Agent Identity
AI agents require verifiable identities to operate securely and with accountability. Agents on Google Cloud can now receive a dedicated Agent Identity: a new, first-class principal type distinct from human identities or generic service accounts.
Built on the open Secure Production Identity Framework For Everyone (SPIFFE) standard, these identities are cryptographically protected, strongly attested, and automatically provisioned. Agent Identity allows you to recognize agents whether they are operating autonomously or on behalf of a user.
With Agent Identity, agents are recognized as an independent identity type, allowing you to establish strong governance and agent-specific authorization rules.
To support this, we are announcing the following updates:
Agent Gateway
Agent Gateway enables policy enforcement for all agent-to-agent and agent-to-tool connections. Because AI agents behave non-deterministically, all agent traffic on Google Cloud can now be routed through the Agent Gateway. This centralized flow allows you to enforce strict policies that prevent agents from accessing unauthorized or undesired third-party endpoints.
To extend Zero Trust enforcement to agents and AI systems, the following capabilities are also available in preview:
- Identity-Aware Proxy (IAP) for Agents: IAP integrates with Agent Gateway, providing default-on, identity-centric security. It enforces granular access control policies using IAM, based on agent identities and rich contextual attributes derived from the Model Context Protocol (MCP).
- Context-Aware Access (CAA) for Agents: CAA evaluates contextual signals such as device health, IP address, and location for agent identities before granting access to resources.
Agent access management
Managing agent access and the operations they can perform is critical to address dormant permissions. Our defense-in-depth approach to agent access management ensures agents only have the privileges they need. To help enforce least privilege access, Agent Identity is now fully supported across Google Cloud’s policy, monitoring, and governance solutions.
- IAM Allow and Deny policies for Agent Identity are now generally available, letting you control which agents can access specific resources.
- Principal Access Boundary (PAB) for Agent Identity is now in preview. PAB acts as an additional protective layer, defining resources that a specific agent or group of agents can never access, regardless of other permissions they might inherit.
- Unified Access Policy (UAP) for Agent Identity is coming soon. These new access policies act as a rulebook for AI agents, allowing granular control over agent access to tools, APIs, and resources. Policies can be based on the Agent Identity, the effect (allow or deny), the operation, and specific conditions. They can even mandate human-in-the-loop (HITL) approvals for sensitive actions, ensuring critical decisions have human oversight.
All these policy types support the new Agent Identity nomenclature, including hierarchy-aware constructs built on SPIFFE’s trust domain and namespace model. This means you can govern agents individually or as groups using the same familiar policy mechanisms already in use for human and service account identities.
Agent guardrails
Beyond providing strong access management capabilities, we must also ensure that AI agents cannot exfiltrate data at runtime or pull in unauthorized external data. VPC Service Controls (VPC-SC) support for Agent Identity as a first-class principal in ingress and egress rules is now in preview, allowing you to prevent data exfiltration and control the data moving in and out of your perimeter.
Additional enterprise-wide guardrails are available to enforce that only specific resource configurations are allowed in your cloud environment:
- Organization Policies: Administrators can enforce constraints, such as restricting agent creation to specific regions or preventing agents from creating public IP addresses.
- Custom Organization Policies: Cloud administrators can tailor constraints to unique agent behaviors and compliance requirements.
To help enterprises continuously monitor and secure AI agents, our new Agent Security dashboard for Agent Platform, in preview, offers agentless discovery, vulnerability scanning, runtime threat detection, and graph-based risk discovery.
Key capabilities of this platform include:
- Agent security posture: Provides secure-by-design templates and Google-recommended controls for building agentic applications.
- Agent vulnerability scanning: Identifies weaknesses in agent packages and skills, catching flaws before deployment.
- Agent asset discovery: Delivers an organization-wide inventory of all AI agents and their associated assets. The inventory process will soon differentiate between shadow AI agents and sanctioned AI agents in your organization.
Collectively, these capabilities help to ensure that agents are secure by design and continuously monitored.
Runtime defense
While agent access management and guardrails can help you manage permissions and prevent data exfiltration, runtime defense controls can provide an additional protection layer addressing runtime security risks and ensuring AI agents function as intended.
Model Armor provides real-time protection for user, model, and agent interactions to protect against runtime risks such as prompt injection, tool poisoning, and sensitive data leakage across Google Cloud services and Gemini Enterprise Agent Platform. It now provides inline protection for Agent Gateway, Agent Runtime, Google Cloud MCP servers, LangChain (in preview), and Firebase (generally available) to help developers add runtime guardrails and sanitization of agent traffic and interactions without the need to change code.
These integrations expand Model Armor’s existing inline protections for Agent Platform models, Gemini Enterprise, Apigee, Google Kubernetes Engine inference gateway and load balancers, as well as API interfaces.
Beyond agents: Additional IAM capabilities announced at Next ’26
We’re rolling out a comprehensive suite of new capabilities to manage identity, access, and governance at scale. We’re simplifying user provisioning with SCIM support for Workforce Identity Federation, streamlining Gemini Enterprise onboarding, and ensuring strong machine identities with Managed Workload Identity.
We’re also making access management smarter and more secure with the general availability of Gemini-powered IAM Role Picker, Fine-Grained Access Control for BigQuery, and enhanced Privileged Access Manager insights. To mitigate access risks and further strengthen security, we have introduced a VPC Service Controls violation analyzer, integrated Identity-Aware Proxy with Cloud Run, mandated multi-factor authentication for specific cohorts, and extended Context-Aware Access to service accounts.
To help you organize and centralize control over your expanding cloud footprint, Custom Organization Policy now supports over 130 Google Cloud products and services.
Learn more
These updates represent a significant leap in how we help you manage your agentic cloud ecosystem, but what hasn’t changed is our commitment to building a secure foundation for your organization. We continue to fortify Google Cloud’s security platform, ensuring that you have a robust and trustworthy environment for all your workloads, including those powered by AI.
By centralizing control and automating identity governance, you can scale your AI initiatives with the confidence that your most critical data remains protected. To learn more, view the Next ’26 session recording for an overview of these announcements. For a closer look at how to implement these security best practices in your own organization, please check out our documentation.






