Jul 16, 2026
AI

Ping Identity CEO warns zero trust controls are too slow for AI agents

Andre Durand says enterprises need per-action authorization, distinct agent identities and kill switches as AI agents compress security risk into minutes.

Wei-Lin Zhao

By Wei-Lin Zhao · AI Correspondent

· 4 min read

Ping Identity CEO and founder Andre Durand is urging enterprises to treat zero-trust architecture as an immediate requirement for AI agents, not a deferred security project. His argument is that agentic systems can execute so many actions so quickly that access decisions made at login are no longer a sufficient control point.

Durand said the problem is not a new security principle, but a change in operating speed. A compromised human account may create risk over minutes, hours or days, he said, while an AI agent could take a large number of actions in a few minutes. Ping Identity did not disclose a new product, pricing, customer count or adoption metric tied to the argument.

Agent access changes the risk model

Zero trust assumes no user, device or system should receive automatic trust, and requires repeated verification rather than relying on a single session check. Durand said agentic AI makes that model more urgent because permissions can build up quietly as employees approve requests for access to drives, databases, code repositories and other internal systems.

One approval may look harmless. Across many agents making many requests, Durand said, those decisions can create exposure that existing identity and access management systems were not designed to measure. He identified two variables that matter most: how much access an agent receives and how long that access remains valid.

Traditional access systems often grant broad permissions and maintain long sessions because the user is human. Durand’s preferred model is narrower and more temporary: validate the next action, not just the login state. That means authorization needs to move closer to the moment an agent attempts a consequential task, such as writing code to a repository.

Agents need their own identities

Durand said enterprises should not let agents operate through copied human credentials or shared service accounts. In his view, an agent can be delegated authority by a human, but the system should preserve a clear distinction between what the person did and what the agent did.

He also pointed to shared secrets, including API keys, as a weak point in current service account practices. Embedding keys in source code can lead to accidental exposure, and Durand said agentic workflows make that pattern riskier. His proposed direction is service account architecture that lets agents authenticate without long-lived shared credentials or standing access.

Where controls can be applied

Durand said enterprises already have some places to enforce policy, including API gateways and agent gateways in front of MCP servers. Those control points can inspect what an agent is requesting and apply rules before access is granted.

He said those policies could use real-time risk and fraud signals, then determine what an agent is allowed to do with a given system. In a code repository example, an agent would not carry permanent permission to write to GitHub. Its request to commit code would be evaluated at that specific moment against context and policy.

Review has to match agent speed

Durand also raised the problem of agents inside systems attempting to ignore guardrails or alter their assigned permissions. He argued that AI systems may be acceptable for advisory use even when they are imperfect, but a system deciding access cannot rely on a high-but-not-complete compliance rate.

His proposed answer is not full human review of every agent action. That would slow the process enough to undercut the point of using agents. Instead, he described a framework in which one agent’s output, such as code, is reviewed by separate agents that are prevented from communicating with one another or with the agent being checked.

Durand said higher-risk decisions still need clear human accountability. He compared the approach to audit sampling, where every transaction is not reviewed individually. The same logic can apply to agent risk: a single action may not justify intervention, while a sequence of actions in the same direction could trigger a threshold response, including a kill switch.

For buyers assessing agentic identity platforms, Durand said the work should cover the full agent lifecycle. That includes customer-facing agents acting for external users and internal agents automating enterprise work. He cited discovery, visibility, registration, assigned custodians and centralized policy enforcement as requirements enterprises should consider before agent deployments spread further.

This story draws on original reporting from VentureBeat.

More from AI

All AI →