AI Agents Belong In Your Identity Program

InnovationAI Agents Belong In Your Identity ProgramByNolan Garrett,Forbes Councils Member.for Forbes Technology CouncilCOUNCIL POSTExpertise from Forbes Councils members, operated under license. Opinions expressed are those of the author. | Membership (fee-based)May 21, 2026, 06:45am EDTNolan Garrett, CEO of TorchLight (formerly Intrinium): A premier security-first managed services and risk management partner since 2007. getty​Around 2 a.m. a few months back, our monitoring at TorchLight lit up with what looked like textbook data exfiltration. A process was base64-encoding a file and shipping it over SSH to a remote server. We woke up the on-call team, pulled the thread and braced for an incident.It wasn't a threat actor. It was Claude. Anthropic's Opus model, in the middle of a long-running code analysis task we'd kicked off ourselves. Somewhere along the way, the model decided that instead of using its local sandbox, it should route the work through a remote server we'd wired up via Model Context Protocol. It encoded the file. It sent it. It triggered our SOC. The actions themselves turned out to be harmless. Nothing sensitive was actually moving. But the lesson was real: identity management and agent visibility, sized for the agents we now have, were not where they needed to be.I run an MSSP, so I have spent two decades watching humans, contractors and service accounts find creative ways to use permissions they shouldn't have had in the first place. The uncomfortable detail in this one was who the "user" turned out to be. An agent we had built ourselves, running with credentials we had handed it, doing something none of us anticipated, at machine speed, while everyone was asleep.Most board decks I see still frame AI risk as a hallucination or data-leakage problem. The risk that worries me now is something different. It is software that can open files, hit APIs, move data and make changes without waiting for a human to click appr...