Theme · 2025
Agentic identity arrives.
The year AI agents stopped being a hypothetical identity problem and became a procurement question every CIAM buyer started asking.
Published 2026-05-11
The shape of the problem
For most of the post-2020 CIAM era, the field treated machine identity as a solved adjacent problem: workload identities had HashiCorp Boundary and SPIFFE/SPIRE, service-to-service auth had mTLS and bearer tokens, and the CIAM layer cared about humans logging into apps. That separation worked for a decade.
It stopped working in 2025.
The forcing function was straightforward and recursive: more enterprise applications added AI agents that took actions on behalf of users, those agents needed credentials, the credentials needed to be scoped narrower than the underlying user's identity to satisfy least-privilege requirements, and the audit-log path needed to make the agent's authorship visible to the human reviewing it later. None of those four properties were native to the existing CIAM authentication stack. By mid-2025, every enterprise security review for a CIAM purchase included an "agent story" section that hadn't existed twelve months prior.
What the standards push actually delivered
Four primitives became the consensus 2025 vocabulary:
MCP (Model Context Protocol) support. What started as Anthropic's publication of a protocol for connecting LLMs to external tools became the de facto vocabulary for "this is how an AI agent identifies itself when calling an API." By Q3 2025, every credible CIAM vendor had a position: either MCP support shipped, or MCP support on the roadmap. The vendors that had neither stopped being part of serious enterprise evaluations.
OAuth 2.1 conformance. OAuth 2.1 had been stable for a few years; what 2025 added was the procurement pressure that made it a deal-blocker rather than a nice-to-have. The PKCE-by-default behavior and the deprecation of implicit flows in particular surfaced in vendor RFPs more aggressively than they had previously. Buyers learned to ask whether a vendor's OAuth support was "partial" (a euphemism for some-flows-yes-some-no) or full.
Dynamic client registration. DCR was the standard that genuinely needed 2025 to mainstream. The architectural shift was buyer-side: enterprises running large agent fleets needed the ability to provision client credentials programmatically rather than through console clicks. Vendors that supported DCR, and could prove it under load, won the agent-heavy deals.
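To make the DCR requirement concrete, here is an added, in-memory sketch of an RFC 7591-style registration endpoint written for this report; it is not any vendor's implementation. It validates the client metadata an agent fleet would submit (grant types, redirect URIs, authentication method, a stable `software_id` for correlation), stores the issued secret only as a hash, and applies a per-initial-access-token burst limit so that the "how many registrations per minute" question has an observable answer. The quota constant, the allowed grant set and the one-day secret lifetime are constructed assumptions.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque
from urllib.parse import urlparse

# Constructed policy values; real quotas come from the platform's documented limits.
BURST_PER_MINUTE = 20
ALLOWED_GRANT_TYPES = {
    "client_credentials",
    "authorization_code",
    "urn:ietf:params:oauth:grant-type:token-exchange",
}
ALLOWED_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "private_key_jwt"}
SECRET_LIFETIME_SECONDS = 86400


def _valid_redirect_uri(uri: str) -> bool:
    """Require https, or plain http only on the loopback interface (RFC 8252 native-app rule)."""
    p = urlparse(uri)
    if p.scheme == "https" and p.netloc:
        return True
    return p.scheme == "http" and p.hostname in ("127.0.0.1", "::1", "localhost")


class RegistrationEndpoint:
    """Simplified RFC 7591 POST /register handler (constructed example, in-memory state)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}                  # client_id -> stored record (secret kept hashed)
        self.recent = defaultdict(deque)   # initial access token -> registration timestamps

    def _rate_limited(self, initial_access_token: str) -> bool:
        """Sliding one-minute window per initial access token; rejected calls also count."""
        now = self.clock()
        q = self.recent[initial_access_token]
        while q and q[0] <= now - 60:
            q.popleft()
        if len(q) >= BURST_PER_MINUTE:
            return True
        q.append(now)
        return False

    def register(self, initial_access_token: str, metadata: dict) -> dict:
        if self._rate_limited(initial_access_token):
            return {"status": 429, "error": "too_many_requests"}
        grants = set(metadata.get("grant_types", ["authorization_code"]))
        if not grants <= ALLOWED_GRANT_TYPES:
            return {"status": 400, "error": "invalid_client_metadata",
                    "error_description": f"unsupported grant_types: {sorted(grants - ALLOWED_GRANT_TYPES)}"}
        redirect_uris = metadata.get("redirect_uris", [])
        if "authorization_code" in grants and (
                not redirect_uris or not all(_valid_redirect_uri(u) for u in redirect_uris)):
            return {"status": 400, "error": "invalid_redirect_uri"}
        auth_method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
        if auth_method not in ALLOWED_AUTH_METHODS:
            return {"status": 400, "error": "invalid_client_metadata",
                    "error_description": f"unsupported token_endpoint_auth_method: {auth_method}"}
        if auth_method == "private_key_jwt" and not (metadata.get("jwks") or metadata.get("jwks_uri")):
            return {"status": 400, "error": "invalid_client_metadata",
                    "error_description": "private_key_jwt requires jwks or jwks_uri"}
        if not metadata.get("software_id"):
            # For a fleet, the stable software_id (not the per-instance client_id) is what a reviewer correlates on.
            return {"status": 400, "error": "invalid_client_metadata",
                    "error_description": "software_id required"}

        client_id = secrets.token_urlsafe(16)
        issued_at = int(self.clock())
        record = {
            "client_id": client_id,
            "software_id": metadata["software_id"],
            "client_name": metadata.get("client_name", ""),
            "grant_types": sorted(grants),
            "redirect_uris": redirect_uris,
            "token_endpoint_auth_method": auth_method,
            # Hash of the registering token, so audit can group a fleet's registrations without storing the token.
            "registered_by": hashlib.sha256(initial_access_token.encode()).hexdigest()[:16],
            "client_id_issued_at": issued_at,
        }
        response = {"status": 201, "client_id": client_id, "client_id_issued_at": issued_at,
                    "grant_types": sorted(grants), "token_endpoint_auth_method": auth_method}
        if auth_method.startswith("client_secret"):
            client_secret = secrets.token_urlsafe(32)           # returned exactly once
            record["secret_sha256"] = hashlib.sha256(client_secret.encode()).hexdigest()
            response["client_secret"] = client_secret
            response["client_secret_expires_at"] = issued_at + SECRET_LIFETIME_SECONDS
        self.clients[client_id] = record
        return response

    def verify_secret(self, client_id: str, client_secret: str) -> bool:
        """Constant-time check of a presented secret against the stored hash."""
        record = self.clients.get(client_id)
        if not record or "secret_sha256" not in record:
            return False
        presented = hashlib.sha256(client_secret.encode()).hexdigest()
        return secrets.compare_digest(presented, record["secret_sha256"])
```

The burst limit is the knob the "manual approval" question in the checklist turns on: a platform that cannot state its sustained registration rate cannot tell you where programmatic provisioning ends and ticket-driven approval begins.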
Agent-vs-human token separation. This is the least-standardized of the four, the one that 2026 will probably consolidate. The general thesis emerged: tokens issued to an autonomous agent should be distinguishable from tokens issued to a human user, even when both are acting under the same underlying identity. Some vendors implemented this as a token-class field; others as scope conventions; the few mature implementations made it a first-class object in the audit log. The conventions are not yet identical across vendors, but the existence of the distinction is now expected.
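The token-class distinction is easier to evaluate with a concrete shape in front of you. The following is an added example written for this report, not code from any vendor named here: it exchanges a human user's token for a narrower agent token, carrying a `token_class` claim (the field convention the text mentions) and the RFC 8693 `act` (actor) claim to name the agent, enforces that the agent's scopes are a subset of the user's, and emits the audit record that makes the agent's authorship visible to a later reviewer. The HMAC-signed compact JWT, the claim names other than `act`, the scope strings and the rule that only human tokens may delegate are constructed assumptions; a production issuer would use an asymmetric key and its own claim vocabulary.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real issuer signs with an asymmetric key held by the IdP.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict) -> str:
    """Mint an HS256 compact JWT over the given claims (demo signing only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Check signature and expiry, return the claims. Raises ValueError on failure."""
    head, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] <= time.time():
        raise ValueError("expired")
    return claims


def issue_agent_token(user_token: str, agent_id: str, requested_scopes, ttl: int = 300) -> str:
    """Exchange a human token for an agent token scoped no wider than the human's (RFC 8693 style)."""
    user = verify_token(user_token)
    if user.get("token_class") != "human":
        # Assumption: only a human's token may delegate; agents may not re-delegate.
        raise PermissionError("only human tokens can delegate to an agent")
    user_scopes = set(user["scope"].split())
    requested = set(requested_scopes)
    if not requested <= user_scopes:
        raise PermissionError(f"agent requested scopes beyond the user's: {sorted(requested - user_scopes)}")
    now = int(time.time())
    claims = {
        "sub": user["sub"],             # still the human's identity ...
        "token_class": "agent",         # ... but a distinguishable token class
        "act": {"sub": agent_id},       # RFC 8693 actor claim: who is actually acting
        "scope": " ".join(sorted(requested)),
        "iat": now,
        "exp": now + ttl,               # agent tokens are short-lived by construction
    }
    return sign_token(claims)


def audit_entry(claims: dict, action: str) -> dict:
    """Audit record in which the agent, not just the human principal, is the visible author."""
    actor = claims.get("act", {}).get("sub")
    return {
        "principal": claims["sub"],
        "actor": actor or claims["sub"],
        "token_class": claims["token_class"],
        "delegated": actor is not None,
        "action": action,
    }
```

When reading a vendor's audit log, the `actor` and `delegated` columns above are what to look for: an entry that records only `principal` is the "agent traffic looks like user traffic" failure the text describes.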
Who shipped, who positioned, who didn't
The field divided into roughly three groups by year-end.
The shippers. WorkOS, Auth0, and Stytch shipped against all four primitives during 2025: not just announced support, but had customers in production. Each took a different shape: WorkOS leaned into the B2B SaaS case (the agent calling internal APIs on behalf of an authenticated user); Auth0's strength was its FGA work as the authorization layer underneath agent actions; Stytch positioned around developer experience for AI-native SaaS startups building agents-first. The three are not interchangeable, and the procurement evaluation depends on which agent shape your application takes, but all three are defensible 2026 picks for agent-aware deployments.
The positioners. Descope, Clerk, and a tier of B2B-SaaS-adjacent vendors (Scalekit, SSOJet, Authsignal) shipped against at least two of the four primitives during 2025 and credibly committed to the rest. Picking one of these vendors is reasonable if their other strengths fit your use case; the agent story is solid but slightly behind the leaders.
The absent. A material portion of the legacy enterprise tier published neither product nor public roadmap for agentic identity in 2025. ForgeRock's absence is partly explained by the Ping merger uncertainty; most of the roadmap energy went into integration questions. LoginRadius's absence is not similarly explainable; the product simply did not engage with the 2025 standards push. Several smaller B2C-only vendors (intentionally unnamed here) are in a similar position. For any 2026 deployment expected to serve agent traffic, these vendors are not viable.
The authorization shoe that hasn't dropped
The 2025 standards push solved authentication for agents. It did not solve authorization for agents.
The conceptual problem is approachable: per-agent, per-tool, per-action policy is exactly what FGA / ReBAC engines are designed for. The operational problem, how to author and review the resulting policy at the scale a busy enterprise produces, is the open 2026 question.
Several vendors made early moves. Auth0 FGA continued to be the most-mature FGA-as-a-product story; SlashID's authorization model leans into agent scenarios explicitly; emerging entrants (some not yet in this index) are building dedicated agent-authorization layers separately from CIAM. The field is fragmenting faster than consolidating, which is why this report does not yet have an "agent authorization" segment award. By the 2026 edition, it likely will.
The procurement consequence
If you are buying CIAM in 2026, agentic identity is no longer a "future roadmap" line item to be evaluated alongside other roadmap items. It is a present-tense procurement axis on the same level as standards conformance, passkey support, or SOC 2 attestation. The vendor questionnaire should include:
- Token classes. Does the platform issue distinguishable tokens to agents vs humans? How is the distinction surfaced in the audit log?
- DCR under load. How many client registrations per minute does the platform sustain? At what point does manual approval become a procurement requirement?
- MCP coverage. Does MCP support extend to outbound tool calls (agent calling vendor API on your behalf) or only inbound (vendor API consuming MCP traffic)? These are not the same.
- Agent identity revocation. How are compromised agent credentials revoked across the fleet? What's the propagation time?
- Authorization granularity. Can policy distinguish between "agent-on-behalf-of-user X" and "agent-on-its-own-authority"? If yes, how is the distinction expressed?
These five questions are the 2026 agent-readiness checklist. Vendors that answer all five with shipped-and-customer-validated responses are the 2026 leader tier. Vendors that answer two of them are the challenger tier. Vendors that cannot answer any are not in the running.
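The authorization-granularity question, and the FGA / ReBAC framing from the section above, can be checked against a small policy evaluator. The following is an added example written for this report, not any vendor's engine: it takes the claims of an already-verified token and answers "agent on behalf of user X" and "agent on its own authority" through different paths. In the delegated path the agent must be on a per-agent allow-list for the action, the action must be inside the delegated token's scope, and the human principal must hold a sufficient relation on the object; in the own-authority path the agent's own relation tuples decide. The relation tuples, action-to-relation map, allow-list and the `token_class` / `act` claim conventions are constructed assumptions.

```python
# Constructed relation tuples in the (subject, relation, object) shape ReBAC engines use.
RELATIONS = {
    ("user:alice", "editor", "calendar:alice"),
    ("user:alice", "viewer", "calendar:team"),
    ("agent:scheduler", "viewer", "calendar:team"),   # the agent's OWN grant, no human involved
}

# Relations sufficient for each action.
ACTION_RELATIONS = {
    "calendar.read": {"viewer", "editor"},
    "calendar.write": {"editor"},
}

# Per-agent allow-list of actions it may ever take while acting for a human.
DELEGABLE_ACTIONS = {
    "agent:scheduler": {"calendar.read", "calendar.write"},
}


def has_relation(subject: str, obj: str, relations_needed) -> bool:
    """True if the subject holds any of the needed relations on the object."""
    return any((subject, rel, obj) in RELATIONS for rel in relations_needed)


def _decision(allowed: bool, mode: str, reason: str) -> dict:
    return {"allowed": allowed, "mode": mode, "reason": reason}


def authorize(claims: dict, action: str, obj: str) -> dict:
    """Decide an action for a verified token, distinguishing the three authority modes."""
    needed = ACTION_RELATIONS.get(action)
    if needed is None:
        return _decision(False, "n/a", f"unknown action {action}")
    token_class = claims.get("token_class", "human")
    actor = claims.get("act", {}).get("sub")
    scopes = set(claims.get("scope", "").split())
    principal = claims["sub"]

    if token_class == "agent" and actor:
        # Mode 1: agent acting on behalf of a human. Both parties must be allowed.
        mode = "on_behalf_of"
        if action not in DELEGABLE_ACTIONS.get(actor, set()):
            return _decision(False, mode, f"{actor} is not permitted to perform {action} for a user")
        if action not in scopes:
            return _decision(False, mode, f"{action} is outside the delegated token's scope")
        if not has_relation(principal, obj, needed):
            return _decision(False, mode, f"{principal} lacks a sufficient relation on {obj}")
        return _decision(True, mode, f"{actor} acting for {principal}")

    if token_class == "agent":
        # Mode 2: agent on its own authority. Only the agent's own tuples count.
        mode = "own_authority"
        if action not in scopes:
            return _decision(False, mode, f"{action} is outside the agent token's scope")
        if not has_relation(principal, obj, needed):
            return _decision(False, mode, f"{principal} holds no own grant on {obj}")
        return _decision(True, mode, f"{principal} acting on its own authority")

    # Mode 3: plain human token.
    mode = "human"
    if action not in scopes:
        return _decision(False, mode, f"{action} is outside the token's scope")
    if not has_relation(principal, obj, needed):
        return _decision(False, mode, f"{principal} lacks a sufficient relation on {obj}")
    return _decision(True, mode, f"{principal} acting directly")
```

The `mode` field in every decision is the part worth insisting on in a vendor answer: if the engine cannot report which path it took, neither the audit reviewer nor the policy author can tell an over-broad delegation from a misconfigured agent grant.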
The 2025 transition was real and irreversible. The 2026 question is who operationalizes the consequences cleanly.