
Agents Don’t Click: Why Agentic AI Is an Infrastructure Crisis

By Alex Bovee, CEO and co-founder at C1

Every enterprise system you rely on was built around a single assumption: a human is in the loop. OAuth consent screens wait for a click. MFA prompts wait for a fingerprint. Approval workflows wait for someone to navigate a wizard and click a button.

For twenty years, this was fine. The human was both the operator and the control plane. If something went wrong, a person would notice and intervene.

Now the fastest-growing class of enterprise “user” has no browser, no fingers, and no concept of business hours. Gartner predicts 40% of enterprise applications will embed task-specific AI agents by the end of 2026, up from less than 5% in 2025. The question isn’t whether agents will transform enterprise workflows—that’s already happening.

The question is whether the infrastructure underneath can handle it.

Built for Browsers, Not for Agents

Enterprise software’s architectural DNA was forged in the GUI era. Session-based interaction. Sequential workflows. Human-speed throughput.

The consumerization wave of the 2010s modernized the surface, making enterprise apps look more like mainstream digital products. But the plumbing didn’t change.

The API-first pivot of the last decade decoupled interfaces from business logic. That was necessary but insufficient. Most enterprise APIs were designed as supplements to the GUI, not as the primary interface. Nearly 60% of business and IT leaders cite legacy system integration as their primary barrier to AI agent adoption.

Agentic AI doesn’t navigate UIs or maintain browser sessions. It reasons about objectives and calls tools through APIs. When it encounters an OAuth consent screen, an MFA challenge, or a CAPTCHA, it stops.

Not because it lacks intelligence. Because the infrastructure requires a human body that isn’t there.

That gap between “API-available” and “machine-ready” runs through every layer of the enterprise stack. The systems aren’t broken. They were built for a user that no longer reflects who (or what) is doing the work.

The Identity Assumption That No Longer Holds

Every enterprise identity system was built on a core premise: each identity maps to a person. Role-based access control, session management, MFA, periodic access reviews. All presuppose a human who logs in, performs tasks within a bounded session, and logs out.

AI agents shatter this model. They don’t log in in any traditional sense. They spawn sub-agents that need their own scoped credentials. They act on behalf of humans without human presence, and can dynamically create identities that are invisible to conventional IAM.

The authorization problem is equally deep. OAuth 2.0’s authorization code flow requires a browser redirect and human authentication — things an agent doesn’t have. The conventional fallback, client credentials, strips out user context entirely, collapsing all user-level authorization into a single service identity.

The agent use case requires context-aware delegation without direct human presence. The IETF OAuth working group has active drafts addressing this. They remain drafts, not deployed infrastructure.

Then there’s the delegation chain problem. When an orchestrator agent spawns a specialist agent that calls a tool-execution agent, each hop needs scoped authorization tracing back to the original human principal. Today’s token exchange standards document these chains but don’t enforce them. A compromised agent with a valid delegation token can act on downstream systems with no way to verify whether each hop was actually authorized.

This is the confused deputy problem, where a trusted intermediary is tricked into misusing its authority, reborn at enterprise scale.

The numbers confirm what the architecture exposes. 92% of organizations lack full visibility into their AI identities. 86% don’t enforce access policies for them. Only 5% feel confident they could contain a compromised AI agent.

In my conversations with CISOs and CIOs, the same question keeps coming up: who approved access, and on whose behalf?

The 100-to-1 Problem

The scale makes the identity gap existential, not theoretical.

Non-human identities already outnumber humans by 45:1 in the average enterprise. In cloud-native environments, 144:1. In hyper-automated sectors, 500:1. These identities are growing at 44 to 77% year-over-year, and agent identities alone are projected to grow 85% in the next 12 months.

The governance gap is staggering. 97% of non-human identities carry excessive privileges. 71% of their credentials haven’t been rotated on schedule. Two-thirds of non-human accounts are unseen and unmanaged.

88% of organizations still define only humans as “privileged users,” leaving the entire machine identity population outside privileged access governance.

This isn’t abstract risk modeling. The Midnight Blizzard attack on Microsoft began with a legacy test OAuth application that lacked MFA, carried elevated privileges, and had no lifecycle governance to flag it for decommissioning. An orphaned non-human identity, sitting in production, waiting.

GitHub detected 39 million leaked secrets on its platform in 2024. 70% of secrets leaked in 2022 are still active today. The OWASP Non-Human Identities Top 10 codifies the pattern: improper offboarding, secret leakage, and overprivilege.

We’ve seen this movie before with service account sprawl in the cloud era. Agents are the sequel, running at 10x the speed.

Now layer AI agents on top. They create and consume non-human identities dynamically, request elevated permissions autonomously, and chain actions across systems in ways that are difficult to predict or audit. Every existing governance gap gets amplified by entities that operate at machine speed with human-level decision-making authority.

91% of organizations are already using AI agents. Only 10% have governance in place.

Identity Has to Go Headless

Here is what the industry is missing: headless infrastructure.

Headless is a recurring architectural inflection that hits every enterprise platform once two conditions are met: the value lives in the data and logic rather than the UI, and the number of surfaces consuming that data has exceeded what one interface can serve.

Content management went headless around 2014. Commerce followed around 2018. In April 2026, CRM joined the shift when a major platform called its API-first decomposition the most significant architectural change in its history. The reason was explicit: AI agents, not humans, are becoming the primary consumers.

Identity is the next domain to make this transition. And the most consequential one, because identity is the horizontal control layer that touches every other system in the enterprise.

Today, the identity stack is scattered across five or six categories that don’t talk to each other: directories, vaults, credential managers, real-time authorization engines, governance suites, and agentic-identity point solutions. Each fragment is independently going API-first. None shares an identity graph, a policy model, or an audit trail with the others.

The result is that enterprises run a vault from one source, an IGA suite from another, an authorization engine from a third, a PAM tool from a fourth, and an NHI scanner from a fifth. All duct-taped together with glue code that no one governs.

Headless identity means every primitive of the identity stack is exposed as APIs and protocol-native tooling, callable from wherever work actually happens: chat interfaces, developer environments, CI/CD pipelines, runtime sidecars, autonomous agents. The admin console becomes one client among many. The API becomes the contract.

Operationally, this means an engineer in an AI-assisted IDE, a workflow running in a pipeline, and an autonomous agent calling a tool all authenticate and authorize through the same programmable layer, with the same policy enforcement, in real time.

The specific infrastructure requirements follow from this architecture. Credential brokering at runtime, so agents never possess long-lived secrets, and credentials are resolved at invocation time by a broker that the agent runtime never sees. Intent-aware, dynamic authorization, because static role grants cannot govern entities whose behavior is non-deterministic.

Mandatory delegation chains, where every agent action carries a verifiable chain from the human principal through each agent hop to the final action, cryptographically enforceable at each step. And real-time revocation, so a compromised agent’s access dies within seconds, not at token expiry.
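The delegation-chain requirement described above, and the unenforced token-exchange chains in the identity section, as an added illustration that is not the author's or any product's code. It assumes constructed per-principal HMAC keys and an in-memory revocation set in place of a real key infrastructure; each hop is signed by its delegator, linked by hash to the previous hop, may only narrow scope, and is checked for revocation on every use rather than at expiry.

```python
import hashlib, hmac, json, time

# Constructed per-principal signing keys. Assumption: a real deployment would
# use per-workload asymmetric keys, not a shared dict of HMAC secrets.
KEYS = {"alice": b"k-alice", "orchestrator": b"k-orch", "specialist": b"k-spec"}
REVOKED = set()  # hop ids revoked out of band; consulted on every use, not at expiry

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def _sign(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def delegate(chain, delegator, delegatee, scopes, ttl=300, now=None):
    """Append one hop. The delegator must hold the chain and may only narrow scopes."""
    parent = chain[-1] if chain else None
    if parent and delegator != parent["sub"]:
        raise ValueError("only the current delegatee may delegate further")
    if parent and not set(scopes) <= set(parent["scopes"]):
        raise ValueError("scope escalation refused")
    body = {"iss": delegator, "sub": delegatee, "scopes": sorted(scopes),
            "exp": int(now or time.time()) + ttl,
            "hop_id": f"{len(chain)}:{delegator}->{delegatee}",
            "parent": _digest(parent) if parent else None}  # binds this hop to its parent
    return chain + [{**body, "sig": _sign(KEYS[delegator], body)}]

def verify(chain, action, human_root, now=None):
    """Walk every hop back to the human principal; any failed check denies the action."""
    now = now or time.time()
    if not chain or chain[0]["iss"] != human_root:
        return False, "chain does not originate from the human principal"
    prev = None
    for i, hop in enumerate(chain):
        key = KEYS.get(hop["iss"])
        body = {k: v for k, v in hop.items() if k != "sig"}
        if key is None or not hmac.compare_digest(_sign(key, body), hop["sig"]):
            return False, f"hop {i}: bad signature"
        if hop["hop_id"] in REVOKED:
            return False, f"hop {i}: revoked"
        if hop["exp"] < now:
            return False, f"hop {i}: expired"
        if prev is not None and (hop["iss"] != prev["sub"] or hop["parent"] != _digest(prev)):
            return False, f"hop {i}: not linked to the previous hop"
        if prev is not None and not set(hop["scopes"]) <= set(prev["scopes"]):
            return False, f"hop {i}: scopes exceed delegator's"
        prev = hop
    if action not in chain[-1]["scopes"]:
        return False, "action outside the final hop's scope"
    return True, "ok"
```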

Individual pieces of this exist. Credential vaults, runtime authorization engines, and workload identity frameworks are all mature in isolation. The gap is unification: no single identity control plane operates across human, service, workload, and agent identities with one graph, one policy model, and one audit trail.

The Window

Gartner predicts that over 40% of agentic AI projects will be canceled by the end of 2027. Not because the AI doesn’t work, but because the infrastructure underneath it doesn’t.

Every important enterprise platform is decomposing from monolith to headless architecture. Identity is next, and the forcing function is the biggest of any prior wave: a new class of operator that has no eyeballs, requiring instant credentials, authorization decisions in milliseconds, and a delegation chain that ties every action back to a human sponsor.

None of that is solvable at a UI. The organizations that understand this will build the infrastructure that defines how enterprises operate in the machine-speed era. The ones that don’t will spend the next decade cleaning up the consequences.
