I grew up as a Star Wars kid. I loved the fantastic world of Jedi, X-Wing fighters, and AT-AT walkers. But what I really wanted was my own droid. R2-D2 was my favorite – plucky, loyal, and surprisingly capable – but I always understood C-3PO better. He talked like a person and moved like a person.

Years later, I learned there’s a name for this deeply human tendency: anthropomorphism – applying human traits to non-human things. It’s universal. We call ET a “he,” not an “it.” We call our dogs “good boy” or “good girl.” Our brains are wired to see the world through the lens of personhood.

The same goes for cyborgs. Think RoboCop or Blade Runner. Some are obvious man-machine hybrids (RoboCop), others nearly impossible to distinguish from humans (Replicants). In fact, Alan Turing proposed that if you couldn’t tell machine from man, you could consider the machine “intelligent.”

What does this have to do with agentic AI?

Everything.

Humans are hardwired for pattern matching. Our prefrontal cortex reflexively scans for patterns to keep us alive in hostile environments. It’s fast, subconscious, and deeply rooted in how we interpret the world. So when something new arrives – like Agentic AI – we instinctively try to fit it into a known category.

I believe treating AI agents like humans, rather than workloads or generic NHIs (Non-Human Identities), is both more natural and more effective.

Agents are people too – at least for security

Here’s why:

1. Pattern matching works best when aligned with our instincts.
   • People treat AI agents like people. We say “please” and “thank you” to ChatGPT, even though it costs millions in extra inference time with no effect on output. We anthropomorphize because it’s how we process complexity.
   • Security policies for agents become more intuitive when we model them like human identities rather than opaque constructs like service accounts or ephemeral workload tokens.
2. Agents are replacing human functions.
   • At Capital One, teams model agent workflows as direct analogs to human tasks: what a person did yesterday, an agent will do tomorrow.
   • As agents take on responsibilities with real business impact, treating them like humans ensures appropriate guardrails, approvals, and accountability.
3. We have decades of proven controls for managing humans.
   • IAM has enabled online banking, healthcare, manufacturing, and virtually every critical function in the modern world, to be done securely.
   • Identity orchestration, attribute-based access, and fine-grained authorization are mature for human use cases. These same tools can – and should – secure AI agents.

No disrespect to NHI, but agents aren’t just objects

I’m not saying NHIs are bad. They’re essential for workloads, service accounts, and privileged functions. But forcing AI agents into the same conceptual bucket ignores the reality of what they are and how they behave.

It’s like saying “apples are fruit, therefore all fruit are apples.” Agents may technically be a form of NHI, but the reverse is not true.

A simple logical model

Let’s break it down:

• Subject: directs an Actor to take action on an Object.
• Actor: takes action on an Object.
• Object: has actions taken upon it.

Applying this:

1. Humans are Subjects and Actors, but not all Subjects and Actors are human.
2. Agents are NHIs, but not all NHIs are Agents. Agents have human-like traits – probabilistic, decision making, context awareness – that standard workloads do not.
3. NHIs are often Objects, but Agents blur this line by acting as Actors.

Trying to control AI agents by treating them like static NHIs (objects) fails to provide necessary guardrails or observability. We can’t inspect their inner workings (that’s up to OpenAI, Anthropic, Google, etc). But we can govern their external behavior through Identity Orchestration.

Why Identity Orchestration matters

Identity orchestration is how we secure multi-step, multi-agent workflows:

• Authentication: Agents don’t have faces or fingerprints for FaceID or FIDO2, but they can authenticate with SPIFFE/SVID or PKCE.
• Access Control and Authorization: We define what an agent can do based on its identity and context, just like a human user.
• Attributes: Agents carry roles, scopes, and verifiable credentials (e.g. “age > 21”) to act on behalf of humans without exposing sensitive data.
• Administration and Governance: We track agent identities just as we onboard, offboard, and audit employees.
• Audit: Every action by an agent can be logged with full execution graphs and non-repudiable proofs, ensuring accountability. Specially for agents we need to log intent + context + outcomes.

Embracing agentic anthropomorphism for good

I still don’t have my own R2-D2. But I work every day with systems that manage thousands of agents, and I can say this with confidence: Agents are people too – at least when it comes to identity.

When agents act without identity, without traceability, accountability, or authorization, they become ungoverned actors in your systems. You can’t enforce Zero Trust. You can’t prove who did what. And you can’t stop them when something goes wrong.

We don’t need to reinvent identity for the agentic age. We just need to extend what already works for humans—delegation, access control, auditability — to a new class of actors. With identity orchestration, we can bring order to the chaos, even in a galaxy of multi-cloud sprawl.

And that’s how I stopped worrying and learned to love agentic anthropomorphism. 

Get early access to Maverics Identity for Agentic AI to shape the future of AI identity!