuppinger, Jonathan Care, Matthias Reinwarth, Darran Rolls) wrapped this into what they call "AIdentity", a framework describing roughly ten shifts AI brings to identity and security, from the rise of non-human identities to new trust, control and governance requirements.

3. Mainstage Signal: Agentic AI everywhere

The clearest signal was placement. Agentic AI was not tucked into a side topic; it ran right across the keynote stage on multiple days. Jonathan Care opened one morning with "Navigating the Agentic AI Landscape", and a string of vendor keynotes circled the same control problem from different angles:

  • PlainID (Gal Helemski) on "Setting Boundaries for Agentic AI", framing data exposure as the enterprise-scale risk
  • Ping Identity (Adam Rusbridge) with "A Blueprint for IAM in the Age of AI Agents"
  • StrongDM / Delinea (Alex Wilson) arguing identity needs "a control plane, not just login" when authorization fails at cloud speed
  • Quantum Core Institute (Bryant Nielson) on the new "AI identity economy" once models, not people, run the business

Read together, the message was that authorization, not authentication, is the part of the stack that agentic AI breaks first.


4. Hard Numbers (the few that exist)

A handful of sessions actually quantified things.

PwC (Rogério Rondini), in "Breaking down the Agentic AI AuthN and AuthZ challenges", gave the most concrete data and standards mapping:

  • A 33% growth projection for agentic AI through 2028
  • OAuth 2.1 as the baseline
  • MCP and A2A as the emerging agent-to-tool and agent-to-agent protocols
  • A pointed critique of using Dynamic Client Registration as the agent-registration mechanism

EmpowerID (Patrick Parker), in "The Laws of AIdentity", delivered the other memorable session. His core point: today's agent governance only checks at registration time, which leaves a runtime blind spot. The missing layer is runtime authorization, evaluating policy per action. He proposed six "Laws of AIdentity" (split actor, generated intent, bounded agency, authorization as a loop, least exposure, justifiable action), pointed to OpenID AuthZEN as the runtime authorization primitive and cited what he described as the "OpenClaw incident", a reported exposure of around 42,000 unprotected gateways.

GitGuardian (Stanislas Crepin) added the number that lands with security teams: "What 29 Million Leaked Secrets Mean for Your Identity Program". That 29 million figure is the backdrop for everything agentic, because agents inherit and multiply exactly this kind of secret sprawl.


5. Scale Problem: Machines already outnumber Humans

The non-human identity sessions made the structural case. Across sessions and EIC materials, the recurring line was that service accounts, API keys, workloads and AI agents vastly outnumber human users. The public EIC framing put the scale at 25 to 50 times more machines acting like users, with most still lacking proper governance. That is what drives over-privileging and unclear accountability.

Crucially, this is now a compliance problem, not just hygiene. The "Orchestrating Non-Human Identity" sessions (Okta, EnBW, DigiCert) mapped NHI management onto NIS2, DORA, CRA, GDPR and eIDAS 2.0 and argued for ephemeral, just-in-time access for AI agents instead of long-lived credentials. "When Regulation Meets Reality: Running Non-Human Identity at Scale" (DigiCert) made the same point from the operations side.

6. Agent Passports and Delegation

If agents are staff, they need credentials you can issue, scope and revoke. Jonathan Care's "When Your AI Agents Need Passports: The Non-Human Identity Crisis" is where the "agent passport" framing came from: a first-class, verifiable identity for each agent rather than a borrowed service-account key.

The harder half is delegation. "Delegating Digital Identity: Enabling Trusted AI Agents in Transactional Flows" (Queue-it, Dai Nippon Printing, Meeco) looked at how an agent acts on a human's behalf in a real transaction, where the chain of "who authorized what" has to survive into the payment or checkout step and stay auditable afterwards.

7. Agents as an Attack Surface

The theme also had a sharp adversarial edge. The OWASP angle, including "Artificial Counter Intelligence" and an OWASP Agentic AI update with Inbar Raz, treated agents as both target and weapon: prompt-driven systems that can be manipulated into misusing their own privileges. Silverfort's "Are You Ready for Mythos?" pushed the same theme of protecting identities and access "at the speed of AI".

Put next to GitGuardian's 29 million leaked secrets, the conclusion is uncomfortable but simple: an over-privileged agent sitting on top of sprawling secrets is a far larger blast radius than any single human account.


8. Standards Debate: beyond OAuth and OIDC

A recurring open question was whether today's protocols are enough. The panel "Shaping AIdentity Standards: Beyond OAuth and OIDC?" (David Brossard, Martin Kuppinger, Alex Laurie, Eve Maler, Darran Rolls) put that tension on stage, and Justin Richer's "On Beyond OAuth: Adapting Security to a Dynamic World" argued the bearer-token model strains once agents act dynamically on their own. The consensus was not to discard OAuth but to extend it, with MCP, A2A and AuthZEN filling the agent-to-tool, agent-to-agent and runtime-authorization gaps that OAuth alone does not cover.

9. Recurring Proposals

Listen across these sessions and a rough consensus on what agents need starts to form:

  1. An identity, not a shared secret. Agents need first-class, verifiable identities, the "agent passports" from Jonathan Care's session, not borrowed service-account credentials.
  2. Runtime authorization, not just registration. Parker's point echoed widely: check every action, not just the sign-up. AuthZEN and per-action policy evaluation came up repeatedly.
  3. Delegation you can trace. Sakimura's "evidence infrastructure" and the idea of signed, auditable receipts of what an agent did and why.
  4. Standards over bespoke glue. OAuth 2.1, MCP, A2A and OpenID work were the named building blocks, with warnings against bending old primitives like Dynamic Client Registration to fit.
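
Proposals 2 and 3 above, sketched as an added example (not code from the sessions or from any vendor named here): every agent action is evaluated against a delegated grant, and each decision is written to a tamper-evident receipt chain. The grant table, key, agent names and steps are constructed; the request borrows the subject/action/resource/context shape used by AuthZEN, and an HMAC stands in for a real signature.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for a managed signing key
# Constructed grant: which actions the agent may take, for whom, until when.
GRANTS = {"agent:checkout-bot": {"delegator": "user:alice", "expires": 2_000_000_000,
                                 "caps": {"payment.create": 100}}}  # per-action amount cap

def evaluate(req):
    """Per-action decision over a subject/action/resource/context request."""
    grant, ctx = GRANTS.get(req["subject"]), req["context"]
    if grant is None:
        return False, "unknown agent"
    if ctx["now"] >= grant["expires"]:
        return False, "delegation expired"
    if ctx.get("on_behalf_of") != grant["delegator"]:
        return False, "delegator mismatch"
    if req["action"] not in grant["caps"]:
        return False, "action outside grant"
    if ctx.get("amount", 0) > grant["caps"][req["action"]]:
        return False, "amount over cap"
    return True, "permitted"

def _mac(body):
    return hmac.new(KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def run_agent(subject, steps, now):
    """Authorize every step; emit a MAC-chained receipt for each decision."""
    log, prev = [], ""
    for action, resource, ctx in steps:
        req = {"subject": subject, "action": action, "resource": resource, "context": {**ctx, "now": now}}
        decision, reason = evaluate(req)
        body = {**req, "prev": prev, "decision": decision, "reason": reason}
        log.append({**body, "mac": _mac(body)})
        prev = log[-1]["mac"]
    return log

def verify_chain(log):
    """Recompute every MAC and link; an edited receipt or broken link fails."""
    prev = ""
    for r in log:
        body = {k: v for k, v in r.items() if k != "mac"}
        if body["prev"] != prev or not hmac.compare_digest(_mac(body), r["mac"]):
            return False
        prev = r["mac"]
    return True

# Constructed steps: one in scope, one over the cap, one never granted.
STEPS = [("payment.create", "order:42", {"on_behalf_of": "user:alice", "amount": 40}),
         ("payment.create", "order:43", {"on_behalf_of": "user:alice", "amount": 900}),
         ("user.delete", "user:bob", {"on_behalf_of": "user:alice"})]
```

A registration-only check would pass all three steps because the agent is known; the per-action loop denies the last two and records why.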

The diagram below condenses those proposals into the identity stack an AI agent actually needs before it can act safely in production.


10. What to take away

The agentic identity conversation is roughly where passkeys were a few years ago: the problem is clear, the standards are forming and the production case studies are not here yet. For teams building consumer and workforce identity, the practical move is to start treating AI agents and non-human identities as identities you must govern, with their own lifecycle, least-privilege access and runtime authorization, rather than as scripts that happen to hold a key.

The phrase that stuck from Berlin: when software becomes staff, it needs an identity, a manager and a paper trail.

11. Conclusion

EIC 2026 showed that agentic and non-human identity is the next frontier the identity stack has to absorb. The frameworks, the Laws of AIdentity, the OpenID work on evidence infrastructure and the standards mapping around OAuth 2.1, MCP and A2A, are converging on a clear message: agents need first-class identities, runtime authorization and traceable delegation.

The teams that will be ready are the ones already running phishing-resistant, well-governed human identity today, because the same principles of strong authentication, least privilege and auditability are what non-human identities will demand at far greater scale.


Frequently Asked Questions

What is agentic AI identity?

Agentic AI identity is the practice of giving AI agents first-class, verifiable identities so their actions can be authenticated, authorized and audited. At EIC 2026, OpenID Foundation chairman Nat Sakimura framed agents as digital staff that plan, invoke tools and act, which breaks existing assumptions about delegated authority, agent registration and accountability.

What are the Laws of AIdentity from EIC 2026?

EmpowerID's Patrick Parker proposed six Laws of AIdentity: split actor, generated intent, bounded agency, authorization as a loop, least exposure and justifiable action. His core point is that today's agent governance only checks at registration time and leaves a runtime blind spot. Runtime authorization evaluating policy per action is the missing layer, with OpenID AuthZEN named as the primitive.

Which standards apply to AI agent authentication and authorization?

PwC's session named OAuth 2.1 as the baseline, with MCP and A2A as the emerging agent-to-tool and agent-to-agent protocols. It also gave a 33% growth projection for agentic AI through 2028 and warned against using Dynamic Client Registration as the agent-registration mechanism, since it was not designed for that purpose.

Why do non-human identities outnumber human identities?

Service accounts, API keys, workloads and now AI agents proliferate far faster than human users. EIC 2026 materials framed the problem as 25 to 50 times more machines acting like users, and the non-human identity sessions we focused on stressed that most lack proper governance, leading to over-privileging and unclear accountability.

What do AI agents need from an identity stack?

The recurring proposals at EIC 2026 were first-class verifiable identities rather than shared secrets, runtime authorization that checks every action rather than just registration, traceable delegation through an evidence infrastructure of signed receipts and reliance on standards like OAuth 2.1, MCP and A2A instead of bending old primitives such as Dynamic Client Registration.

What is an agent passport?

An agent passport is a first-class, verifiable identity issued to an individual AI agent so it can be authenticated, scoped and revoked like a member of staff, rather than reusing a borrowed service-account key. The framing comes from Jonathan Care's EIC 2026 session "When Your AI Agents Need Passports", and it pairs with traceable delegation so the chain of who authorized what survives into the actual transaction.

Which regulations apply to non-human identities?

At EIC 2026 the "Orchestrating Non-Human Identity" sessions mapped NHI and AI agent governance onto NIS2, DORA, CRA, GDPR and eIDAS 2.0, treating machine identities as a compliance problem rather than just hygiene. The recommended pattern was ephemeral, just-in-time access for agents instead of long-lived credentials, so access can be granted per action and audited afterwards.
