Orchid Security Launches Identity Governance Stack for AI Agents and Delegated Access

What Changed

On May 28, 2026, Orchid Security extended its Identity Control Plane with three purpose-built capabilities for governing AI agents operating in production environments. The additions are:

• Agentic Enrichment — maps each AI agent back to its originating identities, owners, applications, and inherited permissions.
• Agentic Observability — monitors agent access paths and reconstructs the full chain of delegation behind every action taken.
• Agentic Guardrails — enforces least-privilege principles and identity hygiene to keep agent behavior within defined operational boundaries.

Alongside these three components, Orchid is introducing a graph-native chatbot and a chain-of-delegation auditing capability, both integrated into the same control plane. The release is a direct extension of the company’s existing identity security architecture rather than a standalone product.

Why Traditional IAM Falls Short

Orchid’s core argument is structural. Legacy identity and access management was designed for exactly two types of actors: human users, who receive narrow permissions managed through formal change requests, and nonhuman accounts — service principals, bots, and similar entities — which typically hold broad standing access kept in check by their code rather than their credentials.

AI agents fit neither category cleanly. They reason like humans, operate at machine speed, and — critically — act through real-time chains of delegation that pass authority across systems without triggering conventional IAM controls. The result is what Orchid terms the Agent AI Authority Gap: the distance between what an enterprise believes is governed and what its agents can actually execute.

Compounding the problem is what the company calls Identity Dark Matter — a layer of hidden local accounts, hardcoded credentials, and excessive privileges that Orchid’s own Identity Gap: 2026 Snapshot report estimates accounts for 57% of enterprise identity. AI agents do not create this exposure, but they accelerate it significantly.

The Scale of the Problem

The numbers Orchid cites make the urgency concrete. A 2025 Team8 CISO Village Survey found that two-thirds of enterprises already run AI agents in production environments. Orchid’s own research found that 67% of nonhuman accounts are local — meaning they operate outside the visibility of central IAM tooling. Gartner’s recent Market Guide for AI Agents has separately warned that governance is not keeping pace with adoption rates.

These figures collectively describe an enterprise security posture where deployment velocity has structurally outrun oversight capability.

The Delegation Problem, Precisely Stated

CEO Roy Katmor framed the launch around a single, precise observation:

“AI agents are not just new identities, they are delegated identities. If you can’t see the delegation chain, you can’t govern the agent.”

That framing is worth taking seriously. An agent that inherits authority from a human user, then passes a subset of that authority to a downstream service, creates an accountability chain that conventional IAM tools were never designed to trace. Orchid’s approach — tying each agent to its originating human or service identity and enforcing guardrails at runtime — is an attempt to make that chain auditable and enforceable at scale.

Company Position and Backing

Orchid Security raised $36 million in January 2025 in a single round co-led by Team8 and Intel Capital. Capital One Financial and a set of angel investors including Jeff Williams, Dror Davidoff, and Zohar Alon also participated. The investor composition — combining a cybersecurity-focused venture platform with a major financial institution — reflects the enterprise security market this product is aimed at.

The company is positioning its Identity Control Plane as the connective layer between existing IAM infrastructure and the agentic workloads now running on top of it.

What This Means for AI Tool Adopters

For organizations already deploying AI agents — or evaluating whether to do so — this launch signals something important: the identity security layer is becoming a first-class concern in agentic architecture, not an afterthought.

Choosing an AI agent platform without a clear answer to how delegation chains are tracked and governed is increasingly a risk decision, not just a technical one. Tools and platforms that expose delegation metadata and integrate with identity control planes will carry a meaningful advantage in enterprise procurement conversations going forward.

Orchid’s move also reflects a broader market dynamic: the security tooling ecosystem is beginning to catch up with the deployment reality of AI agents. That gap is closing — but it has not closed yet.