
Why AI Agents Need Network Identity

Every enterprise identity system was designed for a world where humans were the only entities connecting to the network. AI agents are ending that assumption, and the security gap at the network layer is widening fast.

Active Directory. Okta. Entra ID. RADIUS. Every identity system your organization relies on was built for a simple premise: the things connecting to your network are humans, or devices operated by humans.

That premise is rapidly becoming obsolete. Coding assistants review pull requests autonomously. Customer service agents handle tickets end to end. Data pipeline orchestrators spawn sub-agents to parallelize workloads. RPA bots execute multi-step workflows across systems without human intervention. According to Gartner, 40% of enterprise applications will feature task-specific AI agents by the end of 2026, up from less than 5% in 2025.

These agents are already on your network. The question is whether your identity infrastructure knows they exist.

The Scale of the Problem

The numbers paint a picture that most security teams are not prepared for. Research from CyberArk and Entro Security shows that enterprises already manage 82 to 144 machine identities for every human identity. AI agents are about to multiply that ratio by an order of magnitude.

The authentication volume alone changes the calculus. A human employee generates 2 to 5 authentication events per day. An IoT device generates 5 to 20. An AI agent performing API calls, accessing network resources, re-authenticating after task boundaries, and rotating credentials generates 50 to 500 authentication events per day. That is not a marginal increase. It is a fundamentally different pattern that existing monitoring systems are not calibrated to handle.

Meanwhile, 48% of cybersecurity professionals identify agentic AI as the top attack vector heading into 2026, outranking deepfakes and password attacks. The threat model is clear. The security infrastructure to address it is not.

Five Gaps in Current Identity Systems

Current enterprise identity systems fail AI agents in five fundamental ways. These are not theoretical shortcomings. They are operational blind spots that create real exposure.

1. No Behavioral Baseline

Your ITDR system knows what "normal" looks like for a human: login at 8 AM, access email and a few applications, generate a modest volume of traffic, go home at 6 PM. But what does normal look like for a coding assistant that operates around the clock? Or a customer service agent that handles 200 tickets per shift? Or an autonomous data pipeline that spins up 15 sub-agents during a batch processing window?

Nobody has established behavioral baselines for AI agents because AI agents are a new category of network entity. Without baselines, anomaly detection is meaningless. You cannot distinguish a compromised agent from a busy one.

2. No Compromise Detection

How do you tell the difference between a legitimate AI agent performing an unusual task and a compromised agent exfiltrating data? Current identity threat detection is trained on human behavioral patterns. An AI agent accessing 50 different network resources in an hour is suspicious for a human. For a well-scoped data integration agent, it might be Tuesday.

Without agent-specific threat models, security teams either drown in false positives or miss actual compromises because they tuned their alerts to ignore the volume AI agents generate.

3. No Certificate Lifecycle at Scale

Managing certificate rotation for 10 managed laptops is straightforward. Managing it for 10,000 autonomous agents that need to authenticate 24/7 requires a fundamentally different approach. Manual MDM enrollment does not scale. Agents need API-first certificate provisioning with automated rotation, short-lived credentials measured in hours rather than months, and instant revocation that propagates in seconds.

4. No Purpose-Scoped Access

A coding assistant should never reach the production database VLAN. A customer service agent should never touch the development environment. A financial reporting bot has no business communicating with the HR system. But current RADIUS policies do not understand agent purpose. They authenticate devices and users, not the intent behind the connection.

Without purpose-scoped access, every agent operates with whatever permissions its host device has. A compromised agent on an engineer's laptop inherits the engineer's network access, which is precisely the lateral movement path attackers look for.

5. No Inventory

Most organizations cannot answer a straightforward question: How many AI agents are accessing our network right now, and what are they doing? The average enterprise already has 1,200 unofficial AI applications in use, with 86% of organizations reporting no visibility into their AI data flows. Without an inventory of what agents are operating on the network, security teams cannot enforce policy on entities they do not know exist.

The Shadow AI Problem

Just as shadow IT created unmanaged devices on enterprise networks, shadow AI is creating unmanaged agents. Developers deploy AI coding assistants. Marketing teams spin up content agents. Operations groups automate workflows. Each of these agents connects to the network, authenticates to resources, and generates traffic that security teams cannot attribute to a known identity.

Why the Network Layer Matters

The non-human identity market raised over $400 million in 2025. Gartner recognized machine identities as a distinct market segment. CrowdStrike paid $740 million for SGNL's continuous identity verification technology. NIST launched the AI Agent Standards Initiative in February 2026.

But every one of these efforts is focused on the application layer: API keys, OAuth tokens, cloud workload permissions. Nobody is solving AI agent identity at the network layer, where physical access is granted, where lateral movement happens, and where the most consequential security decisions are made.

There are structural reasons why the network layer is the right place to solve this problem.

Why Network-Layer Identity Cannot Be Bypassed

  • WiFi is the physical access layer. Every AI agent running on a laptop, edge device, or on-premise server connects to the network via WiFi or wired Ethernet. RADIUS is the gatekeeper. Application-layer identity tells you who is authorized. Network-layer identity tells you who is actually connected and what they are doing.
  • RADIUS already authenticates machines. The protocol handles MAC authentication, certificate-based EAP-TLS, and device posture checking. The jump from "authenticate this device" to "authenticate this AI agent running on this device" is a protocol extension, not a rewrite.
  • Network visibility catches what the application layer misses. A compromised AI agent with valid OAuth tokens will pass every application-layer check. At the network layer, you see the lateral movement: the agent accessing VLANs it has never touched, communicating with peers outside its normal pattern, moving data at three times its baseline volume.
  • Certificates are the right primitive for agents. Agents cannot do passwords. They cannot do biometrics. They can do certificates: automated provisioning via SCEP/EST, automatic rotation, revocation on compromise.
  • Multi-vendor coverage means universal deployment. Agent identity must work regardless of whether the organization uses Cisco, Aruba, Meraki, Ubiquiti, Ruckus, or any of the 45+ vendors that Cloud RADIUS supports.

What Network-Layer AI Agent Identity Looks Like

Securing AI agents at the network layer requires four capabilities working together. None of them is sufficient on its own.

Certificate-Based 802.1X Authentication

AI agents authenticate to the network using X.509 certificates issued via the SCEP or EST protocols. These certificates carry agent-specific metadata: the agent's purpose, its authorized VLANs, its risk threshold. Short-lived certificates, measured in hours rather than months, eliminate the risk of long-lived credentials being compromised. Revocation propagates via RADIUS Change of Authorization (CoA) to disconnect a compromised agent in under 30 seconds.

This is not a theoretical capability. It is a direct extension of how certificate-based device authentication already works in 802.1X deployments. The difference is treating the agent as a first-class identity rather than inheriting the device's identity.

Purpose-Scoped VLAN Assignment

When an AI agent authenticates, RADIUS returns VLAN attributes based on the agent's registered purpose, not its host device. A coding assistant lands on the development VLAN. A customer service agent lands on the CRM VLAN. A financial reporting bot lands on the analytics VLAN. Each agent gets access only to the network segments required for its function.

This turns RADIUS from a device-level gatekeeper into an agent-level policy engine. The same physical laptop can host three different AI agents, each with different network access profiles.
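To make the purpose-scoped decision concrete, here is a small policy engine written for this post as an added illustration; it is not IronWiFi's Cloud RADIUS code. It assumes the agent's certificate has already passed EAP-TLS validation and been decoded by the RADIUS server (the AgentCert class stands in for those decoded fields), and that the registered purpose is carried in a URI subject alternative name of the form urn:agent:purpose:<name>, which is an assumed encoding. The VLAN numbers and the 72-hour lifetime cap are constructed policy values. The decision returns the RADIUS tunnel attributes that place the agent on its purpose VLAN and rejects revoked, expired, over-long or purpose-less certificates.

```python
"""Purpose-scoped RADIUS policy for an AI agent certificate (added illustration).

Assumes EAP-TLS has already validated the chain; AgentCert stands in for the
fields the RADIUS server decoded from the presented certificate.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Longest validity an agent certificate may carry (the 1-72 hour range in the
# text); anything longer is treated as a mis-issued, long-lived credential.
MAX_AGENT_CERT_LIFETIME = timedelta(hours=72)

# Registered purpose -> VLAN. Constructed sample policy, not real VLAN ids.
PURPOSE_VLANS = {
    "coding-assistant": 110,      # development VLAN
    "customer-service": 120,      # CRM VLAN
    "financial-reporting": 130,   # analytics VLAN
}

# RADIUS tunnel attribute values for VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class AgentCert:
    subject_cn: str
    san_uris: list          # URI SANs; purpose is "urn:agent:purpose:<name>" (assumed)
    not_before: datetime
    not_after: datetime
    serial: str


def agent_purpose(cert):
    """Return the registered purpose from the URI SAN, or None if absent."""
    for uri in cert.san_uris:
        if uri.startswith("urn:agent:purpose:"):
            return uri.rsplit(":", 1)[1]
    return None


def reject(reason):
    return ("Access-Reject", {"reason": reason})


def decide(cert, revoked_serials, now):
    """Produce the RADIUS reply for an agent that has presented `cert`."""
    if cert.serial in revoked_serials:
        return reject("certificate revoked")
    if not (cert.not_before <= now < cert.not_after):
        return reject("certificate outside validity period")
    if cert.not_after - cert.not_before > MAX_AGENT_CERT_LIFETIME:
        return reject("certificate lifetime exceeds agent policy")
    purpose = agent_purpose(cert)
    if purpose not in PURPOSE_VLANS:
        return reject("no registered purpose in certificate")
    return ("Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(PURPOSE_VLANS[purpose]),
        # Force re-authentication when the short-lived certificate expires,
        # so a session never outlives the credential that opened it.
        "Session-Timeout": int((cert.not_after - now).total_seconds()),
    })


def sample_decisions():
    """Constructed scenarios exercising each branch; returns {name: reply}."""
    now = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    hour = timedelta(hours=1)
    coding = AgentCert("ci-reviewer-01", ["urn:agent:purpose:coding-assistant"],
                       now - hour, now + 7 * hour, "0A1")
    long_lived = AgentCert("legacy-bot", ["urn:agent:purpose:customer-service"],
                           now - hour, now + 365 * 24 * hour, "0A2")
    no_purpose = AgentCert("mystery-agent", [], now - hour, now + hour, "0A3")
    revoked = AgentCert("ci-reviewer-02", ["urn:agent:purpose:coding-assistant"],
                        now - hour, now + hour, "0A4")
    revoked_serials = {"0A4"}   # constructed revocation list
    return {name: decide(cert, revoked_serials, now)
            for name, cert in [("coding", coding), ("long_lived", long_lived),
                               ("no_purpose", no_purpose), ("revoked", revoked)]}


if __name__ == "__main__":
    for name, reply in sample_decisions().items():
        print(name, reply)
```

Note the Session-Timeout attribute: it is what ties the network session to the certificate lifetime, so the switch or access point forces a fresh EAP-TLS exchange (and therefore a fresh policy decision) when the short-lived credential runs out.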

Behavioral Monitoring

The ITDR baseline engine learns what "normal" looks like for each agent type over its first 7 to 14 days of operation. A coding assistant that normally accesses 3 VLANs and generates 200 authentication events per day sets a baseline. When that same agent suddenly accesses 12 VLANs and generates 2,000 events, the system flags the deviation for investigation.

Agent-specific behavioral dimensions include authentication frequency, VLAN access patterns, peer communication graphs, data transfer volumes, and temporal patterns. These dimensions are distinct from human behavioral baselines and require purpose-aware detection models.
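The following added example (not IronWiFi's ITDR engine) shows one way to learn such a baseline and flag the deviation described above. It builds a constructed log of authentication events for one agent, 14 days of roughly 200 events across 3 VLANs followed by a day of 2,000 events across 12 VLANs, learns the per-day event count and VLAN set over the window, and flags any later day that exceeds the mean plus three standard deviations or touches a VLAN never seen during the baseline. The sensitivity factor K and the agent name are assumed values.

```python
"""Agent behavioral baseline and deviation check over a constructed auth log.

Added example, not IronWiFi's ITDR engine. Events are (agent id, timestamp,
VLAN) tuples as a RADIUS accounting feed might yield them after parsing.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

K = 3.0                 # deviation sensitivity; assumed tuning value
MIN_BASELINE_DAYS = 7   # lower bound of the 7-14 day learning window


def build_sample_log():
    """Constructed log for one agent: 14 baseline days of ~200 events across
    3 VLANs, then a day with 2,000 events across 12 VLANs."""
    start = datetime(2026, 2, 1, tzinfo=timezone.utc)
    baseline_vlans = [110, 120, 140]
    events = []
    for d in range(14):
        n = 200 + (d % 5) - 2                  # 198..202, small steady variation
        for i in range(n):
            ts = start + timedelta(days=d, seconds=i * 400)
            events.append(("ci-reviewer-01", ts, baseline_vlans[i % 3]))
    anomalous_vlans = baseline_vlans + list(range(150, 240, 10))   # 12 VLANs
    for i in range(2000):
        ts = start + timedelta(days=14, seconds=i * 40)
        events.append(("ci-reviewer-01", ts, anomalous_vlans[i % 12]))
    return events


def daily_profiles(events):
    """Group events into {day: (event count, set of VLANs touched)}."""
    counts, vlans = defaultdict(int), defaultdict(set)
    for _agent, ts, vlan in events:
        day = ts.date()
        counts[day] += 1
        vlans[day].add(vlan)
    return {day: (counts[day], vlans[day]) for day in counts}


def learn_baseline(profiles, window_days=14):
    """Summarise the first `window_days` days as the agent's normal behaviour."""
    days = sorted(profiles)[:window_days]
    if len(days) < MIN_BASELINE_DAYS:
        raise ValueError("not enough days to establish a baseline")
    counts = [profiles[d][0] for d in days]
    seen = set().union(*(profiles[d][1] for d in days))
    return {"mean": mean(counts), "stdev": pstdev(counts),
            "vlans": seen, "last_day": days[-1]}


def evaluate(profiles, baseline):
    """Return {day: [reasons]} for every post-baseline day that deviates."""
    findings = {}
    threshold = baseline["mean"] + K * baseline["stdev"]
    for day in sorted(profiles):
        if day <= baseline["last_day"]:
            continue                           # still inside the learning window
        count, vlans = profiles[day]
        new_vlans = vlans - baseline["vlans"]
        reasons = []
        if count > threshold:
            reasons.append(f"{count} auth events exceeds threshold {threshold:.0f}")
        if new_vlans:
            reasons.append(f"access to VLANs never seen in baseline: {sorted(new_vlans)}")
        if reasons:
            findings[day] = reasons
    return findings


def run_sample():
    """Learn from the constructed log and evaluate the remaining days."""
    profiles = daily_profiles(build_sample_log())
    baseline = learn_baseline(profiles)
    return baseline, evaluate(profiles, baseline)


if __name__ == "__main__":
    baseline, findings = run_sample()
    print("baseline:", baseline)
    for day, reasons in findings.items():
        print(day, "->", "; ".join(reasons))
```

The two checks deliberately stay independent: a volume spike with no new VLANs and a single new VLAN at normal volume are both reported, because either alone is the kind of deviation the text describes as warranting investigation.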

Automated Response

When the system detects a compromised or misbehaving agent, it acts without waiting for a human analyst. Responses range from quarantining the agent to an isolated VLAN, to revoking its certificate and disconnecting it from the network, to alerting the agent's registered owner. Response playbooks are tied to the severity of the anomaly and the sensitivity of the resources the agent is accessing.
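As an added example of what the automated response step sends on the wire (illustration code written for this post, not IronWiFi's), the block below maps anomaly severity and resource sensitivity to a playbook action, then builds the RADIUS message for it: a CoA-Request that moves the session to a quarantine VLAN, or a Disconnect-Request that tears the session down, with the Request Authenticator computed as RFC 5176 specifies. The playbook table, quarantine VLAN 999, session identifiers and shared secret are constructed values; certificate revocation itself happens in the PKI and is not shown.

```python
"""Response playbook and the RADIUS CoA/Disconnect request it emits (added illustration).

Packet layout follows RFC 2865 (header and attributes) and RFC 5176 (codes 40
and 43, Request Authenticator). Policy values and session data are constructed.
"""
import hashlib
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 1, 31, 44
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
QUARANTINE_VLAN = 999   # assumed isolated VLAN with no route to production


def choose_response(severity, sensitivity):
    """Playbook: anomaly severity x resource sensitivity -> action (constructed)."""
    if severity == "high":
        return "disconnect"          # revoke the certificate and drop the session
    if severity == "medium" and sensitivity == "high":
        return "quarantine"          # move the session to the isolated VLAN
    return "alert"                   # notify the agent's registered owner only


def attr(atype, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype, value, tag=0):
    """RFC 2868 tagged integer: one tag byte (0 = untagged) plus a 3-byte value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def build_packet(code, identifier, attrs, secret):
    """Assemble a CoA/Disconnect request. The Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero bytes + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_packet(packet, secret):
    """Recompute the Request Authenticator as the receiving NAS would."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + body + secret).digest() == auth


def response_packet(action, session, identifier, secret):
    """Return the RADIUS request for `action`, or None when only an alert is due."""
    # Session identification attributes: the NAS matches these to find the session.
    ident = [attr(ATTR_USER_NAME, session["user_name"].encode()),
             attr(ATTR_ACCT_SESSION_ID, session["acct_session_id"].encode()),
             attr(ATTR_CALLING_STATION_ID, session["mac"].encode())]
    if action == "quarantine":
        vlan = ident + [tagged_int(ATTR_TUNNEL_TYPE, 13),           # 13 = VLAN
                        tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, 6),     # 6 = IEEE-802
                        attr(ATTR_TUNNEL_PRIVATE_GROUP_ID,
                             b"\x00" + str(QUARANTINE_VLAN).encode())]
        return build_packet(COA_REQUEST, identifier, vlan, secret)
    if action == "disconnect":
        # Certificate revocation happens in the PKI (not shown); this drops the session.
        return build_packet(DISCONNECT_REQUEST, identifier, ident, secret)
    return None


SAMPLE_SESSION = {"user_name": "ci-reviewer-01",          # constructed session
                  "acct_session_id": "a1b2c3d4",
                  "mac": "00-11-22-33-44-55"}
SAMPLE_SECRET = b"constructed-shared-secret"


def sample_responses():
    """Run the playbook for three constructed anomalies; returns {name: (action, packet)}."""
    out = {}
    for name, sev, sens, ident in [("burst", "medium", "high", 7),
                                   ("exfil", "high", "high", 8),
                                   ("minor", "low", "low", 9)]:
        action = choose_response(sev, sens)
        out[name] = (action, response_packet(action, SAMPLE_SESSION, ident, SAMPLE_SECRET))
    return out


if __name__ == "__main__":
    for name, (action, packet) in sample_responses().items():
        print(name, action, packet.hex() if packet else "-")
```

The session identification attributes are what make the request land on the right session when one laptop hosts several agents; in EAP deployments many NAS implementations also expect a Message-Authenticator attribute, which this illustration omits.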

| Capability | Human Identity | AI Agent Identity |
| --- | --- | --- |
| Authentication method | Password, MFA, biometrics | X.509 certificates via SCEP/EST |
| Credential lifetime | 90-365 days | 1-72 hours, auto-rotated |
| Access scope | Role-based (department) | Purpose-based (agent function) |
| Behavioral baseline | Human activity patterns | Agent-specific: auth frequency, VLAN patterns, peer graphs |
| Compromise response | Account lockout, password reset | Certificate revocation, VLAN quarantine in <30s |

Getting Started

The window for getting ahead of this problem is narrow. The organizations that establish AI agent identity infrastructure now will have a structural security advantage as agent deployments scale from dozens to thousands.

Three steps to start:

  1. Inventory your agents. Identify every AI agent operating on your network today. Include official deployments and shadow AI. You cannot secure what you cannot see.
  2. Extend your RADIUS policies. Move from device-level to agent-level authentication. Deploy certificate-based 802.1X for agents with purpose-scoped VLAN assignment.
  3. Build agent behavioral baselines. Instrument your ITDR system with agent-specific detection models. Establish what normal looks like before you need to detect abnormal.

Secure Your AI Agents at the Network Layer

IronWiFi provides Cloud RADIUS, Cloud PKI, and WiFi ITDR on a single platform, with support for 45+ access point vendors across 6 global regions. Deploy certificate-based agent authentication with purpose-scoped VLAN policies.



About the author

Daniel Konecny

Founder & CEO, IronWiFi

Daniel founded IronWiFi to make enterprise WiFi authentication simple and secure. With deep expertise in RADIUS, 802.1X, and cloud infrastructure, he writes about practical network security for IT teams managing thousands of devices.