Skip to main content

We Have Been Here Before: Agentic AI and the Pre-SAML Identity Crisis

In 2000, enterprises had no standard for federated identity. Every vendor had a proprietary answer. The organizations that got ahead of SAML shaped their identity landscape for the next twenty years. The same window is open right now.

PerspectivesJanuary 20, 2026 · 7 min readApivant

In 2000, enterprise federation was a disaster.

Organizations needed a way to assert identity across organizational boundaries. An employee of Company A had to reach a resource at Company B without maintaining a separate credential for every relationship. The concept was clear. The implementation was a mess. Every major vendor -- Microsoft, Sun, IBM, Netegrity -- had a proprietary federation answer that talked to nothing else. Integration projects between organizations required negotiating which vendor's model would win, building custom adapters, or abandoning the idea entirely.

SAML 1.0 shipped in 2002. By 2005, SAML 2.0 had consolidated most of the competing models and the modern enterprise federation stack was effectively established. Organizations that understood the standard early had a five-year head start on building the infrastructure that would govern identity for the next two decades. Organizations that waited for the market to settle built on top of whatever vendor had the most momentum in their stack.

It is 2025. We are back at the beginning of this cycle, with AI agents.

The Parallel

The structural parallel between now and 2000 is striking.

In 2000, the problem was: how does a human at one organization prove their identity to a service at another organization? The existing answer -- Kerberos, NTLM, proprietary SSO -- was built for inside-the-perimeter trust and did not travel. Every cross-organizational integration was a custom project.

Today, the problem is: how does an AI agent, acting on behalf of a human, prove its authority to call a tool or service? The existing answer -- long-lived API keys, service accounts with broad static credentials, bearer tokens with no delegation context -- was built for server-to-server integration and does not carry identity. Every agent integration is a custom project.

In 2000, the missing piece was a standard for asserting identity across trust boundaries. The standards bodies and vendors were working toward it. A few organizations were building against draft specifications. Most were waiting.

Today, the missing piece is a standard for asserting delegated authority in agent-initiated tool calls. The standards bodies and vendors are working toward it -- OAuth 2.0 Actor Tokens (RFC 8693), resource indicators (RFC 8707), the Model Context Protocol (MCP). A few organizations are building against current specifications. Most are waiting.

Why the 2000 Comparison Matters More Than It Looks

The obvious objection to this comparison is that the stakes are lower. SAML solved a fundamental enterprise federation problem. Agent identity is a narrower issue in a newer technology category.

This objection underestimates the velocity of the change.

In 2000, enterprise federation was a specialist problem. Most IT organizations had not yet encountered a scenario where it mattered. Federated identity governance became a mainstream enterprise concern by 2003 as B2B portals, partner extranets, and cross-org collaboration drove the requirement into every large organization.

Today, AI agent adoption is not a specialist problem in a contained category. Every major enterprise software vendor shipped agent capabilities in the last twelve months. Salesforce, ServiceNow, Microsoft Copilot, GitHub Copilot, Workday -- these are not emerging tools. They are production workloads in the majority of large enterprises right now. Each of them can call tools on behalf of users. Each of those calls is an authorization decision that most organizations are not equipped to make or audit.

The window between "early adopters working on this" and "every organization dealing with it" was about three years for SAML. We are inside that window for agent identity right now.

What "Getting Ahead of It" Looked Like Then

Organizations that got ahead of the SAML transition in 2002-2003 did a few things differently.

They separated their identity infrastructure from their applications early. SSO was not an application-level responsibility at these organizations; it was a platform capability. That separation meant that when SAML arrived, the identity layer could be updated once rather than updated in every application.

They treated federation as a policy problem, not just a technical one. The technical question of how to exchange SAML assertions was the simpler half. The policy question of which organizations to trust, under what conditions, with what attribute mapping, was the harder half. Organizations that established a federation policy governance model early were able to extend it to new relationships quickly rather than rebuilding the governance model for each one.

They did not wait for a single vendor to win. The early 2000s federation market had seven or eight serious players. Organizations that bet exclusively on one of them had to backtrack when the market consolidated around SAML. The organizations that built to the emerging standard rather than any particular vendor's implementation were positioned well regardless of who won.

What "Getting Ahead of It" Looks Like Now

The parallel actions for 2025 are not identical to 2002, but they follow the same logic.

Separate agent access from application-level credentials. Today, most AI agent integrations are implemented at the application level. A Salesforce agent has a Salesforce API key, a GitHub Copilot extension has a service account, and each integration manages its own credentials. This mirrors the pre-SSO application-level authentication architecture of 1999. The right architecture is a delegation chain: the human is the principal, the IdP is the authority, and the agent is the actor. Every tool call carries a token that says who the agent is acting for and what they are scoped to.

Treat agent authorization as a policy problem. The technical question of how to issue and validate OAuth Actor tokens (RFC 8693) is the simpler half. The policy question of which agents can be trusted, with which users' authority, under what conditions, is the harder half. Organizations that establish an agent authorization policy model now will extend it incrementally as new agents arrive. Organizations that treat each agent integration as a separate project will rebuild that governance model every time.

Build to the emerging standard, not to any one vendor. MCP is the emerging standard for how AI agents call tools. Anthropic, Microsoft, Google, and OpenAI have all backed it or announced intent to integrate. It is not settled -- the specification is evolving -- but the directional bet is visible. Organizations that build their enforcement infrastructure around MCP today are not making a risky early-adopter bet. They are building to the same standard that every major platform vendor is converging on.

Where the Parallel Breaks

The comparison to the pre-SAML moment is useful but not perfect.

The SAML transition took years partly because the technical infrastructure -- XML parsers, PKI, directory services -- was not ubiquitous. Deployment required careful integration work at every organization. The organizational change management required was significant.

The agentic identity transition will move faster because the infrastructure is already there. OAuth, JWTs, and modern IdPs exist in essentially every enterprise. MCP is JSON over HTTP -- not a new protocol stack requiring new tools. The gap between "the standard exists" and "the standard is deployed" will be shorter this time. That compresses the window for organizations to get ahead of it.

The other difference is that SAML was primarily a B2B integration problem. Enterprise federation mattered most at organizational boundaries. Agentic identity is an internal problem as much as an external one -- AI agents operating inside the perimeter, against internal tools, on behalf of internal users. That makes the governance requirement more immediate and more pervasive.

The Position for Organizations That Move Now

The organizations that are working on this now are not doing it because agents are deployed at scale in their environment yet. Most are not. They are doing it because they understand that the architecture decisions made in the next twelve months will be the ones they are governed by for the next decade.

The Frontier Identity Framework approach to agentic identity is built on current IETF specifications and the emerging MCP standard. The pieces: delegation chains, OAuth Actor tokens carrying act claims with agent identity, resource indicators scoping each token to a single audience, and MCP enforcement at the proxy layer. Not on any single vendor's proprietary model.

That is the same bet the forward-looking organizations made in 2002: build to the standard, establish the governance model, separate identity from application. The organizations that made it then are still benefiting from those architectural decisions. The window is open again.

Ready to Put This Into Practice?

Our architects can help you apply these ideas to your identity program.