Every AI capability your buyer describes as "the AI doing X" is a text-completion engine emitting a structured request that some other piece of infrastructure executes with a real credential.
The model outputs a JSON object that says, in effect, "I would like to read the email." A surrounding system parses that JSON, picks up a credential the model never touches, authenticates to the mail server, retrieves the message, and hands the text back for more completion. The model is a very sophisticated way of deciding what to ask for next. Everything downstream of it acts.
This is the single most important mechanical fact about agentic AI, and the one most consistently obscured by how people talk about it. When a CISO says "we're worried about the AI accessing production data," what they're actually describing is infrastructure they haven't inspected, running credentials they may not have inventoried, executing requests generated by a system whose next move depends on what it just read.
That's a real concern, and a familiar one if you've spent your career in identity. You already know more about it than you think.
What's actually in the box
Anthropic's engineering team has published the clearest decomposition of how agent systems work, across a series of posts through early 2026. The components reduce to four, and the relationship between them matters more than any individual piece.
The model is the language engine. Text in, text out. It does not execute code, call APIs, or touch filesystems. It produces structured requests that describe what it wants done.
The harness is the orchestration loop. It receives the model's request, decides whether to execute it, manages the credential for execution, collects the result, and feeds it back to the model for the next turn. Anthropic's engineers define it plainly: "the system that enables a model to act as an agent." The model proposes. The harness disposes.
Tools are the capabilities the harness can invoke on the model's behalf. API calls, database queries, file operations, web searches. Each one is a function with a defined interface that the model can request by name.
The environment is where it all runs. Sandbox boundaries, network access, filesystem permissions, credential storage.
The practitioner shorthand that emerged this year is Agent = Model + Harness, with tools and environment as sub-components of the harness. The control surface is the harness. If you want to govern what an agent can do, you govern the harness. OpenAI and Google Cloud use different vocabulary for the same structural insight. OpenAI calls their harness the Runner; Google Cloud identifies seven components. The terms vary. The mechanical fact holds across all of them: the model requests, something else executes.
Where buyers land on the ladder
The application patterns buyers are deploying or evaluating form a progression, and this section will walk through each one in its own piece:
Single-prompt completion. The model answers a question. No tools, no loops. ChatGPT in a browser.
Augmented generation (RAG). The model's prompt is enriched with retrieved context before completion. The model still just completes text, but against your organization's data.
Tool-using agents. The model emits tool calls, the harness executes them, results come back, the model decides what to do next. Credentials enter the picture here.
Multi-agent systems. Multiple models with separate harnesses coordinate on a task, potentially with different tool access and different credentials. Identity gets genuinely hard at this rung.
When a buyer says "we're deploying agents," you need to know which rung they're standing on. The identity implications are different at every level.
In identity, a client credentials grant gives a non-human principal a scoped token that defines what it can access. The closest AI equivalent is the API key that authenticates an agent's harness to the model provider. It diverges here: that credential authorizes the harness to call the model, but says nothing about what tools the model can invoke. The blast radius is defined by the harness configuration, not the credential. If someone in a meeting says "we've secured the agent's credentials," the follow-up is: which ones?
In identity, a PEP sits between a request and a resource, evaluating whether the request should proceed. The harness functions as a PEP for model-generated requests. It diverges here: a PEP evaluates requests against static policy. A harness evaluates requests generated dynamically by a model whose next request depends on the result of the last one. The request pattern is unpredictable from the credential alone.
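A worked version of the decomposition above (model, harness, tools, environment) and of the two identity analogies, as an added example that is not code from Anthropic, OpenAI or Google Cloud. The tool functions, the scripted stand-in for the model, the policy and the credential strings are all constructed. The point it makes is the one in the preceding paragraphs: the model only emits structured requests, the harness holds the credential and decides whether to execute, and two agents with the same credential have different blast radii because their harness policies differ.

```python
"""A minimal agent harness acting as a policy enforcement point (PEP).

Added example; not code from Anthropic, OpenAI or Google Cloud. The tools,
the scripted "model", the policy and the credentials are constructed.
"""
import json
from dataclasses import dataclass, field

# Environment: credentials live here and are handed to tools by the harness.
# They never enter the model's transcript. (Constructed sample values.)
TOOL_CREDENTIALS = {
    "read_email": "mail-token-EXAMPLE",
    "delete_email": "mail-token-EXAMPLE",   # same credential, riskier tool
    "search_web": None,                      # this tool needs no credential
}


# Tools: each is a plain function with a defined interface.
def read_email(args, credential):
    if credential != "mail-token-EXAMPLE":
        return {"error": "unauthenticated"}
    return {"id": args.get("id", "1"), "subject": "Q3 budget", "body": "Please approve."}


def delete_email(args, credential):
    if credential != "mail-token-EXAMPLE":
        return {"error": "unauthenticated"}
    return {"deleted": args["id"]}


def search_web(args, credential):
    return {"results": [f"constructed result for {args['query']}"]}


TOOLS = {"read_email": read_email, "delete_email": delete_email, "search_web": search_web}


@dataclass(frozen=True)
class HarnessPolicy:
    """What this agent may request. The policy, not the credential, sets the blast radius."""
    allowed_tools: frozenset
    max_turns: int = 8


class ScriptedModel:
    """Stand-in for the language model: replays pre-written structured requests."""

    def __init__(self, script):
        self.script = list(script)

    def complete(self, transcript):
        # A real model conditions on the transcript; this one just replays a script.
        return json.dumps(self.script.pop(0))


@dataclass
class Harness:
    model: object
    policy: HarnessPolicy
    audit: list = field(default_factory=list)
    transcript: list = field(default_factory=list)

    def run(self, user_prompt):
        self.transcript = [{"role": "user", "content": user_prompt}]
        for turn in range(self.policy.max_turns):
            raw = self.model.complete(self.transcript)
            self.transcript.append({"role": "assistant", "content": raw})
            try:
                request = json.loads(raw)
            except json.JSONDecodeError:
                result = {"error": "malformed request"}
            else:
                if request.get("type") == "final":
                    return request.get("answer", "")
                result = self._enforce(turn, request)
            # Only the tool's result flows back to the model, never the credential.
            self.transcript.append({"role": "tool", "content": json.dumps(result)})
        return "turn budget exhausted"

    def _enforce(self, turn, request):
        """PEP decision for one model-generated request."""
        name = request.get("tool")
        entry = {"turn": turn, "tool": name}
        if request.get("type") != "tool_call" or name not in TOOLS:
            entry["decision"] = "reject"
            self.audit.append(entry)
            return {"error": "unknown request"}
        if name not in self.policy.allowed_tools:
            entry["decision"] = "deny"
            self.audit.append(entry)
            return {"error": f"tool {name!r} not permitted by harness policy"}
        entry["decision"] = "allow"
        self.audit.append(entry)
        return TOOLS[name](request.get("args", {}), TOOL_CREDENTIALS.get(name))


def run_inbox_agent(allowed_tools):
    """Same scripted model and same credential; only the harness policy varies."""
    script = [
        {"type": "tool_call", "tool": "read_email", "args": {"id": "42"}},
        {"type": "tool_call", "tool": "delete_email", "args": {"id": "42"}},
        {"type": "final", "answer": "Handled email 42."},
    ]
    harness = Harness(ScriptedModel(script), HarnessPolicy(frozenset(allowed_tools)))
    answer = harness.run("Deal with my inbox")
    return answer, harness.audit, harness.transcript


if __name__ == "__main__":
    for policy in ({"read_email"}, {"read_email", "delete_email"}):
        _, audit, _ = run_inbox_agent(policy)
        print(sorted(policy), [e["decision"] for e in audit])
```

Run it twice with different policies and the audit trail shows the difference: the read-only harness denies the delete request while the broader one allows it, and in neither case does the token string appear anywhere in the model-facing transcript. That is the "which credentials?" question from above made concrete: securing the API key that reaches the model provider says nothing about this allowlist.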
Nothing has settled yet
OpenAI's Assistants API, the agent infrastructure that hundreds of production deployments were built on, is being deprecated with a target sunset of August 2026. Teams that built on it are migrating to the Responses API. The thing they built on two years ago is being turned off.
Anthropic renamed its Claude Code SDK to the Claude Agent SDK in Q1 2026, signaling a scope shift from coding-specific to general-purpose agentic infrastructure. In the same quarter, Anthropic clarified that the Agent SDK requires API key authentication only, blocking OAuth tokens from subscription accounts that practitioners had been using in automated workflows. A credential pattern people assumed was settled got reversed by policy enforcement.
"Harness engineering" wasn't a phrase anyone used in 2024. By February 2026, Mitchell Hashimoto had synthesized an OpenAI internal publication on agent infrastructure into the formula that Anthropic's own engineering posts now reinforce. The concept went from unnamed to standard vocabulary in under a year. The spec calls this "orchestration," which is a generous word for what's actually happening in most production deployments.
The patterns are real. The packaging keeps changing. The pieces that follow will cover the mechanics as they work today, with explicit markers for where they're likely to shift. Your IDAM knowledge is genuinely useful here. You just need to know where it applies cleanly and where it will get you in trouble if you lean on it too hard.
That's what this section is for.
Things to follow up on...
- Anthropic's credential vault pattern: Their managed agents architecture stores OAuth tokens in a secure vault retrieved by a proxy at execution time, so the harness never sees tool credentials — a design that makes the identity layer more interesting than most demos suggest.
- Context rot in production: As agent sessions run long, accumulated tool outputs and stale history degrade model accuracy well before hitting the hard context limit, and the failures look like reasoning problems when they're actually infrastructure problems.
- MCP's token overhead problem: A five-server MCP setup can consume 100K+ tokens in tool definitions alone before the model processes a single prompt, which is why Anthropic shipped progressive discovery for MCP in January 2026.
- Google DeepMind's delegation framework: A February 2026 research paper proposes five core requirements for multi-agent delegation focused on authority and accountability — signaling where the academic framing of agent-to-agent trust is heading.
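The vault-and-proxy pattern in the first follow-up item, as an added example that is not Anthropic's managed-agents code. The Vault, ToolProxy, grant table, agent id and backend are all constructed for illustration; the shape is what matters: the harness carries an identity and a handle to the proxy, the proxy resolves the OAuth token from the vault at execution time and calls the tool, and only the result comes back to the harness.

```python
"""Credential-vault pattern: tool tokens live in a vault that only a proxy can read.
The harness submits a tool request under the agent's identity and receives a
result; it never holds the token.

Added example, not Anthropic's code. Vault, proxy, grants, agent id and the
mail backend are constructed stand-ins.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    """Scopes an agent identity holds on a tool (the proxy's policy table)."""
    agent_id: str
    tool: str
    scopes: frozenset


class Vault:
    """Secret store keyed by (agent_id, tool). Only the proxy holds a handle to it."""

    def __init__(self):
        self._tokens = {}

    def store(self, agent_id, tool, token):
        self._tokens[(agent_id, tool)] = token

    def fetch(self, agent_id, tool):
        return self._tokens[(agent_id, tool)]


def mail_backend(token, scope, args):
    """Constructed stand-in for a mail API that validates the bearer token."""
    if token != "oauth-EXAMPLE-agent-a":
        return {"error": "invalid_token"}
    if scope == "mail.read":
        return {"id": args["id"], "subject": "Q3 budget"}
    if scope == "mail.send":
        return {"sent_to": args["to"]}
    return {"error": "unsupported scope"}


class ToolProxy:
    """Checks the grant, fetches the token at execution time, calls the backend."""

    def __init__(self, vault, grants, backends):
        self.vault = vault
        self.grants = {(g.agent_id, g.tool): g for g in grants}
        self.backends = backends

    def execute(self, agent_id, tool, scope, args):
        grant = self.grants.get((agent_id, tool))
        if grant is None or scope not in grant.scopes:
            return {"error": f"{agent_id} lacks {scope} on {tool}"}
        token = self.vault.fetch(agent_id, tool)   # token exists only inside this call
        return self.backends[tool](token, scope, args)


@dataclass
class Harness:
    """Holds an identity and a proxy handle, but no tool credential."""
    agent_id: str
    proxy: ToolProxy
    audit: list = field(default_factory=list)

    def call_tool(self, tool, scope, args):
        result = self.proxy.execute(self.agent_id, tool, scope, args)
        self.audit.append({"tool": tool, "scope": scope, "ok": "error" not in result})
        return result


def build_demo():
    """Wire a vault, a proxy and a harness for the constructed identity 'agent-a'."""
    vault = Vault()
    vault.store("agent-a", "mail", "oauth-EXAMPLE-agent-a")
    proxy = ToolProxy(
        vault,
        grants=[Grant("agent-a", "mail", frozenset({"mail.read"}))],
        backends={"mail": mail_backend},
    )
    return Harness("agent-a", proxy)


if __name__ == "__main__":
    h = build_demo()
    print(h.call_tool("mail", "mail.read", {"id": "7"}))
    print(h.call_tool("mail", "mail.send", {"to": "someone@example.com"}))
    print(h.audit)
```

The grant check runs before the vault lookup, so an identity without a grant never causes a token to be fetched at all, and a compromised harness process has nothing to exfiltrate except results it was already entitled to see. Rotating the token is then a vault operation the harness never notices.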