AI Agents and Corporate Shadow IT: A New Era for SailPoint?

AI agents are quietly revolutionizing business processes, from procurement to data analysis. In parallel, they are also creating a new, largely invisible layer of risk. SailPoint, a well-known player in identity security, has responded to this challenge by unveiling its Agentic Fabric platform, specifically designed to manage AI agents and other non-human identities. As Matt Mills, President at SailPoint, stated:

“AI agents are transforming how work gets done, but they are also introducing a new class of identity risk that most organisations are not prepared for.”

The root of the problem is that traditional identity security was built for people, not for autonomous software. Agentic Fabric aims to fill this gap, complementing the company’s existing Identity Security Cloud platform, which manages human identities.

From Discovery to Protection: How Agentic Fabric Works

SailPoint’s platform is built on three fundamental pillars to provide complete visibility and control over non-human identities.

1. Discovery

The first and most crucial step is to establish visibility. The platform maps AI agents, machine identities, and applications operating in the environment. From this, it builds an identity graph that visually links agents to the data and systems they touch. This capability is key to tackling the phenomenon of “shadow AI,” where organizations are unaware of AI tools operating outside their oversight.

2. Governance

Visibility alone is not enough. The governance layer ties every single agent to a human owner. This chain of responsibility is essential for accountability. The platform provides lifecycle controls and policy-based access, allowing organizations to define precisely what each agent can access.

3. Protection

The third pillar is proactive protection. The system enforces the principle of least-privilege access through real-time authorization. It also includes threat detection and automated response to prevent the misuse of privileges or damage caused by compromised agents.

SailPoint is introducing two commercial packages: Agentic Business provides foundational governance with least-privilege access across all identity types, while Agentic Business Plus adds zero-standing privilege and just-in-time access for even tighter enforcement controls.
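The controls described under Governance and Protection (a human owner for every agent, policy-based access, zero standing privilege and just-in-time access) can be illustrated with a small deny-by-default authorization check. This is an added example, not SailPoint code or the Agentic Fabric API; the `Agent` model, the function names, the agent IDs and the action strings are hypothetical, and the inventory is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Agent:                        # hypothetical model of a non-human identity
    agent_id: str
    owner: Optional[str]            # accountable human; None means ownerless
    policy: frozenset               # actions the policy lets this agent request
    grants: dict = field(default_factory=dict)   # action -> expiry (JIT grants)

def grant_jit(agent, action, now, ttl=timedelta(minutes=15)):
    """Issue a short-lived grant; refuse ownerless agents and out-of-policy actions."""
    if not agent.owner:
        raise PermissionError(f"{agent.agent_id}: no human owner")
    if action not in agent.policy:
        raise PermissionError(f"{agent.agent_id}: {action} not in policy")
    agent.grants[action] = now + ttl
    return agent.grants[action]

def authorize(agent, action, now):
    """Decide at request time: deny by default, allow only an unexpired grant."""
    if not agent.owner:
        return (False, "no-owner")
    if action not in agent.policy:
        return (False, "out-of-policy")
    expiry = agent.grants.get(action)
    if expiry is None:
        return (False, "no-grant")          # zero standing privilege
    if now >= expiry:
        del agent.grants[action]            # expired grants are not reusable
        return (False, "grant-expired")
    return (True, "ok")

def demo():
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    # Constructed inventory: one governed agent, one "shadow" agent without owner.
    po_bot = Agent("procurement-bot", "alice@example.com",
                   frozenset({"erp:read_po", "erp:create_po"}))
    shadow = Agent("shadow-summarizer", None, frozenset({"crm:read"}))
    out = [authorize(po_bot, "erp:create_po", t0)]            # nothing granted yet
    grant_jit(po_bot, "erp:create_po", t0)
    out.append(authorize(po_bot, "erp:create_po", t0 + timedelta(minutes=5)))
    out.append(authorize(po_bot, "erp:create_po", t0 + timedelta(minutes=20)))
    out.append(authorize(po_bot, "hr:read_salaries", t0))     # outside its policy
    out.append(authorize(shadow, "crm:read", t0))             # ownerless agent
    return [reason for _, reason in out]

if __name__ == "__main__":
    print(demo())
```

The policy set bounds what an agent may ever request, while the grant table controls what it holds at a given moment, so a compromised agent with no active grant has nothing to misuse.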

The AIQ Perspective: Why This is Critical for EU Companies

In a corporate context, this announcement is more than just a new product launch. From an AIQ standpoint, it clearly signals an industry shift to extend identity management beyond human users. This has particular significance in the European Union’s regulatory landscape.

  • GDPR Compliance: If an AI agent processes personal data, who is the responsible data controller or processor? Agentic Fabric’s mechanism of tying agents to a “human owner” helps answer this question and establishes the accountability required by the GDPR. An ownerless, autonomous agent represents a serious compliance risk.
  • EU AI Act Readiness: The soon-to-be-fully-enforced AI Act imposes strict requirements on high-risk AI systems, including robust risk management and human oversight. A platform that provides visibility, policy-based control, and a human chain of responsibility over AI agents directly supports compliance with these requirements.

Connecting the Dots to the OWASP LLM Top 10

From an AIQ standpoint, SailPoint’s new platform directly addresses risks identified in the OWASP LLM Top 10, particularly one of the most dangerous ones.

  • LLM08: Excessive Agency: This risk arises when an LLM-based agent is given more permissions than necessary and can perform harmful or unintended actions autonomously. The governance and protection features of Agentic Fabric—the principle of least privilege, policy-based access, and real-time authorization—are designed precisely to mitigate this risk.
  • LLM10: Unmanaged Assets: The “shadow AI” phenomenon is a perfect example of unmanaged assets. The platform’s Discovery feature is specifically for finding these hidden, unregistered applications and agents, which is the first step toward managing their risk.

Audit Takeaways and Next Steps

The key takeaway from this announcement for security and technology leaders is that their identity management strategies must be urgently re-evaluated. It is no longer sufficient to focus only on human users.

AIQ suggests that companies should take the following first steps:

  1. Take Inventory: Take advantage of the free Discovery Tool trial offered by SailPoint, which is available now. This will help assess the current situation and identify hidden AI tools. The trial is open to new customers as a standalone product and to existing users of IdentityIQ and Identity Security Cloud.
  2. Adopt the “Human Owner” Principle: Begin embedding into the organizational culture that every automated process, every agent, must have a clearly designated human accountable for it.
  3. Plan Ahead: Although the general availability of Agentic Fabric and the full agentic packages is scheduled for summer 2026, preparations must start now. Transforming identity management systems is a time-consuming process.

According to Chandra Gnanasambandam, EVP of Product and CTO at SailPoint, “As this new identity landscape takes shape, organisations need a way to govern and protect human, machine and AI identities together.” This statement perfectly summarizes the challenge of the future, one that every forward-thinking organization must prepare for.

Attila Rácz-Akácosi

Independent AI Security Specialist

Two decades of analytical and systems-oriented experience. I have been working with artificial intelligence since 2017. In recent years, I have specialized in AI/LLM security and AI Red Teaming. Systems-level thinking instead of endless vulnerability checklists.