[zippolyon]

The IAM framing is a good starting point but I think it undersells the core difficulty: IAM assumes the identity of the actor is stable and legible. With agents, the "actor" at step 15 of a multi-step run may have meaningfully different context and effective goals than at step 1 — same session, different behavior. Policy enforcement at runtime has to grapple with this. A rule like "don't write to production DBs" is easy. A rule like "don't proceed if your current action contradicts the intent you stated 3 steps ago" requires the agent to have exposed its intent in a queryable form throughout the run — which most don't. Auditability is the easier problem. Runtime intervention based on goal drift is where I think the field is genuinely unsolved.