New Capabilities: AI Agent and Machine Identity Aggregations

Description

We’ve delivered new aggregation, deletion, and schema controls for managing the growing number of AI agents and machine identities.

Admins are now able to:

  • Use Machine Identity Aggregations, which succeeds AI Agent Aggregations, to govern the increasing number of machine identities available for collection.
  • Set automated deletion thresholds and manage the removal of machine identities for specific schemas.
  • Review and edit the schemas associated with machine identities at the source.

This release is available to orgs licensed for Agent Identity Security (AIS), but will be expanded to orgs licensed for Machine Identity Security (MIS) in the future.

New Capabilities

We have released Machine Identity Aggregations, now available to administrators. This feature succeeds AI Agent Aggregations and offers:

  • Robust controls for aggregating an expanding set of AI and machine identities.
  • Automated deletion thresholds for streamlined lifecycle management.
  • Configurable source schemas representing AI and machine identities.

Problem

With the rapid growth of AI and machine identities, organizations face challenges in efficiently managing these identities at scale. Customers expressed the need for better and more familiar tools to automate AI and machine identity governance on sources with a variety of entities.

Solution

Machine Identity Aggregations addresses these challenges by organizing the multiple types of AI and machine identities on a source into configurable schemas. For example, Bedrock and AgentCore agents are aggregated under separate schemas on the AWS SaaS source.

Review all the capabilities included in this release.

Schedule Machine Identity Aggregations

You want to keep your AI and machine identities up to date at a cadence that matches how often the source data changes.

Admins are able to aggregate All Types or Specific Types of machine identities on a configurable schedule. This scheduled command will create, update, and delete machine identities in Identity Security Cloud based on the changes that were detected on the source.

Aggregate machine identities on a schedule

Initiate Manual Machine Identity Aggregations

You want to keep your machine identities up to date on an as-needed basis.

Admins are able to aggregate All Types or Specific Types of machine identities with a button click or endpoint call. This command will create, update, and delete machine identities in Identity Security Cloud based on the changes that were detected on the source.

Aggregate machine identities on-demand

Remove Machine Identities

You want to remove all entities on a source while testing initial configurations. For example, you might want to update the Machine Identity Schema on a Web Services SaaS source and then re-aggregate all machine identities.

Admins are able to remove machine identities of All Types or of Specific Types. This command removes the machine identities from Identity Security Cloud only; no deletion commands are provisioned to the source.

Remove machine identities from Identity Security Cloud

Disable Machine Identity Deletion

You want to restrict how machine identity deletions are handled. For example, you might want to enforce a policy against deleting machine identities until you can verify that their machine accounts have been decommissioned.

Admins can disable machine identity deletion on a source. The system will set the Exists on Source attribute for deleted machine identities to false when deletions are detected. Admins can also use the Exists on Source attribute as a filter in machine identity lists.

Disable machine identity deletion

Filter for Exists on Source attribute

Set Machine Identity Deletion Thresholds

You want to cancel an aggregation when more entities are deleted than expected. For example, you might expect up to 100 deletions during each aggregation but want to be alerted when there are several hundred deletions.

Admins can set deletion thresholds on a source. The system will cancel aggregations when the threshold is exceeded so that the admin can investigate.

Enable machine identity deletion

Handle Correlated Accounts During Deletions

You want to keep accounts correlated to the most appropriate machine identities when machine identity deletions occur.

The system re-correlates impacted accounts to new machine identities on the basis of their Machine Identity attribute mappings. The Machine Identity attribute mapping for an account is defined in the source’s Machine Account Mappings.

Review Machine Identity Schemas

You want to know what machine identity schemas and schema attributes the system will aggregate when you’re working with SailPoint’s native, out-of-the-box sources.

We recommend leaving SailPoint’s pre-configured, out-of-the-box schemas configured as-is unless you’ve got a specific reason to make changes.

Review out-of-the-box schemas

Create & Edit Machine Identity Schemas

You want to configure the schemas and schema attributes the system will aggregate when you’re working with custom, Web Services SaaS sources.

Admins can create, update, and delete schemas and schema attributes for all sources.

Create new machine identity schema on Web Services SaaS source

Add new machine identity attribute on Web Services SaaS source

Replace Machine Identity Attribute “Business Application” with “Native Identity”

You want to configure AI agents and applications as machine identities. Therefore, it’s important that the external unique identifier for machine identities makes sense for all subtypes. Additionally, it’s important that the external unique identifier for machine identities does not conflict across sources.

  • A new attribute, Native Identity, is replacing Business Application. Native Identity must be unique within the context of a source. However, it does not need to be unique across sources.
  • Native Identity will be editable ONLY on the IdentityNow source. Native Identity will be read-only on sources where its value is aggregated.
  • The Machine Account Mappings UI that correlates machine accounts to machine identities will reference a machine identity’s Native Identity for correlation matching.
  • The data currently stored in Business Application will be migrated to Native Identity. Backward compatibility to existing endpoints will be maintained for Business Application.
    • For the IdentityNow source: On the v2025/machine-identities endpoint, patches to businessApplication will set both the businessApplication and the nativeIdentity value. Patches to nativeIdentity will fail.
    • For the IdentityNow source: On the v2026/machine-identities endpoint, patches to businessApplication will fail (businessApplication will no longer be present). Patches to nativeIdentity will set both the businessApplication and the nativeIdentity value.
    • For sources other than IdentityNow: neither businessApplication nor nativeIdentity may be set using any endpoint.
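The deletion behaviour described above (deletion disabled sets Exists on Source to false, a deletion threshold cancels the run before anything is written) and the rule that Native Identity is unique within a source can be modelled in a small reconciliation routine. The code below is an added illustration, not SailPoint's implementation or API; it assumes a source snapshot keyed by nativeIdentity, an in-memory dict standing in for the identities stored in Identity Security Cloud, and that the threshold only applies while deletion is enabled.

```python
from dataclasses import dataclass

@dataclass
class Settings:
    deletion_enabled: bool = True                  # False models "Disable Machine Identity Deletion"
    deletion_threshold: "int | None" = None        # cancel the run when deletions exceed this

def aggregate(snapshot, current, settings):
    """Reconcile one schema's source snapshot against the identities stored in ISC.
    snapshot: list of {"nativeIdentity": ..., other attrs} read from the source.
    current:  {nativeIdentity: {"attrs": dict, "existsOnSource": bool}}, mutated in place.
    Returns a summary dict whose "status" is "completed" or "cancelled"."""
    incoming = {}
    for entity in snapshot:
        nid = entity["nativeIdentity"]
        if nid in incoming:  # Native Identity must be unique within a source
            raise ValueError(f"duplicate Native Identity on source: {nid}")
        incoming[nid] = entity
    missing = [nid for nid in current if nid not in incoming]
    # Threshold is checked before any write, so a cancelled run leaves ISC untouched
    # (assumption: the threshold only matters while deletion is enabled).
    if (settings.deletion_enabled and settings.deletion_threshold is not None
            and len(missing) > settings.deletion_threshold):
        return {"status": "cancelled", "pending_deletions": len(missing)}
    summary = {"status": "completed", "created": [], "updated": [],
               "deleted": [], "marked_missing": []}
    for nid, entity in incoming.items():
        record = current.get(nid)
        if record is None:
            current[nid] = {"attrs": entity, "existsOnSource": True}
            summary["created"].append(nid)
        elif record["attrs"] != entity or not record["existsOnSource"]:
            current[nid] = {"attrs": entity, "existsOnSource": True}  # changed or reappeared
            summary["updated"].append(nid)
    for nid in missing:
        if settings.deletion_enabled:
            del current[nid]
            summary["deleted"].append(nid)
        else:
            current[nid]["existsOnSource"] = False  # kept, filterable via Exists on Source
            summary["marked_missing"].append(nid)
    return summary

def sample_state():
    """Constructed sample: four agents in ISC; the source now shows one renamed, one new."""
    current = {n: {"attrs": {"nativeIdentity": n, "name": n.upper()}, "existsOnSource": True}
               for n in ("agent-a", "agent-b", "agent-c", "agent-d")}
    snapshot = [{"nativeIdentity": "agent-a", "name": "RENAMED"},
                {"nativeIdentity": "agent-e", "name": "AGENT-E"}]
    return snapshot, current
```

With the sample state, three of four identities are missing from the source, so a threshold of 2 cancels the run while a threshold of 5 (or deletion disabled) lets it complete.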

Who is affected?

This release is available to orgs licensed for Agent Identity Security (AIS), but will be expanded to orgs licensed for Machine Identity Security (MIS) in the future.

What’s next?

Machine Identity Aggregations & Schemas support AI Agent identities in this release. A future release will add support for Application identities so that you can aggregate entities like CMDB applications and then correlate machine accounts to them. Machine Identity Aggregations will then be opened up to Machine Identity Security (MIS) customers.

Important Dates

We’ll begin rolling this out to sandbox tenants on March 16, 2026, and production tenants on March 23, 2026.
