IBM Distinguished Engineer Grant Miller recently published a technical analysis of what he calls the "agentic last mile" identity problem, a security vulnerability that occurs when modern AI agents attempt to interact with legacy enterprise systems. The gap arises because user identity and intent, known at the start of an AI interaction, are systematically lost when agents reach older backend systems that rely on static API keys or shared credentials rather than propagating verified user context. For healthcare organizations deploying AI agents to automate clinical workflows, prior authorization processing, or patient communication, this architectural gap undermines Zero Trust security models and creates exactly the attack surface that healthcare threat actors have exploited in recent breach patterns.
The timing of Miller's analysis is significant. Healthcare organizations are rapidly deploying AI agents for ambient documentation, automated scheduling, insurance verification, and clinical decision support. Epic's CoMET assists clinicians with documentation, Emmie automates patient support, and Penny handles billing workflows. Oracle Health's Clinical AI Agent provides ambient documentation integrated directly into the EHR. These agents operate across system boundaries, calling APIs, querying databases, and executing actions on behalf of authenticated users. The security model assumes that user identity propagates through the entire execution chain. Miller's analysis demonstrates that this assumption breaks at precisely the point where agents connect to the legacy infrastructure that processes the majority of healthcare data.
The Identity Gap in Healthcare Context
Modern AI agent architectures begin with authenticated user sessions. A clinician logs into an AI-powered documentation assistant, a billing specialist interacts with an automated prior authorization agent, or a patient uses a conversational interface to schedule appointments. At this initial interaction layer, identity is known and verified. The user authenticates through OAuth 2.0, the session is established with defined scopes, and the AI system knows exactly who initiated the request and what permissions they hold. This is where security controls are designed to operate.
The problem emerges when these agents need to access backend systems to complete their tasks. Healthcare IT infrastructure is a hybrid environment where FHIR APIs coexist with HL7 v2 interfaces, where modern EHR modules connect to decades-old PACS systems, and where cloud-based AI platforms integrate with on-premises databases that predate OAuth by years. Miller identifies three critical failures at this last-mile connection point: identity is lost, intent is obscured, and control is surrendered.
When an AI agent calls a legacy healthcare system, the connection typically authenticates using a static API key, a shared service account, or a long-lived machine credential stored in configuration files or environment variables. The backend system sees the agent's credential but has no visibility into which human user initiated the action or why. From the legacy system's perspective, every request looks identical regardless of whether it was triggered by an attending physician reviewing critical lab results, a billing clerk processing routine claims, or a compromised agent executing malicious commands. The user's identity has been replaced by a generic service identity, and with it, the ability to enforce principle of least privilege has evaporated.
Healthcare-specific examples illustrate the severity. Consider an AI agent that automates prior authorization workflows by calling a legacy payer interface. The clinician authenticates to the AI system, selects a patient, and initiates an authorization request for a specific procedure. The AI agent constructs the authorization payload and submits it to the payer's API using a static credential that grants broad access to submit, query, and modify authorizations across all patients. The payer's system logs the transaction but attributes it to the service account, not the clinician. If the agent is compromised or if prompt injection causes it to submit fraudulent authorizations, the audit trail shows only that the service account made the request. Forensic investigation cannot determine which user initiated the action, whether the request aligned with legitimate clinical intent, or how many other requests from the same compromised agent should be investigated.
Legacy Healthcare Infrastructure and Authentication Patterns
Healthcare operates on infrastructure where 95 percent of organizations still use HL7 v2 for internal messaging. HL7 v2, developed in the late 1980s, uses MLLP transport that provides message framing and delivery guarantees but includes no native encryption, authentication, or authorization. The standard remediation wraps MLLP in TLS for transport security, but this protects only the network layer. It does nothing to propagate user identity or enforce granular access control at the message level. When an AI agent sends an ADT message through an HL7 v2 interface, the receiving system validates that the sender's IP address is authorized, but it has no mechanism to verify which human user initiated the workflow or whether that user had permission to perform the specific action requested.
Even modern FHIR APIs, mandated by the 21st Century Cures Act and implemented in 84 percent of US hospitals, exhibit the last-mile identity problem when deployed alongside legacy systems. FHIR APIs support OAuth 2.0 and SMART on FHIR authorization frameworks that enable scoped, user-specific access control. An AI agent can authenticate as a specific user and request only the FHIR resources required for a given task. This model works cleanly when the entire data flow operates within FHIR-native infrastructure. The problem emerges when FHIR facades wrap legacy databases, when FHIR queries trigger backend HL7 v2 message flows, or when the FHIR server itself uses static credentials to query the underlying EHR database. The user's OAuth token reaches the FHIR endpoint, but the token's identity context is stripped when the FHIR server makes its own internal calls to fulfill the request.
PACS systems, laboratory information systems, and pharmacy management platforms represent additional last-mile identity gaps. These systems process sensitive clinical data but were architected before modern identity federation standards existed. They authenticate connections using database credentials, service accounts with hardcoded passwords, or API keys distributed during initial integration. An AI agent automating radiology report distribution might authenticate to the agent platform as a specific radiologist, but when it queries the PACS database to retrieve images, it uses a shared credential that grants read access to the entire imaging archive. If the agent is compromised, the attacker inherits access to every patient image in the system, and the audit log attributes all access to the service account rather than tracking it back to the specific user whose session was hijacked.
Loss of Intent and Context
Beyond losing user identity, the last-mile gap erases intent and context. Modern AI agents operate through natural language interfaces where users express goals rather than executing predefined workflows. A clinician might tell an AI agent to "pull labs for my morning rounds" or "check prior authorization status for the procedures I ordered yesterday." The agent interprets this intent, determines which specific actions are required, and executes them across multiple systems. At the user interaction layer, intent is explicit and auditable. At the legacy backend layer, intent is invisible.
When the agent translates "pull labs for my morning rounds" into API calls against a laboratory information system, those calls are generic CRUD operations with no semantic attachment to the original clinical intent. The LIS sees database queries for lab results by patient ID and date range. It has no record that the query was initiated as part of morning rounds preparation, that the requesting user is the patient's attending physician, or that the results are being retrieved for immediate clinical decision-making rather than retrospective analysis or research. This loss of intent creates two security failures: the system cannot enforce context-aware access policies, and forensic analysis cannot reconstruct why data was accessed.
Healthcare context-aware access control depends on understanding not just who is requesting data but why and under what circumstances. HIPAA's minimum necessary standard requires that access be limited to the data required for the specific purpose. An attending physician preparing for morning rounds needs access to current lab values, vital signs, and overnight nursing notes for their assigned patients. They do not need access to psychiatric consultation notes, substance abuse treatment records, or genetic testing results unless those are directly relevant to the current admission. Static credentials and service accounts cannot enforce these distinctions because they have no visibility into the clinical context driving each access request.
Miller uses the example of password change workflows to illustrate the problem in general enterprise contexts, but healthcare offers more acute examples. Consider an AI agent that assists with medication reconciliation by comparing EHR medication lists against pharmacy dispensing records. The clinician initiates the reconciliation workflow for a specific patient during a routine visit. The agent queries the EHR for the patient's current medication orders, then queries the pharmacy system to confirm which medications were actually dispensed. Both queries use service account credentials. If the pharmacy query returns controlled substance dispensing records, access control policies should validate that the clinician has a legitimate treatment relationship with the patient and that controlled substance access is justified by the clinical context. Without propagating user identity and intent to the pharmacy system, these policies cannot execute, and the agent receives data it should not have accessed.
Security Risks and Zero Trust Architecture Failures
The last-mile identity gap breaks Zero Trust security architecture in three specific ways. Zero Trust assumes that every request is verified at every layer, that trust is never implicit, and that least privilege is continuously enforced. When AI agents authenticate users at the edge but connect to legacy backends with shared credentials, all three principles collapse.
First, verification fails. Zero Trust requires that each system in a data flow independently verifies the requesting identity and validates authorization. In the last-mile pattern, legacy systems verify only that the agent itself is authorized, not that the human user behind the agent should have access. An agent authenticated with a valid service account can access any data the service account is provisioned for, regardless of whether the initiating user has permission. This transforms the agent into a privilege escalation vector where attackers who compromise user accounts with minimal permissions can access data far beyond their authorized scope by routing requests through the agent's elevated credentials.
Second, trust becomes implicit. Legacy systems implicitly trust that the agent has performed appropriate authorization checks before forwarding requests. The backend assumes the agent would not be making a request unless the user was authorized. This assumption is precisely what Zero Trust architectures are designed to eliminate. If prompt injection compromises the agent or if the agent's authorization logic contains bugs, the implicit trust grants unauthorized access that perimeter security would have blocked. Healthcare breach patterns demonstrate this failure mode: compromised credentials for service accounts and automated systems provide attackers persistent access because those credentials are trusted implicitly by downstream systems.
Third, least privilege cannot be enforced. Zero Trust requires scoped access where each entity receives only the permissions required for its specific function. When agents use static credentials provisioned with broad access, least privilege is impossible. The credentials must be provisioned for the superset of all actions the agent might need to perform on behalf of any user. An AI documentation agent that serves both attending physicians and medical students must authenticate to the EHR with credentials that permit access to all patient records both user types might legitimately access. This means the student, operating through the agent, has access to patient data beyond their direct assignments because the agent's credential scope cannot be dynamically adjusted per user.
Healthcare organizations that have invested in Zero Trust network architecture, implemented network microsegmentation, and deployed identity-aware proxies face the reality that these controls operate only at the network and application perimeter. Once traffic reaches legacy systems through last-mile connections authenticated with static credentials, Zero Trust guarantees dissolve. The result is a security posture that appears robust at the edge but is fundamentally compromised at the core where sensitive clinical data resides.
Rogue Agents and Tool Chaining
Miller emphasizes that the last-mile identity gap creates ideal conditions for rogue agent attacks. Agentic AI systems are designed to chain multiple tools together autonomously to accomplish complex tasks. An agent given a high-level goal decomposes it into subtasks, invokes appropriate tools, and iterates until the goal is achieved. This autonomous tool-chaining capability is what makes agents valuable, but without proper controls, it also makes them dangerous.
In healthcare contexts, tool chaining means an AI agent might query the EHR for patient demographics, call a prescription drug monitoring program API to check controlled substance history, query a payer API to verify insurance coverage, and submit a prior authorization request, all as part of a single clinician-initiated workflow to prescribe medication. Each tool call depends on data from previous calls, and the agent dynamically selects which tools to invoke based on the data it receives. If the agent is compromised through prompt injection or if its decision logic is manipulated, the autonomous nature allows it to chain tools in ways that exfiltrate data, modify records, or execute unauthorized clinical actions.
The attack pattern works because legacy systems at the end of each tool chain see only the agent's static credential and have no visibility into whether the tool invocation aligns with legitimate user intent. An attacker who achieves prompt injection against a clinical documentation agent can instruct it to query patient records for all patients with a specific diagnosis, export the results to an external service, and delete audit logs, all using the agent's legitimate credentials. The EHR API logs show authorized access by the service account. The external data export appears as a legitimate agent action. The audit log deletion is within the service account's privileges. No individual action appears anomalous because the systems processing each request have no context about the overall workflow or the fact that it was triggered by malicious input rather than a clinician's legitimate request.
Healthcare-specific rogue agent scenarios include automated insurance verification bots that are manipulated to query coverage for patients outside the user's care team, prior authorization agents instructed to submit fraudulent authorizations under the credentials of legitimate clinicians, and medication reconciliation tools that are tricked into accessing controlled substance records to identify patients for targeted phishing. These attacks succeed because the tools being chained authenticate with static credentials that grant broad access, and the backend systems have no mechanism to verify that each specific invocation aligns with the user's legitimate clinical role and the original interaction intent.
IBM's Proposed Solutions and Healthcare Applicability
Miller proposes three architectural patterns to close the last-mile identity gap: policy-based access control, credential vaulting with short-lived token rotation, and continuous telemetry with behavioral feedback loops. Each maps to specific implementation challenges in healthcare contexts.
Policy-based access control using ABAC and PBAC means legacy systems must evaluate not just the credential presented but attributes of the requesting user, the data being accessed, and the environmental context before granting access. For FHIR APIs, this is achievable through SMART on FHIR scopes and OAuth 2.0 token claims that embed user attributes. The agent passes the user's OAuth token through to the FHIR endpoint, and the EHR evaluates access policies based on the user's role, the patient's treatment relationship, the requested resource types, and the clinical context. This works when the backend system supports standards-based authorization, but healthcare legacy systems do not.
HL7 v2 interfaces have no native mechanism to carry user identity or evaluate access policies. Implementing policy-based access requires wrapping the interface in an authorization layer that intercepts messages, extracts user context from accompanying metadata, queries an external policy decision point, and enforces access decisions before forwarding messages. This architectural pattern is technically sound but operationally complex. HL7 v2 message flows are time-sensitive, with sub-second latency requirements for ADT events, lab results, and medication orders. Inserting an authorization layer adds latency that can break clinical workflows. Healthcare organizations deploying this pattern must performance-test rigorously and implement fast-path authorization for high-volume, low-risk message types while applying stricter controls to sensitive data flows.
The vault architecture Miller describes centralizes credential management and issues short-lived, dynamically scoped credentials for each agent-to-backend connection. Instead of agents authenticating with long-lived API keys stored in configuration, they request credentials from a vault at runtime, scoped to the specific user, action, and resource. The vault validates the user's identity and intent, checks authorization policies, and issues a time-limited credential that expires after the transaction completes. This eliminates static credential sprawl and ensures every backend connection operates under user-specific authorization.
For healthcare, this requires integrating the vault with existing EHR authentication systems, typically SAML or OAuth identity providers federated with Active Directory or LDAP. The vault must query the EHR's authorization context to determine whether the user has a treatment relationship with the patient, whether their role permits the requested action, and whether any break-glass overrides are active. This integration is feasible for cloud-native EHR platforms but challenging for legacy on-premises systems where identity and authorization logic is embedded in application code rather than exposed through standard interfaces. IBM's Vault Enterprise 2.0 release at Think 2026 specifically targets these hybrid environments, but adoption requires significant integration work and testing against healthcare compliance requirements.
Continuous telemetry and behavioral feedback represent the third control layer. Rather than attempting to prevent all unauthorized access through upfront policy enforcement, this approach collects detailed logs of agent behavior, analyzes access patterns for anomalies, and dynamically adjusts permissions based on observed risk. An AI agent that typically accesses 10 to 15 patient records per shift, all within the user's assigned care team, generates an alert if it suddenly queries 500 records across multiple departments. The telemetry system identifies the deviation, revokes the agent's credentials, and notifies security operations for investigation.
Healthcare organizations already implement this pattern through SIEM systems that analyze EHR audit logs for anomalous access. The challenge is that legacy system logs lack the granularity required for behavioral analysis. HL7 v2 interfaces generate message-level logs but often do not capture which human user initiated each message. Database access logs show queries but not the application-layer context. PACS audit logs record image retrievals but not the clinical workflow justification. Implementing effective behavioral telemetry requires instrumenting the agent platform itself to generate rich context logs, then correlating those logs with backend system audit trails to reconstruct the full execution path. This is technically feasible but requires custom integration because healthcare systems were not designed with agentic AI observability as a requirement.
Practical Implementation for Healthcare Organizations
Healthcare organizations deploying AI agents can implement last-mile identity controls through a phased approach that balances security improvements against operational constraints and legacy system limitations. The first phase establishes visibility by instrumenting agent platforms to log every backend connection with full user context. This means capturing the authenticated user identity, the clinical intent driving the request, the specific data accessed, and the timestamp and result code for each backend API call or database query. These logs provide the audit trail required for forensic investigation even if real-time enforcement is not yet implemented.
The second phase implements credential rotation for new integrations while preserving static credentials for legacy systems that cannot support dynamic credential issuance. AI agents connecting to modern FHIR APIs should pass user OAuth tokens directly rather than authenticating with service accounts. This requires agents to implement token management, handle token expiration and refresh, and propagate tokens through the execution chain. For legacy systems, agents authenticate using vault-issued credentials with short lifetimes. The agent requests a credential scoped to the specific user and action, uses it for the transaction, and allows it to expire. The vault rotates credentials continuously, reducing the window of exposure if credentials are compromised.
The third phase deploys authorization gateways in front of legacy systems that lack native policy enforcement. These gateways intercept agent requests, extract user identity and intent from accompanying metadata or correlated log context, evaluate access policies, and forward authorized requests to the backend while blocking unauthorized ones. For HL7 v2 interfaces, this means deploying an integration engine that validates message content against user permissions before forwarding to the destination system. For database connections, it means using database proxies that enforce row-level security and query filtering based on user attributes. These gateways add operational complexity but provide a control point where Zero Trust principles can be enforced even against systems that predate those principles.
The fourth phase implements continuous behavioral monitoring by correlating agent logs with backend audit trails, establishing baselines for normal access patterns, and generating alerts for deviations. Healthcare organizations can start with simple anomaly detection rules such as flagging agents that access more than a threshold number of patient records per time period, that query patients outside the user's assigned care units, or that export data to external endpoints. Over time, machine learning models trained on historical access patterns can detect more subtle anomalies such as agents that shift from querying recent patient encounters to historical records, or that begin accessing data types inconsistent with the user's role.
Regulatory and Compliance Implications
The last-mile identity problem creates specific HIPAA compliance risks that healthcare organizations must address to avoid breach notification triggers and OCR enforcement actions. HIPAA's Security Rule requires that covered entities implement access controls to ensure that only authorized users can access ePHI. The rule specifies both unique user identification and emergency access procedures, but it was written before AI agents existed. When an AI agent accesses ePHI on behalf of a user but does so using shared credentials that mask the user's identity, the technical implementation violates the spirit of the Security Rule even if it technically complies with the letter.
HIPAA's minimum necessary standard requires that access be limited to the ePHI reasonably necessary to accomplish the intended purpose. AI agents that authenticate to backend systems with over-provisioned service accounts routinely access more data than required because the credential cannot be scoped dynamically per request. A clinician using an AI agent to pull lab results for a specific patient might inadvertently trigger backend queries that retrieve results for multiple patients because the service account's permissions are provisioned broadly to support all possible agent use cases. Each unnecessary data access represents a potential minimum necessary violation that becomes a breach notification if the data is subsequently disclosed.
The breach notification rule requires covered entities to report unauthorized acquisition, access, use, or disclosure of unsecured ePHI. When an AI agent is compromised through prompt injection or when rogue agent behavior causes data exfiltration, determining whether a reportable breach occurred depends on reconstructing which data was accessed and whether that access was authorized. If backend audit logs attribute all access to a service account rather than tracking back to individual users, forensic investigation cannot determine the scope of unauthorized access. This forces organizations into worst-case reporting where they notify patients based on the maximum possible exposure rather than the actual data accessed, dramatically increasing notification costs and reputational damage.
OCR's proposed updates to the HIPAA Privacy Rule emphasize patient access rights and data portability through standards-based APIs. AI agents that facilitate patient access must preserve user identity through the entire data flow so that access logs accurately reflect which patients accessed their own records rather than showing generic service account activity. This is particularly important for patient-facing AI assistants that help individuals navigate their health data, schedule appointments, or communicate with care teams. If these agents authenticate to backend systems with shared credentials, the audit trail cannot demonstrate that each data access was patient-initiated, creating compliance gaps when OCR audits patient access implementations.
The Broader Context of Non-Human Identity Management
The agentic last-mile identity problem is a specific instance of the broader non-human identity management challenge that healthcare IT has faced for years but is now urgent as AI agents proliferate. Healthcare systems authenticate service accounts, API keys, device credentials, integration engine identities, and automated workflow processes, but these non-human identities rarely receive the same governance rigor as human user accounts. They are provisioned broadly during initial integration, granted long-lived credentials that are stored in configuration files or environment variables, and left unchanged for years because modifying them risks breaking critical clinical workflows.
IBM's analysis at Think 2026 and the HashiCorp Vault positioning as a non-human identity management platform signal that enterprise IAM vendors recognize this gap and are building solutions. For healthcare, the challenge is that non-human identity management tools were designed for cloud-native environments where APIs are the primary integration pattern and dynamic credential issuance is standard. Healthcare operates in hybrid environments where cloud-based AI platforms must integrate with on-premises legacy systems that were not built for dynamic credentials, short-lived tokens, or runtime authorization.
The path forward requires healthcare organizations to segment their integration landscape into modern API-based systems where best-practice identity management can be implemented immediately, and legacy systems where gradual migration to better patterns must be balanced against operational stability. Modern FHIR APIs should never authenticate agents with static credentials; OAuth tokens with user context should propagate through the entire execution chain. Legacy HL7 v2 interfaces should deploy authorization gateways that validate user identity and intent before forwarding messages, with roadmaps to migrate toward modern API-based integration patterns over time. PACS systems and laboratory information systems should be prioritized for modernization based on the sensitivity of data they contain and the frequency of AI agent access.
What Healthcare Security Teams Should Do Now
Healthcare information security analysts evaluating or deploying AI agents should audit current implementations against Miller's last-mile identity framework. The audit focuses on three questions: does user identity propagate to backend systems, is intent preserved through the execution chain, and can access be revoked immediately if compromise is detected.
For identity propagation, trace a representative agent workflow from initial user authentication through each backend system call and verify that audit logs at every layer attribute the action to the specific human user rather than a service account. If any backend connection uses static credentials, that connection represents a last-mile identity gap that should be prioritized for remediation based on the sensitivity of data accessed and the risk of agent compromise.
For intent preservation, verify that access control policies at backend systems evaluate not just who is requesting data but why and under what clinical context. This means validating that treatment relationships are checked, that break-glass overrides generate alerts, and that access outside normal clinical workflows triggers review. If backend systems lack context-aware access control, deploy authorization gateways or integration engines that enforce these policies before requests reach legacy systems.
For rapid revocation, test the ability to disable an agent's access immediately upon detecting compromise. This requires that credentials used for backend connections can be revoked without system downtime and that revocation propagates within seconds rather than the hours or days required for static credential rotation. Implementing this capability typically requires transitioning to vault-issued dynamic credentials with short lifetimes.
Healthcare organizations should also incorporate last-mile identity requirements into vendor evaluations for AI agent platforms. Vendors should demonstrate that their platforms support user token propagation to backend systems, that they integrate with healthcare IAM systems to issue dynamically scoped credentials, and that they generate audit logs with sufficient detail to reconstruct user identity and intent for every backend access. Vendors that authenticate to backend systems with static API keys stored in configuration represent technical debt that will require remediation as regulatory scrutiny of AI agent security increases.
Conclusion
Grant Miller's analysis of the agentic last-mile identity problem identifies a security vulnerability that is both well-known in healthcare IT and insufficiently addressed given the rapid deployment of AI agents. Healthcare organizations have operated with the implicit understanding that service accounts and static credentials create audit and access control gaps, but these gaps were tolerable when automation was limited to well-defined, audited workflows. AI agents change the risk calculus because they operate autonomously, chain tools dynamically, and can be compromised through prompt injection or adversarial manipulation. The last-mile identity gap transforms agents from productivity tools into privilege escalation vectors.
Closing this gap requires technical implementation of policy-based access controls, credential vaulting, and behavioral telemetry, but it also requires organizational commitment to prioritize security over convenience during agent deployment. Healthcare's legacy infrastructure makes perfect implementation impossible in the near term, but incremental progress is achievable. Modern systems should implement best practices now, legacy systems should be instrumented for visibility and gated behind authorization layers, and organizations should establish roadmaps to migrate toward architectures where user identity and intent propagate seamlessly from authentication through every backend connection. The alternative is deploying increasingly powerful AI agents atop infrastructure that cannot verify who authorized their actions or enforce limits on their access, which is exactly the security posture that leads to the breach patterns healthcare has experienced repeatedly.
Key Links
- IBM: Why AI Agents Break Zero Trust at the Last Mile (YouTube)
- IBM Think 2026: What identity means in the age of agentic AI
- IBM: Agentic AI Identity Management
- IBM: Establishing Runtime Security for Agentic AI
- EHR API Integration Guide for Healthcare Teams 2026
- EHR Integration Security: FHIR OAuth 2.0 Scope Creep, HL7 Risks, and the Premera $6.85M Settlement