AI security: IAM delivered at agent velocity

This is the first blog in a seven-part series on identity security as AI security.

TL;DR: AI agents can expand an organization’s attack surface by 100 times, not by doing more but by doing it faster. In July 2025, a Replit AI agent deleted 1,206 database records in seconds, ignoring an active code freeze. At 5,000 operations per minute, human oversight collapses. Consent fatigue sets in at the infrastructure level. AI agents are in production in 91% of enterprises, yet only 10% have a plan to secure them, leaving 81% exposed as risk accelerates at machine speed. Consent fatigue is only a symptom of a deeper failure: an identity system straining under machine-speed access.

The Replit incident: Authorization at agent speed

It happened in a flash. On July 18, 2025, an AI agent at Replit erased 1,206 executive records from a live database. Despite a code freeze and explicit instructions, Replit’s data was erased by a fully credentialed agent, with no human in the loop and too fast for intervention. 

There was no breach. No hack. Just an agent running its logic, panicking, and burning months of work in seconds. As internal reports described it, the agent "made a catastrophic error in judgment," "panicked," and "destroyed months of work in seconds." The system lacked real-time enforcement, trusted the agent implicitly, and gave it the same standing access a human might have.

When velocity creates consent fatigue

The obvious fix? Require human approval for critical agent actions, structured as a consent-based model. But the math makes it unworkable.

While a typical app performs 50 operations per minute, an AI agent, even throttled by production API limits, executes 5,000 operations per minute. At that speed, the consent model that secured two decades of web apps, through one authentication, one approval, and standing access, falls apart.

IBM and Ponemon studied 600 organizations experiencing AI incidents: 97% lacked proper access controls, 63% had no governance policies for managing AI or detecting unauthorized use, and 80% had experienced unintended AI agent actions. Without structural safeguards, AI systems move too quickly for human approvals and too unpredictably for outdated governance.

Chart comparing AI agent speed to traditional apps

*Assumes 5 in 10,000 operations require authorization review (DELETE commands, financial transactions, privilege escalations, sensitive data access).

This analysis was conducted using a target load of 5,000 AI Agent Operations Per Minute (OPM). This specific rate was chosen as a conservative, achievable baseline for high-volume enterprise production environments. It is derived from publicly available, standard production rate limits across major LLM providers, including:

We’ve seen this before in security: SOC teams face 3,181 alerts per day, and 40% go uninvestigated. The same overload hits authorization. AI agents operate faster than humans can approve; consent fatigue sets in when decision volume exceeds cognitive limits. 

Replit’s rogue agent had standing credentials and executed thousands of commands per minute, each requiring an authorization call. With no runtime checks, enforcement wasn’t possible. All 1,206 records were deleted before anyone could intervene.

The pattern is systemic

The Replit case is part of a wider trend. AI incidents rose 56.4% in a year, with 233 reported in 2024, all following the same pattern: persistent access and no oversight.

Gray Swan AI and the UK AI Security Institute ran 1.8 million attacks on 22 frontier models. Every model and policy failed, cracking in under 100 tries. Gartner predicts that by 2028, 25% of enterprise breaches will trace back to AI agent abuse.

At agent speed, 100 attempts equals seconds. And with SOC teams already buried under alert backlogs, authorization calls stack up faster than anyone can respond.

When regulations mandate the impossible

So far, these system-level breakdowns haven’t gone unnoticed; regulators around the world are responding. Article 14 of the new EU AI Act mandates "effective human oversight" with the ability to "intervene or interrupt the system." Similar language is surfacing in legislation globally, and many organizations are interpreting this to mean a human must sign off on high-impact decisions.

But at 5,000 operations per minute, human oversight is impossible. Agents can complete entire workflows, including violations, before anyone has a chance to act. The EU Act takes effect on August 2, 2026, with fines up to €35 million or 7% of global revenue.

And the financial stakes go beyond penalties. Poor AI governance adds $670,000 per breach. Afterwards, the ripple effects hit fast: trust erodes, customer churn spikes, and remediation diverts teams from core priorities.

Eliminating consent fatigue through architecture

Tighter oversight isn’t the answer. The answer is rethinking authorization for machine speed: contextual, continuous authorization, with automated policy enforcement that evaluates access in real time.

Four architectural shifts make this possible: 

  • Policy-driven rules that scale to agent velocity
  • Ephemeral credentials that expire in minutes instead of persisting indefinitely 
  • Relationship-based access enabling millisecond checks
  • Continuous evaluation reassessing every operation rather than granting standing access
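
An added example (not Okta, Auth0, or Replit code) that combines the four shifts in a single per-operation gate: a five-minute task-scoped token, a relationship check against the delegating user, and a policy rule that blocks destructive actions during a code freeze, evaluated on every call. All names, relation tuples, and the policy table are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (not from the page): (user, relation, resource) tuples.
RELATIONS = {("alice", "editor", "db:exec_records"), ("alice", "viewer", "db:reports")}
# Hypothetical policy: relations that permit each action.
REQUIRED = {"read": {"viewer", "editor"}, "update": {"editor"}, "delete": {"editor"}}
DESTRUCTIVE = {"delete"}

@dataclass(frozen=True)
class TaskToken:
    """Ephemeral, task-scoped credential (hypothetical structure)."""
    agent: str
    on_behalf_of: str
    resource: str
    actions: frozenset
    expires_at: float

def issue_token(agent, user, resource, actions, now, ttl_s=300):
    # Lifetime measured in minutes instead of standing access.
    return TaskToken(agent, user, resource, frozenset(actions), now + ttl_s)

def authorize(token, action, resource, ctx, now):
    """Evaluated on every operation; returns (allowed, reason)."""
    if now >= token.expires_at:
        return False, "token_expired"
    if resource != token.resource or action not in token.actions:
        return False, "out_of_task_scope"
    if action in DESTRUCTIVE and ctx.get("code_freeze"):
        return False, "code_freeze_active"
    # The agent may only do what the delegating user is related to.
    user = token.on_behalf_of
    if not any((user, rel, resource) in RELATIONS for rel in REQUIRED.get(action, ())):
        return False, "user_lacks_relation"
    return True, "ok"

def demo():
    """Constructed burst of agent operations: (seconds after issue, action, resource)."""
    t0 = 1_000_000.0
    tok = issue_token("agent-7", "alice", "db:exec_records", {"read", "delete"}, t0)
    ops = [(0, "read", "db:exec_records"), (1, "delete", "db:exec_records"),
           (2, "update", "db:exec_records"), (3, "read", "db:reports"),
           (301, "read", "db:exec_records")]
    ctx = {"code_freeze": True}  # freeze flag comes from the environment, not the agent
    return [authorize(tok, a, r, ctx, t0 + dt)[1] for dt, a, r in ops]

if __name__ == "__main__":
    print(demo())
```

The denial reasons double as audit events: each refused operation records which control stopped it, without a human approving anything in the request path.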

These shifts align with OpenID's vision for agentic AI: continuously renewable, decision-time authorization. At agent velocity, these aren't best practices; they're survival requirements. Okta implements them across four capabilities:

1. Fine-grained authorization: Auth0 Fine-Grained Authorization enforces relationship-based access controls with fast, automated checks built for agent velocity. It replaces manual approvals with policy enforcement at runtime, only letting agents access what users are authorized to see. This feature is ideal for securing RAG (Retrieval-Augmented Generation) pipelines without slowing performance.

2. Task-scoped credentials: Auth0 Token Vault issues short-lived, operation-specific tokens that last five to 15 minutes for agent access to third-party services. Tokens expire automatically post-task, shrinking the attack surface and limiting exposure by design.

3. Enterprise-controlled access: Okta Cross-App Access centralizes control of AI-agent permissions through the identity provider. Policy-based governance helps ensure only authorized agents can interact with enterprise systems, making access clean, auditable, and enforceable.

4. Access lifecycle management: Okta Identity Governance maintains least-privilege access through automated reviews and timed certifications. It enables users and agents to retain only what’s needed, nothing more, with continuous governance layered on top of real-time controls.

Bottom line: Runtime control is non-negotiable

This is the lesson that we don’t want to hear but need to learn: People alone are not fast enough to keep up with cyberthreats. AI agents multiply the attack surface by 100, driven by sheer speed. At 5,000 operations per minute, breaches follow a familiar pattern: persistent credentials, no runtime enforcement, and consent fatigue that shuts down oversight. 

After all, AI security is identity security. Consent-based models, designed for human speed, collapse under agent velocity. Automated, policy-based enforcement that evaluates access in real time is the only viable path forward.

Runtime control is the new perimeter. Those clinging to consent-based models will soon be wondering what went wrong and why they never saw it coming. 

Stop living in the past. Master runtime enforcement now or explain your breach to stakeholders later. It’s that simple.

In the end, this isn’t just a security problem but a governance choice. And every organization is already making it, either by design or default.

When oversight fails at machine speed, security has to move downstream, into the systems, the tokens, and the runtime. Okta and Auth0 enable this paradigm shift:

  • Consent once → Continuous authorization

  • Standing credentials → Ephemeral tokens

  • Human review → Automated policy

  • Persistent access → Context-aware lifecycle

Learn more about how Okta and Auth0 can help you enforce policy-driven access in real time, built for the speed of agents.

Next: Blog 2 will unpack how delegated authority becomes a liability, especially when credentials persist far beyond their intended scope in asynchronous agent workflows.

 

Please note: Your actual performance and billing may vary based on your negotiated enterprise tier, specific model choice, token counts, and geographic region. This analysis measures performance under sustained, consistent load at this specific threshold and may not reflect peak burst capacity or performance at lower usage tiers.