Curity Challenges Traditional IAM Limits with Launch of Access Intelligence for Autonomous AI Agent Security

As enterprise developers in 2026 accelerate the deployment of the first generation of truly autonomous AI agents, the global cybersecurity landscape is facing a fundamental reckoning regarding the efficacy of traditional identity and access management (IAM). The rapid proliferation of these agentic systems—which possess the ability to make decisions, invoke APIs, and interact with other autonomous entities—has outpaced the defensive capabilities of legacy security frameworks. Addressing this critical vulnerability, Swedish cybersecurity firm Curity has announced the launch of Access Intelligence, a specialized extension to its Identity Server platform designed specifically to govern the complex, non-deterministic behaviors of AI agents.
The emergence of agentic AI represents a paradigm shift in how software interacts with corporate data. Unlike traditional applications that follow rigid, pre-defined logic, AI agents utilize large language models (LLMs) to interpret goals and execute multi-step workflows. This autonomy introduces a level of unpredictability that renders standard "point-in-time" authentication obsolete. While industry giants such as Okta, Ping Identity, and Microsoft’s Entra ID continue to dominate the human-centric and machine-to-machine (M2M) identity markets, Curity argues that a specialized, runtime-centric approach is required to prevent these agents from becoming the most significant attack vector of the decade.
The Crisis of Legacy Authentication in the Agentic Era
For decades, IAM has operated on a relatively simple premise: verify the identity of the requester—whether human or machine—and grant a set of static permissions based on that identity. This model assumes a linear relationship between the user and the resource. However, AI agents operate through long, branching chains of actions conducted at speeds that human administrators cannot monitor in real time.
Traditional IAM tools are ill-equipped to handle what security architects call "the non-deterministic problem." When an AI agent is tasked with "optimizing a supply chain," it may decide to query a database, contact a third-party vendor’s API, and then trigger a financial transaction. If the security system grants the agent broad permissions at the start of its session, the risk of a "runaway agent" or a prompt-injection attack leading to unauthorized data exfiltration increases exponentially. Conversely, if the agent is restricted by overly rigid, static policies, its utility is neutralized, as it will constantly encounter "access denied" errors during its reasoning process.
Curity’s Access Intelligence aims to solve this by moving away from static permissions. Instead of a one-time login, the system treats access as an ephemeral, context-aware state. This ensures that an agent’s privileges are strictly tied to its current task and intent, rather than its general identity.
Technical Breakdown: Token Intelligence and Runtime Enforcement
The core of Curity’s new offering lies in a feature termed "Token Intelligence." In standard OAuth-based systems, a token acts as a digital key that proves an application has permission to access a specific resource. Access Intelligence extends the role of these OAuth tokens, transforming them into "smart containers" that carry metadata regarding the agent’s specific purpose and immediate intent.
Under this framework, when an agent initiates a new task, it must request a specific token for that action. This token is not a general-purpose pass but a scoped credential that describes exactly what the agent is trying to achieve. For instance, if an agent is tasked with "generating a quarterly report," it might receive a token that allows it to read financial records but explicitly forbids it from modifying them or transferring funds. If the agent’s next step requires it to email that report to a stakeholder, it must obtain a new token specifically for the mail server API, providing a new layer of validation for that specific intent.
Jacob Ideskog, Cofounder and CTO of Curity, emphasizes that this application-centric approach is vital for the modern enterprise. "Curity has always been application-centric," Ideskog stated. "Our focus has always been on how we broker access. Because we let an agent do something now doesn’t mean we should be allowing it to do this a minute later."
Furthermore, the system introduces a "Human-in-the-Loop" (HITL) trigger for high-risk actions. If an agent attempts to execute a task that exceeds a pre-defined risk threshold—such as moving a large sum of money or deleting a database—Access Intelligence can pause the execution and require real-time human authorization before issuing the necessary token.
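The per-task token flow and the human-approval trigger described above can be sketched as follows. This is an added illustration, not Curity's code or API: the function names, the HMAC token format, the risk scores, the threshold and the 60-second lifetime are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"   # constructed signing key, for the demo only
TTL = 60                        # assumed token lifetime in seconds
RISK = {"read": 1, "send": 2, "modify": 5, "transfer": 9, "delete": 9}  # assumed scores
HITL_THRESHOLD = 8              # assumed: at or above this, a human must approve


class ApprovalRequired(Exception):
    """Raised when a request must wait for real-time human authorization."""


def _sign(body: bytes) -> str:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def issue_token(agent, purpose, resource, action, approved_by=None, now=None):
    """Issue a token for exactly one (resource, action) pair and a stated purpose."""
    # Unknown actions score 10, so they fail closed into the approval path.
    if RISK.get(action, 10) >= HITL_THRESHOLD and approved_by is None:
        raise ApprovalRequired(f"{action} on {resource} needs human approval")
    now = time.time() if now is None else now
    claims = {"sub": agent, "purpose": purpose, "resource": resource,
              "action": action, "approved_by": approved_by, "exp": now + TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)


def enforce(token, resource, action, now=None):
    """Resource-side check: signature, expiry, then exact resource/action match."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body.encode())):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return False, "expired"
    if (claims["resource"], claims["action"]) != (resource, action):
        return False, "outside token scope"
    return True, claims["purpose"]   # the purpose is what an audit log would record


if __name__ == "__main__":
    t = issue_token("report-agent", "generating a quarterly report",
                    "finance-records", "read")
    print(enforce(t, "finance-records", "read"))   # allowed, with purpose
    print(enforce(t, "mail-api", "send"))          # denied: needs its own token
```

A token issued for reading financial records is rejected at the mail API and after its lifetime ends, so the agent has to return to the issuer for each new step, which is where the risk check and the approval hold apply.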
The Rise of Shadow Agents and the Governance Gap
The urgency behind Curity’s announcement is underscored by the explosive growth of "shadow agents." Much like the "shadow IT" trend of the 2010s, where employees used unsanctioned cloud applications, shadow agents are AI tools deployed by departments or individual developers without the explicit oversight of the central IT security office.
Recent industry data suggests that over 60% of enterprises currently have undocumented AI agents operating within their networks. These agents are often integrated into local development environments or used to automate repetitive tasks using low-code tools. Without a centralized IAM layer like Access Intelligence, these agents operate with the same permissions as the developers who created them, often possessing far more access than they actually require.
Curity’s Access Intelligence functions as a self-hosted microservice, acting as a centralized gateway through which every agent request must pass. By utilizing Identity Server’s centralized token validation, the system ensures that even if a developer "fires up" a new agent without formal registration, that agent remains isolated from real-world actions unless it can secure a validated token through the central security layer.
A Chronology of Identity Evolution
The launch of Access Intelligence marks the latest phase in the evolution of digital identity. To understand the significance of this shift, it is necessary to look at the timeline of IAM development:
- Phase 1: Human Identity (1990s–2010s): Focused on usernames, passwords, and eventually Multi-Factor Authentication (MFA). The goal was to ensure the person at the keyboard was who they claimed to be.
- Phase 2: Machine-to-Machine (M2M) Identity (2010s–2022): The rise of microservices and APIs required systems to talk to each other. OAuth 2.0 became the standard, allowing one application to access another’s data without sharing passwords.
- Phase 3: The Agentic Shift (2023–Present): The introduction of LLMs and autonomous agents created a need for "Intent-Based Identity." Access is no longer just about who or what is requesting access, but why they are requesting it and what they plan to do next.
Curity’s move signals that the industry is now firmly in Phase 3, where the complexity of the "why" is more important than the "who."
Industry Implications and Competitive Landscape
The cybersecurity industry has reacted with a mixture of caution and curiosity to Curity’s approach. While major players like Okta have focused on securing the "AI workforce"—meaning the humans using AI—Curity is focusing on the "Agentic workforce."
Industry analysts suggest that Privileged Access Management (PAM) vendors are currently the most vulnerable to this shift. Traditional PAM solutions, which manage high-level administrative credentials, are designed for human admins who log in, perform a task, and log out. They are not designed for an AI agent that might perform 500 privileged tasks in a single second across twenty different cloud regions.
"Enterprises are asking their PAM vendors how they’re going to deal with agent security, and I don’t think the PAM vendors have good answers yet," Ideskog noted. This gap in the market provides a significant opportunity for smaller, more agile players like Curity to define the standards for the next generation of security.
However, Curity is not positioning Access Intelligence as a total replacement for existing security stacks. Ideskog believes that a multi-layered defense is the only viable path forward. Access Intelligence can work alongside API gateways, Web Application Firewalls (WAFs), and out-of-band behavioral analysis systems. While a WAF might stop a known exploit at the perimeter, Access Intelligence ensures that if an agent is compromised via a prompt-injection attack, its ability to do damage is limited by the specific, intent-based tokens it holds.
Broader Impact: Governance, Compliance, and the Future of AI
The deployment of autonomous agents also carries significant legal and compliance implications. Under regulations such as the EU AI Act and GDPR, organizations are required to maintain strict logs and explanations for how AI systems process personal data. Traditional IAM logs, which might only show that an "Agent_Account_01" accessed a "Customer_DB," are insufficient for these regulatory requirements.
By using Token Intelligence, Curity provides a granular audit trail that includes the purpose of the access. This allows compliance officers to see not just that the database was accessed, but that it was accessed specifically for the purpose of "calculating loyalty rewards for European customers." This level of transparency is likely to become a mandatory requirement for any enterprise operating in highly regulated sectors such as finance, healthcare, and government.
As we move deeper into 2026, the success of agentic AI will depend less on the sophistication of the underlying models and more on the robustness of the guardrails surrounding them. The launch of Access Intelligence by Curity represents a significant step toward a future where autonomous agents can be deployed with the confidence that their actions are governed by intent, verified at runtime, and always under the ultimate control of human policy. The transition from "Identity" to "Access Intelligence" may well be the defining shift in cybersecurity for the remainder of the decade.






