The enterprise identity world converged on Las Vegas last week for Identiverse 2026, and one theme dominated every keynote, every hallway conversation, and every vendor demo: AI agents. Not the chatbots of yesterday. These are autonomous, decision-making digital workers that can provision cloud resources, approve expense reports, or lock down a compromised endpoint—all in milliseconds, without a human in the loop. The big question: how do you authorize something that acts at machine speed before it outruns your identity systems?

Conference organizers dedicated an entire track to “agent governance,” a term that barely existed a year ago. The exhibition floor was dotted with startups and incumbents pitching registries, control planes, gateways, and governance fabrics—each claiming to be the missing link that will let AI agents roam enterprise systems without causing chaos. Meanwhile, identity giants like Microsoft, Okta, and Ping Identity showcased their own spins, often centered on extending existing identity and access management (IAM) platforms to these non-human actors.

The stakes are enormous. A typical enterprise might deploy hundreds of AI agents within the next two years, each with different scopes, privileges, and risk profiles. A coding agent that pushes to a repository needs fine-grained permissions that differ wildly from a procurement agent that can place orders. Getting that wrong means either stifling innovation with too many roadblocks, or opening the door to a breach that moves faster than any human responder could ever react.

The rise of the non-human identity

Before the show even started, a pre-conference workshop titled “When Your Bot Has More Privileges Than Your CEO” set the tone. The premise: service accounts and workload identities have existed for years, but those were largely static, tightly scoped, and managed by IT. Modern AI agents are dynamic; they learn, they chain actions, and they interact with other agents. They can accumulate privileges in real time, creating access paths that no security architect ever anticipated.

Microsoft used its keynote slot to double down on what it calls “workload identity governance.” The company pointed to the rapid adoption of its Entra Workload ID Premium, which now protects over 10 million non-human identities across Azure, Microsoft 365, and third-party apps. But the audience’s probing questions revealed a collective anxiety: can a governance model built for predictable, known workloads really handle agents that behave like stochastic parrots with admin rights?

Vendors on the floor were quick to offer answers. One startup, AgentAuth (formerly a stealth project at a major bank), drew crowds with a live demo of its “continuous risk evaluation engine.” The system intercepts every API call an agent makes, evaluates context—time, location, data sensitivity, behavior history—and issues a just-in-time token that expires within seconds. The demo ended with the crowd applauding when an agent trying to exfiltrate data after hours was silently blocked, while a legitimate bulk transfer went through with zero friction.

Other vendors showcased registries. Think of an agent registry as an app store for AI bots, except every entry comes with a machine-readable manifest describing exactly what the agent can do, which datasets it accesses, and which other agents it can talk to. Several large banks in attendance said they are already requiring internal teams to register all agents—whether homegrown or from SaaS providers—before they can connect to any production system. “If it’s not in the registry, it’s not on the network,” one CISO told me during a coffee break. “Harsh, but it’s the only way we sleep at night.”

The gateway wars and the control plane dream

The loudest buzzword at Identiverse 2026 was “AI gateway.” Like API gateways before them, these new products sit between an agent and the enterprise backend, inspecting requests, enforcing policies, and maintaining an immutable log. But unlike traditional API gateways, they must understand the semantics of agent intent. An agent that says “run this SQL query” is different from one that says “train this model,” even if both use HTTP. Gateways must parse the payload, check the agent’s authorization context, and decide in under 10 milliseconds—or risk agents timing out and breaking business processes.

During a packed panel, engineers from three different gateway startups debated the right architecture. One camp pushed for a centralized control plane that aggregates policies across all agents, all APIs, and all identity providers. Another argued for a decentralized mesh where each service enforces its own policies, citing the failure of previous “centralized identity” dreams. The audience, made up mostly of identity architects from Fortune 500 companies, seemed split. A show of hands at the end revealed that while 60% were piloting some form of AI gateway, only a fraction had deployed it in production.

Ping Identity took a different tack, announcing a partnership with a leading observability platform to feed agent telemetry directly into its risk engine. The idea: if you can’t trust the agent, trust the pattern. Their demo showed a dashboard that lit up red when an agent suddenly accessed a server it had never touched before, even if the access was technically authorized. The system didn’t block the request—that would require a gateway—but it fired an alert into the SOC, giving humans a chance to intervene. It’s a pragmatic stopgap, and many attendees scribbled notes.

Microsoft Entra and the Windows enterprise play

For the Windows-focused crowd that reads this site, the real news was how all this flows into the Microsoft ecosystem. Microsoft’s strategy, laid out in a breakout session titled “Securing AI at Scale with Entra,” revolves around three pillars: identity lifecycle for agents, continuous access evaluation (CAE), and a new schema for conditional access policies tailored to non-human actors.

Entra already supports workload identities with certificate-based authentication, and CAE can revoke access in near real time—a capability that became critical during a 2024 incident when a compromised workload identity was used to move laterally across a tenant. Now, Microsoft is extending that to agents. The big reveal: a public preview of “Agent Conditional Access,” which lets admins write policies like “Allow any agent registered in the finance registry to access ERP APIs, but only from U.S. data centers and only with a risk score below 25.”
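As an added illustration (not code from the article, from Microsoft, or from any vendor mentioned here), the following Python sketches how the pieces described so far fit together: a registry whose manifests say what each agent may do and whom it may call, a policy of the exact shape just quoted (finance registry, ERP APIs only, U.S. data centers only, risk score below 25), and the seconds-lived token that a gateway such as the one in the earlier AgentAuth demo would hand back on "allow". Agent names, registry names, regions, scores, the token format and the signing key are all constructed for the example.

```python
# Added example: toy agent registry + conditional-access-style policy check +
# short-lived HMAC token. Nothing here is Entra's or any vendor's API; all
# identifiers and values are constructed for illustration.
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class AgentManifest:
    agent_id: str
    registry: str                 # registry the agent is enrolled in
    allowed_apis: FrozenSet[str]  # API families the manifest permits
    can_talk_to: FrozenSet[str]   # other agents it is allowed to call


# Constructed registry: "if it's not in the registry, it's not on the network".
REGISTRY = {m.agent_id: m for m in (
    AgentManifest("fin-ap-bot", "finance", frozenset({"erp"}), frozenset({"fin-report-bot"})),
    AgentManifest("fin-report-bot", "finance", frozenset({"erp", "bi"}), frozenset()),
    AgentManifest("dev-ci-bot", "engineering", frozenset({"git"}), frozenset()),
)}


@dataclass(frozen=True)
class Policy:
    registry: str                    # agent must be enrolled here
    api: str                         # API family this policy governs
    allowed_regions: FrozenSet[str]  # request must originate from one of these
    max_risk: int                    # risk score must be strictly below this


# "Allow any agent in the finance registry to reach ERP APIs, only from U.S.
# data centers, only with a risk score below 25."
FINANCE_ERP = Policy("finance", "erp", frozenset({"us-east", "us-west"}), 25)


@dataclass
class Decision:
    allow: bool
    reason: str
    token: Optional[str] = None


def mint_token(agent_id: str, api: str, now_epoch: int, ttl: int, key: bytes) -> str:
    """HMAC-signed, seconds-lived token: the just-in-time credential a gateway issues."""
    claims = {"sub": agent_id, "aud": api, "exp": now_epoch + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token: str, key: bytes, now_epoch: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    body_b64, sig_b64 = token.split(".", 1)
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > now_epoch else None


def evaluate(policy: Policy, agent_id: str, api: str, region: str,
             risk_score: int, now_epoch: int, key: bytes, ttl: int = 30) -> Decision:
    """Check every condition of the policy; mint a short-lived token only if all pass."""
    manifest = REGISTRY.get(agent_id)
    if manifest is None:
        return Decision(False, "agent not registered")
    if manifest.registry != policy.registry:
        return Decision(False, f"agent not in the {policy.registry} registry")
    if api != policy.api or api not in manifest.allowed_apis:
        return Decision(False, f"api {api} not permitted by policy or manifest")
    if region not in policy.allowed_regions:
        return Decision(False, f"region {region} not allowed")
    if risk_score >= policy.max_risk:
        return Decision(False, f"risk score {risk_score} not below {policy.max_risk}")
    return Decision(True, "all conditions met", mint_token(agent_id, api, now_epoch, ttl, key))


def may_call(caller: str, callee: str) -> bool:
    """Agent-to-agent calls are governed by the caller's manifest as well."""
    m = REGISTRY.get(caller)
    return m is not None and callee in m.can_talk_to and callee in REGISTRY


if __name__ == "__main__":
    now, key = int(time.time()), b"constructed-demo-key"
    for args in (("fin-ap-bot", "erp", "us-east", 10), ("fin-ap-bot", "erp", "eu-west", 10),
                 ("dev-ci-bot", "erp", "us-east", 1), ("ghost-bot", "erp", "us-east", 1)):
        d = evaluate(FINANCE_ERP, *args, now, key)
        print(args, "->", "ALLOW" if d.allow else "DENY", "-", d.reason)
```

The order of checks matters for auditability: registry membership is tested before anything else, so an unregistered agent is refused with the same reason regardless of how benign its request looks, and the risk threshold is the last gate so that a denial reason always names the first failed condition.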

The demo showed an admin portal—familiar to anyone who’s configured conditional access policies (CAPs) for users—with a new tab simply labeled “Agents.” Under the hood, each agent gets an identity in Entra ID, classified as a “service principal” but with a new category marker. That marker triggers special handling: CAE checks happen with every request, not just every hour, and risk is computed based on agent behavior over tens of thousands of requests rather than a single sign-in. One Microsoft program manager told me that in internal testing, agent CAE added an average of 4.7 milliseconds of latency—well within the 10 ms threshold that most enterprises demand.

But the crowd wasn’t all smiles. Several Microsoft MVPs in attendance pressed the presenters on how this works with multi-agent systems where one agent spawns another. “Does the child agent inherit the parent’s policies, or does it get a new identity?” asked one. The answer, after a short pause: “That’s still being designed. We’re looking at runtime token exchange with scope narrowing, but it’s not in this preview.” The honesty was refreshing, but it underscored how nascent the whole field is.

Practitioners speak: what’s real, what’s vapor

Outside the vendor halls, the hallways told a grittier story. I spoke with a senior identity architect for a major retailer who has been running AI agents in production for six months—well ahead of the governance curve. “We built our own registry using a Git repository and some custom OPA rules,” they said, referring to Open Policy Agent. “It works, but my team is drowning in exceptions. Every vendor integration needs a custom policy, and the agents keep changing. Last week a finance agent suddenly started accessing the HR system because someone updated its training data. We caught it, but only because we had a human spotting it manually.”

That pain point—agent drift—emerged as the unsolved problem of the conference. Agents that learn and adapt are the very definition of modern AI, but they also drift from their original authorization profile. A registry that’s not continuously updated is worse than useless; it gives a false sense of security. Several vendors claimed their gateways can auto-discover agent behavior and suggest policy updates, but no one demoed that convincingly. “It’s the holy grail,” said a Gartner analyst during a lunch roundtable. “Whoever solves drift detection and auto-remediation for agent policies will own this market within two years.”
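The kind of detection the Ping demo and the retailer's finance-agent incident both call for can be built from access logs alone. The following Python is an added example, not code from the article or from Ping Identity or any other vendor: it learns which resources each agent was allowed to reach during a baseline window, then raises an alert (it never blocks) when an agent reaches a resource it has never used before, even if the request was authorized, or when an agent absent from the baseline shows up at all. The log line format, agent names and resources are constructed for the example.

```python
# Added example: baseline-and-drift detector for agent access logs. The log
# format and all agent/resource names are constructed; this is not any
# product's telemetry schema.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Constructed line format: "<ISO timestamp> agent=<id> resource=<id> action=<verb> decision=allow|deny"
LINE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) resource=(?P<resource>\S+) "
    r"action=(?P<action>\S+) decision=(?P<decision>allow|deny)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None for lines that do not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def build_baseline(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Resources each agent was *allowed* to reach during the learning window."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e and e["decision"] == "allow":
            baseline[e["agent"]].add(e["resource"])
    return dict(baseline)


def detect_drift(baseline: Dict[str, Set[str]], lines: Iterable[str]) -> List[dict]:
    """One alert per (agent, resource) pair that the baseline has never seen."""
    seen = {agent: set(res) for agent, res in baseline.items()}  # copy: do not mutate the baseline
    alerts: List[dict] = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        known = seen.get(e["agent"])
        if known is None:
            # An agent that never appeared during the baseline window at all.
            seen[e["agent"]] = {e["resource"]}
            kind = "unknown-agent"
        elif e["resource"] not in known:
            # Authorized or not, this agent has never touched this resource before.
            known.add(e["resource"])
            kind = "new-resource"
        else:
            continue
        alerts.append({"ts": e["ts"], "agent": e["agent"], "resource": e["resource"],
                       "kind": kind, "authorized": e["decision"] == "allow"})
    return alerts


def suggested_manifest_update(alert: dict) -> str:
    """What a human reviewer would have to add to the manifest if the access is legitimate."""
    return f"{alert['agent']}: allowed_resources += {{{alert['resource']!r}}}"


# Constructed sample logs: a learning window, then the window under inspection.
BASELINE_LOG = [
    "2026-05-20T09:00:00Z agent=fin-ap-bot resource=erp-api action=read decision=allow",
    "2026-05-20T09:05:00Z agent=fin-ap-bot resource=erp-api action=write decision=allow",
    "2026-05-21T10:00:00Z agent=fin-ap-bot resource=bi-warehouse action=read decision=allow",
    "2026-05-21T11:00:00Z agent=dev-ci-bot resource=git-server action=read decision=allow",
    "2026-05-21T11:30:00Z agent=dev-ci-bot resource=hr-api action=read decision=deny",
]
NEW_LOG = [
    "2026-06-02T03:15:00Z agent=fin-ap-bot resource=erp-api action=read decision=allow",
    "2026-06-02T03:16:00Z agent=fin-ap-bot resource=hr-api action=read decision=allow",
    "2026-06-02T03:17:00Z agent=fin-ap-bot resource=hr-api action=read decision=allow",
    "2026-06-02T04:00:00Z agent=ops-new-bot resource=erp-api action=read decision=deny",
    "this line is not in the expected format and is skipped",
]


def run_demo() -> List[dict]:
    return detect_drift(build_baseline(BASELINE_LOG), NEW_LOG)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['ts']} {a['kind']:14} {a['agent']} -> {a['resource']} "
              f"(authorized={a['authorized']}); {suggested_manifest_update(a)}")
```

Two design points carry over to a real deployment: denied requests are excluded from the baseline so that a blocked probe does not teach the detector that the access is normal, and each new (agent, resource) pair alerts once rather than on every repeat, which keeps a drifted agent from flooding the SOC while the first alert is being triaged.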

Another concern, particularly for Windows shops, is the entanglement with legacy systems. Many agents don’t use modern OAuth. They rely on Kerberos, LDAP, or even hard-coded credentials—the exact patterns that Microsoft has spent a decade trying to retire. A Microsoft engineer admitted in a hallway chat that they’re exploring a “legacy agent proxy” that would translate old-school authentication into Entra tokens, but it’s a research project with no timeline. In the meantime, companies are left to bolt AI onto identity systems that were never designed for it.

The governance fabric: a unifying idea

If there was one conceptual breakthrough at Identiverse 2026, it was the notion of a “governance fabric.” Unlike a control plane, which is typically a product from a single vendor, a governance fabric is a set of standards and APIs that allow multiple tools to cooperate. Imagine an agent registry that multiple gateways can query, a policy engine that feeds risk signals into various SIEMs, and a logging standard that lets you trace an agent’s decisions across clouds.

The OpenID Foundation used the conference to announce a new working group: the Agent Identity and Authorization Framework (AIAF). Heavyweight backers include Microsoft, Google, and several large banks. The group aims to deliver a first draft of a standard by the end of 2026. If successful, it could do for agent governance what SAML and OIDC did for human authentication—create a lingua franca that prevents vendor lock-in. Skeptics, of course, noted that standards bodies move slowly while agents are already shipping. But the fact that competitors are willing to sit at the same table signals just how urgent the problem is.

What Windows admins should do now

For Windows and Microsoft 365 administrators reading this, the message from Las Vegas is clear: start now, even without perfect tools. The first step is inventory. Use Entra’s existing workload identity reports to find how many non-human identities you actually have—the number often surprises teams. Next, classify them. Which ones are simple service accounts, which ones are scheduled pipelines, and which ones are actual AI agents with learning capabilities? Only that last category requires the kind of governance discussed at Identiverse, but you can’t govern what you don’t know.

If you’re already piloting agents, set a hard rule: no agent connects to production without being registered, and every agent must authenticate with a certificate or a workload identity federated credential—no secrets. Microsoft’s docs on workload identity federation with Entra are solid, and the CAE preview for agents, while limited, is worth testing in a sandbox.

Finally, invest in observability. The most common regret I heard from early adopters was that they deployed agents and only later realized they had no way to audit what the agents were actually doing. Windows Event Forwarding, Azure Monitor, and even open-source tools like Elastic can give you a baseline. Without that, you’re flying blind—and at machine speed, that blindness can be fatal.
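The three steps above (inventory, classify, then enforce registration and secret-free authentication for the agents) can be turned into a repeatable check. The Python below is an added example, not code from the article or from Microsoft, and it does not read Entra's reports: the record schema, the tag conventions used for classification, the credential type names and the registry contents are all assumptions constructed for the example, so map them to whatever your own export actually contains.

```python
# Added example: classify an exported list of non-human identities and apply
# the hard rules from the text to the ones that are AI agents. The record
# schema, tags, credential type names and registry are constructed; this is
# not Entra's export format or API.
from typing import Dict, List, Set

# Constructed inventory in an assumed, simplified schema.
INVENTORY = [
    {"name": "svc-backup", "tags": [], "credentials": ["certificate"]},
    {"name": "nightly-etl", "tags": ["schedule:daily"], "credentials": ["password"]},
    {"name": "fin-ap-bot", "tags": ["ai-agent", "learns"], "credentials": ["federated"]},
    {"name": "helpdesk-agent", "tags": ["ai-agent"], "credentials": ["password", "certificate"]},
    {"name": "lab-agent", "tags": ["ai-agent"], "credentials": ["federated"]},
]
REGISTERED_AGENTS: Set[str] = {"fin-ap-bot", "helpdesk-agent"}  # constructed registry contents
SECRET_CREDENTIALS: Set[str] = {"password", "client-secret"}    # anything that is a shared secret
ACCEPTED_CREDENTIALS: Set[str] = {"certificate", "federated"}   # cert or workload identity federation


def classify(record: dict) -> str:
    """Assumed convention: an 'ai-agent' tag marks agents, a 'schedule:*' tag marks pipelines."""
    tags = set(record["tags"])
    if "ai-agent" in tags:
        return "ai-agent"
    if any(t.startswith("schedule:") for t in tags):
        return "pipeline"
    return "service-account"


def audit(inventory: List[dict], registered: Set[str]) -> List[dict]:
    """Apply the hard rules to every identity classified as an AI agent."""
    findings = []
    for r in inventory:
        kind = classify(r)
        problems: List[str] = []
        if kind == "ai-agent":
            if r["name"] not in registered:
                problems.append("not registered")
            creds = set(r["credentials"])
            bad = creds & SECRET_CREDENTIALS
            if bad:
                problems.append("secret credential: " + ", ".join(sorted(bad)))
            if not creds & ACCEPTED_CREDENTIALS:
                problems.append("no certificate or federated credential")
        findings.append({"name": r["name"], "kind": kind, "problems": problems})
    return findings


def summary(findings: List[dict]) -> Dict[str, int]:
    """How many identities fall into each class; the agent count is the governance workload."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


def blocked_from_production(findings: List[dict]) -> List[str]:
    """Agents that fail any rule and therefore must not connect to production yet."""
    return [f["name"] for f in findings if f["kind"] == "ai-agent" and f["problems"]]


if __name__ == "__main__":
    results = audit(INVENTORY, REGISTERED_AGENTS)
    print(summary(results))
    for f in results:
        print(f"{f['name']:16} {f['kind']:16} {'; '.join(f['problems']) or 'ok'}")
    print("blocked:", blocked_from_production(results))
```

Note that the secret-credential rule is applied only to identities classified as agents, matching the text's advice that the service-account and pipeline categories do not need agent-grade governance yet; widening the rule to all three classes is a one-line change once the agent population is under control.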

Looking ahead: Identiverse 2027 will be very different

Identiverse 2026 closed with a visionary talk that asked: “Will 2027 be the year AI agents govern themselves?” The speaker, a CTO from a large aerospace firm, argued that the ultimate solution isn’t better gates or registries, but agents that carry their own verifiable credentials and negotiate access in a decentralized trust model. It sounded far-fetched, but five years ago, the idea of chatbots approving expense reports was equally pie-in-the-sky. The industry is moving faster than any compliance cycle can match, and the identity professionals in Las Vegas left with a mix of excitement and dread.

For now, the governance work falls on humans. The architectures we build this year—the registries, the gateways, the policies—will define how safe our AI-infused enterprises will be for years. The tools are still rough, the standards are still forming, but one thing is undeniable: the age of the agent is here, and identity security is the only thing standing between a powerful AI and a catastrophic mistake.