Your AI Agent Can Authorize Payments. Congratulations.

The accountability vacuum forming around AI agents has a price tag. $25 million at UK engineering firm Arup, after an employee transferred funds following a deepfake video call that convincingly impersonated senior management. £1.9 billion at Jaguar Land Rover, in an incident the Cyber Monitoring Centre described as the UK most costly cyber incident to date. Both cases illustrate what becomes possible when high-consequence actions outpace any mechanism to prove a specific human authorized them.

The problem they point toward is what IBM, Auth0, and Yubico put plainly at the RSA Conference 2026 in San Francisco this week: AI agents are becoming enterprise identities faster than the security stack can track them, and there is currently no reliable mechanism to prove a specific human authorized a specific action taken by an autonomous agent. That is the accountability vacuum — and the infrastructure vendors are now in a race to close it.

The World Economic Forum Global Cybersecurity Outlook 2026 puts structural numbers behind the urgency. Eighty-seven percent of respondents identified AI-related vulnerabilities as the fastest-growing cyber risk over the course of 2025. Eighty-five percent of security professionals told IBM that traditional detection approaches are obsolete. Seventy-seven percent of organizations lack foundational data and AI security practices. These figures predate the full wave of agentic deployments reaching production — the gap between deployment speed and accountability infrastructure is not theoretical, it is already measurable and growing.

Two distinct architectural responses to the accountability vacuum surfaced at RSAC 2026. The most structurally complete comes from Yubico and Delinea. Their partnership makes the two failure modes of the problem viscerally clear: Yubico provides hardware attestation — cryptographic proof that a specific human, using a specific YubiKey, authorized a specific action. Delinea provides runtime authorization — the policy engine that evaluates whether that action is permitted given everything else happening in the environment at that moment. Albert Biketi, Yubico chief product and technology officer, put the logic plainly: Hardware attestation without runtime enforcement is a signature with no enforcement point. Runtime enforcement without hardware attestation is a policy gate with no proof of human presence. This integration with Delinea solves both sides.

The architecture is built around the StrongDM acquisition Delinea completed to close the runtime authorization gap. StrongDM ID — the identity layer purpose-built for AI agents — links each agent to its human sponsor. Yubico Role Delegation Tokens, signed by YubiKey hardware, add the cryptographic human-presence proof at the moment of a high-consequence action. When an agentic workflow hits a gate — a production deployment, a privileged configuration change, a sensitive data operation — the system requires a physical YubiKey tap before it proceeds. The signature is bound to the specific action, with defined scope and constraints. Non-repudiation is the goal; the architecture is a two-sided control.

A separate partnership between IBM, Auth0, and Yubico takes a different architectural path to the same accountability problem. IBM WatsonX AI orchestration layer sits above the authorization layer; Auth0 handles identity flows using the CIBA standard — Client Initiated Backchannel Authentication — an out-of-band authentication protocol designed for step-up authorization where the human approving the action is not in the same session as the agent making the request. YubiKey taps provide the cryptographic human proof. The model: AI agents propose, Auth0 requests human authorization out-of-band, the YubiKey tap proves a specific human was physically present and approved. This is designed to provide non-repudiation for high-stakes agentic actions without requiring humans to be in the loop on every automated decision.

AI agents are quickly becoming one of the fastest-growing classes of identities in enterprise environments, yet most organizations lack the controls and accountability needed to govern what those identities can do, said Phil Calvin, chief product officer at Delinea. The numbers bear that out. Sixty-two percent of organizations experienced a deepfake attack in the previous year — meaning most enterprises have already been tested, and the controls largely did not hold.

Ev Kontsevoy, CEO of Teleport, frames the structural problem as a misdiagnosis the industry keeps making. AI agents change that completely, Kontsevoy told Help Net Security. Now you are introducing non-deterministic actors that do not sleep, do not follow predictable paths, and can move across your infrastructure in seconds. And in most environments, we are plugging them into the exact same model we already struggle to manage, with static credentials, fragmented identity, and over-scoped access, and very little real-time visibility into what they are actually doing. His formulation cuts through the vendor framing: if you cannot answer in real time what an identity is, how it is verified, and what it is doing, you have already lost the thread.

The irony is not subtle. AI agents created the accountability crisis by exposing the inadequacy of software-only controls. The market answer requires hardware keys. It sounds like a regression to RSA tokens, and Kontsevoy argument for why it is not is worth sitting with: a probabilistic AI reviewing a probabilistic model is not the same as blocking a network call to an untrusted server. Agents move too fast, span too many systems, and operate continuously in ways humans never did. The control that works for humans — log in, make decisions slowly enough that gaps are visible in audit logs — does not transfer to autonomous agents. You need cryptographic proof that a specific person authorized a specific action. That is not the same as slowing agents down. It is making high-consequence actions human-authorized by design.

iProov, among the vendors announcing agent-accountability offerings at RSAC 2026, announced its Workforce Solution Suite built around Dynamic Liveness technology — biometric confirmation that a real human, not a deepfake or injection attack, is present at the moment of verification. Andrew Bud, iProov founder and CEO, frames the common thread in modern identity attacks simply: Whether it is a deepfake, a stolen credential, or a convincing social engineering call, the common thread in modern identity attacks is deception.

What the accountability-gap vendors are building is a response to that thread — a way to make deception costly at precisely the moments when it is most damaging. The hardware-backed human-in-the-loop model is not elegant. It adds friction at the moments when agents are fastest and most autonomous. That friction is the point. The alternative — agents executing financial transfers, deploying production code, and accessing sensitive data without any mechanism to prove a human authorized the action — is increasingly what the incidents are costing organizations.

In Kontsevoy view, organizations that treat non-human identity as a first-class infrastructure problem — short-lived cryptographic credentials, continuous validation, unified identity governance across human and AI actors — will be better positioned for the regulatory environment taking shape.

The hardware vendors are ahead of the enterprises they serve. The question is whether the organizations moving fastest on agentic deployment can close the accountability gap before the next high-profile incident makes the cost of the gap unavoidable.