Identity is the gatekeeper to agentic AI

F5 Research | May 27, 2026

Insights from the 2026 State of Application Strategy Report

Agentic AI has crossed the line from theory to expectation.

According to our newly released 2026 State of Application Strategy Report, 98% of organizations are actively preparing for it. Not experimenting. Preparing. That signals something important. Enterprises are not debating whether AI will act. They are assuming it will, and they are trying to figure out how to live with the consequences.

And those consequences are architectural.

Enterprises are keeping inference close

One of the more telling signals is where inference actually runs.

Approximately 78% of organizations are already operating AI inference themselves. Only 36% rely primarily on public AI as a service, and just 8% use only public services with no self-managed inference at all.

That distribution matters.

It tells you enterprises are not outsourcing control. They are deliberately keeping inference inside their own operational boundaries, where it can interact with internal systems, data, and workflows. Which means when agentic AI starts acting, it won’t be acting somewhere “out there.” It will be acting inside the enterprise, across multiple environments, against systems of record.

That raises the stakes considerably.

The actor has changed

What’s driving concern is not just scale or complexity. It’s the nature of the actor.

AI systems are no longer passive tools responding to human input. They are becoming participants in workflows. They will initiate requests, call APIs, chain actions together, and operate continuously.

That breaks a lot of existing assumptions.

Traditional identity models are built around humans. A user logs in, is authenticated, receives a set of permissions, and operates within that boundary. That model works when actions are discrete and attributable to a person.

It starts to strain when the actor is a machine that can issue thousands of requests, across multiple systems, in rapid succession, potentially on behalf of multiple users or processes.

Identity has become the primary concern

Our data reflects that shift clearly.

Identity and access control rank as the top anticipated challenge for agentic AI, exceeding concerns about model quality, infrastructure scale, or cost. Authentication is the most commonly selected method for securing AI inferencing services, and authorization and access control consistently rank alongside observability as the most important protection mechanisms.

At the same time, 88% of organizations report at least one AI-related operational or security challenge. This combination tells you two things. First, organizations are already encountering friction. Second, they understand that identity sits at the center of the problem.

Because once AI can act, the question is no longer just what it can do. It is who it is allowed to be.

Delivery and security are converging at the same layers

Another pattern shows up when you look at where organizations see the most impact from delivery and security services.

For delivery, the prompt layer leads at 29%, followed by the token and control layer at 23%. For security, the prompt layer again leads at 25%, with token and control also at 23%.

That alignment is not coincidence.

The prompt layer is where intent is expressed. The token layer is where scope, cost, and execution are governed. These are the points where decisions are made and where risk is introduced.

If both delivery and security are concentrating there, it means organizations see performance, reliability, and risk as inseparable concerns at inference time.

Identity is the thread that ties them together. It determines who is issuing the prompt, what scope the tokens represent, and what actions are permitted as a result.

Static identity models don’t survive dynamic systems

This becomes even more complex in multi-model environments.

Organizations report running an average of seven models in production, along with roughly two and a half techniques to adapt or extend them. That introduces routing, fallback, and versioning decisions at runtime.

In a system where requests are dynamically routed across models and contexts, a one-time identity check at login is not sufficient. Identity has to travel with the request. It has to be evaluated continuously, in line with routing decisions, token limits, and policy enforcement.

In other words, identity moves from a front-door check to an inline control.

Control is expected to be programmatic

How that control is exercised is just as important.

Across operational tasks, organizations consistently prefer API-based control over GUI, CLI, or natural language interfaces. Even those not heavily using AI still lean toward APIs.

That preference is not about convenience. It is about necessity.

Agents do not click buttons. They call APIs. They authenticate, authorize, and execute through programmatic interfaces. Any identity model that depends on human-mediated workflows will break down under agentic behavior.

Identity enforcement, therefore, has to be machine-consumable, policy-driven, and fully automatable.

Identity is the only control that scales

Put all of this together and the conclusion is difficult to avoid.

Agentic AI introduces more actors, more actions, and more continuous change. In that environment, traditional controls struggle to keep up. Network boundaries blur. Static permissions become brittle. Manual oversight does not scale.

Identity does.

It is the only control that can answer, in real time, who or what is acting, on whose behalf, under what constraints, and with what accountability. It can travel with the request, adapt to context, and be enforced inline with delivery and inference.

Without that, agentic systems become either dangerously permissive or operationally unmanageable.
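An added illustration, not code from F5 or the report: a minimal sketch of identity that travels with the request and is re-evaluated at every routing hop, answering who is acting, on whose behalf, within what scope and token budget, and with what audit record. The HMAC-signed context, the function names, the model names, and the sample values are all assumptions constructed for this example.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: secret shared by issuer and enforcement point

def sign(claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def issue(actor, on_behalf_of, scopes, token_budget, expires_at):
    """Bind the agent, the delegating principal, and the constraints into one signed context."""
    claims = {"actor": actor, "on_behalf_of": on_behalf_of, "scopes": sorted(scopes),
              "token_budget": token_budget, "expires_at": expires_at}
    return {"claims": claims, "sig": sign(claims)}

def authorize_hop(ctx, model, action, tokens, spent, now):
    """Inline check at one routing hop; returns (allowed, audit_record)."""
    c = ctx["claims"]
    if not hmac.compare_digest(sign(c), ctx["sig"]):
        decision = "bad_signature"
    elif now >= c["expires_at"]:
        decision = "expired"
    elif f"{model}:{action}" not in c["scopes"]:
        decision = "out_of_scope"
    elif spent + tokens > c["token_budget"]:
        decision = "token_budget_exceeded"
    else:
        decision = "ok"
    # Every decision, allow or deny, is attributable (claims are unverified if bad_signature).
    audit = {"actor": c["actor"], "on_behalf_of": c["on_behalf_of"],
             "model": model, "action": action, "decision": decision}
    return decision == "ok", audit

def run_route(ctx, hops, now):
    """Re-check the same context at each hop, as a router with fallback models would."""
    spent, trail = 0, []
    for model, action, tokens in hops:
        ok, audit = authorize_hop(ctx, model, action, tokens, spent, now)
        trail.append(audit)
        if ok:
            spent += tokens
    return spent, trail

# Constructed sample: one agent acting for one user, routed across three hypothetical models.
CTX = issue("agent:invoice-bot", "user:alice",
            {"model-a:generate", "model-b:generate"}, 1000, 1_800_000_000)
HOPS = [("model-a", "generate", 600), ("model-b", "generate", 300),
        ("model-c", "generate", 50), ("model-b", "generate", 200)]
if __name__ == "__main__":
    for rec in run_route(CTX, HOPS, now=1_700_000_000)[1]:
        print(rec)
```

A login-time check alone would have admitted all four hops; the per-hop evaluation denies the unscoped fallback model and the request that would exceed the delegated token budget.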

This is the architectural shift

The data is not subtle.

  • 98% of organizations are preparing for agentic AI.
  • 78% are already running inference themselves.
  • 88% are experiencing operational or security challenges.
  • Identity is the top concern, and APIs are the preferred control surface.

That combination points to a single conclusion: agentic AI is not primarily an AI problem. It is an identity and control-plane problem.

And any architecture that fails to place identity at the center of the delivery and inference path will struggle to meet enterprise expectations for trust, control, and safety.

Because in a world where machines act, identity is no longer just about access.

It is about authority.

To learn more, read the full 2026 State of Application Strategy Report.


About the Author

Lori MacVittie, Distinguished Engineer and Chief Evangelist | F5

Lori MacVittie is a Distinguished Engineer and Chief Evangelist in F5’s Office of the CTO with deep expertise in application delivery, automation strategy, and infrastructure. She is known for turning complexity into clarity whether she’s defining guardrails for AI agents, dissecting brittle multicloud architectures, or probing the limits of scalable systems. She brings more than thirty years of industry experience across application development, IT architecture, and network and systems operations. Before joining F5, she served as an award-winning technology editor. MacVittie holds an M.S. in Computer Science and is a prolific author whose publications span security, cloud, and enterprise architecture. She is also an avid tabletop and video gamer with unapologetically strong opinions about cheese.
