Six months ago, “agent identity” inside most enterprises meant a hardcoded service account, an OAuth client credential reused across thousands of agent invocations, or — worst of the lot — a long-lived API key checked into a repo that nobody had rotated since the original PoC. Auditors hated it. Security teams couldn’t revoke a compromised agent without nuking everything that shared the credential. And the blast radius of one leaked key was the entire production agent surface.
That whole arrangement broke in the last 90 days. Microsoft Agent 365 went GA on May 1 with Entra Agent ID as the unified identity primitive for any agent talking through it. Okta shipped Auth for GenAI a few weeks earlier. Auth0 wrapped its developer-facing version into LangChain, LlamaIndex, CrewAI, AutoGen, and the Vercel AI SDK. CyberArk and SailPoint pushed agent-specific releases through Q1. The non-human identity (NHI) category — Aembit, Astrix, Token Security, Britive, Andromeda, Cyera — went from “interesting startup space” to “the line item every CISO is asked about on the FY27 budget call.”
If you’re the IAM architect or platform lead picking the stack your 50,000 future agents will authenticate with, here’s how I’d think about it.
Why agent IAM is suddenly its own category
The forcing functions are stacking. Service accounts don’t carry the lifecycle, attestation, or audit semantics that EU AI Act high-risk classification requires. Conditional Access policies were written for humans, not for an agent that legitimately invokes 4,000 tool calls in 90 seconds. SOC 2 auditors started asking “show me the least-privilege policy applied to the agent that touched this customer record” — and “it’s a shared client_credentials grant” stopped being an acceptable answer in late 2025.
The other forcing function is volume. The agent-fleet forecasts most large enterprises are now planning against — 10,000 to 100,000 agents in production by FY27 — make a per-agent identity model unavoidable. You cannot run joiner-mover-leaver, segregation-of-duties certification, or per-tool-call authorization through service accounts at that count. The math just doesn’t work.
So the platforms split. Some are building first-class directory objects for agents. Some are wrapping agents in workload identities. Some are vaulting and brokering short-lived credentials. They overlap, but not by accident — they’re all attacking the same gap from different starting points.
Microsoft Entra Agent ID: the M365-shop default
If your shop is already on Entra ID for humans, Defender for the SOC, and Purview for compliance, Entra Agent ID is the path of least resistance. Every agent registered through Agent 365 — or synced through the cross-cloud registry from Bedrock AgentCore or Gemini Enterprise — gets a first-class directory object. That means Conditional Access policies apply. Sign-in logs land in the same SIEM pipeline. Purview audit treats agent activity the same as human activity for retention and eDiscovery. Lifecycle hooks fire when the agent’s owner leaves the company.
The cross-cloud registry sync is the genuinely interesting bit. An agent built on AWS Bedrock or Google’s Gemini Enterprise can show up as an Entra Agent ID and be governed by Microsoft’s Conditional Access engine without running on Microsoft infrastructure. That’s a bigger deal than Microsoft is being credited for — it lets a Microsoft-shop CISO impose a single policy fabric across multi-cloud agent estates without forcing teams onto Azure.
The flip side: if you aren’t an Entra-licensed shop, this is not the path. Entra Agent ID is bundled into M365 E5 and the Agent 365 add-on, and the value proposition collapses outside that ecosystem. You’re paying for a directory layer you don’t otherwise need.
Okta Auth for GenAI and Auth0 GenAI Workforce: the identity-vendor play
Okta and Auth0 (which Okta still operates as a separate developer-platform brand) split the agent-identity problem along their existing customer split. Okta Auth for GenAI is the workforce-identity story — it issues a workload identity to each agent and adds a delegated user authorization layer so the agent can act on behalf of a specific human, with stepped-up consent when the action is sensitive. That’s the pattern the EU AI Act’s autonomy disclosure language really wants: a clear chain from “user X authorized agent Y to do Z.”
Auth0 GenAI Workforce — the developer-facing sibling — ships token vault, async authorization, and human-in-the-loop approval primitives directly into the popular agent frameworks. If you’re building product on LangGraph or CrewAI and you want “user gives consent through a Slack DM before the agent submits the refund,” Auth0’s primitives are the shortest path to a production-ready implementation. You’d otherwise spend two engineer-quarters building the same flow.
I think the Okta family is the strongest pick for two specific profiles: companies that already pay Okta for humans and want one vendor for agent identity too, and product-engineering teams that need agent-aware OAuth flows without rolling their own. Where it’s weaker is the privileged-access angle — Okta will sell you identity, but credential brokering and secrets vaulting at the depth a regulated bank wants is a CyberArk or HashiCorp story.
CyberArk: the regulated-industry pick
CyberArk extended its privileged access platform with agent-specific credential brokering — short-lived rotating credentials minted per agent invocation, scoped to the specific tool call, then revoked. If you’ve already deployed CyberArk PAM for humans, the agent extension is the obvious continuation. The audit trail is the cleanest of any platform I’ve seen on this list: per-invocation credential issuance, scope, and use, all signed and immutable.
The reason this matters for FSI, healthcare, and federal isn’t theoretical. Regulators in those sectors are increasingly asking for evidence that an autonomous system cannot reuse credentials across boundaries — that an agent calling the customer-data API at 9:01 cannot use the same token to call the trading API at 9:02. CyberArk’s model answers that directly. Most of the others answer it through policy, which is fine until an incident.
The cost is operational complexity. CyberArk is not a five-engineer-startup tool, and the deployment-and-tuning burden is real. If you don’t already have a PAM program, starting one to govern agents is putting the cart way ahead of the horse.
Saviynt and SailPoint: the IGA-for-agents story
Identity governance — the joiner-mover-leaver, certification, segregation-of-duties layer — is a different problem from authentication, and it’s the one most agent platforms quietly punt on. Saviynt and SailPoint both shipped agent-IGA features in Q1 that treat non-human agent identities as first-class governance subjects. That means certification campaigns include agents (a manager has to attest that “yes, this agent should still have access to Salesforce”). It means SoD policies span humans and agents (the same person can’t both submit and approve a refund — and neither can their agent). It means deprovisioning works: when an employee leaves, the 12 agents they own get terminated automatically.
If your company already runs Saviynt or SailPoint for humans, layering agent-IGA on top is the natural play, and the auditor-readiness story is by far the strongest of any option on this page. The downside is that IGA platforms are not auth platforms — they’re the governance layer above auth, and you still need Entra, Okta, or another platform to actually issue and validate the credentials. So in practice this is “Saviynt or SailPoint plus something else,” not a standalone pick.
The NHI category: Aembit, Astrix, Token Security, Britive, Andromeda
The non-human identity startups don’t quite fit the same frame as the incumbents because most of them started by attacking a different slice of the problem. Aembit’s wedge is workload-to-workload authentication — the agent-talking-to-an-API problem, with conditional access policies enforced at the request boundary. Astrix and Token Security started in NHI posture and discovery: finding the existing service accounts, OAuth tokens, and API keys nobody knew about. Britive ships just-in-time privileged access for cloud workloads, which extends naturally to agents. Andromeda is closer to a runtime-enforcement layer.
Cyera’s $7B valuation late last year is what pulled this whole category to the top of the CISO agenda — fairly or not, it became the proxy for “NHI is real now.” For most enterprises, an NHI tool sits alongside (not instead of) an Entra or Okta deployment, doing the discovery, posture, and runtime-enforcement work the incumbents are slower to ship. If you’re at a company with multi-cloud sprawl and an existing zoo of service accounts, an NHI tool is probably worth a POC ahead of the incumbent rollout — you’ll find things you didn’t know existed.
Protocols matter more than you’d think
A protocol-level checklist separates the platforms more than marketing does:
- OAuth 2.1 is now the table-stakes baseline. If a platform isn’t OAuth 2.1-native, it’s behind.
- MCP (Model Context Protocol) auth support is increasingly important because MCP is how agents are connecting to tools, and the auth flow is non-trivial. Entra Agent ID, Auth0 GenAI Workforce, and a couple of the gateways have first-class MCP auth; others handle it through generic OAuth.
- A2A (Agent-to-Agent) credential exchange matters for any system where agents call other agents. The A2A 1.0 spec landed earlier this year and has uneven support.
- SPIFFE/SPIRE is the workload-identity standard that already governs much of cloud-native infrastructure. CyberArk, Aembit, and HashiCorp all support it; Entra and Okta do not, natively.
If your environment is multi-cloud Kubernetes-heavy, SPIFFE is probably the right substrate and the platforms that don’t speak it are awkward fits. If you’re a Microsoft-everywhere shop, Entra Agent ID’s lack of SPIFFE doesn’t matter because you’re not running SPIFFE anyway.
Pricing is doing weird things
Pricing models haven’t settled. Entra Agent ID is bundled into M365 E5 and the Agent 365 add-on — effectively “free” if you already pay for both, expensive if you don’t. Okta and Auth0 charge per-identity, which gets interesting fast: a 50,000-agent fleet at $2-$8/identity/month is $1.2M-$4.8M/year just for identity, and that math forces a real conversation about whether every short-lived agent should get its own persistent identity or whether ephemeral identities (created and destroyed per session) make more sense.
CyberArk and SailPoint price on a different axis — privileged identity tiers and IGA seats — and the per-agent cost can drop dramatically at scale, but the floor is high (six-figure deals minimum at most enterprises). The NHI startups are mostly still on platform-fee + tiered-identities pricing, which favors customers under 10,000 agents and gets uncomfortable above that.
The honest answer: nobody has the pricing right yet. Negotiate hard on FY27 contracts and don’t lock in three years at a per-identity model that will look insane when your agent count 5×s.
Lifecycle is where most pilots fall over
Buying decisions tend to fixate on the auth flow and underprice lifecycle. The realistic failure mode in 2027 is not “an agent gets compromised” — it’s “an employee leaves, their 12 agents keep running for nine months because nobody had a deprovisioning hook wired up.” Every platform on this page claims lifecycle support; in practice the depth varies wildly.
What to actually probe in a POC: does the platform fire a deprovisioning event when the human owner is terminated? Does it cascade through agent-to-agent dependencies? Does it survive the platform engineer who set it up leaving? If you can’t answer those three questions confidently after two weeks of vendor demos, you’re being sold an auth product, not an identity product.
EU AI Act and audit
The EU AI Act high-risk classification is going to push a lot of these decisions in late 2026. The audit trail requirement — “for any high-risk autonomous decision, produce the chain of authorization from user to agent to action” — is exactly the chain Auth0 GenAI Workforce, CyberArk, and Entra Agent ID are designed to emit. Platforms that can’t produce that chain in a single query are going to face awkward conversations with European customers.
If you’re operating in the EU or selling to EU customers, treat audit-log granularity and per-tool-call authorization records as gating requirements, not nice-to-haves. The fines aren’t theoretical.
How I’d pick
If you’re a Microsoft-everywhere shop, Entra Agent ID through Agent 365 is the default, and you only look elsewhere for the privileged-access layer (CyberArk) or NHI discovery (Aembit, Astrix). If you’re an Okta workforce-identity shop, Auth for GenAI plus Auth0 GenAI Workforce on the developer side is one vendor, one billing relationship, and a coherent story. FSI and healthcare with existing PAM programs go CyberArk plus SailPoint for governance — slow, expensive, auditor-bulletproof. Multi-cloud, Kubernetes-heavy, no strong incumbent? Aembit and Britive on the runtime side, with HashiCorp Vault carrying the secrets-and-credentials layer.
The wrong move is doing nothing for another budget cycle. Service accounts and shared OAuth clients are not going to age well. If you’re in the IAM seat, the homework worth doing this quarter is mapping your current agent inventory (you almost certainly have more than you think — Astrix or Token Security can find them in a week), then sketching the FY27 architecture against one of the four buyer profiles above. Pick a POC. Run it for sixty days against a real workload. The category will keep moving, but the first decision is whether to engage now or pretend the problem isn’t already on your plate.