The bottom line: Traditional IAM systems authenticate individual users and grant static permissions. AI agents connect to business systems and operate in ways that require dynamic access patterns that IAM can’t handle.

Here’s why enterprises need purpose-built solutions for agent access control in order to deploy AI safely across systems and teams.

How Traditional IAM Works

Corporate identity and access management systems are built around a simple premise: authenticate a human user, then grant them specific permissions to predetermined resources.

Here’s the typical flow:

  • A user logs in with credentials
  • IAM verifies their identity
  • The system checks their role and grants access to approved applications
  • The user works within those applications during their session
  • Functional and data access permissions are governed by the system directly
  • They log out when finished

This model works because human behavior is relatively predictable. A marketing manager needs access to campaign tools, email, and analytics dashboards. A finance analyst needs accounting software and reporting systems. Clear roles, static permissions, straightforward audit trails.

IAM excels at this because it can create high level application access policies for each user type and enforce them consistently over time, centralizing governance for on and off-boarding use cases.

How AI Agents Actually Connect to Business Systems

AI agents operate completely differently. When you deploy an agent to handle a business task—like reconciling financial records or analyzing customer data—it doesn’t log into applications the way humans do.

Instead, agents connect to your business systems through Model Control Protocol (MCP), a standardized way for AI to communicate with databases, APIs, and business tools. Think of MCP as the bridge that lets AI agents read from your CRM, write to your accounting system, or pull data from your analytics platform.

Here’s what happens when an agent executes a single task:

  • The agent receives instructions to complete a specific business process
  • It identifies which systems contain the necessary data
  • Through MCP, it connects to multiple databases, APIs, and tools
  • It performs dozens of read and write operations across these systems
  • It processes the information and delivers results

A simple task like “prepare onboarding materials for our new marketing hire starting Monday” might require the agent to:

  • Create a user account in your identity system (Active Directory)
  • Add the new hire to relevant Slack channels and team groups
  • Generate access requests for marketing tools (HubSpot, Google Analytics)
  • Pull the latest employee handbook from your document system (SharePoint)
  • Create calendar invites for first-week meetings from your scheduling system (Outlook)
  • Update headcount reports in your HR system (Workday)

That’s six different systems for one straightforward request. More complex tasks can involve dozens of system connections.

The critical difference? This entire task runs autonomously and spans across the access rights of multiple human users given a typical organization’s span of control. Traditional IAM permissions can’t keep an agent operating within its intended scope. Agents need permissions scoped to each specific request, task, and tool to stay firmly bounded when taking actions on behalf of users.

Why IAM Can’t Handle MCP-Based Access

Traditional IAM breaks down with agent workflows for several fundamental reasons:

Dynamic vs. Static Access Patterns: IAM grants permissions based on user roles that remain relatively stable over time. Agents need access that changes based on the specific task they’re performing or the human asking them to perform it. An agent handling payroll for an HR manager needs different system access than the same agent handling onboarding a new employee for an HR onboarding specialist.

Role Explosion: Traditional IAM uses roles to define permissions—”Marketing Manager” gets marketing tools, “Finance Analyst” gets accounting software. This works for humans with stable job functions.

But AI agents operate across multiple dimensions that create exponential permission combinations:

  • Task type: payroll processing, onboarding, expense reports, data analysis
  • User context: which person is making the request and their permissions
  • Systems needed: which specific tools the task requires (Workday, Slack, Active Directory, etc.)
  • Data scope: which subset of data the agent should access

A simple example shows how quickly this multiplies:

Just 2 task types × 2 user roles × 3 systems = 12 different role permutations

  • Agent processing payroll for HR Manager accessing Workday
  • Agent processing payroll for HR Manager accessing ADP
  • Agent processing payroll for HR Manager accessing Active Directory
  • Agent processing payroll for HR Specialist accessing Workday
  • Agent processing payroll for HR Specialist accessing ADP
  • Agent processing payroll for HR Specialist accessing Active Directory
  • Agent handling onboarding for HR Manager accessing Workday
  • Agent handling onboarding for HR Manager accessing Slack
  • Agent handling onboarding for HR Manager accessing Active Directory
  • Agent handling onboarding for HR Specialist accessing Workday
  • Agent handling onboarding for HR Specialist accessing Slack
  • Agent handling onboarding for HR Specialist accessing Active Directory

In reality, enterprises have dozens of task types, hundreds of users, and dozens of systems. The math becomes impossible—you’d need thousands of hyper-specific roles.

This creates three critical problems:

  1. Unmaintainable complexity: No security team can track what each role actually permits. Documentation becomes outdated immediately.
  2. Brittle systems: Changing one permission requires updating dozens of interconnected roles. A single modification risks breaking multiple agent workflows.
  3. Audit impossibility: When a security incident occurs, determining who had access to what becomes a forensic nightmare across thousands of granular roles.

Traditional role-based permissions weren’t designed for the dynamic, combinatorial nature of agent access patterns.

Cross-System Workflows: IAM typically manages access to individual applications. Agent tasks routinely span multiple systems, databases, and third-party services. A single agent workflow might touch your ERP, CRM, marketing automation platform, and external APIs—all through MCP connections that IAM doesn’t understand.

Scale Mismatch: IAM systems manage hundreds or thousands of human users. Enterprises deploying agents might have hundreds of agents performing thousands of tasks daily, each requiring dozens of system connections and execution time authorizations. IAM wasn’t architected for this volume of access requests nor does it execute its policy enforcement decisions at the network traffic layer that agents require.

Session Management: Human users have clear login/logout sessions. Agents create ephemeral connections—they might need access to specific systems for minutes or seconds, then never need those same permissions again.

The Security Gap This Creates

Without proper access controls for MCP connections, organizations face serious risks:

Excessive Permissions: Giving agents the same permissions that humans have isn’t a good idea. Humans think “What will happen if I do this?” “Will I get fired?” Agents don’t have a conscience. You don’t want your agents having full administrative rights to your systems that your humans do. One wrong prompt, malicious or not, and your entire system could be wiped out.

No Audit Trail: Traditional IAM systems can’t track what agents actually do with MCP connections. You might know an agent accessed your database, but not what specific data it read, edited or deleted until it’s too late.

Shadow AI Activity: When IAM blocks legitimate agent workflows, employees create unauthorized agents or use personal AI tools, moving business processes outside your security controls entirely.

What Enterprises Need Instead

The solution isn’t trying to make IAM work for agents—it’s deploying purpose-built access control designed for MCP-powered AI workflows.

Effective agent access management requires:

MCP-Native Controls: Security systems that understand MCP protocols and can grant specific permissions for agent-to-system connections, not just human-to-application access.

Context-Based Permissions: Instead of role-based access, agents need permissions tied to specific business processes and the people using them. An agent handling expense reports gets different access than an agent managing inventory, even if they’re both “finance agents.”

Real-Time Guardrails: The ability to monitor and control what agents do with their system access in real-time, blocking actions that fall outside approved policies while allowing legitimate requests to be approved.

Granular Visibility: Complete audit trails that show exactly which data agents accessed, what actions were allowed, restricted, blocked and why.

Traffic Layer Policy Enforcement: Decisions on transactions between AI agents and MCP system resources need to be applied as the agent makes a request, in line with that request.

The Practical Reality

Most enterprises are already using AI and agents, whether they’ve officially approved them or not. Marketing teams use agents to analyze campaign performance. Finance departments deploy agents for data reconciliation. IT teams rely on agents for code generation and system monitoring. Even if it’s just using Claude or ChatGPT paid accounts and leveraging connections.

Traditional IAM systems will continue to be essential for human access management. But enterprises need additional access management specifically designed for the MCP connections that make AI agents powerful.

Without proper agent access controls, organizations face an impossible choice: block AI adoption to maintain security, or accept the risks that come with unmanaged agent access to business systems.

The companies that solve agent access control will unlock AI’s productivity benefits while maintaining the security posture their business demands.

Barndoor provides purpose-built access control for AI agents connecting to your data and business systems through MCP. We give enterprises the security and visibility they need to adopt AI safely—without blocking the data access that makes agents valuable. Book a demo today.