Ping Identity and KuppingerCole Analysts Examine Runtime Authorization Gaps

Ping Identity commissioned new research from KuppingerCole Analysts on how enterprises govern AI agents at runtime as these systems move into production. The work focuses on emerging authorization gaps that can appear when agents act beyond controls built for human users.

The report describes a shift from managing identities to controlling how identities act across systems, data, and workflows. It also outlines a failure mode where an AI agent combines individually legitimate permissions in unintended ways, producing actions that established controls cannot fully trace or govern.

KuppingerCole Analysts said access grants permission but does not enforce control, and they described several risk areas for agent operations. These include delegation opacity and sub-agent spawning that break auditability, implicit human assumptions in IAM where OAuth and OIDC models depend on human decision-makers that agents bypass, context leakage across systems without continuous re-evaluation of authorization, and questions around permission inheritance, liability, and enforcement in agent-to-agent interactions.

The researchers laid out an independent blueprint for controlling autonomous AI, grounded in identity, policy-based authorization, governance and oversight, and accountability. It extends identity and zero trust principles toward continuous runtime authorization and governance. “Enterprises are deploying autonomous AI faster than they can govern it,” said Andre Durand, CEO & Founder, Ping Identity. The report also cited findings from IBM’s 2025 Cost of a Data Breach report and included a statement from Martin Kuppinger on extending identity and authorization models for autonomous agents operating in dynamic environments.