June 17, 2026

NewCore’s AI Agent Identity Solution Unveils a Deeper Corporate Accountability Challenge

The Phantom Workforce: Identity Without Responsibility

A curious paradox is taking shape at the frontier of enterprise technology. On one hand, companies like Goldman Sachs and McKinsey are openly embracing AI agents, treating them not merely as software tools but as digital coworkers. McKinsey reports 25,000 AI agents already embedded among its 60,000 human employees, a ratio that suggests a fundamental redefinition of the workforce. On the other, a wave of startups, exemplified by NewCore’s recent $66 million funding announcement, are racing to give these agents robust identities – complete with permissions, lifecycle controls, and revocation mechanisms. This push for ‘first-class identities’ for AI agents, while a necessary technical evolution for security, inadvertently shines a spotlight on a far more profound and unaddressed problem: who exactly is accountable when these ostensibly autonomous digital employees make critical errors or cause security breaches?

NewCore, co-founded by Zohar Alon, Amihai Neiderman, and Erez Yarkoni, emerged from stealth with significant backing from Cyberstarts, Index Ventures, and Evolution Equity Partners, reaching a $300 million post-money valuation. Their argument is compelling: existing identity platforms, often 15 or 20 years old, were never designed for a world where AI agents could outnumber human staff, as TCS Chairman N. Chandrasekaran has also predicted. Alon succinctly put it: “The scale and the complexity that those things [AI agents] are going to add…are going to break them.” NewCore’s platform aims to manage both human and AI-agent identities within a single system, featuring innovations like a ‘split-key’ architecture to prevent single points of compromise and ‘Agentic Skill’ packages for tools like Anthropic’s Claude Code.

The immediate problem NewCore is solving is real: managing access for non-human entities. Assigning a distinct identity to an AI agent allows for granular control, auditing, and the crucial ability to revoke permissions instantly – functionalities that become critical when an agent might access sensitive enterprise systems. This is an improvement over clunky service accounts or manually distributed credentials. Yet, the language itself, framing AI agents as possessing ‘identities’ analogous to human employees, creates a dangerous ambiguity that Silicon Valley often glosses over.

Beyond the Firewall: The Liability Labyrinth

The push to assign distinct identities to AI agents extends beyond technical convenience; it reflects a broader industry trend to anthropomorphize these systems, positioning them as active participants rather than passive tools. This framing, while useful for marketing and conceptual understanding, fundamentally blurs the lines of corporate and legal responsibility. If an AI agent, operating with its own ‘identity’ and permissions, misinterprets an instruction and exfiltrates sensitive data, or triggers a cascading system failure, where does the ultimate culpability lie? The company that deployed it? The developers who coded it? Or the human employee who provided the initial, potentially ambiguous, prompt?

Traditional corporate liability frameworks are built on a clear chain of command and human decision-making. We hold executives, board members, and specific individuals accountable. Insurance policies and regulatory compliance are structured around this human-centric model. But as AI agents are granted ‘first-class identities’ and operate with increasing autonomy, this framework begins to fray. The incentive for companies to push this ‘identity’ narrative, especially from vendors like NewCore, is clear: they are selling a necessary security product by making companies acknowledge AI agents as distinct entities requiring management. This narrative also implicitly helps companies internalize the shift towards an AI-augmented workforce. However, it sidesteps the immense legal and ethical burden that comes with it.

Consider the implications for compliance under GDPR or CCPA. If an AI agent processes personal data erroneously, who is the data controller? Is the agent itself a legal entity subject to fines? This is not a hypothetical academic exercise; it is a live challenge that existing legal counsel and corporate risk departments are largely unprepared for. The technical solution of identity management, while vital for cybersecurity, outpaces the development of the requisite legal ‘guardrails’ Alon himself hints at. This creates a regulatory gap that will inevitably be filled by precedent-setting lawsuits and punitive actions.

The Unasked Question of AI Governance

NewCore’s mobile app, which allows human employees to “grant, review and revoke access for AI agents,” provides a much-needed human oversight layer. This feature is critical, yet it also highlights the underlying tension: AI agents are presented as autonomous workers, but their every action remains ultimately dependent on human supervision. This isn’t just about technical control; it’s about the illusion of independent agency versus the reality of corporate control. A truly skeptical observation is that this entire ‘identity for agents’ narrative, while solving a tactical security problem, inadvertently shifts attention away from the deeper strategic questions of corporate governance and algorithmic accountability that demand immediate attention.

As AI agents proliferate, potentially outnumbering human employees in many tech-focused organizations within a few years, the governance structures must evolve beyond simple access management. We need robust frameworks for auditing AI decision-making, transparent mechanisms for error correction, and clear lines of legal responsibility. Singapore and the UK, often pioneers in regulatory thought, are already grappling with these questions, acknowledging that digital ethics and legal clarity must run parallel to technological advancement. Simply giving a digital entity an ‘identity’ is a technical fix; understanding its profound societal and legal ramifications requires a far more expansive and urgent conversation than venture capitalists and cybersecurity startups are currently having.

Arjun Vedanta

https://techticle.com

Arjun Vedanta is a technology journalist and analyst covering global tech infrastructure, artificial intelligence, and the economics of the digital economy. Writing from outside Silicon Valley, he focuses on what the industry's biggest stories actually mean — not just what happened. His work examines the structural forces, hidden incentives, and second-order consequences that most tech coverage leaves on the table.