From Static Boundaries to Dynamic Intent
AI agents don’t just need permission to access resources. They need constraints on how they use that access. Intent-Based Access Control (IBAC) is an emerging authorization model that enforces the principle of least privilege dynamically, scoping each agent action to the specific goal it is trying to accomplish rather than granting the full breadth of a user’s entitlements.
Most organizations manage access to their systems and data through a patchwork of roles, permissions, and platform-specific rules. As that patchwork grows, so does the difficulty of answering a seemingly simple question: “Who can access what, and should they?” In previous posts, we explored how graph-based security and entitlements address this challenge by modeling the enterprise as a network of interconnected entities. The Unified Entitlements Service (UES) and the entitlements digital twin consolidate those fragmented permissions into a single, holistic view of effective access across platforms. UES answers a fundamental question: “Can this identity access this resource?” It does so by evaluating roles, attributes, and relationship paths across the enterprise graph.
But UES is fundamentally a model of static permission boundaries. It defines what can be accessed, but it does not constrain why an action is being taken or whether that action is consistent with the task at hand. In traditional software, this distinction rarely matters. Users interact with applications through predictable interfaces, and the scope of any given session is implicitly bounded by the application’s design.
Agentic AI changes this equation. Autonomous agents dynamically compose workflows at runtime, chaining across tools, APIs, and other agents. Intent shifts as tasks cross agent boundaries. Static permission boundaries alone cannot close that gap. That is the gap IBAC is designed to fill.
Why Static Permissions Break Down in Multi-Agent Workflows
In a standard On-Behalf-Of (OBO) authorization model, an agent uses its own machine identity to act on behalf of a human user. This establishes a foundation of identity tracking and auditability. However, the agent’s identity inherits the full breadth of the user’s permissions, creating a dangerous amount of exposure as that token passes down a chain of autonomous agents. Attempting to fix this by creating more specific roles only makes the problem worse. Every new agent, skill, or tool multiplies the number of role combinations the organization needs to define and maintain. At enterprise scale, with hundreds of agents and thousands of tools, this approach becomes unmanageable almost immediately.
The core gap is this: UES can tell you whether a valid permission path exists, but it cannot constrain the agent to exercise only the subset of permissions relevant to the task at hand. Without intent-level controls, every agent in the chain can access, query, write, or act on anything the user is entitled to, regardless of whether it is relevant to the task. The result is an environment where unintended actions are only discovered after they occur, often at great cost, when they could have been prevented at runtime.
Enter Intent-Based Access Control
At its core, IBAC evaluates each action against the stated intent of the current workflow, not just whether the identity holds a valid permission. Instead of asking, “Does this agent have access?” IBAC asks, “Is this action consistent with what the agent is trying to accomplish right now?”
IBAC operates through three key mechanisms. First, deterministic intent formulation translates a user’s prompt into a structured authorization statement expressing a subject, action, resource, and context. Second, secure intent chaining carries that intent forward across agent hops so each delegate operates within the originating scope. Third, granular enforcement filters the agent’s visible tools, skills, and MCP resources to only those matching the stated intent. The result is that each agent in the chain sees a partial, authorized view of its target rather than the full surface area of the user’s entitlements.
How UES and IBAC Work Together
Consider a concrete scenario. An analyst asks an AI agent to generate a quarterly compliance report. The agent needs to pull data from a financial data warehouse, cross-reference it with internal policy documents, and format the output. Here is how UES and IBAC divide the work:
- UES plays its role first. The entitlements digital twin confirms the analyst has valid access paths to the data warehouse and the policy document repository. It resolves identity across platforms and evaluates relationship-based permissions.
- IBAC then scopes the agent’s runtime behavior. The intent layer restricts the agent’s actions to “generate a compliance report.” When the agent chains to a sub-agent that queries the data warehouse, the delegated intent constrains it to read-only access on compliance-relevant tables only. The sub-agent cannot see, query, or act on other datasets that the analyst might otherwise have access to through their broader entitlements.
UES establishes the permission boundary. IBAC applies least privilege dynamically within that boundary at every hop.
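The three IBAC mechanisms described above (intent formulation, intent chaining, granular tool filtering) and the compliance-report scenario can be made concrete in a small model. The following Python is an added illustration written for this post, not code from Enterprise Knowledge, UES, or IndyKite; the entitlement table, tool catalogue, and every class and function name are constructed for the example. It layers a static UES-style boundary check under an intent scope, narrows the intent at each delegation hop by set intersection, and contrasts the sub-agent's view with what a plain on-behalf-of token would expose.

```python
from dataclasses import dataclass, replace

# Constructed entitlement table standing in for the entitlements digital twin:
# identity -> resource -> set of actions for which a valid permission path exists.
ENTITLEMENTS = {
    "analyst": {
        "finance_dw.compliance_ledger": {"read"},
        "finance_dw.payroll": {"read"},          # entitled, but irrelevant to the task
        "policy_repo": {"read"},
        "report_store": {"read", "write"},
    },
}

# Constructed tool catalogue: tool name -> (resource it touches, action it performs).
TOOLS = {
    "query_compliance_ledger": ("finance_dw.compliance_ledger", "read"),
    "query_payroll": ("finance_dw.payroll", "read"),
    "fetch_policy_docs": ("policy_repo", "read"),
    "write_report": ("report_store", "write"),
    "delete_report": ("report_store", "delete"),  # analyst holds no path to this
}


def ues_permits(identity: str, resource: str, action: str) -> bool:
    """Static boundary (the UES role): does any permission path exist at all?"""
    return action in ENTITLEMENTS.get(identity, {}).get(resource, set())


@dataclass(frozen=True)
class Intent:
    """Structured authorization statement: subject, action(s), resource(s), context."""
    subject: str
    actions: frozenset
    resources: frozenset
    context: str

    def narrow(self, actions=None, resources=None) -> "Intent":
        """Delegate to the next hop. Intersection means a sub-intent can only
        shrink the originating scope, never widen it; context is carried unchanged."""
        new_actions = self.actions if actions is None else self.actions & frozenset(actions)
        new_resources = self.resources if resources is None else self.resources & frozenset(resources)
        return replace(self, actions=new_actions, resources=new_resources)


def formulate_intent(user: str, prompt: str) -> Intent:
    """Deterministic intent formulation: a fixed prompt-to-statement mapping
    (a constructed stand-in, not a model call), so the result is auditable."""
    if "compliance report" in prompt.lower():
        return Intent(
            subject=user,
            actions=frozenset({"read", "write"}),
            resources=frozenset({"finance_dw.compliance_ledger", "policy_repo", "report_store"}),
            context="generate_quarterly_compliance_report",
        )
    raise ValueError(f"no deterministic intent mapping for prompt: {prompt!r}")


def authorize(intent: Intent, resource: str, action: str) -> bool:
    """Both layers must agree: the UES boundary first, then the intent scope."""
    within_boundary = ues_permits(intent.subject, resource, action)
    within_intent = resource in intent.resources and action in intent.actions
    return within_boundary and within_intent


def visible_tools(intent: Intent, tools=TOOLS) -> list:
    """Granular enforcement: the agent only sees tools consistent with its intent."""
    return [name for name, (res, act) in tools.items() if authorize(intent, res, act)]


def obo_visible_tools(identity: str, tools=TOOLS) -> list:
    """Plain on-behalf-of token, for contrast: every tool the user's entitlements reach."""
    return [name for name, (res, act) in tools.items() if ues_permits(identity, res, act)]


def run_scenario() -> dict:
    """The compliance-report workflow from the post, hop by hop."""
    root = formulate_intent("analyst", "Generate the quarterly compliance report")
    # Hop 1: the orchestrating agent sees only compliance-relevant tools.
    orchestrator_tools = visible_tools(root)
    # Hop 2: the warehouse sub-agent is delegated a read-only, compliance-tables-only intent.
    dw_intent = root.narrow(actions={"read"}, resources={"finance_dw.compliance_ledger"})
    dw_tools = visible_tools(dw_intent)
    # A confused sub-agent asking for payroll gets nothing extra: narrowing is an
    # intersection, so the scope cannot grow back at a later hop.
    attempted = dw_intent.narrow(resources={"finance_dw.compliance_ledger", "finance_dw.payroll"})
    return {
        "orchestrator_tools": orchestrator_tools,
        "dw_tools": dw_tools,
        "attempted_widening": set(attempted.resources),
        "obo_tools": obo_visible_tools("analyst"),  # what hop 2 would see with OBO alone
        "context_preserved": dw_intent.context == root.context,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the contrast is visible in the last two results: under OBO alone the warehouse sub-agent would see `query_payroll` because the analyst is entitled to it, while under the delegated intent it sees only `query_compliance_ledger`, and the `delete_report` tool never appears for either because no UES permission path exists. Representing the delegated scope as an intersection is what keeps a chain of hops monotonically narrowing, which is the property a verifier of intent chaining would want to check.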
Looking Ahead: Toward Intent-Aware Entitlements
As agentic workflows scale, organizations cannot predefine every interaction path an autonomous agent may take. This is especially true as the Model Context Protocol (MCP) enables agents to dynamically discover tools and resources that were not explicitly anticipated at deployment.
IBAC is an emerging model pioneered by vendors like IndyKite, whose approach leverages identity knowledge graphs to carry and enforce intent across agent delegation chains. The convergence of UES and IBAC points toward an entitlements architecture where static boundaries and dynamic intent constraints operate as complementary layers, giving organizations both the visibility to prove who can access what and the runtime controls to ensure agents act only within the scope of what they are supposed to do.
As agentic architectures mature, the organizations that move first on intent-aware entitlements will be best positioned to scale AI initiatives with confidence. Enterprise Knowledge partners with teams to assess entitlement risk, design Unified Entitlements Service architectures, and build the governance foundations that make agentic workflows safe and auditable. Contact us to start your journey to unified entitlements. For background on the architectural foundations discussed in this post, see Inside the Unified Entitlements Architecture and IndyKite’s Intent-Based Access Control for AI Agents.