
NHI & AI

Forrester AEGIS: Treat AI Agents as First-Class Identities

Forrester Research · 2025

Key Finding

AEGIS integrates agents via OAuth, OIDC, SAML, and SCIM with ownership, credentials, lifecycle, and auditability, then layers a Zero Trust principle of least agency on top.

Forrester's AEGIS framework (Agentic AI Enterprise Guardrails for Information Security, RES185394, 2025) takes a position that should reassure identity architects: the answer to securing AI agents is not a parallel, AI-specific security stack. It is to treat agents as first-class managed identities and run them through the standards-based IAM machinery that already exists (OAuth, OIDC, SAML, and SCIM), with proper ownership, credentials, lifecycle, and auditability.

That framing matters because the alternative, which many organisations are drifting into, is agents authenticating with embedded static keys, owned by no one, provisioned outside IAM, and invisible to access review. AEGIS says the agent gets an owner, a managed credential, a lifecycle that includes deprovisioning, and an audit trail, exactly the properties any other identity is expected to have.

The part of AEGIS we find most valuable is the principle Forrester calls least agency. Conventional Zero Trust constrains what an identity can access. Least agency extends that to constrain what decisions an identity is permitted to make. For a deterministic service account the two are nearly the same thing. For an autonomous agent they are not. An agent might legitimately have read access to a dataset, yet still should not be permitted to decide, unsupervised, to delete records, initiate payments, or grant access to another agent. Least privilege governs the door; least agency governs the judgement.

Our take is that least agency is the principle most organisations are currently missing, because their tooling has no place to express it. IAM systems model entitlements, not decision rights. Bridging that gap is an architecture problem: decision boundaries have to be enforced at the points where an agent acts, through scoped credentials, human-in-the-loop checkpoints for high-consequence actions, and policy that distinguishes "may read" from "may decide." AEGIS gives the vocabulary. Wiring least agency into a real OAuth/OIDC/SCIM identity fabric is the work that follows.
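The split between "may read" and "may decide" that the two paragraphs above describe can be made concrete in a small policy check. The following is an added illustration written for this page, not Forrester's AEGIS material or any IAM product's code. The action names, scope names and the `AgentIdentity` record are hypothetical: an agent carries the scopes its OAuth-style credential was issued with (the least-privilege door) and a separate set of decision rights (the least-agency judgement); any entitled action outside its decision rights is routed to a human checkpoint, and every evaluation is written to an audit trail.

```python
"""Least privilege vs least agency: a minimal policy decision point.

Added example for this page. Names and catalogue are constructed for
illustration, not taken from AEGIS or any real IAM system.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                      # entitled and permitted to decide alone
    DENY = "deny"                        # no entitlement: the door is closed
    REQUIRE_HUMAN = "require_human"      # entitled, but not allowed to decide unsupervised


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: str                    # accountable human or team (ownership, per AEGIS)
    scopes: frozenset             # entitlements on the issued credential (least privilege)
    decision_rights: frozenset    # actions the agent may decide on by itself (least agency)


# Constructed action catalogue: which scope an action needs on the credential.
REQUIRED_SCOPE = {
    "records:read": "dataset:read",
    "records:delete": "dataset:write",
    "payments:initiate": "payments:write",
    "access:grant": "iam:admin",
}

# Append-only audit trail of every evaluation (auditability).
AUDIT_LOG = []


def evaluate(agent: AgentIdentity, action: str, human_approval: bool = False) -> Decision:
    """Decide whether `agent` may perform `action` right now.

    Order of checks:
      1. entitlement  - the credential must carry the scope the action needs;
      2. decision right - only actions in `decision_rights` may be taken autonomously;
      3. checkpoint   - anything else is entitled but needs a recorded human approval.
    """
    needed = REQUIRED_SCOPE.get(action)
    if needed is None or needed not in agent.scopes:
        outcome = Decision.DENY
    elif action in agent.decision_rights:
        outcome = Decision.ALLOW
    elif human_approval:
        outcome = Decision.ALLOW          # checkpoint satisfied by a human
    else:
        outcome = Decision.REQUIRE_HUMAN  # hold the action for review

    AUDIT_LOG.append({
        "agent": agent.agent_id,
        "owner": agent.owner,
        "action": action,
        "human_approval": human_approval,
        "decision": outcome.value,
    })
    return outcome


def demo_agent() -> AgentIdentity:
    """Constructed sample: read *and* write entitlement on the dataset,
    but only the read decision is delegated to the agent itself."""
    return AgentIdentity(
        agent_id="agent-reporting-01",
        owner="data-platform-team",
        scopes=frozenset({"dataset:read", "dataset:write"}),
        decision_rights=frozenset({"records:read"}),
    )


if __name__ == "__main__":
    a = demo_agent()
    for act, approved in [("records:read", False), ("records:delete", False),
                          ("records:delete", True), ("payments:initiate", False)]:
        print(f"{act:18} approval={approved!s:5} -> {evaluate(a, act, approved).value}")
```

The point of the ordering is that the entitlement check alone would have allowed the delete: the credential legitimately carries `dataset:write`. Least agency is the second gate, and it is where the human-in-the-loop checkpoint and the audit record attach, so an access review can see both what the agent could reach and what it was trusted to decide.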
