Identity security is undergoing its biggest transformation in decades as enterprises shift from managing human users to governing vast numbers of AI agents.
In this interview, Saviynt Chief Trust Officer Jim Routh explains why traditional identity governance architectures are becoming obsolete, how organizations should build AI governance around specific business use cases, and what enterprises must do to securely manage autonomous AI agents as they become a permanent part of the workforce.
Core Takeaways
Identity Governance Must Be Rebuilt for AI: Traditional identity governance systems were designed to manage human access decisions, but enterprises now face an explosion of AI agents. Routh argues that legacy architectures are no longer sufficient and that AI-native identity security platforms are required.
Start AI Governance with Individual Use Cases: Rather than attempting to create a comprehensive AI governance framework from the outset, organizations should build governance incrementally around specific AI use cases, applying appropriate controls to each before expanding across the enterprise.
Continuous Authentication Improves Security: Identity security relies on behavioral analytics that continuously evaluate user activity rather than trusting a single login event. Detecting deviations from normal behavior enables organizations to identify compromised accounts and automatically respond in real time.
AI Agents Need Ownership and Lifecycle Management: As enterprises deploy thousands of AI agents, every agent must be registered, assigned an owner, governed by policy, and eventually deprovisioned or reassigned. Unmanaged AI agents represent one of the largest emerging risks in enterprise security.
Key Quotes
Legacy Identity Systems Are Becoming Obsolete
“We’ve spent really 30 to 35 years building transaction processing systems to manage a human decision to allow a human access to resource. Today we’ve kind of outgrown that model. Matter of fact, that model and the architecture to it is a bit obsolete. We shouldn’t be looking at a transaction processing record keeping function of identity access governance as the solution for enabling identity protection for agents and non-human accounts. That requires different capabilities, newer capabilities, and frankly requires AI to be part of the solution.”
Build AI Governance One Use Case at a Time
“The first thing I start with is you need a governance model for AI that balances the strategic imperatives for the business with the right control capability. The best model that I’ve found is using use cases. Each use case represents a strategic business need that requires some level of control. We design those controls for that use case, then move to the next one, and the next one. Over time you’re creating a building block approach to an enterprise governance model for AI.”
Behavioral Analytics Enables Continuous Authentication
“We can take attribute information about an individual’s IT usage and establish behavioral patterns. Those patterns can be represented numerically. When we detect a deviation, we measure that difference and trigger automated workflows that operate in milliseconds. If the deviation is significant enough, we may revoke the entitlement because it’s likely not the person who originally had that entitlement that’s using it anymore.”
Every AI Agent Must Have an Owner
“What’s happening today is enterprises are releasing agents that are not owned. Not because people have bad intent, but because the controls don’t exist. Those agents are unmanaged, and that’s the challenge enterprises face. Identity security has to evolve to detect agents in the environment, register those agents, identify their linkage to individuals who are responsible for them, and ultimately manage their entire lifecycle. Otherwise, we’re setting ourselves up for much higher costs—or worse, a significant compromise.”
