New capabilities deliver agent runtime identity attribution and behavioral anomaly detection across the full agent lifecycle

Today we are announcing AI agent runtime security capabilities across the Permiso platform. These capabilities give security teams continuous visibility into agent runs, events, tool calls, and data access across agents, sub-agents, MCP servers, and the underlying infrastructure those agents operate on.

While startups race to build agent security from scratch and incumbents try to acquire their way into the space, Permiso took a different path. The platform we built to secure human and non-human identities was designed to extend to new identity classes, and AI agents are exactly that. This is not a new product. It is the architecture we have been building toward, now covering the fastest-growing and least-governed identity class in the enterprise. That changes today.

Every enterprise we talk to is deploying AI agents. Nearly none of them have runtime visibility into what those agents are doing. The gap between agent adoption velocity and agent security governance is the largest unaddressed risk in enterprise security today. Agents are operating with access to production data, critical infrastructure, and downstream systems, making autonomous decisions at machine speed, and most security teams cannot answer basic questions about what those agents are doing.

Permiso was built for exactly this class of problem, delivering agent runtime identity attribution and agent behavioral anomaly detection across the full agent lifecycle.

Where posture tools capture a snapshot of what an agent is allowed to do, Permiso watches what it actually does. Every run, every event, every tool call, every data access, attributed to a specific identity and assessed for risk in real time. The platform extends the same Discover, Protect, and Defend framework that Permiso customers already use for human and non-human identities across the full agent lifecycle, from the moment an agent is born in a code repository through deployment, runtime operation, and containment.

Why your current security tools cannot see what AI agents are doing

AI agents are being deployed across cloud infrastructure, developer environments, workforce machines, and business workflows at a pace that has outrun security. Each agent operates with service accounts, OAuth tokens, or workload identities that grant access to production data and critical systems. Each one makes autonomous decisions, calls external tools and MCP servers, spawns sub-agents, and interacts with downstream infrastructure and data stores at machine speed, often without any human in the loop.

Most of the market is solving for posture and governance: where agents are, how they authenticate, what permissions they hold. Posture matters, and Permiso answers all of those questions. But posture is a snapshot. Agents operate in real time, making context-dependent decisions across tools, data stores, and downstream systems in milliseconds. The security question that actually matters is not what an agent is allowed to do, it is what it is doing right now, and whether you can stop it.

Traditional identity providers lose visibility the moment an agent authenticates. The runs, events, and tool calls that follow happen in a blind spot that governance tools cannot see or stop. Part 1: they know how to build an inventory. Part 2: they know how to add context to it. Part 3: they know how to map activity. Part 4: they know how to operationalize visibility.

Adding to the challenge, NHI security vendors are treating agents like static machine identities. They apply credential lifecycle management, just-in-time permissions, and rotation policies to identities that behave nothing like traditional service accounts. Agents log in as the users who deployed them, make context-dependent decisions in real time, call different tools based on the task at hand, and take actions that are indistinguishable from legitimate human activity. Securing agents requires runtime observability and identity attribution, not static credential management.

Five capabilities that bring Discover, Protect, and Defend to AI agents

Permiso was built for exactly this class of problem, delivering agent runtime identity attribution and agent behavioral anomaly detection across the full agent lifecycle.

Where posture tools capturetake a snapshot of what an agent is allowed to do, Permiso watches what it actually does. Every run, every event, every tool call, every data access, attributed to a specific identity and assessed for risk in real time. The platform extends the same Discover, Protect, and Defend framework that Permiso customers already use for human and non-human identities acrossto the full agent lifecycle, from the moment an agent is born in a code repository through deployment, runtime operation, and containment.

The five core capabilities include:

1. Agent and session discovery

Permiso inventories every AI agent, sub-agent, builder, model, and user across cloud, SaaS, IdPs, and code environments, including agents running in Lambdas, containers, and VMs that traditional identity tools cannot see. This includes shadow agents and sessions not sanctioned by security teams.

Most organizations discover significantly more agents than they expected once this capability is deployed. The gap between what leadership assumes exists and what actually exists is where risk accumulates. You cannot secure an agent you do not know about. Discovery is always the first step.

2. Identity attribution at runtime

Every run, event, tool call, and MCP invocation is tied to a specific human, non-human, or AI identity. Permiso’s agent graph visualizes the full chain: which human deployed the agent, what identity the agent is using, what sub-agents it spawned, and what downstream systems each one touched.

This is the audit trail that security and compliance teams need to reconstruct what happened during an incident. It is also the attribution layer that makes behavioral anomaly detection possible. Without knowing which identity is behind each action, detection is just noise. Attribution turns noise into signal.

3. Tool, data, and infrastructure observability

The platform captures what tools an agent called, what MCP servers it connected to, what data it accessed, and what downstream systems it reached. This is not log aggregation. It is structured observability that maps agent activity to the resources and infrastructure those actions affected.

Security teams can see the full blast radius of any agent session in a single view. When an agent calls a tool that accesses a database, spawns a sub-agent that writes to an S3 bucket, and connects to an MCP server that has access to internal APIs, the entire chain is visible as a connected sequence, not as isolated log entries scattered across consoles.

4. Runtime detection

Permiso detects over-privileged access, unused permissions, anomalous tool usage, policy violations, and high blast radius behavior in real time. These detections are powered by P0 Labs threat intelligence, which now includes agent-specific behavioral patterns built from the same team’s research into LLMjacking, cross-prompt injection vulnerabilities in AI copilots, and analysis of 341+ malicious AI agent skills.

Detections are surfaced in the same alert module security teams already use to investigate human and non-human identity threats. There is no separate agent console, no separate workflow, no separate learning curve. An agent behaving anomalously appears alongside a service account behaving anomalously, both attributed to identities, both investigated with the same tools. This is deliberate. Agents are identities. Identity threats belong in one place.

5. Identity-first controls

The platform provides least privilege recommendations based on actual agent behavior, not theoretical permission models. If an agent has access to ten tools but only uses three, Permiso flags the other seven as candidates for removal. Approval gates for high-risk actions let security teams insert human review into agent workflows where the risk warrants it.

And runtime kill switches operate at the identity layer, giving security teams the ability to revoke an agent’s access at machine speed when behavior crosses a threshold. When an agent starts accessing production data it has never touched before, or connects to an MCP server outside its normal pattern, the kill switch stops the session before the blast radius expands.

How AI agent runtime security fits the Permiso platform

These capabilities are not a bolt-on module. They are integrated into the same Universal Identity Graph that Permiso uses to track human and non-human identities. The same P0 Labs threat intelligence that powers 1,500+ detection signals for human and NHI threats now extends to agent-specific behavioral patterns. The same Discover, Protect, and Defend framework that customers already use now covers the full agent lifecycle.

For existing customers, AI agents appear alongside their human and non-human identities in the same platform, with the same investigative tools, the same alert workflows, and the same response controls. No new deployment required. For new customers, Permiso’s agentless, API-based architecture means the full platform, including AI agent runtime security, deploys in days with no infrastructure changes.

How Permiso secures the full AI agent lifecycle

Autodesk, a Fortune 500 company deploying AI agents across its products, global workforce, and cloud infrastructure, is one of the first enterprises to deploy Permiso’s AI agent runtime security capabilities. As organizations move from experimenting with agents to deploying them at scale, the question shifts from “should we secure our agents?” to “can we see what our agents are doing right now?”

If your organization is deploying AI agents and your security team cannot see what those agents are doing after they authenticate, that is the gap Permiso was built to close. See AI agent runtime security in action. Request a demo at permiso.io.