As artificial intelligence continues to reshape enterprise systems, the way organizations manage identity and access is undergoing a fundamental shift. At the center of this transformation is Curity, an API-first identity and access management company headquartered in Stockholm. Leading this evolution is CEO Gustaf Sahlman, whose experience across security, AI, and enterprise software positions him at the forefront of modern access control innovation.
In this interview, Sahlman discusses Curity’s latest launch, Access Intelligence, and shares his perspective on how enterprises can navigate the growing complexity of AI-driven systems.
Q: You’ve built and scaled multiple technology companies. How has that journey shaped your leadership at Curity?
Gustaf Sahlman:
What stands out from building multiple companies is how often security becomes an afterthought. You solve the core product problem, then bolt access control on at the end, and that’s when things become fragile. At Curity, we start from the opposite premise: that identity and access are foundational infrastructure, not a feature layer. If you get that wrong early, it’s very hard to fix later. I’ve seen teams spend months unpicking access decisions that were made in a sprint. It’s not a technical problem by that point, it’s an organizational one. That shapes how we build the product and how we talk to customers.
Q: Curity recently launched Access Intelligence. What problem is it solving?
Gustaf Sahlman:
The core problem is that most systems still treat access as something you decide once. You authenticate, you issue a token, and from that point on access is largely assumed.
That model no longer holds up in modern environments, especially with AI agents. These systems act autonomously, interact across multiple services, and operate at a speed and scale that traditional access models weren’t designed for.
The industry is solving the wrong problem. It’s treating this as an identity problem. It isn’t. It’s an access problem. The question is not just who is making a request, but what they are allowed to do, in what context, and at that moment in time.
Access Intelligence addresses that by moving access control into the flow of how systems actually operate. Instead of relying on static decisions, access is continuously evaluated and enforced based on actual behavior and context.
Q: Can you explain how Token Intelligence works within this framework?
Gustaf Sahlman:
Token Intelligence is how we make authorization part of how systems actually operate.
A token shouldn’t just say you’re allowed in. It should define exactly what you’re allowed to do. That’s the shift. What we do is extend that model so the token carries the context needed to make informed access decisions at every step.
That includes who is acting, what they are trying to do, what they are allowed to access, and how much that action should be trusted. APIs can then evaluate that information continuously, not just once. If something doesn’t align with expected behavior or policy, access can be limited or denied immediately. So instead of treating authorization as a static check, it becomes an ongoing process.
Q: Access Intelligence is already in production. What does that look like in practice?
Gustaf Sahlman:
In practice, Access Intelligence gives organizations real-time control over what agents and applications are allowed to do across their APIs, enforced at every request, not assumed after login. We see this clearly in customers running AI agents against the same APIs as their mobile apps, without changing the security model.
Crucially, we’re not asking customers to replace their existing identity infrastructure. Built into the Curity Identity Server, Access Intelligence integrates with what they already have and works alongside existing identity providers and gateways, so they can introduce this level of control incrementally without the disruption of a rip-and-replace.
Q: Industry research suggests a high rate of AI-related security incidents. Why is that happening?
Gustaf Sahlman:
The problem isn’t that AI is unpredictable. It’s that the access model isn’t designed for it.
Most systems were built around authentication, verifying who is making a request, not controlling what happens after at the speed and scale that AI introduces.
AI agents act autonomously, often across multiple systems, and can trigger chains of actions rather than single requests. If your access model assumes a human user and a static session, you end up with blind spots.
Without the ability to evaluate and enforce access continuously, it’s very easy for unintended or over-permissioned actions to go unnoticed until they become incidents.
Q: How does this tie into the broader evolution of identity in the enterprise?
Gustaf Sahlman:
What we’re seeing is a shift from identity as a static concept to access as something dynamic and continuously evaluated.
Identity still matters, but it’s no longer sufficient on its own. In modern systems, especially those driven by APIs and AI, what matters is how access is controlled in real time.
It means moving from a model where identity answers ‘who are you?’ to one where the system continuously evaluates ‘what are you allowed to do right now?’ That’s the direction the entire space is moving in.
Q: What role does Access Intelligence play in helping organizations scale securely?
Gustaf Sahlman:
As systems scale, the traditional approach of managing identities and permissions becomes increasingly difficult to maintain.
Many solutions respond by creating more identities for agents, which leads to more lifecycle management, more access reviews, and ultimately more complexity. Our approach is different. We had a customer who had spun up over 30 agent identities in under six months. When we asked which ones were still active and what they needed access to, nobody in the room could answer with confidence. That’s not an edge case, that’s where most teams end up.
We don’t rely on creating persistent identities for every agent. Instead, we control access with tokens scoped to a specific interaction that disappear when that interaction is complete.
That means you’re not accumulating identities or permissions over time. You’re making precise, context-driven decisions based on what’s happening in that moment. That’s what allows organizations to scale without increasing their attack surface or operational overhead.
Q: Finally, how do you see the future of access and identity evolving?
Gustaf Sahlman:
Access control and identity will become much more tightly integrated with how systems operate at runtime. Decisions will increasingly be continuous, rather than tied to a single event such as login or token issuance.
AI will accelerate that shift. It introduces new complexity, but it also forces a more precise way of thinking about access.
We’ll also see a clearer separation between different layers in the architecture. Identity providers will continue to handle authentication, while access control becomes a dedicated control plane that governs what applications, services, and agents are allowed to do.
The organizations that get ahead of this won’t be the ones with the most identities or the most policies. They’ll be the ones that treat access as a live, intelligent layer, something that makes decisions continuously, not just once at login. That shift is already happening. Most architectures aren’t ready for it yet. But the ones that get there first will have a meaningful advantage, and not just in security terms.
Preparing for the Next Generation of Identity and Access
As enterprises continue to integrate AI agents into their operations, the importance of real-time, intelligent access control is becoming impossible to ignore. Under Gustaf Sahlman’s leadership, Curity is pushing the boundaries of identity and access management, offering a forward-looking approach that aligns with the demands of an increasingly autonomous digital world.
Learn more at curity.io.