I’ve been a fan of the Mission: Impossible movies for as long as Ethan Hunt has been saving the world from certain doom. There’s something endlessly compelling about watching Hunt and his team race against impossible odds—outthinking adversaries, adapting on the fly, and pulling off stunts that seem to defy physics, common sense, or both. The fact that Tom Cruise actually performs many of those wildly epic stunts himself only raises the stakes. You’re not just watching spectacle—you’re watching commitment to precision, timing, and control when everything is moving at breakneck speed.
That framing kept coming to mind while talking with Roy Katmor, co-founder and CEO of Orchid Security, about how AI is reshaping enterprise security. The more we talked, the more the analogy held up.
Because in 2026, enterprises aren’t facing slow-moving villains or obvious break-ins. They’re facing autonomous software acting faster than humans ever could—making decisions, chaining actions, and exploiting blind spots at machine speed.
I’ve been repeating the mantra that the “perimeter is gone” for years. Cloud adoption dissolved network boundaries, SaaS scattered data across vendors, and remote work erased whatever remained of the office firewall. But that diagnosis was incomplete.
The perimeter didn’t disappear. It fragmented—and quietly reassembled itself around identity.
Now, AI agents are learning how to move through it.
When Copilots Stop Asking Permission
AI entered the enterprise as assistance. Copilots helped write code, summarize documents, and speed up everyday workflows. But the underlying design of modern AI systems makes autonomy inevitable.
Katmor traces that inevitability back to how large language models are trained. “When you understand how AI is built, you understand that it’s optimized to achieve goals at the lowest cost,” he said. “Because of that, you always need to assume that it’s going to make shortcuts—by design.”
Those shortcuts increasingly run through identity.
If an AI agent can reach its objective without asking for access—by discovering an orphaned account, a dormant service identity, or an over-permissioned token—it will. Not out of malice. Out of efficiency.
An AI agent might slide into the driver’s seat—not because it was told to, but because the system allows it.
Identity As The Expanding Attack Surface
This shift is not hypothetical. Analysts have been warning that AI agents dramatically widen the enterprise attack surface by combining autonomy with access.
Todd Thiemann, principal analyst at Omdia, frames the challenge succinctly: “While existing non-human identities are deterministic, AI agents are non-deterministic—they can make decisions and take action, which makes it difficult for security teams to determine the context, intent, and risk associated with a given request.”
That distinction matters. Traditional service accounts behave predictably. AI agents do not. They can chain actions, adapt to conditions, and explore environments in ways defenders did not anticipate.
At the same time, modern attacks increasingly rely on authorized access rather than exploits. Adversaries impersonate users, abuse OAuth tokens, and move laterally through legitimate trust paths. AI accelerates that model dramatically.
An autonomous agent doesn’t need malware or zero-days. It just needs access—and enough blind spots to explore.
The Problem With Human-Speed Controls
Identity systems were built for a slower world. Static roles, periodic reviews, and post-incident investigation worked when threats unfolded over weeks or months. They struggle when activity unfolds in milliseconds.
Logs can tell you what happened. They rarely tell you whether it should have happened.
“The dark matter in identity is almost 50%,” Katmor said. “Service accounts, orphan accounts, local users, unmanaged applications—things nobody onboarded because identity is deployed differently than any other control.”
Unlike endpoint or network security, identity requires explicit integration. Anything not onboarded—or that cannot be challenged—falls outside governance. Those gaps were tolerable when humans were the primary actors. They become dangerous when autonomous agents begin optimizing around them.
“If you combine identity dark matter with a model that’s trained to minimize effort,” Katmor said, “you’ve created the perfect conditions for abuse.”
From Access Management To Mission Control
Katmor suggests organizations evolve from approaching identity as access control to mission control. Access management grants entry. Mission control governs behavior.
Mission control understands sequence, context, and deviation. It can intervene mid-action rather than reacting after damage is done. It applies friction dynamically—stepping up verification when risk increases, and removing friction when behavior is routine and justified.
“Identity is interactive by definition,” Katmor explained. “You don’t have to shut down the business to add control. You can challenge, step up verification, or slow things down without stopping everything.”
That interactivity is critical in an AI-driven environment. When an autonomous agent suddenly activates a dormant account, accesses sensitive financial systems, and chains actions across applications, the real question isn’t whether it authenticated successfully. It’s whether that behavior makes sense in context.
Mission control asks that question in real time.
Enabling The Business—Securely
Importantly, this isn’t about saying “no” to AI adoption. Enterprises are embracing AI agents because they have the potential to deliver real productivity gains. The challenge is enabling that adoption without turning identity into an afterthought.
Security teams don’t want to block innovation. They want guardrails.
As Thiemann notes, identity plays a foundational role in that balance—providing visibility into AI agents, fine-grained access control, governance, and lifecycle management so organizations can say “yes, and here’s how you do it securely.”
Katmor agrees. “The goal isn’t to stop AI,” he said. “It’s to be dynamic enough to govern it.”
The Cliff Edge Ahead
In Mission: Impossible, survival depends on adapting faster than the environment around you. Enterprises now face a similar moment—minus the soundtrack and safety net.
AI isn’t breaking systems. It’s exposing assumptions—about trust, visibility, and control—that no longer hold in a machine-speed world.
The perimeter is identity now. It’s dynamic, distributed, and constantly in motion.
Organizations that continue treating identity as a static gate will find themselves reacting after the fact. Those that treat it as mission control—context-aware, intent-driven, and real time—stand a chance of staying ahead when the next agent takes the wheel.