An AI agent using a user's session is not automation. It is privilege amplification with a friendly interface.
Agentic systems need first-class identity, scoped credentials, revocation, and audit trails before they touch anything operational.
This is not theoretical for me. In payment-adjacent systems, the dangerous failure is rarely one bad request — it is a tool with too much authority doing a sequence of plausible actions. The current security conversation is converging from several directions at once: agent credentials, credential brokers, API keys that do not revoke instantly, sandbox designs with observability gaps.
That is the architecture line I would draw: an agent should never borrow a human's blast radius just to get work done.
The agent stack will mature when identity boundaries become boring infrastructure, not an afterthought.
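A minimal sketch of the boundary described above, added here as an illustration and not taken from any particular product: a broker gives the agent its own identity, a short-lived scoped token, instant revocation, and an audit record for every decision. The class name, claim fields, and scope strings are assumptions made for the example.

```python
import hashlib, hmac, json, secrets, time

class AgentCredentialBroker:
    """Hypothetical broker: the agent gets its own identity and token, never the user's session."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # signing key stays inside the broker
        self._revoked = set()                # token ids revoked before expiry
        self.audit = []                      # every issue/revoke/authorize decision

    def _sign(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def _log(self, event, claims, action, allowed, now):
        self.audit.append({"t": now, "event": event, "agent": claims.get("agent"),
                           "on_behalf_of": claims.get("on_behalf_of"),
                           "jti": claims.get("jti"), "action": action, "allowed": allowed})

    def issue(self, agent, on_behalf_of, scopes, ttl=300, now=None):
        now = time.time() if now is None else now
        claims = {"jti": secrets.token_hex(8), "agent": agent, "on_behalf_of": on_behalf_of,
                  "scopes": sorted(scopes), "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        self._log("issue", claims, None, True, now)
        return claims["jti"], body.hex() + "." + self._sign(body)

    def revoke(self, jti, now=None):
        self._revoked.add(jti)  # effective on the very next authorize() call
        self._log("revoke", {"jti": jti}, None, True, time.time() if now is None else now)

    def authorize(self, token, action, now=None):
        now = time.time() if now is None else now
        body_hex, _, sig = token.partition(".")
        try:
            body = bytes.fromhex(body_hex)
        except ValueError:
            body = b""
        if not hmac.compare_digest(self._sign(body).encode(), sig.encode()):
            self._log("authorize", {}, action, False, now)  # forged or tampered token
            return False
        claims = json.loads(body)
        allowed = (claims["jti"] not in self._revoked and now < claims["exp"]
                   and action in claims["scopes"])
        self._log("authorize", claims, action, allowed, now)
        return allowed
```

Each audit entry records the agent and the delegating human as separate fields, so a sequence of individually plausible actions can be traced to the agent credential that performed them.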