I've been fielding a common question lately, and I get why security teams are confused. They hear about Microsoft Entra Agent ID, assume it solves the AI agent security problem, and check the box. But there’s more to it.
Entra gives you registration, which is necessary, but it doesn't give you runtime authorization. Without both, you're exposed.
The difference matters because registration-time identity tells you who created an agent and who owns it, while runtime authorization tells you whether that agent should be allowed to execute a specific action right now, at the moment it's trying to spend money or provision infrastructure or touch customer data.
What is registration-time identity?
Registration-time identity is what happens when you create an agent. It gives you the visibility and governance foundation that makes everything else possible.
You're establishing an identity that includes who created it, who owns it, what it's supposed to do, and what lifecycle state it's in. Think of it as a passport for the agent: proof that it exists as a known entity, tied to an owner, with a verifiable record you can audit.
When someone spins up an agent, it needs an identity that distinguishes it from every other agent and connects it back to y our organization's identity management system.
That means registering it in an identity provider like Microsoft Entra, Okta, or ServiceNow, and capturing metadata about it:
Who created it
Which department it belongs to
What its intended purpose is
Who should be contacted if something breaks
That information gets stored in the identity provider and used for governance, compliance, and lifecycle management, which is critical when you're trying to figure out what agents are running and who's accountable for them.
Without registration-time identity, you've got anonymous systems with no connection to the people who created them or the business functions they're supposed to support.
You can't run access reviews because you don't know who owns what, you can't decommission agents when projects end because you don't know which agents belong to which projects, and you can't investigate incidents because there's no one to contact.
Examples: Entra Agent ID, ServiceNow
Several identity management platforms are building registration-time identity capabilities for AI agents, and they're solving a real problem around visibility and governance.
Microsoft Entra Agent ID extends their identity platform to treat AI agents as first-class identities. Agents get registered in Entra with an agent identity blueprint that defines the type of agent and an agent identity that represents a specific instance.
From there, Entra gives you governance features like access reviews, lifecycle management, and compliance reporting. Administrators can apply conditional access policies to agents, disable agents of a specific type, and audit agent activity through the same tools they use for human identities, which is operationally valuable because you're not learning a new system.
ServiceNow offers similar capabilities through their IT Service Management platform. Agents can be registered as configuration items in the ServiceNow CMDB, assigned to owners, and tracked through change management processes, which lets organizations manage agents using the same workflows they use for other IT assets.
These platforms are solving visibility and governance; you can see what agents exist, who owns them, and how they're being used.
That's necessary, but it doesn't control what agents actually do when they're running.
Limitations: Doesn't control what agent does at runtime
Registration-time identity tells you who the agent is, but it doesn't tell you what it's allowed to do at execution time.
The agent has an identity in Entra or ServiceNow, and that's recorded and auditable, but that identity doesn't prevent the agent from doing something inappropriate or unauthorized.
A concrete example
You've got an agent registered in Entra with Sarah listed as the owner. The registration tells you Sarah created it and she's responsible for it, which is useful for governance.
But it doesn't prevent that agent from placing a $50,000 purchase order three weeks after Sarah leaves the company. The agent's identity persists in Entra, its credentials remain valid, and it keeps operating with whatever permissions it was granted at creation. There's no technical control stopping it from acting.
Registration gives you governance on paper. You've got records, you can run audits, you can generate compliance reports. Still, it doesn't enforce control the instant an AI agent attempts an action, which is when control actually matters.
That's the difference between knowing who owns an agent and preventing that agent from doing something it shouldn't be doing.
How does runtime authorization differ?
Runtime authorization is the process of verifying that an agent has authority to execute a specific action right when it attempts that action; not when it was configured or during a quarterly access review, but right now, when it's trying to place a purchase order or provision infrastructure or access customer data.
This is where enforcement happens. Every time an agent attempts an action, the authorization system checks whether that action is authorized based on current policy, the human owner's current status, and the context of the request.
The check happens at execution time, which means the authorization system is evaluating the action against current policy every single time. Not on permissions that were set weeks or months ago when the agent was created.
If the action is authorized, the authorization system issues a credential that allows the agent to proceed. If it's not authorized, the request gets denied.
This creates a control point at the moment of execution, which is the only moment that actually matters for preventing unauthorized actions.
What runtime authorization tells you
Runtime authorization answers different questions than registration-time identity, and the questions are more about control than governance.
Who approved this action?
Runtime authorization can require human approval for high-risk actions, which means when an agent attempts to place a large purchase order, the authorization system sends a push notification to the agent's owner.
The owner reviews the request in context and either approves or denies it, which creates a record of who approved the specific action, not just who owns the agent generally.
Is it within scope?
Runtime authorization checks whether the action is consistent with the agent's intended purpose and current policy. An agent that was created to order office supplies shouldn't be provisioning cloud infrastructure; runtime authorization enforces those boundaries by checking each action against policy before allowing it to proceed.
Is the human still employed?
Runtime authorization verifies that the agent's owner still has an active account in the identity provider, which means if the owner has left the organization, the authorization system denies the request and flags the agent as orphaned.
This prevents ghost agents from continuing to operate after their owners are gone, which is a real risk I'm seeing companies run into as they scale agent adoption.
Runtime authorization shifts control from configuration time to execution time. Permissions set at agent creation reflect the world as it was then, not as it is now. Verifying authority at the moment of each action is the only way to enforce control in an environment where agents operate autonomously.
Time-bound credentials & cryptographic binding
Runtime authorization uses time-bound, cryptographically signed credentials that are issued for specific actions and expire quickly, which is fundamentally different from the long-lived API keys or service account passwords that most agents are running on today.
When an agent attempts an action, the authorization system evaluates the request and, if it's authorized, issues a credential.
This credential is valid for minutes or hours, not days or weeks, and is scoped to the specific action the agent is attempting.
The credential is cryptographically signed by the authorization system, which means any downstream system can verify that it's authentic and hasn't been tampered with.
The credential includes information about what action it authorizes, when it expires, and who approved it if approval was required.
The agent presents this credential when executing the action. The receiving system (whether that's a procurement API, a cloud provider, or a database) validates the credential and confirms that it authorizes the specific action being attempted.
If the credential is valid, the action proceeds. If not, it gets rejected.
Because credentials are short-lived and action-specific, they reduce the blast radius if something goes wrong. Even if an attacker manages to steal a credential, it's only valid for a narrow action and it expires quickly, which limits what they can do with it.
Comparison: Runtime authorization vs. registration-time identity
Registration-time identity and runtime authorization serve different purposes and operate at different points in the agent lifecycle:
Registration-time identity | Runtime authorization | |
|---|---|---|
Purpose | Establishes agent identity and enables governance | Controls what the agent does at execution time |
When it happens | Once, at agent creation | Every time the agent attempts an action |
What it answers | Who created it, who owns it, what its purpose is | Whether this specific action is authorized right now and who approved it |
Credential type | Long-lived API keys or service account credentials | Short-lived, action-specific tokens |
Enforcement point | Identity provider (Entra, Okta, ServiceNow) | Authorization layer between agent and target system |
Human involvement | At creation and during periodic access reviews | At execution time for high-risk actions |
Prevents ghost agents | No — agent survives when owner leaves | Yes — credentials stop issuing when owner is offboarded |
Prevents unauthorized actions | No — relies on agent code and configuration to behave correctly | Yes — checks authorization before every action |
Compliance value | Audit trail of agent ownership and lifecycle | Audit trail of who approved specific actions |
Integration | Identity providers, CMDBs, governance platforms | API gateways, network layers, orchestration platforms |
Why you need both
Registration-time identity and runtime authorization aren't competing approaches, but complementary ones, and you need both if you're going to secure AI agents at scale.
Registration equals foundation
Registration works like a passport. It proves the agent exists as a known entity, ties it to an owner, and gives you a verifiable record you can audit. A passport doesn't authorize you to board any specific flight. It establishes identity. Everything else builds on top of it.
Without that foundation, you have anonymous agents with no connection to the people who built them or the business functions they support.
Runtime authorization equals execution control
Runtime authorization works like a boarding pass. It's issued for a specific action, on a specific system, within a specific time window. It expires. It can't be reused for a different operation. And even a traveler with a valid passport gets denied at the gate if they don't have a current boarding pass for that flight.
That's the control point that matters. Not whether the agent has an identity on record, but whether it has explicit, current authorization for what it's trying to do right now.
How they work together
The two layers work together in a complementary architecture.
At the top is the identity provider (Entra, Okta, ServiceNow) where agents are registered. This layer maintains the agent's identity, tracks ownership, and manages lifecycle state, which gives you the foundation for governance and compliance.
In the middle is the authorization layer that sits between agents and the systems they access. This layer intercepts requests from agents, evaluates them against policy, and either allows or denies them based on current authorization, enforcing control at execution time.
At the bottom are the target systems that agents interact with, like procurement APIs, cloud infrastructure, and customer databases. These systems receive requests from agents only after the authorization layer has verified that the requests are authorized.
Here’s the flow:
An agent is registered in the identity provider with an owner and a purpose
When the agent attempts an action, the request passes through the authorization layer
The authorization layer checks the agent's identity in the identity provider, evaluates the action against policy, and potentially requires human approval
If authorized, the authorization layer issues a credential and the request proceeds to the target system
Both layers are necessary. Registration without runtime authorization gives you visibility but no control, and runtime authorization without registration gives you control but no governance foundation. Together, they provide comprehensive security.
If your org is running agents, especially multi-agent setups…
Keep in mind that you'll need solutions in both categories, and the sequencing matters.
Start with registration if you have no visibility into what agents exist, who owns them, or what they're supposed to do. You need a governance foundation before you can enforce runtime controls.
Add runtime authorization when you have agents that can spend money, modify infrastructure, or access sensitive data. You can't just track unauthorized actions after they happen - you need to stop them at execution time.
Integrate both when you're scaling agent adoption and need comprehensive security. Registration provides governance and visibility, runtime authorization provides execution-time control, and together they let you adopt agents at scale without creating unmanageable risk.
Conclusion
I get why this is confusing, because both registration and runtime authorization involve identity, are necessary for securing AI agents, and most vendors talk about them like they're interchangeable. From what we're seeing in the field though, they solve completely different problems at different points in the agent lifecycle.
Microsoft Entra Agent ID, Okta, and ServiceNow are solving the registration problem. They establish agent identity, track ownership, and enable governance so you know what agents exist and who's responsible for them, and that's the foundation.
What 1Kosmos and similar runtime authorization solutions are solving is execution-time control: verifying authority for each action, requiring human approval for high-risk actions, and preventing ghost agents from operating after their owners leave.
The two layers solve different problems at different moments in the agent lifecycle, and closing the gap between them is what makes autonomous agent deployment manageable at scale.
See how 1Kosmos handles runtime auth
See how runtime authorization complements your existing identity infrastructure. Learn more or request a demo to learn how 1Kosmos works with Microsoft Entra, Okta, and ServiceNow to provide comprehensive AI agent security.
About the author
Mike Engle
Co-Founder and CSO
Mike is the CSO and a co-founder of 1Kosmos with deep expertise in information security, product development, and business development across Fortune 100 financial institutions and early-stage startups.
