The expanding
agentic AI era must feel like the wild west for many security teams and MSSPs, with growing numbers of autonomous agents working mostly unsupervised and scouring sensitive corporate data while reaching into the internet to find the information they need.
They’re also creating new and
significant security risks, with a key one being the exponentially growing number of identities that are created, a big concern at a time when bad actors are putting a focus on compromising identities to gain initial access into victims’ systems. It’s helped create a ratio of as many as
80 non-human identities (NHIs) to one human identity.
This is a particular challenge for MSSPs, which have to help dozens to hundreds of clients manage their identities.
With that in mind, it’s not surprising that a growing number of security vendors are rolling out products and services designed to better identify, track, and manage agents. Recent examples include vendors like Radiant Logic, Threatdown, Semperis,
and Hack The Box. For its part,
AppViewX has announced Agent Identity Security, a new offering on the vendor’s AVX platform that aims to discover, secure, and monitor every machine and agent in a company’s environment.
The solution is aimed at addressing the myriad challenges that come with AI agents, like managing an AI bill of materials, governing Model Context Protocol (MCP) tools, and securing non-deterministic behavior, according to the company.
The agentic workforce
In unveiling the new capability, AppViewX CEO
Archit Lohokare called AI agents “the largest workforce most enterprises
never hired,” and added that this will become even more important in the impending quantum computing era.
“At first glance, many customers don’t immediately tie AI agent security and quantum computing readiness together,”
Paul Trulove, chief product officer at AppViewX, told MSSP Alert. “However, they are missing several key reasons why the two must be addressed together.”
Much of that has to do with the looming Q-Day, the time when quantum systems will be powerful enough to break modern cryptographic standards. Most predictions have said the industry will reach that time in the 2030s, though Google in March said it is more likely to
be in 2029.
Pre-crisis threats
This matters to enterprises and MSSPs. Organizations that want to secure agent infrastructure now are making decisions about authentication, encryption, and key management, and need to include
quantum-safe cryptography (PQC) now rather than trying to retrofit in later. In addition, they need to ensure agent deployments are PQC-aware, Trulove said.
In addition, AI agents expand the cryptographic attack surface by authenticating to APIs, signing transactions, and exchanging sensitive data at machine speed and scale, and the opportunity is now, he said.
“Both threats are pre-crisis,” Trulove said. “Addressing them together lets security teams consolidate roadmaps, reduce duplicated effort, and avoid the much harder task of securing a fully deployed, quantum-vulnerable agent infrastructure under pressure.”
Managing AI agents
Even without the added complication of quantum computing, enterprises are struggling to address what Trulove called a “rapidly changing identity ecosystem.”
“In many cases, organizations still have significant gaps in managing their human identities, and now they are faced with a growing number of non-human identities, and a universe that is scaling rapidly across machines and agents,” he said. “We are seeing a few patterns emerging with customers.”
He added that a key pattern is that “most enterprises are still in an ‘AI tool’ mental model. They're asking, ‘What can agents do for us?’ rather than, ‘How do we onboard, govern, and offboard agents the way we do employees?’ That gap is where the security risk lives.”
Other challenges are that human identities are based on accountability, and most other machine identities – like service accounts, certificates, and API keys – are static and predictable, and security teams know how to handle them.
Breaking both models
“Agent identities break both models,” Trulove said. “Agents are dynamic. They make decisions, chain actions, call other agents, and operate across trust boundaries, often with credentials inherited from the human or machine that spawned them. They behave more like workers than tools, but enterprises are provisioning them like scripts.”
There are other issues, such as the rise of shadow AI and how to govern agents, which raise such questions about ownership and how to deal with them when their project is completed.
MSSP challenges, opportunities
All of this raises a range of challenges and opportunities for MSSPs, which play a significant part “by selling business outcomes across risk, resilience, and competitive advantage,” he said. “Building and delivering solutions for agent identity security and quantum readiness are well aligned to the same outcomes and provide an important opportunity to establish new revenue streams and create significant differentiation in the market.”
With AppViewX’s Agent Identity Security solution, they can now offer clients a tool that includes an identity governance framework and a PQC readiness assessment before mandates really kick in, according to Trulove.
That said, they have to make sure they’re on top of the quantum issue.
“Quantum readiness is a service gap most MSSPs haven't priced in,” he said. “Clients are going to need PQC migration help – crypto inventory, certificate lifecycle updates, algorithm migration – and they're going to look to their MSSPs first. Most haven't built that practice yet, and the window to do so without being in reactive mode is closing.”
