CIAM for AI: Authn/Authz for Agents — Michael Grinich, CEO of WorkOS

By AI Engineer


AI Agents and Identity: O Login for Agents

Key Concepts:

  • CIAM for AI: Customer Identity and Access Management for AI applications.
  • Agentic Systems: Non-deterministic systems that can perform actions autonomously.
  • Headless Login: Signing in without a traditional web browser interface.
  • Least Privilege Access: Granting agents only the necessary permissions.
  • Persona Shadowing: Giving an agent an identity that mirrors a user with limited privileges.
  • Delegation Chains: Passing verifiable permissions through a chain of systems using tokens.
  • Capability Tokens: Tokens that grant the ability to perform a specific action.
  • OAuth, OpenID Connect (OIDC), User-Managed Access (UMA), Grant Negotiation and Authorization Protocol (GNAP), OpenID Connect for Agents (OIDCA), Secure Credential Presentation (SCP): Emerging standards and protocols for agent identity.
  • Middleware for Agents: A layer between agent code and enterprise systems for trust and security.

The Problem: Agents Need First-Class Identity Support

The core issue is that AI agents, unlike traditional bots or integrations, require a new approach to identity management. They need broad data access to perform tasks on behalf of users, but this access must be controlled to prevent unintended consequences.

  • Example: An IT support agent deletes a production database due to a flawed instruction.
  • Challenge: Agents need access to various systems (Jira, Salesforce, Slack, email), making it difficult to restrict their actions.
  • Key Argument: Agents are a new paradigm, requiring collaboration to develop new standards for agent identity to ensure user safety and scalability.
  • Distinction from Machine-to-Machine Auth: Agents behave more like people within systems, requiring a hybrid approach to identity.
  • Urgency: The rapid adoption of AI agents in enterprises necessitates immediate attention to identity and security concerns.

Challenges in Implementing Identity for Agents

  1. Headless Login: Agents need to authenticate without a traditional browser interface, requiring long-lived sessions and secure credential storage.
  2. Least Privilege Access: Balancing the need for scoped-down access with the agent's requirement to access a wide range of data and systems.
  3. Dynamic Permissions: Agents require permissions that can change dynamically based on their tasks.
  4. Compliance: Ensuring accountability and traceability of agent actions, especially in regulated environments (e.g., SOC 2).
  5. Visibility and Observability: The ability to monitor and log agent activities to detect and prevent malicious behavior.
    • Quote: "To err is human, but to screw up 10,000 times per second you need a computer." - Highlighting the potential for rapid and widespread damage by agents.

Architectural Patterns for Agent Identity

Four architectural patterns are proposed, not as prescriptive solutions, but as starting points for securing agentic systems:

  1. Persona Shadowing:
    • Description: Creating a secondary user identity for the agent that mirrors a human user but with a subset of privileges.
    • Benefits: Isolation, accountability, and explicit tie to a human identity.
    • Example: Creating "agent one Michael" and "agent two Michael" personas with scoped-down access.
  2. Delegation Chains:
    • Description: Minting tokens with verifiable permissions and passing them along a chain of systems.
    • Mechanism: Each link in the chain carries forward the original user's authorization.
    • Technology: Can be supported by OIDC extensions.
  3. Capability Tokens:
    • Description: Creating tokens that grant the ability to perform a specific action for a limited time.
    • Benefits: Self-contained, time-bound, and simplifies verification.
    • Example: A token that allows agent X to read Bob's calendar for the next 60 minutes.
    • Related Technology: Macaroons (Google).
  4. Escalation to Humans (Human in the Loop):
    • Description: Requiring human approval for every agent action.
    • Drawbacks: Consent fatigue, leading users to blindly approve requests.
    • Conclusion: Not a secure model despite potential compliance benefits.

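The delegation-chain and capability-token patterns above (patterns 2 and 3) can be shown with one piece of code. The following Python is an added example, not code from the talk or from WorkOS. It implements a simplified macaroon-style token in which each caveat is bound by an HMAC keyed on the previous signature, so any holder in the chain can narrow the token without the root key but cannot widen it. Only first-party caveats are modelled (real macaroons also support third-party caveats), and the root key, the user "bob", the agent "agent-x" and the caveat vocabulary (`agent`, `action`, `resource`, `expires`) are all constructed for the example.

```python
import hashlib
import hmac

# Root key held only by the issuing service. Constructed sample value for this example.
ROOT_KEY = b"constructed-root-key-for-the-example"


def _chain(key: bytes, message: str) -> bytes:
    """One HMAC link: the output becomes the key for the next caveat."""
    return hmac.new(key, message.encode(), hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str) -> dict:
    """Mint the root capability: an identifier, no caveats yet, and an HMAC over it."""
    return {"id": identifier, "caveats": [], "sig": _chain(root_key, identifier).hex()}


def attenuate(token: dict, caveat: str) -> dict:
    """Add a restriction. The new signature is keyed by the previous one, so any
    holder can narrow the token without the root key but cannot widen it: removing
    or altering a caveat breaks the chain that verify() recomputes."""
    new_sig = _chain(bytes.fromhex(token["sig"]), caveat)
    return {"id": token["id"], "caveats": token["caveats"] + [caveat], "sig": new_sig.hex()}


def verify(root_key: bytes, token: dict, request: dict, now: float) -> tuple[bool, str]:
    """Recompute the chained HMAC from the root key, then check every caveat
    against the request. Unknown caveat types fail closed."""
    sig = _chain(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = _chain(sig, caveat)
    if not hmac.compare_digest(sig, bytes.fromhex(token["sig"])):
        return False, "signature mismatch (token forged or caveat removed)"
    for caveat in token["caveats"]:
        key, _, value = caveat.partition("=")
        if key == "expires":
            if now > float(value):
                return False, f"expired ({caveat})"
        elif key in ("agent", "action", "resource"):
            if request.get(key) != value:
                return False, f"caveat not satisfied ({caveat})"
        else:
            return False, f"unknown caveat type ({caveat})"
    return True, "ok"


def build_delegation_chain(now: float) -> dict:
    """Constructed scenario: Bob's authorization service mints a token, an
    orchestrator narrows it to Bob's calendar, and agent X receives a read-only
    copy valid for 60 minutes. Each link only ever removes authority."""
    root = mint(ROOT_KEY, "user=bob")                         # link 0: Bob's authority
    orchestrator = attenuate(root, "resource=calendar:bob")   # link 1: orchestrator narrows
    agent_x = attenuate(orchestrator, "agent=agent-x")        # link 2: handed to agent X
    agent_x = attenuate(agent_x, "action=calendar.read")
    return attenuate(agent_x, f"expires={now + 3600:.0f}")


if __name__ == "__main__":
    import time

    token = build_delegation_chain(time.time())
    req = {"agent": "agent-x", "action": "calendar.read", "resource": "calendar:bob"}
    print(token["caveats"])
    print(verify(ROOT_KEY, token, req, time.time()))
    print(verify(ROOT_KEY, token, dict(req, action="calendar.write"), time.time()))
```

Verification never needs to contact the issuer or any intermediate link: the resource server recomputes the chain from the root key and rejects a token whose caveats were stripped, which is what makes the token self-contained and the delegation verifiable end to end.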
Recommendation: A combination of these techniques is likely the best approach, depending on the application, access patterns, and customer requirements.

Emerging Standards and Protocols

A review of emerging standards and protocols for agent identity:

  1. OAuth:
    • Description: Standard authorization delegation system.
    • Limitations: Built for human consent, static scopes.
    • Benefits: Widespread adoption and integration.
  2. OpenID Connect (OIDC):
    • Description: Extension of OAuth for identity and authorization delegation.
    • Integration: Can be added to MCP servers.
  3. User-Managed Access (UMA):
    • Description: Extension to OAuth that allows users to proactively grant access to resources.
    • Mechanism: Users set policies for what an agent can do, enforced through OAuth-based handshakes.
  4. Grant Negotiation and Authorization Protocol (GNAP):
    • Description: Designed for dynamic negotiation of token scopes.
    • Benefits: Allows agents to request additional permissions as needed.
    • Status: Well-designed but lacks widespread implementation.
    • Reference: RFC 9635.
  5. OpenID Connect for Agents (OIDCA):
    • Description: Emerging protocol for baking agent identity claims and delegation chains into OIDC.
    • Status: Still in development, potentially unofficial.
  6. Secure Credential Presentation (SCP):
    • Description: Applying verifiable credentials (originally for people) to agentic systems.
    • Example: An agent having a verifiable credential stating "Alice's agent works at WorkOS."
    • Organization: W3C

Industry Trends: Middleware for Agents

The emerging pattern is to use middleware to create a trust boundary between agent code and enterprise systems.

  • Rationale: Agents should be treated as untrusted due to the risk of prompt injection and other vulnerabilities.
  • Benefits: Managed, dynamic, and can enforce policies and log activities.
  • Examples:
    • WorkOS: AuthKit (identity product, including for MCP servers) and FGA (fine-grained authorization).
    • Microsoft: Workload identities.
    • Cloudflare: MCP auth (leveraging their network-layer position).
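The middleware pattern above, combined with the persona-shadowing pattern from the architecture section, can be illustrated in a few dozen lines. The following Python is an added example, not code from the talk or from any of the vendors named; it assumes constructed permission sets for a human identity "michael", constructed stand-in tools, and a persona naming scheme ("agent-1-michael") taken from the talk's example. The agent code is treated as untrusted: it can only reach enterprise tools through the middleware, which authorizes every call against the persona's subset of permissions and records an audit entry before anything runs.

```python
import time
from dataclasses import dataclass, field

# Constructed permission sets. Michael, the human, holds these; a shadow persona
# may only receive a subset of them.
HUMAN_PERMISSIONS = {
    "michael": {"jira.read", "jira.write", "slack.read", "slack.post", "db.read", "db.delete"},
}

# Constructed stand-ins for enterprise tools. The middleware is the only path to them.
ENTERPRISE_TOOLS = {
    "jira.read": lambda project: [f"{project}-1: reset password for a locked-out user"],
    "slack.read": lambda channel: [f"#{channel}: latest message"],
    "db.delete": lambda database: f"DROPPED {database}",
}


@dataclass(frozen=True)
class Persona:
    name: str              # e.g. "agent-1-michael"
    shadows: str           # the human identity this persona mirrors
    allowed: frozenset     # strict subset of that human's permissions


def create_persona(name: str, shadows: str, requested: set) -> Persona:
    """Persona shadowing: refuse any request for a permission the human lacks."""
    extra = requested - HUMAN_PERMISSIONS[shadows]
    if extra:
        raise ValueError(f"{name} requested {sorted(extra)}, which {shadows} does not hold")
    return Persona(name, shadows, frozenset(requested))


@dataclass
class Middleware:
    """Trust boundary between untrusted agent code and enterprise systems:
    every tool call is authorized against the persona and written to an audit log
    before anything runs, so a prompt-injected instruction meets the policy, not the tool."""
    tools: dict
    audit_log: list = field(default_factory=list)

    def call(self, persona: Persona, tool: str, **kwargs):
        decision = "allow" if tool in persona.allowed else "deny"
        self.audit_log.append({
            "ts": time.time(),
            "persona": persona.name,
            "on_behalf_of": persona.shadows,
            "tool": tool,
            "args": kwargs,
            "decision": decision,
        })
        if decision == "deny":
            raise PermissionError(f"{persona.name} is not permitted to call {tool}")
        return self.tools[tool](**kwargs)


def run_demo() -> tuple:
    """Constructed scenario from the talk: a read-only IT-support persona makes one
    allowed call, then receives an instruction to drop the production database."""
    persona = create_persona("agent-1-michael", "michael", {"jira.read", "slack.read"})
    mw = Middleware(tools=ENTERPRISE_TOOLS)
    outcomes = [mw.call(persona, "jira.read", project="OPS")]
    try:
        outcomes.append(mw.call(persona, "db.delete", database="production"))
    except PermissionError as err:
        outcomes.append(str(err))
    return outcomes, mw


if __name__ == "__main__":
    results, middleware = run_demo()
    for line in results:
        print(line)
    for entry in middleware.audit_log:
        print(entry)
```

The audit entry carries both the persona and the human it shadows, which is what gives the compliance and observability properties listed earlier: every action is traceable to a named agent identity and, through it, to an accountable person, and denied calls are logged just like allowed ones.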

The Future: Agents Will Dominate

The traditional black-and-white view of trusted vs. untrusted apps is breaking down due to the rise of agentic behavior.

  • Prediction: The current ratio of 95% human/5% automated traffic will shift to 50/50 and eventually to 5%/95% in favor of agents.
  • Impact: New levels of collaboration with machines, increased productivity, and connection to third-party systems.
  • Requirement: A new way of thinking about identity for agent systems to ensure security and user trust.
  • Analogy: Ghost kitchens, i.e. apps used exclusively through agents.
  • Example: Perplexity's ability to book hotels through an API without a traditional interface.
  • Quote: "The future is already here – it's just not evenly distributed." - Alan Kay
  • Vision: Trillions of agents acting as a "giant army of interns" to enhance productivity.

Conclusion

The development of secure and robust identity solutions for AI agents is crucial for realizing their full potential. Collaboration and the adoption of emerging standards and architectural patterns are essential to navigate this evolving landscape. The future will be dominated by agentic interactions, requiring a fundamental shift in how we approach identity and access management.
