AI Security

Defending Autonomous AI: Why Identity Graphs Are the Missing Control Plane

AI agents are the new workforce. They authenticate, access data, make decisions, and act — all at machine speed. Legacy security was never built for this.

Setu Research
February 18, 2026·14 min read

The Agent Workforce Has Arrived — Security Hasn't Kept Up

Seventy-two percent of organizations are actively using or testing AI agents. Forty percent are running multiple agents in production. And more than half of those deployed agents are not actively monitored or secured.

These are not chatbots answering FAQs. These are autonomous systems that authenticate with real credentials, traverse real data stores, invoke real APIs, and make decisions that affect production environments — all at machine speed, all without a human in the loop.

The security industry's response has been to extend legacy controls — firewalls, static DLP rules, CASB policies — to cover this new surface. It doesn't work. Not because these tools are poorly built, but because they were designed for a fundamentally different threat model: deterministic software operated by human users at human speed.

AI agents are probabilistic. They reason. They synthesize novel outputs from retrieved context. They delegate sub-tasks to other agents. And they do all of this in milliseconds. The gap between what legacy security can see and what agents actually do is where breaches happen.


Six Problems That Define the New Threat Landscape

Before we discuss architecture, it's worth being precise about what's actually going wrong. These aren't theoretical risks — every one of them has been demonstrated in production.

1. Shadow AI and Ungoverned Agent Sprawl

Eighty-six percent of workers use AI tools weekly. Fifty-eight percent use external, unapproved AI services. When Samsung employees pasted proprietary source code, meeting notes, and hardware specifications into a public LLM on three separate occasions, the breach didn't come from a sophisticated attack. It came from an organizational policy gap that no perimeter tool could have caught.

Shadow AI isn't a firewall problem. It's a visibility problem. You can't govern what you can't see, and you can't see agents that were never provisioned through your identity infrastructure.

2. Logic-Layer Prompt Control Injection

Traditional prompt injection is a user attacking a model. Logic-Layer Prompt Control Injection (LPCI) is far more dangerous: malicious payloads embedded in the data an agent naturally processes — its vector stores, tool outputs, or long-term memory. The agent executes rogue actions while believing they're legitimate.

A zero-click remote code execution vulnerability in a popular AI coding IDE demonstrated this perfectly. No user interaction required. The attacker hid instructions in data the agent retrieved independently, and the agent executed them. Every retrieval became execution-adjacent.

Static DLP rules can't detect this. Regex-based filters can't detect this. You need behavioral baselines and intent analysis operating at the reasoning layer, not the network layer.

3. Non-Human Identity Explosion

In a typical enterprise, non-human identities outnumber human users 45 to 1. Service accounts, API keys, OAuth tokens, CI/CD credentials, and now AI agent identities — each one is an authentication principal with real access to real resources. Most are never rotated. Many are orphaned. Some have admin-level privileges that were granted for a one-time task and never revoked.

When a nation-state operation used jailbroken AI coding assistants to automate reconnaissance, exploit crafting, and credential theft, the attack didn't target human users. It targeted the machine credentials that no one was watching.

4. Delegated Authority Without Delegated Oversight

When a Chevrolet dealership's chatbot accepted a $1 offer for a new vehicle, it wasn't a system failure in the traditional sense. The agent had been delegated authority — the ability to negotiate with customers — without delegated oversight. No guardrails on what constituted an acceptable outcome. No behavioral boundaries. No ECI awareness.

This pattern repeats across every enterprise deploying agents: authority is delegated at provisioning time, but the security implications of that delegation are never computed. What can this agent access? If it's compromised, what's the ECI? What's the worst-case financial exposure? These questions are rarely asked, let alone answered in real time.

5. Machine-Speed Attacks vs. Human-Speed Response

The window from vulnerability disclosure to active exploitation has compressed to approximately five to fifteen minutes. AI-accelerated attacks — automated reconnaissance, polymorphic payloads, adaptive exploitation chains — operate at speeds that make human triage physically impossible.

When your detection-to-response window is measured in hours and the attack completes in minutes, you don't have a staffing problem. You have an architecture problem.

6. Regulatory Convergence Without Unified Controls

The EU AI Act requires transparency, human oversight, and comprehensive logging for high-risk AI agents — fully applicable by August 2026. HIPAA mandates strict PHI safeguards with six-year audit retention. The SEC requires material incident disclosure within four business days. NIST's AI Risk Management Framework demands map-measure-manage-govern processes. ISO 42001 codifies AI-specific governance. OWASP now publishes a Top 10 for LLMs and Agentic Applications.

Each regulation addresses a real risk. None of them can be satisfied by a point product. Compliance requires a unified view of every identity, every data flow, every access path, and every agent action — continuously audited, continuously enforced.


Why Legacy Architectures Fail

The core assumption of traditional security is that software is deterministic: given the same inputs, it produces the same outputs. Every tool built on this assumption — signature-based detection, static policy enforcement, perimeter-based access control — breaks when applied to probabilistic systems.

Legacy Assumption                              | AI Agent Reality
Software behavior is deterministic             | Agent outputs are probabilistic and context-dependent
Access is controlled by human authentication   | Agents authenticate with machine credentials at machine speed
Data moves in predictable patterns             | Agents synthesize, recontextualize, and generate novel data
Threats target code vulnerabilities            | Attacks target reasoning, memory, and tool chains
Detection operates at network/endpoint layer   | Threats manifest at the logic and intent layer
Response operates at human speed               | Exploitation completes in minutes

Extending these tools to cover AI agents isn't a configuration problem. It's a category error. You can't inspect what an agent is thinking by watching its network traffic.


The Identity Graph as Control Plane

The security industry has been asking the wrong question. Not "how do we secure AI agents?" but "how do we extend the identity control plane to include AI agents as first-class citizens alongside humans and machines?"

This reframing matters because it connects agent security to something enterprises already understand: identity and access management. Every agent authenticates. Every agent has permissions. Every agent accesses resources. The problem isn't that agent security is a new domain — it's that existing identity infrastructure doesn't model agents with the same rigor it models human users.

What a Unified Identity Graph Looks Like

At Setu, the identity exposure graph is the foundation. Every identity — human, service account, API key, OAuth token, AI agent — exists as a node. Every permission, group membership, role binding, and resource policy exists as an edge. Every resource — cloud workload, database, SaaS application, API endpoint, AI model — exists as a node.

This graph is continuously updated. Not daily snapshots. Not weekly scans. Continuous API-level enumeration across cloud providers, identity providers, SaaS platforms, and now AI agent frameworks.

When an AI agent is provisioned, it enters the graph immediately. Its credentials, its permissions, its tool access, the data stores it can reach, the APIs it can invoke — all of it is mapped and scored before the agent processes its first request.

ECI Scoring: From Permissions to Impact

Traditional access reviews ask "what can this identity access?" The identity exposure graph answers a harder question: "what happens if this identity is compromised?"

Every identity — human or autonomous — receives an ECI score from 0 to 100, computed via Personalized PageRank over real attack paths through the graph. Not theoretical permissions. Not policy documents. Actual, traversable paths from the identity through role bindings, group memberships, transitive trust relationships, and cross-boundary access to every resource it can reach.

An AI agent with read access to a low-sensitivity document store and no lateral movement paths might score a 15. The same agent type with access to a vector store that feeds a customer-facing model, plus transitive access to the production database through an over-privileged service account, might score an 87.

This distinction is invisible to static policy enforcement. It's visible in the graph.
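To make the scoring idea concrete, here is a small worked example added for this article; it is not Setu's code. The page says ECI is a 0-100 score computed via Personalized PageRank over traversable access paths but gives no formula, so the node kinds, the sensitivity weights and the scaling (walk-weighted average sensitivity of the resources reached) are assumptions. The graph mirrors the two agents described above: one that only reaches a low-sensitivity document store, and one that reaches a vector store and, through an over-privileged service account, the production database.

```python
"""Toy ECI-style exposure scoring over an identity exposure graph.

Added example, not Setu's code. The page describes a 0-100 ECI computed via
Personalized PageRank over real access paths but gives no formula; the node
kinds, sensitivity weights and scaling below are assumptions.
"""
from collections import defaultdict

# Constructed sample graph. Directed edges are "can reach" relations:
# identity -> role or trusted identity, role -> resource. Node kinds drive scoring.
NODES = {
    "agent_docs": "identity",    # reads a low-sensitivity document store
    "agent_rag": "identity",     # feeds a customer-facing model
    "svc_etl": "identity",       # over-privileged service account
    "role_reader": "role",
    "role_etl": "role",
    "doc_store": "resource",
    "vector_store": "resource",
    "prod_db": "resource",
}
EDGES = [
    ("agent_docs", "role_reader"),
    ("role_reader", "doc_store"),
    ("agent_rag", "role_reader"),
    ("agent_rag", "vector_store"),
    ("agent_rag", "svc_etl"),      # transitive trust: the agent can act as svc_etl
    ("svc_etl", "role_etl"),
    ("role_etl", "prod_db"),
    ("role_etl", "vector_store"),
]
# Assumed sensitivity weights (0 = public, 1 = crown jewels).
SENSITIVITY = {"doc_store": 0.1, "vector_store": 0.6, "prod_db": 1.0}


def adjacency(edges):
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    return adj


def reachable_resources(identity, edges=EDGES):
    """Resources reachable from `identity` by following access edges (DFS)."""
    adj = adjacency(edges)
    seen, stack = set(), [identity]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return {n for n in seen if NODES[n] == "resource"}


def personalized_pagerank(start, edges=EDGES, alpha=0.85, iters=200):
    """Power-iteration PPR that restarts at `start`.
    Dangling nodes (no out-edges) hand their mass back to `start`."""
    adj = adjacency(edges)
    rank = {n: 0.0 for n in NODES}
    rank[start] = 1.0
    for _ in range(iters):
        nxt = {n: 0.0 for n in NODES}
        for node, mass in rank.items():
            out = adj[node]
            if out:
                for dst in out:
                    nxt[dst] += alpha * mass / len(out)
            else:
                nxt[start] += alpha * mass
        nxt[start] += 1.0 - alpha
        rank = nxt
    return rank


def eci_score(identity, edges=EDGES):
    """0-100: sensitivity of the resources a random walk from `identity` lands on,
    weighted by how often the walk lands there (assumed scaling)."""
    rank = personalized_pagerank(identity, edges)
    resource_mass = sum(rank[n] for n in NODES if NODES[n] == "resource")
    if resource_mass == 0.0:
        return 0.0
    weighted = sum(rank[n] * SENSITIVITY[n] for n in SENSITIVITY)
    return round(100.0 * weighted / resource_mass, 1)


def what_if_remove(identity, edge, edges=EDGES):
    """Pre-computed fix: score before and after dropping one binding."""
    before = eci_score(identity, edges)
    after = eci_score(identity, [e for e in edges if e != edge])
    return before, after


if __name__ == "__main__":
    for ident in ("agent_docs", "agent_rag"):
        print(ident, eci_score(ident), sorted(reachable_resources(ident)))
    print("drop agent_rag->svc_etl:", what_if_remove("agent_rag", ("agent_rag", "svc_etl")))
```

The point of `what_if_remove` is the "pre-computed fix": removing the single transitive-trust edge from the agent to the service account cuts the production database out of the walk and lowers the score, which is the kind of ranked remediation candidate the graph can surface without anyone reading a policy document.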


Defending the Six Attack Classes

Each of the problems described above has a specific architectural response. Here's how graph-native security addresses them.

Shadow AI: Discovery Before Governance

You can't write policies for agents you don't know exist. Setu's discovery engine continuously enumerates AI assets across the enterprise: LLMs, embedding models, MCP servers, agent frameworks, vector stores, and the credentials that connect them.

Every discovered asset is automatically:

  • Classified by type and risk tier
  • Mapped into the identity exposure graph
  • Scored for ECI
  • Checked against governance policies (EU AI Act risk categories, NIST AI RMF controls, ISO 42001 requirements)
  • Flagged if operating outside sanctioned boundaries

Discovery isn't a one-time audit. It's a continuous process that catches the agent your ML team spun up on Tuesday before it processes its first customer record on Wednesday.

LPCI and Prompt Injection: Intent-Aware Runtime Defense

Setu's AI-SPM layer ships a runtime prompt-injection detector that matches against the OWASP LLM Top 10 attack categories at the request tier. Vendor-reported accuracy numbers in this space are notoriously tenant-dependent; we report measured precision and recall per-tenant rather than a headline figure. Detection alone isn't sufficient for logic-layer attacks.

The roadmap target is intent analysis: understanding not just what data is moving, but why. A production intent-analysis layer is Q3 2026 on our roadmap; what ships today is the retrieval-plus-graph-context substrate that makes it learnable. When an agent requests access to a sensitive financial document, the system evaluates:

  • Data sensitivity: What classification level is the document? What regulatory controls apply?
  • Behavioral baseline: Is this request consistent with the agent's normal patterns? Has it ever accessed this data category before?
  • Identity context: What is the agent's ECI? What else can it reach from here?
  • Environmental factors: What triggered this request? Is it part of a legitimate workflow or an anomalous chain?

The same document access request might be approved for an agent operating within its established behavioral envelope, quarantined for an agent that's never accessed this data type before, or blocked entirely if the request correlates with known LPCI patterns.

This is fundamentally different from DLP rules that can only match patterns in the data itself. Intent analysis operates at the reasoning layer, where logic-layer attacks actually manifest.
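The following is an added illustration of that decision logic, written for this article rather than taken from Setu's product. It turns the four evaluation points above (data sensitivity, behavioral baseline, identity context, environmental factors) into one policy function that returns approve, quarantine or block. The classification levels, the ECI ceilings per level, the constructed access history and the placeholder injection marker are all assumptions; the page lists no concrete LPCI patterns, so the signature check is a stand-in.

```python
"""Intent-aware decision for an agent's request to read a document.

Added example, not Setu's code. Classification levels, ECI ceilings, the
access history and the injection marker below are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed access history: (agent, data category) pairs observed in the past.
HISTORY = [
    ("agent_support", "public_docs"),
    ("agent_support", "ticket_notes"),
    ("agent_finance", "invoices"),
    ("agent_finance", "financial_reports"),
]

# Assumed: how sensitive each classification is, and the highest ECI an identity
# may carry and still be auto-approved for data at that level.
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ECI_CEILING = {"public": 100, "internal": 80, "confidential": 60, "restricted": 40}


@dataclass
class Request:
    agent: str
    document: str
    category: str          # data category, e.g. "financial_reports"
    classification: str    # key of SENSITIVITY_RANK
    agent_eci: int         # 0-100 score from the identity graph
    triggered_by: str      # "workflow:<name>" when part of a sanctioned workflow
    retrieved_text: str = ""   # content the agent is acting on


def baseline(history=HISTORY):
    """Behavioral baseline: per-agent set of data categories seen before."""
    seen = {}
    for agent, category in history:
        seen.setdefault(agent, set()).add(category)
    return seen


def matches_known_injection_pattern(text):
    """Stand-in for the runtime detector's signature match. The page names no
    patterns, so this only recognises a constructed marker used by the demo."""
    return "[[DEMO-INJECTION-MARKER]]" in text


def decide(req, history=HISTORY):
    """Return (decision, reasons); decision is 'approve', 'quarantine' or 'block'."""
    # Environmental factor: content correlating with a known injection signature is blocked outright.
    if matches_known_injection_pattern(req.retrieved_text):
        return "block", ["retrieved content matches known injection pattern"]
    reasons = []
    # Identity context: the more sensitive the data, the lower the ECI that is tolerated.
    ceiling = ECI_CEILING[req.classification]
    if req.agent_eci > ceiling:
        reasons.append(f"ECI {req.agent_eci} above ceiling {ceiling} for {req.classification}")
    # Behavioral baseline: a category the agent has never touched is a first-seen event.
    if req.category not in baseline(history).get(req.agent, set()):
        reasons.append(f"first access to category {req.category}")
    # Environmental factor: a request not traced to a sanctioned workflow is an anomalous chain.
    if not req.triggered_by.startswith("workflow:"):
        reasons.append(f"triggered by {req.triggered_by}, not a sanctioned workflow")
    if not reasons:
        return "approve", ["within established behavioral envelope"]
    # Data sensitivity decides how hard deviations are treated: two or more deviations
    # on confidential-or-higher data are blocked, anything else is quarantined for review.
    if SENSITIVITY_RANK[req.classification] >= 2 and len(reasons) >= 2:
        return "block", reasons
    return "quarantine", reasons


if __name__ == "__main__":
    print(decide(Request("agent_finance", "q4.pdf", "financial_reports", "confidential", 35, "workflow:close-books")))
    print(decide(Request("agent_support", "q4.pdf", "financial_reports", "confidential", 35, "workflow:close-books")))
    print(decide(Request("agent_support", "q4.pdf", "financial_reports", "restricted", 70, "tool_output")))
```

Note that the same document request yields three different outcomes depending on who is asking and how the request arose, which is exactly the distinction a content-only DLP rule cannot make: the bytes of the document are identical in every case.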

NHI Lifecycle: From Discovery to Decommission

Setu discovers, inventories, and manages non-human identities across 20+ platforms — cloud providers, DevOps tools, SaaS applications, container registries, and AI agent frameworks. Every NHI gets the same treatment as a human identity:

  • Risk scoring based on actual permissions and ECI
  • Orphan detection for credentials attached to departed employees or decommissioned services
  • Over-privilege analysis comparing actual usage patterns to granted permissions
  • Rotation tracking with alerts for credentials that haven't been rotated within policy thresholds
  • Lifecycle management from creation through active use to automated decommission

When the graph reveals that a CI/CD service account created for a one-time migration two years ago still has production database admin access and an ECI score of 74, that's not a finding in a quarterly report. It's a real-time remediation candidate with a pre-computed fix: "remove these three role bindings to reduce ECI by 61 points across 8 connected identities."
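As an added example for this section (not Setu's code), the script below runs the lifecycle checks just listed over a constructed NHI inventory: orphan detection against the active-employee list, rotation-age against a policy threshold, dormancy, and over-privilege as the gap between granted and recently used permissions. It then derives a pre-computed fix per identity and ranks the inventory by severity. The records, the 90-day rotation policy, the 30-day dormancy threshold and the severity weights are assumptions.

```python
"""Non-human identity lifecycle checks: orphaned, stale, dormant, over-privileged.

Added example, not Setu's code. The inventory, the policy thresholds and the
severity weights are constructed assumptions.
"""
from datetime import date

TODAY = date(2026, 2, 18)       # pinned so the example is deterministic
ROTATION_POLICY_DAYS = 90       # assumed policy threshold
DORMANT_DAYS = 30               # assumed: unused this long counts as dormant
SEVERITY = {"orphaned": 3, "stale_credential": 2, "over_privileged": 2, "dormant": 1}
ACTIVE_EMPLOYEES = {"bob", "carol"}   # alice has left the company

# Constructed inventory: one record per NHI, with granted vs. actually used permissions.
INVENTORY = [
    {"id": "svc-ci-migration", "owner": "alice", "last_rotated": date(2024, 1, 10),
     "last_used": date(2026, 2, 1),
     "granted": {"db:admin", "s3:read", "s3:write"}, "used_90d": {"s3:read"}},
    {"id": "agent-support-bot", "owner": "bob", "last_rotated": date(2026, 1, 5),
     "last_used": date(2026, 2, 17),
     "granted": {"tickets:read", "tickets:write"}, "used_90d": {"tickets:read", "tickets:write"}},
    {"id": "svc-legacy-report", "owner": "carol", "last_rotated": date(2025, 12, 1),
     "last_used": date(2025, 11, 2),
     "granted": {"reports:read"}, "used_90d": set()},
]


def check_identity(rec, today=TODAY, active=ACTIVE_EMPLOYEES):
    """Return a list of (finding, detail) for one NHI record."""
    findings = []
    if rec["owner"] not in active:
        findings.append(("orphaned", f"owner {rec['owner']} is no longer active"))
    rotated_days = (today - rec["last_rotated"]).days
    if rotated_days > ROTATION_POLICY_DAYS:
        findings.append(("stale_credential", f"last rotated {rotated_days} days ago"))
    idle_days = (today - rec["last_used"]).days
    if idle_days > DORMANT_DAYS:
        findings.append(("dormant", f"unused for {idle_days} days"))
    unused = rec["granted"] - rec["used_90d"]
    if unused:
        findings.append(("over_privileged", f"granted but unused in 90 days: {sorted(unused)}"))
    return findings


def remediation_plan(rec, today=TODAY, active=ACTIVE_EMPLOYEES):
    """Pre-computed fix derived from the findings, ready for a closed-loop playbook."""
    kinds = {kind for kind, _ in check_identity(rec, today, active)}
    return {
        "identity": rec["id"],
        "remove_grants": sorted(rec["granted"] - rec["used_90d"]),
        "rotate": "stale_credential" in kinds,
        "reassign_owner": "orphaned" in kinds,
        # dormant with nothing used in 90 days: decommission rather than trim
        "decommission": "dormant" in kinds and not rec["used_90d"],
    }


def triage(inventory=INVENTORY, today=TODAY, active=ACTIVE_EMPLOYEES):
    """Rank identities by summed severity so remediation starts with the worst."""
    scored = []
    for rec in inventory:
        findings = check_identity(rec, today, active)
        score = sum(SEVERITY[kind] for kind, _ in findings)
        scored.append({"identity": rec["id"], "severity": score, "findings": findings})
    return sorted(scored, key=lambda s: s["severity"], reverse=True)


if __name__ == "__main__":
    for item in triage():
        print(item["identity"], item["severity"], item["findings"])
        print("  plan:", remediation_plan(next(r for r in INVENTORY if r["id"] == item["identity"])))
```

In a real deployment the `used_90d` field is the expensive part: it comes from joining the inventory with access logs, and the quality of the over-privilege finding is only as good as that join.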

Delegated Authority: Sandbox Before You Ship

Before deploying an agent to production, Setu's identity sandbox lets you simulate the security implications. Add the agent's proposed credentials and permissions to the graph, and immediately see:

  • What the agent can reach — every access path, every resource
  • What the ECI score would be
  • What toxic permission combinations exist (e.g., read access to secrets + write access to production configs)
  • What the financial exposure is if the agent is compromised
  • What the minimum-privilege configuration looks like to achieve the same functionality

This is the "test before breaking" principle applied to agent security. Instead of deploying an agent and discovering six months later that it accumulated admin-equivalent access through transitive role bindings, you compute the exposure before the agent goes live.
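Here is an added example of the sandbox idea, written for this article and not taken from Setu. Given a proposed set of roles and the permissions the agent actually needs, it expands transitive role bindings into effective permissions, flags toxic combinations (the secrets-read plus production-config-write pair from the list above is one of the rules), reports the excess, and proposes a least-privilege role set by greedy set cover. The role catalogue, the second toxic rule and the set-cover heuristic are assumptions.

```python
"""Pre-deployment identity sandbox: effective permissions, toxic combinations,
and a least-privilege alternative.

Added example, not Setu's code. The role catalogue, the toxic-combination rules
and the greedy set-cover heuristic are constructed assumptions.
"""
from collections import deque

# Constructed role catalogue: role -> directly granted permissions.
ROLE_PERMISSIONS = {
    "ops-admin": {"secrets:read", "config:write", "db:admin"},
    "logs-admin": {"logs:read", "logs:delete"},
    "logs-reader": {"logs:read"},
    "secrets-reader": {"secrets:read"},
    "tickets-agent": {"tickets:read", "tickets:write"},
}
# Transitive role bindings: a role that pulls in other roles.
ROLE_INCLUDES = {"ops-admin": {"logs-admin"}}

# Permission pairs that are dangerous together even if each alone is routine.
TOXIC_COMBINATIONS = [
    ({"secrets:read", "config:write"}, "read secrets + write production config"),
    ({"db:admin", "logs:delete"}, "change data + erase the audit trail"),
]


def effective_permissions(roles):
    """Union of permissions across the roles and everything they transitively include."""
    perms, seen, queue = set(), set(), deque(roles)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        perms |= ROLE_PERMISSIONS.get(role, set())
        queue.extend(ROLE_INCLUDES.get(role, ()))
    return perms


def toxic_combinations(perms):
    """Descriptions of every toxic pair fully contained in `perms`."""
    return [desc for combo, desc in TOXIC_COMBINATIONS if combo <= perms]


def minimum_privilege(required):
    """Greedy set cover: repeatedly pick the role covering the most still-uncovered
    required permissions; ties go to the role with the fewest permissions overall."""
    uncovered, chosen = set(required), []
    while uncovered:
        best = max(
            ROLE_PERMISSIONS,
            key=lambda r: (len(effective_permissions([r]) & uncovered),
                           -len(effective_permissions([r]))),
        )
        gained = effective_permissions([best]) & uncovered
        if not gained:
            raise ValueError(f"no role grants {sorted(uncovered)}")
        chosen.append(best)
        uncovered -= gained
    return chosen


def simulate(proposed_roles, required):
    """What the agent would be able to do if shipped as proposed, and the leaner alternative."""
    perms = effective_permissions(proposed_roles)
    leaner = minimum_privilege(required)
    return {
        "effective": sorted(perms),
        "excess": sorted(perms - set(required)),
        "toxic": toxic_combinations(perms),
        "least_privilege_roles": leaner,
        "least_privilege_toxic": toxic_combinations(effective_permissions(leaner)),
    }


if __name__ == "__main__":
    report = simulate(["ops-admin", "tickets-agent"],
                      {"tickets:read", "tickets:write", "logs:read"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

The instructive part is that the proposed bundle is toxic only because of a transitive binding: `ops-admin` was requested for its `logs:read`, and the `logs:delete` it drags in through `logs-admin` is what completes the second toxic pair. The least-privilege suggestion grants the same three required permissions with no toxic combination at all.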

Machine-Speed Response: Closed-Loop Remediation

When detection-to-exploitation windows are measured in minutes, the remediation path can't route through a ticketing system. Setu's closed-loop remediation operates in under five minutes from detection to fix:

  1. Detection: Behavioral anomaly, prompt injection attempt, or exposure threshold breach
  2. Graph traversal: Immediate computation of all affected identities, resources, and access paths
  3. Impact assessment: ECI change, affected downstream identities, production dependency check
  4. Remediation execution: Automated permission revocation, credential rotation, or agent isolation — across IAM, cloud, and network in a single action
  5. Validation: Post-remediation graph recomputation confirming exposure reduction

No human in the critical path for time-sensitive responses. Full audit trail for every automated action. Human review for complex, multi-system remediations where the ECI of the fix itself needs assessment.

Regulatory Compliance: One Graph, Every Framework

Each compliance framework asks a variant of the same questions: What identities exist? What can they access? How is access controlled? How are incidents detected and reported? Is there an audit trail?

The identity exposure graph answers all of these from a single data model:

Framework           | What the Graph Provides
EU AI Act           | AI asset inventory, risk classification, human oversight documentation, comprehensive logging
NIST AI RMF         | Map (asset discovery), Measure (ECI scoring), Manage (remediation), Govern (policy enforcement)
HIPAA               | PHI access paths, Business Associate mapping, six-year audit retention, access minimization evidence
SOC 2 + ISO 42001   | Access control evidence, change tracking, AI governance documentation
SEC Cyber Rules     | Material incident detection, four-day disclosure support with pre-computed impact assessment
OWASP LLM Top 10    | Runtime coverage across all 10 categories with detection metrics

This isn't compliance theater — generating reports that describe controls. It's compliance as a natural byproduct of continuous security operations. The same graph that detects threats also produces the evidence that auditors need.


The Contextual Trinity: Identity, Data, Intent

The vendors that will define the next generation of security platforms are those that can correlate three dimensions simultaneously:

  1. Identity: Who or what is acting? Human, service account, or AI agent? What's the ECI? What's the behavioral baseline?
  2. Data: What's being accessed or generated? How sensitive is it? What regulatory controls apply? Where does it flow?
  3. Intent: Why is this action happening? Is it consistent with established patterns? Does it align with the agent's legitimate purpose?

Any two of these without the third produces blind spots:

  • Identity + Data without Intent: You know who accessed what, but you can't distinguish legitimate access from exfiltration. This is where legacy DLP lives — and why it generates false positives at scale.
  • Identity + Intent without Data: You know who is doing what and why, but you don't know if the data being touched is a public brochure or PII. This is where pure UEBA lives.
  • Data + Intent without Identity: You know what data is moving and why, but you can't attribute it to a specific identity or compute the ECI if the action is malicious. This is where data-centric security lives.

Setu's graph natively models all three. Every node has identity context, data sensitivity context, and behavioral context. Every edge has intent attribution. Every traversal crosses all three dimensions.


From Reactive Detection to Predictive Exposure Management

The industry's default posture is reactive: wait for something bad to happen, detect it, respond. With autonomous agents operating at machine speed, reactive security means you're always responding to breaches that already completed.

Setu's graph enables a fundamentally different approach: predictive exposure management. Instead of waiting for an agent to be compromised, continuously compute what would happen if it were:

  • Which agents have ECI scores above your risk threshold?
  • Which NHIs have toxic permission combinations that would allow lateral movement?
  • Which access paths connect low-privilege entry points to high-value targets?
  • Which recent permission changes increased exposure across the most identities?

These aren't alerts about things that happened. They're pre-computed exposures about things that could happen, ranked by actual ECI and financial impact. Remediate the highest-exposure paths before an attacker finds them.

This is the difference between asking "were we breached?" and asking "where are we most likely to be breached, and what's the fastest way to reduce that likelihood?"


The Learned Layer: What Ships, What's Roadmap

Traditional anomaly detection relies on rules and thresholds. Setu is building a Graph Neural Network pipeline on PyTorch Geometric that operates directly on the identity exposure graph. Honest breakdown of the stack:

  • Behavioral baselines per identity, per resource, per access pattern — shipping today via per-tenant baselining over the entity graph; the thresholds that convert baselines into alerts are tunable rules, not physics.
  • Community detection for clusters of identities with similar access patterns — shipping today via deterministic graph clustering; the GNN-learned version is roadmap.
  • Temporal pattern analysis detecting slow-and-low privilege accumulation — shipping today via timestamped entity graph with first-seen / dormancy / déjà-vu rules; the learned temporal-graph layer (TGN-style streaming embeddings) is Q4 2026 roadmap.
  • Causal inference distinguishing root causes from symptoms — research bet, not shipping. This is an active R&D direction; nobody ships genuine causal inference on enterprise identity graphs today, including Setu.

When the learned layer catches up to the substrate, a GNN will flag access patterns that have deviated from a behavioral cluster without exceeding any hand-coded threshold. Until then, the substrate — timestamped entity graph plus tunable rules — is the load-bearing thing, and the learned layer is the additive force multiplier.
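To show what the "substrate" rules look like in practice, here is an added example, not Setu's code, of a streaming detector over a timestamped entity graph implementing three of them: first-seen access (an identity touching a resource it has never touched), dormancy reactivation (an identity silent for a long stretch, then active again), and slow-and-low privilege accumulation (many small grants spread across a window, none of which would trip a per-change threshold). The event format, the thresholds and the event stream are constructed assumptions.

```python
"""Temporal rules over a timestamped entity graph: first-seen, dormancy, slow accumulation.

Added example, not Setu's code. The event format, the thresholds and the
constructed event stream below are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

DORMANCY_DAYS = 30          # assumed: silent this long, then active again
ACCUMULATION_WINDOW = 90    # assumed: grants counted over this many days
ACCUMULATION_MIN_DAYS = 4   # assumed: grants on this many separate days is "slow-and-low"

# Constructed event stream in time order. kind is "access" (identity touched a
# resource) or "grant" (identity received a new permission).
EVENTS = [
    {"ts": date(2025, 11, 1), "identity": "agent_rag", "kind": "access", "target": "vector_store"},
    {"ts": date(2025, 11, 3), "identity": "svc_etl", "kind": "access", "target": "prod_db"},
    {"ts": date(2025, 11, 20), "identity": "agent_rag", "kind": "grant", "target": "bucket:read"},
    {"ts": date(2025, 12, 10), "identity": "agent_rag", "kind": "grant", "target": "keys:decrypt"},
    {"ts": date(2026, 1, 5), "identity": "agent_rag", "kind": "grant", "target": "roles:assume"},
    {"ts": date(2026, 1, 28), "identity": "agent_rag", "kind": "grant", "target": "db:read"},
    {"ts": date(2026, 2, 2), "identity": "svc_etl", "kind": "access", "target": "prod_db"},
    {"ts": date(2026, 2, 3), "identity": "agent_rag", "kind": "access", "target": "prod_db"},
]


class TemporalDetector:
    """Single streaming pass; the state is the timestamped entity graph."""

    def __init__(self):
        self.first_seen = {}                 # (identity, resource) -> first timestamp
        self.last_active = {}                # identity -> timestamp of its last event
        self.grant_days = defaultdict(set)   # identity -> days on which it gained a permission

    def observe(self, ev):
        """Feed one event; return the list of (rule, identity, detail) that fired."""
        findings = []
        ident, ts = ev["identity"], ev["ts"]
        known = ident in self.last_active
        # Dormancy rule: reactivation after a long silence, whatever the action.
        if known:
            gap = (ts - self.last_active[ident]).days
            if gap >= DORMANCY_DAYS:
                findings.append(("dormant_reactivation", ident, f"silent {gap} days"))
        self.last_active[ident] = ts
        if ev["kind"] == "access":
            key = (ident, ev["target"])
            if key not in self.first_seen:
                self.first_seen[key] = ts
                # The very first event of a new identity only seeds its baseline.
                if known:
                    findings.append(("first_seen", ident, f"first access to {ev['target']}"))
        elif ev["kind"] == "grant":
            self.grant_days[ident].add(ts)
            window_start = ts - timedelta(days=ACCUMULATION_WINDOW)
            recent = {d for d in self.grant_days[ident] if d >= window_start}
            # Slow-and-low rule: many small grants across the window.
            if len(recent) >= ACCUMULATION_MIN_DAYS:
                findings.append(("slow_accumulation", ident,
                                 f"{len(recent)} grant days within {ACCUMULATION_WINDOW} days"))
        return findings

    def run(self, events):
        findings = []
        for ev in events:
            findings.extend(self.observe(ev))
        return findings


def finding_kinds(events=EVENTS):
    """identity -> set of rules that fired over the whole stream."""
    summary = defaultdict(set)
    for rule, ident, _ in TemporalDetector().run(events):
        summary[ident].add(rule)
    return dict(summary)


if __name__ == "__main__":
    for finding in TemporalDetector().run(EVENTS):
        print(finding)
```

None of these rules needs a model: each is a comparison against state the graph already carries (first timestamp per edge, last timestamp per node, grant timestamps per node). That is what makes the substrate load-bearing today, and it is also why the thresholds are tunable policy rather than anything learned.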


What Implementation Actually Looks Like

Theory is useful. Architecture is essential. But security leaders need to know what deployment looks like in practice.

Week 1: Discovery and Baseline

Connect identity providers, cloud platforms, SaaS applications, and AI agent frameworks. The graph begins populating immediately — every identity, every permission, every access path. Initial ECI scores are computed across all identities. Shadow AI assets are discovered and cataloged.

Typical findings at this stage: 40-60% of NHIs are over-privileged. 15-25% are orphaned. 3-8 AI agents or tools are operating outside governance boundaries.

Week 2: Policy and Governance

Map discovered assets to regulatory frameworks. Establish behavioral baselines. Define ECI thresholds by identity type and resource sensitivity. Configure remediation playbooks for common exposure patterns.

Week 3: Active Defense

Enable real-time prompt injection detection. Activate closed-loop remediation for high-confidence, low-risk actions (orphaned credential removal, expired token cleanup). Enable sandbox for pre-deployment agent security assessment.

Ongoing: Continuous Posture Management

The graph is never "done." Every permission change, every new agent deployment, every credential creation updates the graph and recomputes affected ECI scores. Exposure trends are tracked over time. Remediation effectiveness is measured not in tickets closed but in aggregate ECI reduced.


Summary

The security perimeter dissolved years ago. The human-only identity model is dissolving now. What remains is the graph: every identity, every access path, every resource, every intent — modeled, scored, and defended in real time. The enterprises that build this control plane will secure their autonomous workforce. The ones that don't will learn, expensively, that you cannot defend probabilistic systems with deterministic tools.

Setu Security Research