"Are AI agents just software?" This fundamental question, posed by Grant Miller, Engineer & CTO at IBM, cuts to the core of an evolving paradigm in enterprise technology, suggesting that the burgeoning capabilities of artificial intelligence are rapidly outstripping our established frameworks for digital identity and workforce integration. Miller's insightful discussion delves into the nuanced distinctions between human workers, traditional non-human identities, and the new class of AI agents, highlighting the profound implications for organizations navigating this transformative shift.
In his presentation, Miller mapped out the landscape of AI agent identities and their role in modern digital workflows, underscoring a critical divergence between how digital entities have historically been managed and the adaptive, learning nature of contemporary AI agents. He broke down the characteristics that define human workers (physical presence, organizational belonging, and the capacity to assess, break down tasks, execute, and, crucially, learn) and contrasted them with traditional non-human identities (NHI), which are digital, deterministic, and largely unvarying in their execution.
Miller's first core insight is that AI agents go beyond traditional software, blurring the line with human-like task execution and learning. Unlike their deterministic predecessors, AI agents are designed to "assess what the prompt or the ask is, they break it down into tasks, how am I going to orchestrate this flow, how am I going to perform the steps that I need, they execute on that flow, and then they actually learn." This capacity for learning and adaptation places them far beyond automated scripts and gives them a dynamic identity that challenges conventional definitions of software. The ability to self-correct and improve performance over time makes them increasingly indispensable yet also complex to manage within existing enterprise structures.
A second critical insight emerges in the realm of organizational perception and integration: should AI agents be recognized as coworkers? Miller points out that as AI agents begin to perform tasks with a level of autonomy and learning akin to human employees, the question of their status within a company becomes unavoidable. He referenced a past instance where an organization treated an AI agent from an HR perspective "as just another worker," highlighting the potential for both efficiency gains and unforeseen challenges. If agents are effectively extending a support team or augmenting business units, their perceived role shifts from a mere tool to a functional contributor, necessitating a re-evaluation of how they are integrated, managed, and perceived by their human counterparts.
This leads directly to the third pivotal question, which concerns governance and directory inclusion. "Do we put agents into the directory?" Miller asks, referring to enterprise directories like Active Directory. Current Identity Governance and Administration (IGA) systems are primarily designed for human identities, managing approvals, entitlements, and annual validations. The sheer volume of AI agents, potentially "thousands and thousands" within an organization, would overwhelm these systems if agents were treated identically to human users. For persistent agents, the cost implications in terms of CPU usage, network traffic, and data consumption are substantial.
The question of whether agents should be persistent or ephemeral is not merely technical, but deeply strategic. If an agent is designed to be persistent, always "waiting around to take on a task," it continuously consumes resources, incurring ongoing costs. Conversely, ephemeral agents, spun up only when needed and then decommissioned, offer cost efficiencies but introduce complexities in maintaining state and ensuring seamless continuity across tasks. This choice impacts not only the financial ledger but also the agility and responsiveness of the digital workflow, demanding a careful balance between resource optimization and operational necessity.
Miller’s discussion underscores that current IGA systems, built largely around human identities, are ill-equipped to handle the unique characteristics of AI agents. The deterministic, unvarying nature of traditional non-human identities allowed for simpler, rule-based governance. However, the adaptive, learning, and potentially autonomous nature of AI agents demands a more sophisticated, dynamic, and scalable approach to identity management. This is not just about extending existing systems; it requires a fundamental rethink of how digital entities are provisioned, authenticated, authorized, and audited throughout their lifecycle. Organizations must begin to construct governance frameworks that are as flexible and intelligent as the agents they aim to manage, ensuring security, compliance, and operational efficiency in an increasingly agentic world.

