THE SIGNAL

You’d never grant an employee that access. You handed it to an agent.

In every finance system I helped stand up, one rule was non-negotiable: no single identity could both create a vendor and release its payment. Segregation of duties. The clerk who books the invoice can't cut the check. The person who requests access isn't the one who approves it.

We built approval matrices, control points, and access reviews for one reason — so that no single identity could move unchecked across the process.

Then we wired an agent into that same system and gave it the keys to all of it.

→ The numbers say this is the rule, not the exception. CyberArk's 2025 Identity Security Landscape found 82 machine identities for every human, and while 88% of organizations still define a "privileged user" as a person, 42% of those machine identities already carry privileged or sensitive access.

Teleport's 2026 survey of 205 security leaders is blunter: 70% say their AI systems have more access than a human in the same role. Organizations with over-privileged AI reported a 76% incident rate against 17% for those that scoped access to the task. Same systems. More than four times the incidents. Teleport's own finding: access scope, not AI sophistication, was the strongest predictor of the outcome.

→ It isn't carelessness. It's friction. Teams grant broad access up front so the agent doesn't stall in production, then never revisit it: provisioned fast, scoped never. Only 3% of organizations have automated controls operating at the speed agents actually run at. The access outlives the reason it was granted, and nobody recertifies it.

→ Then watch it happen at machine speed. In late 2025, AWS engineers let a coding agent make changes on a live system; the agent reportedly chose to delete and recreate the environment, and Cost Explorer went dark in one region for roughly 13 hours. Amazon disputes the AI framing; it attributes the cause to "misconfigured access controls," not the model.

Read that again. Even by the vendor's own account, the failure wasn't intelligence. It was access.

→ This is the oldest discipline in enterprise systems. SOX taught a generation of us to design controls around what an identity is allowed to do before it acts, not after the audit finding. Approval matrices, segregation of duties, periodic access reviews. None of it was about distrust. It was about limiting what any single identity could do unsupervised.

An agent is an identity. We simply stopped applying the rules the moment the identity stopped being human.

The model isn't your risk. The access is. Govern the agent the way you'd govern a new hire holding root, because that's exactly what it is.

THE PATTERN

The Least-Privilege Test

Take one agent you've deployed. Before you widen what it can touch, run it through the three questions you'd ask of any new identity requesting access.

1. What's its job description? Name the narrowest set of systems and actions the agent needs to do its one job. If the honest answer is "whatever the account it inherited could already reach," you didn't scope an agent; you cloned a privileged user.

2. Can it both initiate and approve? Segregation of duties is the first control any auditor checks. If one agent can request and release, draft and sign, move and reconcile, you've rebuilt the exact conflict SOX exists to prevent.

3. When does the access expire? Standing access is the risk. Name the expiry and the recertification date. An identity nobody reviews is a key nobody remembers cutting.

The rule: If you can't write the agent's access on a badge (what it may touch, what it may do, what it may never do), it has more than it should.
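
One way to run the three questions mechanically, as an added example that is not from the newsletter. The `Badge` fields, agent names, and sample grants are constructed assumptions; the conflict pairs are the three named in question 2.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Initiate/approve pairs named in question 2 of the test.
SOD_PAIRS = [("request", "release"), ("draft", "sign"), ("move", "reconcile")]

@dataclass
class Badge:
    """Hypothetical record of one agent's access (field names are assumptions)."""
    agent: str
    may_touch: frozenset
    may_do: frozenset
    may_never: frozenset
    expires: Optional[date] = None
    recertify_by: Optional[date] = None
    inherited_from: Optional[str] = None  # account the grant was copied from

def audit(b: Badge, today: date) -> list:
    findings = []
    # Q1: is there a job description, or a cloned privileged user?
    if b.inherited_from:
        findings.append(f"scope: access inherited from {b.inherited_from}")
    if not b.may_touch or "*" in b.may_touch | b.may_do:
        findings.append("scope: systems or actions are unnamed or wildcard")
    if not b.may_never:
        findings.append("scope: no 'may never' limit written")
    # Q2: can it both initiate and approve?
    for first, second in SOD_PAIRS:
        if {first, second} <= b.may_do:
            findings.append(f"sod: can both {first} and {second}")
    # Q3: when does the access expire, and when is it recertified?
    if b.expires is None:
        findings.append("expiry: standing access, no expiry date")
    elif b.expires < today:
        findings.append("expiry: grant is past its expiry date")
    if b.recertify_by is None or b.recertify_by < today:
        findings.append("expiry: recertification missing or overdue")
    return findings

# Constructed sample data, not taken from any real system.
TODAY = date(2026, 1, 15)
CLONED = Badge("ap-agent", frozenset({"*"}), frozenset({"request", "release", "draft"}),
               frozenset(), inherited_from="svc-finance-admin")
SCOPED = Badge("invoice-intake", frozenset({"ap-inbox"}), frozenset({"draft", "request"}),
               frozenset({"release", "sign"}), expires=date(2026, 3, 31),
               recertify_by=date(2026, 2, 28))

if __name__ == "__main__":
    for badge in (CLONED, SCOPED):
        print(badge.agent, audit(badge, TODAY) or "badge is complete")
```

An empty findings list means all three blanks of the badge are filled and no initiate/approve pair is held by the same identity.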

THE SIGNAL BOARD

WHAT I AM TRACKING:

→ The platforms are making agents first-class identities. Microsoft Entra Agent ID reached general availability, governing agents through the same lifecycle and access controls as people and requiring every agent to carry a named human sponsor accountable for its access. The identity layer is catching up to the agent. Most governance models haven't. → Microsoft

→ Adoption is lapping control. SailPoint's global survey found 82% of organizations already run AI agents, but only 44% have policies in place to secure them and 72% rate agents a greater risk than traditional machine identities. The agents are in production. The access rules are still in committee. → SailPoint

→ Most agents aren't treated as actors at all. Gravitee's 2026 report found only about a fifth of teams treat AI agents as independent, identity-bearing entities; the rest bolt them onto existing accounts and let them inherit the access. You can't scope what you refuse to name. → Gravitee

THE MOVE

The exercise: write the badge.

Pick your most privileged agent.

In one sentence, write its access badge:

"This agent may touch ___, may take these actions ___, and may never ___."
Fill all three blanks.

If you can't name the limits, the agent doesn't have a job description; it has a master key. That's the one to scope before it scopes itself.

→ If the badge came back blank: DM me on LinkedIn or book 15 minutes — cal.com/ai-workflow/readiness-score

Agentic Congruence is a weekly newsletter about orchestrating ventures, agents, and systems. Published by La Maestría. Reply to this email anytime. I read everything.