In the early days of data engineering, access was predictable. A handful of power users—engineers and analysts—pre-calculated dashboards for the masses. The permutations of “who can see what data” were limited, static, and typically managed ahead of time.
Then came the “Chat with your Data” revolution.
Today, LLM agents have turned every employee into a potential data consumer. Through text-to-SQL, agents can now traverse distributed systems, generate complex queries, and collate answers in seconds. However, while the speed of insight has accelerated, our security models remain tethered to the dashboard era. This gap creates a massive operational bottleneck for data platform owners and governance leaders. Without a modernized authorization framework, the enterprise is forced into a strategic stalemate: data platform owners face an unmanageable explosion of manual provisioning, while governance and audit teams must choose between halting innovation or accepting a security surface area that is one non-deterministic hallucination away from a breach.
We are effectively trying to solve a 2026 authorization problem with a 2010 authentication toolkit, creating an environment where security isn’t just a hurdle, it’s the reason AI never leaves the sandbox.
The OAuth trap: Why authentication isn’t authorization
The industry’s knee-jerk reaction to securing agents has been to use OAuth. The logic is simple: let the agent “impersonate” the user so it can only see what the user sees. However, attempting to solve an authorization problem at the authentication layer creates five critical failures:
- Account Sprawl: You are forced to provision and manage every single human user in every single underlying data system. You aren’t just defining access policies; you’re manually implementing them everywhere.
- Exposure Risk: By giving every user an active account across the entire stack, you’ve massively expanded your attack surface. The number of data-access permutations to manage becomes daunting, creating an environment ripe for access management errors, and one so slow and rigid that it is impossible to change or manage.
- Scope Explosion at the Data Plane: OAuth scopes are too coarse for databases; attempting to map thousands of granular data permissions to a protocol designed for broad SaaS actions is brittle and unmanageable.
- Rights Inflation: Consider an ACCOUNTADMIN. If they use an agent via OAuth, that non-deterministic agent inherits “god-mode” privileges. A simple hallucination could lead to unintended, system-wide changes that go far beyond answering a data question.
- Muddy Audit Trails: Query logs will show that the user ran the query, when in reality the agent ran it on behalf of the user. There is no way to breadcrumb back to what actually occurred.
Centralizing the decision, not just the identity
We tend to assume authorization is enforced at a single, static point—the system being queried. But in delegated agent-driven work, authorization becomes distributed. The policies on the identity, not just the relying system, must participate in enforcing constraints. Just as Okta and Entra were required to centralize identity, agents make it mandatory to centralize and externalize authorization.
In a world of delegated work, authorization logic must travel with the identity across the entire ecosystem, powered by a centralized source of truth.
Immuta: The centralized source of truth
Immuta solves this at the authorization level by treating the agent as its own first-class identity. Instead of the agent pretending to be a human via OAuth, it works like this:
- The Agent Identity: The agent authenticates as itself—a conduit for human questions.
- Role Vending: When a human asks a question, Immuta vends a role in the data platform to the connecting agent that represents that specific human’s access as defined in Immuta. This is not a basic “does the user have access to the data platform or not” check; it is fine-grained access control, down to table, column (masking), row (filtering), and even cell level.
- Scoped Access: These policies represent the human’s scope of access through the agent conduit. They do not need to match the human’s “normal” or elevated privileges in the system, should those exist at all.
- Zero Standing Privileges (ZSP): The human doesn’t even need an account on the underlying data system. Because Immuta uses Attribute-Based Access Control (ABAC) to define policies once, those policies carry through to every data platform the agent touches.
- Clear Breadcrumbs: Since the agent is its own identity and Immuta knows which roles were vended for which humans, the audit trail is crystal clear. You know exactly when an agent was acting on behalf of a human.
The road ahead: From centralized control to autonomous governance
By centralizing authorization today, Immuta provides the essential foundation for secure agentic access. But this is just the beginning. Over the coming months, we are taking this centralization two steps further to add layers of sophisticated automation on top of that foundation:
1. Enhancing Precision with In-Flight Intent Scoping
We will allow Immuta user access policies to be further dynamically scoped based on the intent of the user’s question. To determine the final policy, Immuta calculates the union of what a given intent is permitted to query (and how) and the user’s existing Immuta-defined permissions. This ensures that a user’s foundational access scope can be small (or non-existent) and is expanded only under legitimate intent.
2. The Semantic Access Layer
Currently, agents operate under the assumption that they can see the entire “semantic layer,” the business context and metadata critical to building accurate responses. We are exposing a layer that describes exactly which parts of that metadata the user is authorized to access.
- Just-in-Time Authorization: If an agent identifies that it needs more data to answer a query, it can request missing access in real-time.
- Deterministic Automation: Pre-defined rules can grant that access instantaneously. Over time, trends in human-driven access decisions will automate the deterministic rules, leaving only the most sensitive determinations for humans.
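As an added illustration (not Immuta’s code or API), the following Python model walks through the agent-as-identity flow described under “Immuta: The centralized source of truth” and the intent-scoped union described in the roadmap above: the agent authenticates under its own identity, a central ABAC policy vends a role scoped to the human (table access, column masking, row filtering), and the audit record names both the acting agent and the human it acted for. All user attributes, rules, intents and names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed ABAC policy shape: which tables, which columns are masked,
# and a per-table row filter. Not Immuta's data model.
@dataclass
class Policy:
    tables: set            # table-level access
    masked_columns: set    # column-level masking
    row_filter: dict       # table -> SQL predicate (row-level filtering)

# Constructed central source of truth: attributes on the human, not accounts
# on the data platform (the human has zero standing privileges there).
USER_ATTRS = {"alice": {"dept": "finance", "region": "EU"}}

def base_policy(user):
    """ABAC rule defined once: finance sees invoices for its own region, ssn masked."""
    attrs = USER_ATTRS[user]
    pol = Policy(set(), {"ssn"}, {})
    if attrs["dept"] == "finance":
        pol.tables.add("invoices")
        pol.row_filter["invoices"] = f"region = '{attrs['region']}'"
    return pol

# Constructed intent grants: what a declared intent is permitted to query (and how).
INTENT_GRANTS = {"churn_analysis": Policy({"customers"}, set(), {"customers": "status != 'test'"})}

def scoped_policy(user, intent=None):
    """Union of the user's base scope with the intent's scope, as the page describes."""
    pol = base_policy(user)
    grant = INTENT_GRANTS.get(intent)
    if grant:
        pol.tables |= grant.tables
        pol.row_filter.update(grant.row_filter)
    return pol

AUDIT = []  # constructed audit log: actor is the agent, on_behalf_of is the human

def vend_role(agent_id, user, intent=None):
    """Agent authenticates as itself; a role scoped to the human is vended to it."""
    pol = scoped_policy(user, intent)
    role = f"agent_{agent_id}__obo_{user}"
    AUDIT.append({"actor": agent_id, "on_behalf_of": user, "role": role, "intent": intent})
    return role, pol

def run_query(role, pol, table, columns):
    """Enforce the vended policy: deny unknown tables, mask columns, append row filter."""
    if table not in pol.tables:
        raise PermissionError(f"{role}: no access to {table}")
    projected = [f"MASK({c})" if c in pol.masked_columns else c for c in columns]
    where = pol.row_filter.get(table, "1=1")
    return f"SELECT {', '.join(projected)} FROM {table} WHERE {where}"
```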
A Re-Platforming of the Identity Control Plane
This represents a fundamental security shift; it’s an identity control-plane re-platforming. With agents and centralized authorization, we can finally move to a world where compliance focuses on legitimate questions of data and purpose-based audit trails, rather than the endless, manual recertification of standing privileges.
Ultimately, this re-platforming provides more than just a security fix: it provides the operational agility required to turn AI from a pilot project into a production reality. By solving the authorization problem today, enterprises aren’t just protecting their data; they are building the necessary foundation for a future of autonomous governance. This is the new blueprint for data security in the AI era: one where innovation isn’t slowed by the need for access, but is instead accelerated by the certainty of it.