Stephen Cox, CTO at Strivacity. 25+ year tech veteran focused on customer identity and the emerging security challenges of agentic AI.

Over the past several months, I've had a version of the same conversation with multiple enterprise identity leaders. AI agents are showing up in their environments, through official channels or not, and eventually the question is raised: What is the risk?

Most don't have an answer. The question is genuinely new.

Consider the following scenario: A customer interacts with your company's AI agent to update their shipping address. The agent, being helpful, also notices an unpaid balance, initiates a payment retry against a saved card and, interpreting an ambiguous instruction, cancels a pending order it flagged as a duplicate. The customer never explicitly asked for any of that. The canceled order was legitimate, and the payment retry overdrafts their account.

Who authorized those actions?

If your answer includes "the AI decided" or "the user said update my account," you have a liability problem. And right now, most enterprises deploying agentic AI couldn't answer that question with evidence even if they wanted to.

For decades, identity infrastructure has solved one core problem: proving that a human is who they claim to be and granting them access accordingly. Authentication, authorization, audits and essentially the entire customer identity stack were designed around a human at the keyboard.

Agentic AI breaks that assumption. When an AI agent acts on a user's behalf, autonomously across multiple systems, the authorization chain is no longer a moment in time. It's a sequence of decisions, each of which carries legal weight and none of which were made directly by the human who initiated the session.

This is the very definition of an identity gap. Enterprises have invested heavily in securing who gets in.
Almost nobody has invested in governing what agents do once they're in, on whose authority and with what constraints.

The pressure to deploy AI agents is pushing engineering organizations to treat this as an implementation detail to be solved later. To be fair, this is exactly how most infrastructure problems get deferred. Treating it as a secondary concern is a governance failure that most organizations won't recognize until something breaks.

There are three key pillars we need to look at here:

1. Authorization: What did the user actually consent to? "I want to update my shipping address" is not authorization to retry a payment or cancel an order. But most agentic deployments today operate on broad, static permissions. OAuth scopes or API keys may grant access to entire systems, rather than specific, user-confirmed actions. That gap is real, and it's currently being papered over rather than solved.

2. Auditability: When something goes wrong, regulators, courts and customers will ask for a record of what happened. An LLM reasoning trace is not an audit log. It doesn't establish that a specific action was authorized by a specific user at a specific point in time. A genuine audit trail for agentic AI requires the same rigor as any other consequential system: immutable records, time stamps and authorization context. Most enterprises deploying agents today cannot produce this.

3. Accountability: When an agent acts incorrectly and causes harm, who is responsible? The enterprise that deployed it? The model provider whose reasoning produced the action? The user who granted access? The answer will be determined by what the identity and authorization record shows. If your enterprise cannot demonstrate that the agent acted within a clearly defined, explicitly granted, user-confirmed scope, the accountability defaults to you. That is the legal exposure.

Current data protection frameworks were not designed for highly autonomous language-model-driven delegation.
GDPR, CCPA and the EU AI Act all assume a traceable human authority behind the decisions being made. Of these, GDPR's lawful basis requirements are likely to be the sharpest edge. "Legitimate interest" as a lawful basis is going to face serious scrutiny when the processing decision wasn't made by a person, but rather by a language model operating on broad delegation.

The solution does not have to be "slow down AI agent adoption." Instead, we must treat agent identity as a first-class infrastructure requirement.

The building blocks for this exist. Every agent capable of consequential autonomous actions needs a distinct, authenticated identity that is separate from the user it acts for and not inherited from their session. Permissions need to be scoped to what the user actually consented to in that interaction, not carried over from a broad standing grant. Every consequential action needs to be logged with the authorization context that permitted it. And users need to actually understand what they're authorizing, in language they can parse. What’s missing is the organizational will to treat this as a deployment requirement instead of a road map item.

Before your next deployment goes live, ask:

1. Can we prove, with a complete audit trail, what our agent was authorized to do in any given session?

2. Can we demonstrate that each consequential action was within the explicit scope of user consent?

3. Have we mapped our agent's data processing activities against our GDPR, CCPA and EU AI Act obligations?

If the answer to any of them is no, then you have exposure worth addressing now, before a customer complaint, regulatory inquiry or discovery request makes it urgent.

Let's look back at my original scenario with the customer who contacted your AI agent to update a shipping address.
The payment retry, the canceled order and the overdraft: Who authorized all of that?

Right now, the honest answer most enterprises would give me is: We don't know.

That gap, between what agents can do and what enterprises can prove they were authorized to do, is where the next wave of AI liability will be decided. My prediction is that it won't be a regulatory enforcement action that forces the issue. It will be a high-profile consumer lawsuit, the kind that gets covered in the press and names a company rather than a compliance framework. That case is coming. The enterprises building proper identity infrastructure for their agents today will have a defensible record when it does. The ones that haven't may be building one under discovery.
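
The building blocks described in the article (a distinct agent identity, permissions scoped to what the user confirmed in the interaction, and a log entry carrying the authorization context for every action), applied to the shipping-address scenario. This is an added example, not code from the article or from any product; the names `Grant`, `AuditLog` and `authorize`, the action strings and the IDs are assumptions. The SHA-256 hash chain makes the log tamper-evident and stands in for the immutable storage a production system would use.

```python
import hashlib, json, time
from dataclasses import dataclass

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass(frozen=True)
class Grant:
    """What the user confirmed in this interaction (hypothetical model)."""
    grant_id: str
    user_id: str
    agent_id: str          # the agent's own identity, not the user's session
    actions: frozenset     # exact actions the user confirmed
    expires_at: float

class AuditLog:
    """Append-only log; each record commits to the previous record's hash."""
    def __init__(self):
        self.records = []

    def append(self, entry):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = dict(entry, prev=prev)
        self.records.append(dict(body, hash=_digest(body)))

    def verify(self):
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or rec["hash"] != _digest(body):
                return False
            prev = rec["hash"]
        return True

def authorize(grant, agent_id, action, log, now=None):
    """Decide one agent action against the grant; log allow and deny alike."""
    now = time.time() if now is None else now
    allowed = (agent_id == grant.agent_id and action in grant.actions
               and now < grant.expires_at)
    log.append({"ts": now, "agent": agent_id, "user": grant.user_id,
                "grant": grant.grant_id, "action": action,
                "decision": "allow" if allowed else "deny"})
    return allowed

def run_scenario():
    # Constructed sample: the user confirmed only the address update.
    grant = Grant("g-001", "user-42", "agent-support-1",
                  frozenset({"shipping_address:update"}), expires_at=1000.0)
    log = AuditLog()
    attempted = ["shipping_address:update", "payment:retry", "order:cancel"]
    return [authorize(grant, "agent-support-1", a, log, now=10.0)
            for a in attempted], log
```

Each record answers "who authorized this?" by naming the grant, the user and the agent, and the denied payment retry and order cancellation are recorded alongside the permitted address update.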