Machine identities outnumber your people many times over, and unlike your people, no manager owns them and no auditor asks hard questions about them. So they accumulate access, keep static credentials, and outlive the projects they were built for. The fix is an owner for every one, plus telemetry to surface the dead and the over-privileged.
Getting rid of standing access sounds simple until you ask how anyone gets in when they need to. An authorization broker is the answer: a choke point that issues short-lived, scoped, audited access. Here's when a broker is worth running and when native IAM is already enough.
Workload identity is the goal: no static secrets, short-lived credentials, identity the platform vouches for. But you can't flip to it everywhere at once. Here's what has to be true before a workload can drop its secrets, and what to do about the systems that aren't there yet.
On paper a role grants a short list of permissions. In practice you assume a role, land on an instance, the instance has its own role, and that role reaches further. The dangerous access is the access you cannot see, and most reviews never look for it.
There is no single perfect IAM setup, and you will never get the unlimited budget or the greenfield to build one. What 'good' looks like depends on your company's size and stage. The real skill is knowing which identity investment to make next, and which to skip until later.
AI writes a growing share of the code in every repo, and almost no team can say which lines came from a model or who is accountable for them. That gap turns expensive the moment IP changes hands, a security review needs prioritizing, or an auditor asks. Most of the fix is attribution you can build from git metadata you already have.
The agent stack runs in three directions: MCP to tools, A2A to other agents, AG-UI to the user. Two of them cross a trust boundary, and a single boundary test decides which protocols earn their keep there and which are theater inside a system you already own.
The same shape that makes AI useful for access reviews extends to firewall rule cleanup, certificate rotations, vulnerability triage, and a long list of other recurring compliance work. The criteria are simple: the task happens on a schedule, it produces evidence, and the action it proposes is bounded. Here's how to build the agents and the guardrails that keep them honest.
Most organizations still run access reviews as a quarterly attestation ritual. The telemetry to do them continuously has existed for years; the shift is from evidence of process to evidence of outcomes. AI takes the routine volume, and a named human still signs the call.
Articles claiming that MCP is going away in favor of direct API calls with workload identity are half right. For systems you own, the direct call is often cleaner. For third-party services, MCP is the only surface where security policy, audit, and blast-radius control can live.
