Healthcare’s auth-layer problem is worse than manufacturing’s.
HIPAA-grade audit and patient-consent delegation push agent-identity requirements past what generic enterprise auth can handle. Healthcare will produce the first specialized agent-auth vendor — and it will not come from the existing health-IT incumbent set.
Manufacturing’s agent-identity problem (Piece 11) is hard but tractable: scope agents at the IT/OT boundary, audit every state-changing action, expire credentials reliably. Generic enterprise auth — Microsoft Entra Agent ID, NHI vendor primitives — gets most of the way there. Healthcare’s problem is structurally harder, and the gap between what generic enterprise auth handles and what healthcare requires is wide enough that healthcare will produce the first specialized agent-auth vendor — and it will not come from the existing health-IT incumbent set.
This piece argues the case for healthcare-specific agent identity infrastructure: why HIPAA-grade audit, patient-consent delegation, break-the-glass workflows, and minimum-necessary-access requirements push beyond what generic agent identity can deliver, and where the new vendor category is most likely to emerge.
Why healthcare needs more than generic agent auth.
HIPAA audit requires per-PHI-element provenance, not just per-action.
Generic agent auth answers “who did this action.” HIPAA audit asks “who accessed this specific PHI element, with what minimum-necessary justification, under whose authority, and was the access logged with sufficient granularity to support a 6-year audit trail.” Few generic identity systems track per-data-element access; healthcare requires it. The agent-auth layer for healthcare has to inherit and extend HIPAA audit primitives natively.
Patient consent is a delegation primitive that has no analog elsewhere.
Patients can consent to specific uses of their data, withdraw consent, scope consent to specific providers or specific time windows. The agent that touches PHI inherits the consent envelope of the patient whose data it accessed — and the consent envelope can change in real time. Generic delegation chains do not model patient consent natively. The healthcare-specific layer has to carry consent state alongside identity state at every step.
Break-the-glass workflows require structured override and re-audit.
In emergencies, clinicians break access controls to reach data they would not normally be authorized to see. The system has to permit the override, log it precisely, trigger after-the-fact review, and integrate the override into the audit chain without compromising the integrity of the rest of the access logic. Generic agent auth has not historically modeled emergency override; healthcare cannot operate without it.
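As an added illustration of the three requirements above (this is not code from the piece, nor from any vendor it names), the following Python sketch folds them into one access check: per-PHI-element audit records with the agent, the delegating clinician and the purpose, a consent envelope that is re-evaluated on every call so a withdrawal takes effect immediately, and a break-the-glass override that is permitted but flagged for after-the-fact review. All patient, clinician, agent and element names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Consent:  # constructed consent envelope: which PHI elements, for whom, until when
    patient_id: str
    elements: set
    grantees: set
    valid_until: datetime
    withdrawn: bool = False

@dataclass
class AgentContext:  # identity state: the agent's own id plus the clinician it acts for
    agent_id: str
    on_behalf_of: str
    purpose: str  # minimum-necessary justification recorded with every access
    break_glass: bool = False

def access_phi(ctx, consent, element, now, audit_log):
    """Decide one access to one PHI element and log it at element granularity."""
    covered = (element in consent.elements and ctx.on_behalf_of in consent.grantees
               and not consent.withdrawn and now <= consent.valid_until)
    if covered:
        decision = "allow"
    elif ctx.break_glass:
        decision = "allow-override"  # permitted, but must be reviewed after the fact
    else:
        decision = "deny"
    audit_log.append({"ts": now.isoformat(), "agent": ctx.agent_id,
                      "authority": ctx.on_behalf_of, "patient": consent.patient_id,
                      "element": element, "purpose": ctx.purpose, "decision": decision,
                      "review_required": decision == "allow-override"})
    return decision

def pending_reviews(audit_log):
    return [r for r in audit_log if r["review_required"]]  # break-the-glass records to review

def demo():
    now = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    consent = Consent("patient-001", {"diagnosis", "medications"}, {"dr-lee"},
                      now + timedelta(days=30))
    agent = AgentContext("summarizer-agent-7", "dr-lee", "discharge summary")
    log = []
    d1 = access_phi(agent, consent, "medications", now, log)  # allow: in consent scope
    d2 = access_phi(agent, consent, "genomics", now, log)     # deny: element not consented
    consent.withdrawn = True                                   # consent changes in real time
    d3 = access_phi(agent, consent, "medications", now, log)  # deny: consent withdrawn
    er = AgentContext("triage-agent-2", "dr-patel", "emergency triage", break_glass=True)
    d4 = access_phi(er, consent, "medications", now, log)     # allow-override, queued for review
    return [d1, d2, d3, d4], log
```

Every call, allowed or not, leaves an element-level record, which is what a "which agent touched this element, when, for what purpose" query needs; the override path adds a review flag rather than bypassing the log.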
The new vendor will not come from the EHR incumbents.
Epic, Oracle Health, Athenahealth, and Meditech could in theory ship the healthcare-specific agent-auth layer. They will not — not in time. Their roadmaps are bound by the EHR-centric architecture, their integration partners are the existing identity vendors, and the strategic move (decouple identity from the EHR) cuts against their commercial model. The new vendor will come from outside the incumbent set, likely from the intersection of NHI security and healthcare compliance — Astrix or a similar player extending into healthcare, or a healthcare-native security firm building the layer from scratch.
The strongest argument against this position.
The strongest counter is that healthcare CISOs will configure generic agent identity (Microsoft Entra Agent ID + Purview) with healthcare-specific policies and call it sufficient. This is the path of least resistance and it will work for many use cases. It will not work for the use cases that hit the hard edges of HIPAA — break-the-glass, complex consent revocation, multi-party data agreements, research data use. For those edges, the configuration approach hits walls that the specialized vendor approach does not. The CIO who chooses configuration over specialization makes a defensible choice but should plan for a 24-month rebuild when the first edge case produces a Notice of Privacy Practices violation.
Three things to do this quarter.
01 · Audit your current agent deployments against HIPAA per-element provenance. If your audit log can’t answer “which agent accessed this specific PHI element on this specific date for what purpose,” you have a 6-year liability accruing.
02 · Watch the NHI vendor base for healthcare-specific extensions. Astrix, Token, OASIS, Strata, Permiso are the most likely candidates. The first credible healthcare-specific roadmap from this set is the leading-indicator signal.
03 · Build break-the-glass and consent-aware delegation into your agent design from day one. Retrofitting them at audit time is significantly more expensive than designing for them upfront.