Agentic AI Identity
Register AI agents as first-class identities, configure scoped permissions, and monitor agent behaviour in real time.
Agentic AI Identity treats autonomous AI agents as first-class identity types — each with a unique identity, defined permissions, behavioural baseline, and full audit trail.
Registering an AI Agent
Every agent that operates in your environment should be registered in WNCYBER before it is deployed.
- Navigate to Identities → AI Agents → Register Agent
- Provide:
- Agent name — a unique, descriptive name (e.g.,
code-review-agent-prod) - Agent type — the framework or platform (LangChain, AutoGPT, custom, etc.)
- Owner — the team or individual responsible for this agent
- Purpose — a description of what the agent does
- Agent name — a unique, descriptive name (e.g.,
- WNCYBER issues a unique agent identity token (signed JWT) that the agent includes in all API calls
- Configure the agent’s SDK or framework to use the issued token
Configuring Agent Permissions
Principle of Least Privilege for Agents
Agents should receive only the permissions required for their current task — not their maximum possible requirements.
Navigate to Identities → AI Agents → [Agent Name] → Permissions:
- Resource scope — specify which resources the agent may access (S3 bucket, database, API endpoint, etc.)
- Action scope — specify permitted actions (read, write, query, invoke — not full control)
- Temporal scope — set a session duration after which permissions expire automatically
Just-in-Time Access
For agents that need elevated access infrequently:
- Configure the agent to request a JIT elevation via the WNCYBER API
- Set an approval workflow if the elevation requires human review
- WNCYBER grants the elevated permissions for the configured duration, then revokes automatically
Monitoring Agent Behaviour
Behavioural Baseline
WNCYBER observes agent activity over the first 7 days and builds a behavioural baseline — the expected access patterns for a given agent type.
After the baseline period, deviations trigger alerts:
| Deviation Type | Example | Default Action |
|---|---|---|
| New resource access | Agent accesses a database it has never queried before | Alert + flag for review |
| Volume anomaly | Agent downloads 50× normal data volume | Alert + optional throttle |
| Time anomaly | Agent operates outside normal hours | Alert |
| Privilege escalation attempt | Agent requests permissions beyond its configured scope | Block + alert |
Real-Time Session Monitoring
Active agent sessions are visible in Identities → AI Agents → Active Sessions. Each session shows:
- Current action (API calls in progress)
- Resources accessed in this session
- Anomaly score (updated every 30 seconds)
- Option to terminate the session immediately
Revoking Agent Access
Immediate Revocation
To revoke an agent’s access immediately:
- Navigate to the agent’s profile
- Click Revoke All Access
- WNCYBER invalidates the agent’s identity token and terminates all active sessions within 30 seconds
Automated Revocation
Configure automatic revocation triggers in Policies → AI Agent Policies:
- Anomaly score exceeds a threshold
- Agent attempts access to an out-of-scope resource
- Session duration exceeds the configured maximum
- The agent’s owning application is decommissioned