
A registrar I trust called me last month with a question she didn't want to ask out loud. An advising assistant, the kind a vendor turned on inside the learning platform back in March, had updated a course registration overnight. The student didn't remember doing it. The audit log said the student did it. The session token said the student did it. The student was asleep at 2:14 AM Central when the action posted.
She asked me a simple thing. Who actually did that?
I didn't have a clean answer. Neither did her vendor, when she called them the next morning. They had a clever answer about "user-initiated workflows with assisted completion." She had a FERPA log that lied by omission, and a board meeting in three weeks where someone was going to ask whether the institution knew what was running on its network.
This is the moment I've been writing toward for a year. The agent identity gap is no longer theoretical. The institutions deploying agents shipped them on borrowed credentials. The vendors didn't ask. The IAM team didn't know. And now the agents are doing work that human beings will be held accountable for.
Gravitee published its State of AI Agent Security 2026 report a few weeks ago and the number that should be on the cover of every Board of Trustees deck this quarter is buried on page two. Only 21.9% of teams treat AI agents as independent, identity-bearing entities. The other 78.1% are running agents under inherited human accounts or shared service identities. Worse, 45.6% wire agent-to-agent traffic using shared API keys, which is the 2026 equivalent of writing the admin password on a sticky note and passing it around the office.
If your campus is in the 78.1%, you are not behind. You are typical. That is exactly the part that should scare you.
Look at what is already in production in higher ed. Canvas IgniteAI rolled out a teaching assistant agent earlier this year. Element451 Bolt Agents have admissions workflows running across the customer relationship system into the student information system. Druid AI is in financial aid offices. N2N's LightLeap is moving data between Banner, Workday Student, and a dozen downstream systems on campuses I won't name. Anthology's own analysts have called this class of tool "AI browsers," because what they really do is impersonate authenticated users at the interface layer. A human logs in. The agent rides the session.
Every action that agent takes is attributed to a person who did not perform it. Every FERPA log lies by omission. Every audit trail tells you a student did something a piece of software did. The state I named in my predictions last year was Impersonated, and it is now the fifth member of the Manual, Delayed, Forgotten, Orphaned family.
The enterprise data is in. AI agent security incidents have hit 65% of firms in 2026. Eighty-eight percent of enterprises report at least one agent-related breach. Infosecurity Magazine puts the number more bluntly: unchecked AI agents caused cybersecurity incidents at two-thirds of firms.
Two-thirds.
The pattern that is surfacing in higher ed mirrors the enterprise pattern almost exactly. A compromised campus chatbot abused to pull partial transcript data. A bot account in a learning platform repurposed as a phishing distribution channel. An over-privileged research-lab service identity quietly altering financial records because nobody bothered to scope it. Princeton, the University of Pennsylvania, and Harvard all disclosed breaches in fall 2025. None of the postmortems have mentioned agent-mediated access yet. I would bet a good bottle of bourbon that at least one of those breach timelines, when fully reconstructed, touches an agent identity that nobody had inventoried.
The CIO who tells the audit committee "we have not seen an AI agent incident yet" is the CIO who has not looked at the logs with the right lens. You cannot detect an attack against an identity class you have not declared exists.
On June 5, Microsoft announced General Availability of Entra Agent ID. The platform now gives you a first-class identity object for an agent, alongside lifecycle workflows for what Microsoft is calling "agent ID sponsorship." A workload-identity-based authentication preview for SAP SuccessFactors provisioning shipped on June 10. Sensitivity labels for Entra security groups went generally available May 24. HashiCorp pushed in parallel, pitching SPIFFE as the substrate for agentic identity inside Vault Enterprise.
This is Prediction 3 from my worldview landing exactly as called. The capability ships. The how-to-implement does not.
Entra Agent ID gives you an object to register. It does not tell the registrar's office who sponsors the advising agent. It does not tell financial aid who signs off when the scope of the disbursement bot expands. It does not tell the dean of students who revokes an agent when its sponsoring department head retires. "Sponsorship lifecycle" is the polite Microsoft phrase for "this is your governance problem now."
The institution that treats Entra Agent ID as a checkbox in next quarter's identity roadmap will be the institution explaining to its auditor in 2028 why an agent with a sponsor who left in 2024 was still writing to Banner. We have seen this movie. The protagonist was named Ghost Account. The sequel just stars an agent with an API key and a planner loop.
I have to be honest about the pushback, because it is real and I respect the people making it. The argument goes like this. Most campuses cannot reliably deprovision a human account inside the 30-minute Entra Connect sync window. Layering agent identity governance on top of a broken human lifecycle compounds risk rather than reducing it. The agents most institutions are running today live inside vendor tools, where the vendor's identity stack mediates the permissions anyway. Standardizing too early on a moving target creates new attack surfaces.
Every word of that is true at the median institution.
Here is the honest version of my Prediction 4. AI agents will not amplify governance failures uniformly. They will amplify them sharply at the institutions that already automated their lifecycle, because automation means scale and scale means a single bad agent identity propagates everywhere in seconds. The institutions that did not automate get a different failure mode. They will not know an agent acted, because they do not know who acted on their network yesterday either.
Both roads lead to harm. Neither road leads to a Gartner quadrant that fixes it for you.
The fix is not to ignore agent identity until human lifecycle is perfect. The fix is to recognize that the work is the same work. A registered, sponsored, scope-bound, revocable identity is what a student account should be, what a contractor account should be, what a service account should be, and what an agent should be. The class of the identity is different. The discipline is identical.
Four active drafts at the Internet Engineering Task Force now define the agent identity stack. The Agent Identity Protocol assigns every agent a unique identifier and a key. The Agent Authorization Profile for OAuth 2.0 introduces task binding and operational context, distinguishing autonomous software from human users. The AI Agent Authentication and Authorization draft frames agents as workloads requiring their own management system. A fourth draft extends OAuth 2.1 with authenticated discovery, sandboxing, and revocation requirements. The foundational OAuth specification itself was updated on May 20.
I am not asking you to read all four. I am asking you to remember one phrase: task binding. If a vendor cannot tell you what specific task their agent is bound to, and what happens to the agent's authorization when that task completes, the answer is no. Not "let's pilot it." No. Send them back to engineering until they can answer.
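What a registered, sponsored, scope-bound, revocable identity with task binding looks like when you write it down, as an added example for this column. This is not code from the column, from Entra Agent ID, or from any of the IETF drafts; it is a small model of the properties the column asks for. The agent, sponsor and student identifiers, the action names and the 15-minute grant lifetime are all constructed. The point to notice is the audit entry: the actor is the agent, and the student appears only as the party the task was performed for, so the log no longer says the student did something at 2:14 AM.

```python
"""Task-bound, sponsored, revocable agent authorization. Added example for this
column; not code from the column, from Entra Agent ID, or from any IETF draft."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

BASE_TIME = datetime(2026, 6, 1, 2, 14, tzinfo=timezone.utc)  # constructed clock

@dataclass
class AgentIdentity:
    agent_id: str   # first-class identity, not a borrowed human login
    sponsor: str    # accountable person; their departure deactivates the agent
    active: bool = True

@dataclass
class TaskBoundGrant:
    grant_id: str
    agent_id: str
    on_behalf_of: str           # student whose record the task touches
    task: str                   # the single task this grant is bound to
    allowed_actions: frozenset  # only the actions that task needs
    expires_at: datetime
    completed: bool = False

@dataclass
class AuditEntry:
    when: datetime
    actor: str          # the agent, so the log stops saying "the student did it"
    on_behalf_of: str
    action: str
    allowed: bool
    reason: str

class AgentRegistry:
    def __init__(self) -> None:
        self.agents: Dict[str, AgentIdentity] = {}
        self.grants: Dict[str, TaskBoundGrant] = {}
        self.audit: List[AuditEntry] = []

    def register(self, agent_id: str, sponsor: str) -> AgentIdentity:
        self.agents[agent_id] = AgentIdentity(agent_id, sponsor)
        return self.agents[agent_id]

    def issue_grant(self, agent_id: str, on_behalf_of: str, task: str, allowed: Iterable[str],
                    now: datetime, ttl: timedelta = timedelta(minutes=15)) -> TaskBoundGrant:
        ident = self.agents.get(agent_id)
        if ident is None or not ident.active:
            raise PermissionError(f"unknown or inactive agent: {agent_id}")
        grant = TaskBoundGrant(f"grant-{len(self.grants) + 1}", agent_id, on_behalf_of, task,
                               frozenset(allowed), now + ttl)
        self.grants[grant.grant_id] = grant
        return grant

    def _deny_reason(self, g: TaskBoundGrant, action: str, now: datetime) -> Optional[str]:
        if not self.agents[g.agent_id].active:
            return "agent deactivated"
        if g.completed:
            return "task completed"
        if now >= g.expires_at:
            return "grant expired"
        if action not in g.allowed_actions:
            return "action not in task scope"
        return None

    def authorize(self, grant_id: str, action: str, now: datetime) -> bool:
        g = self.grants[grant_id]
        reason = self._deny_reason(g, action, now)
        # Every decision is logged against the agent, with the student as the subject.
        self.audit.append(AuditEntry(now, g.agent_id, g.on_behalf_of, action, reason is None, reason or "ok"))
        return reason is None

    def complete_task(self, grant_id: str) -> None:
        self.grants[grant_id].completed = True  # task binding: authorization ends with the task

    def sponsor_departed(self, sponsor: str) -> None:
        # Sponsorship lifecycle: no sponsor, no active agent, no usable grants.
        for ident in self.agents.values():
            if ident.sponsor == sponsor:
                ident.active = False

def demo() -> dict:
    """One advising agent through scope, completion, expiry and sponsor departure."""
    reg = AgentRegistry()
    reg.register("advising-agent-01", sponsor="registrar.jones")
    t0, m = BASE_TIME, timedelta(minutes=1)
    g1 = reg.issue_grant("advising-agent-01", "S1234567", "update-registration:FALL",
                         {"read-schedule", "update-registration"}, t0)
    out = {"in_scope": reg.authorize(g1.grant_id, "update-registration", t0 + m),
           "out_of_scope": reg.authorize(g1.grant_id, "drop-course", t0 + m)}
    reg.complete_task(g1.grant_id)
    out["after_completion"] = reg.authorize(g1.grant_id, "read-schedule", t0 + 2 * m)
    g2 = reg.issue_grant("advising-agent-01", "S1234567", "read-schedule:FALL", {"read-schedule"}, t0)
    out["expired"] = reg.authorize(g2.grant_id, "read-schedule", t0 + 60 * m)
    g3 = reg.issue_grant("advising-agent-01", "S7654321", "read-schedule:FALL", {"read-schedule"}, t0)
    out["before_departure"] = reg.authorize(g3.grant_id, "read-schedule", t0 + 3 * m)
    reg.sponsor_departed("registrar.jones")
    out["after_departure"] = reg.authorize(g3.grant_id, "read-schedule", t0 + 4 * m)
    out["first_entry"] = (reg.audit[0].actor, reg.audit[0].on_behalf_of)
    out["denials"] = [e.reason for e in reg.audit if not e.allowed]
    return out
```

The vendor question the column poses maps directly onto this model: "what task is the agent bound to" is the `task` and `allowed_actions` on the grant, and "what happens when the task completes" is `complete_task`, after which the same grant is refused. The sponsor's departure is the other revocation trigger; once `sponsor_departed` runs, no new grant can be issued and every existing one is denied.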
The next Banner integration vendor or learning-platform copilot vendor who walks into your office in Q4 will quote these drafts to justify the scope of access their agent needs. Read enough of them to push back intelligently. That is the entire ask.
Here is what bothers me. Every higher-ed CIO I talk to can tell me, to the dollar, what their Entra licensing costs. None of them can tell me how many agents are running in their tenant tonight. Not roughly. Not within an order of magnitude. We spent fifteen years getting the human identity problem to a place where we could at least answer the audit question. The agent identity problem has put us back to 2009, and we are pretending it has not.
I think about my registrar friend a lot. She is going to walk into that board meeting and someone, probably the trustee who used to run IT at a bank, is going to ask her how many AI agents have access to student records. She is going to have to say I do not know, and I do not have a way to know yet. That is not her failure. That is a structural gap her vendors created and her IAM stack was never built to close.
The locksmith question I keep coming back to is this. When the lock changes, who has the new key? Right now, on most campuses, the answer for agents is everyone, and nobody is tracking it. That is the work for the next six months. Not picking a standard. Not waiting for EDUCAUSE to publish principles. Inventorying what is running, naming a sponsor for each one, and writing the revocation procedure before the sponsor retires.
You do not need the IETF to bless a draft to start that work. You need a spreadsheet and a willingness to ask your vendors the uncomfortable question.
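The spreadsheet pass, as an added example that is not the QuickLaunch inventory tool or any vendor's code. It reads an agent inventory with one row per agent and flags the gaps the column names: no sponsor, a sponsor who has left, a borrowed credential (a shared API key or a ridden human session), no written revocation procedure, and a review older than the chosen window. The rows, tool names, sponsor names and the 90-day review window are all constructed placeholders.

```python
"""Agent inventory check: the 'spreadsheet' pass the column recommends.
Added example, not a QuickLaunch tool or any vendor's. The inventory rows
below are constructed; the vendor tool and system names are placeholders."""
import csv
from datetime import date
from io import StringIO
from typing import Dict, List, Tuple

AS_OF = date(2026, 6, 15)  # constructed review date
BORROWED_CREDENTIALS = {"shared-api-key", "human-session"}  # credential types that hide the agent

# Constructed sample inventory: one row per agent running in the tenant.
SAMPLE_INVENTORY = """\
agent_id,vendor_tool,target_system,sponsor,sponsor_status,credential_type,revocation_procedure,last_reviewed
advising-agent-01,lms-copilot,SIS,registrar.jones,active,agent-identity,RUNBOOK-ADV-01,2026-05-20
aid-disbursement-bot,aid-assistant,SIS,,,shared-api-key,,2025-11-02
admissions-sync,crm-agent,CRM;SIS,dept.head.smith,departed,service-account,RUNBOOK-ADM-03,2026-01-15
research-lab-etl,internal,Finance,pi.garcia,active,shared-api-key,,2024-09-30
"""

def audit_inventory(csv_text: str, as_of: date = AS_OF,
                    max_review_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (agent_id, finding) pairs for every sponsorship-lifecycle gap."""
    findings: List[Tuple[str, str]] = []
    for row in csv.DictReader(StringIO(csv_text)):
        aid = row["agent_id"]
        if not row["sponsor"].strip():
            findings.append((aid, "NO_SPONSOR"))
        elif row["sponsor_status"].strip().lower() != "active":
            findings.append((aid, "SPONSOR_NOT_ACTIVE"))
        if row["credential_type"].strip().lower() in BORROWED_CREDENTIALS:
            findings.append((aid, "BORROWED_CREDENTIAL"))
        if not row["revocation_procedure"].strip():
            findings.append((aid, "NO_REVOCATION_PROCEDURE"))
        reviewed = row["last_reviewed"].strip()
        if not reviewed or (as_of - date.fromisoformat(reviewed)).days > max_review_age_days:
            findings.append((aid, "REVIEW_STALE"))
    return findings

def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per agent so the board question has a number behind it."""
    counts: Dict[str, int] = {}
    for aid, _ in findings:
        counts[aid] = counts.get(aid, 0) + 1
    return counts

if __name__ == "__main__":
    for aid, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{aid}: {finding}")
```

Run against the constructed rows, only the advising agent comes back clean; the disbursement bot has no sponsor, a shared key and no revocation runbook, which is exactly the agent nobody will be able to explain at the board meeting. The columns are the questions to put to the vendor, and an agent whose row cannot be filled in is an agent whose access should not be renewed.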
Primary: Download the QuickLaunch AI Agent Inventory Tool at quicklaunch.io. It walks through the sponsorship lifecycle questions you should be asking your vendors this quarter, with a starter inventory template.
Secondary: Subscribe to the QuickLaunch column. Wednesdays, no academic-calendar skips, and I will keep tracking which institutions answer this honestly and which ones learn the hard way.
*Raymond Todd Blackwood is the President of QuickLaunch and writes about identity, agentic AI, and the messy reality of higher-ed IT. #ItsExistential*