Securing agentic AI with intent-based permissions

When seatbelts were first introduced, cars were relatively slow and a seatbelt was enough to keep drivers safe in most accidents. But as vehicles became more powerful, automakers had to add airbags, crumple zones, and (eventually) adaptive driver assistance systems that anticipate hazards and avoid collisions.

Identity and access management (IAM) is now at a similar inflection point. For decades, action-based permissions have performed the role of the seatbelts of enterprise security, essential guardrails that define what users or systems can do. But with the rise of agentic AI and autonomous software agents that operate independently and make decisions at scale, IAM now needs intent-based permissions that understand not only what an AI agent is doing, but why.

The identity seatbelt and the adaptive driver assistance for AI agents

Action-based permissions remain the cornerstone of most IAM systems. They operate by specifying allowed operations, read, write, update, delete, or by granting scoped API access.

For humans or deterministic bots, this model works well: it enforces least privilege, creates audit trails, and makes compliance easier to demonstrate. But in the context of AI agents, these controls are not enough.

Administrators often grant overly broad access to avoid breaking workflows, which introduces new risks. Meanwhile, overly strict guardrails may block useful behaviors and frustrate business users. Most importantly, action-based permissions capture only the “what” of an operation, not the “why.”

If an AI agent attempts to delete data, is it executing a routine cleanup, or attempting an unauthorized action? The permission system can’t tell. Action-based controls may keep the agent within predefined lanes, but they can’t interpret the destination or purpose of the journey. Like a seatbelt, they’re protective after impact, but not preventive.

Intent-based permissions take IAM one step further by examining the purpose behind the action. Context such as task type, data sensitivity, user delegation, and real-time risk signals are factored into access decisions.

This is the equivalent of adaptive driver assistance in a vehicle, which steers the car away from hazards to prevent incidents in the first place: intent-based permissions allow AI systems to operate with autonomy, while dynamically preventing actions that don’t align with business purposes.

For example, an AI agent might be allowed to access customer PII if the intent is resolving a support ticket, but blocked from the same access if the task is training a model. This approach introduces semantic awareness into IAM, mapping not just to actions but to goals.

Why intent matters for agentic AI

Humans bring context to their actions. When a payroll administrator accesses salary data, it is generally understood to be part of their job. Unfortunately, AI agents don’t have that implicit context. They can chain together operations in novel ways, creating behaviors that administrators never anticipated and that existing permissions may not adequately constrain.

By continuously evaluating purpose, intent-based controls allow enterprises to adaptively grant access only when actions align with approved business objectives. This reduces blind spots, prevents both over- and under-permissioning, and supports productivity without compromising security.

In many ways, intent-based IAM extends zero trust and least privilege principles into the age of AI. It asks not only “is this action allowed?” but also “is this action appropriate given the current purpose, context, and risk?”

That’s not to say that action-based permissions are now obsolete. Security depends on layered controls. Together, action-based guardrails and intent-based governance create a system that is both protective and adaptive.

Moving to a hybrid IAM model

The shift to intent-based permissions will have to happen in phases. Here’s a three-step roadmap for getting there:

• Short term: Audit AI agents and enforce tighter action-based scopes. Ensure every permission has a justification and is auditable.
• Medium term: Integrate context-aware policy engines that can interpret agent tasks, evaluate data sensitivity, and factor in risk signals. Apply intent checks first to high-value or high-risk workflows.
• Long term: Move toward unified identity frameworks where action, intent, and risk converge into a single governance layer for humans, and non-human identities (NHIs) like bots and AI agents.