As agentic AI rapidly enters the enterprise, security teams face a moment of déjà vu: A few years ago, robotic process automation (RPA) bots spread through organizations so quickly that security teams were caught off guard, unable to properly authenticate and monitor them. The key difference: AI agents aren't merely deterministic bots – they possess agency. They make decisions, access sensitive data and execute transactions with minimal human oversight. This establishes them as a genuine third identity type alongside humans and traditional machines, which means they require their own identity framework. Agents are already demonstrating how the worlds of machine identity and human identity blur and are secured. Agents are workloads that can scale on demand, communicate and work autonomously at machine speed, and get recycled immediately after completing work. They require a unique and universal workload identity. An emerging security standard like the secure production identity framework for everyone (SPIFFE), which has proven effective for workload identity, can be adapted for AI agents to establish proper authentication and authorization protocols. SPIFFE offers a universal identity that teams can use across environments, applications, and clouds, including with today’s authentication methods like API keys and access token secured by a secrets manager.