Cloud

CLOUD-05

AI Agent Identity Governance

This control asks one thing: How does the organization discover, authenticate, authorize, and govern AI agents (autonomous software agents that make decisions, chain actions, and interact with systems or other agents)?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Invisible autonomous access. AI agents operate with inherited permissions that are never reviewed, creating a growing shadow attack surface that traditional IAM tools cannot see.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Turns AI agent governance from a risk constraint into a competitive advantage, organizations that govern agents well can deploy them faster and more broadly.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Inventory all AI agents, assign each a unique identity, and classify by autonomy level (read-only, task-specific, autonomous) and risk profile.

What reaching level 2 (Developing) unlocks

Governable agent lifecycle, agents can be provisioned, reviewed, and decommissioned like any other identity.

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • Autonomy-level classification applied to all agents (e.g., read-only, task-scoped, autonomous)
  • Dynamic credential issuance (OIDC, OAuth client credentials) replacing static API keys
  • Delegation chain documented, each agent has a named human owner

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for CLOUD-05 resolves to 4 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on CLOUD-05?

This page is the teaser layer. The full rubric behind CLOUD-05 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.