Thursday, July 9, 2026

Your identification stack was constructed for 2 sorts of actor. Brokers are a 3rd.


An engineer ships an agent to manufacturing this week. It must name an inner API, so it makes use of the important thing already sitting within the engineer’s setting. The agent runs. It additionally now holds each permission that engineer holds.

That’s the default state of most agent deployments at present. The agent has no identification of its personal, so it borrows one. It really works on day one, which is precisely why the issue ships unnoticed. A non-human course of is now carrying a human’s full entry, and nothing in your audit log can inform the 2 aside.

This isn’t a configuration mistake. It’s a structural hole. Identification and entry administration assumes an actor is one in all two issues: an individual, or a long-lived service account with a static permission set. Each are secure. Each do roughly the identical factor day by day. Your controls, your audit mannequin, and your provisioning flows are all constructed on that stability.

Brokers are neither. They act on behalf of individuals, so they don’t seem to be service accounts. They spin up and tear down on their very own schedule, so they don’t seem to be individuals. They sit within the hole your IAM stack has no class for, and the hole is the place the credential will get borrowed.

Why you can’t simply patch this

The explanation current IAM can’t merely take up brokers is non-determinism. A service account calls the identical endpoints on the similar cadence each time. Give two brokers the identical permissions and the identical aim, they usually can take totally different actions, as a result of each picks its device chain at runtime primarily based on its immediate, its context, and the output of no matter known as it.

The set of actions an agent will truly take is just not knowable while you grant its permissions. That turns design-time least privilege right into a design-time reply to a runtime downside. You’re deciding upfront what an actor could do, when the actor decides what to do solely as soon as it’s operating.

That single truth is the backbone of this sequence. It’s why borrowed credentials fail, why scope needs to be slender, why a delegation chain has to remain inspectable, and why authorization can’t be a one-time grant. The query that issues is just not “who is that this actor.” It’s “what is that this actor approved to do proper now, for this process.”

In the event you do nothing else this week

Earlier than the sequence goes deep, three checks you’ll be able to run at present towards any agent already in manufacturing.

Search for human API keys being utilized by non-human processes. If an agent authenticates as the one who deployed it, you might have privilege inheritance in manufacturing proper now.

Examine whether or not your audit logs can separate agent actions from human actions. If they can’t, your incident response and your compliance story each break on the similar second.

Verify you’ll be able to shut one agent off with out rotating a human’s credential or breaking three different issues. If revocation means collateral injury, you should not have an off change. You might have a hostage scenario.

None of those is the total repair. They’re the ground. Discovering the place they fail tells you the place to start out.

What fixing this truly seems to be like

The remainder of the sequence builds the reply in layers, each resting on the one under it.

It begins with giving the agent a secure, verifiable runtime principal you’ll be able to authorize towards, attribute actions to, and revoke by itself. Then it has to outlive contact with actuality: brokers name instruments, instruments name different brokers, and identification has to remain intact throughout each hop so you’ll be able to nonetheless reply who initially requested and which actor is making this particular name. The credential the agent makes use of to make these calls has to remain out of the mannequin itself, the place a single immediate injection may learn it and ship it wherever. Above that sits the query of the place the foundations reside, and who decides what an agent could do the second it acts someplace its personal platform doesn’t attain. Beneath all of it runs the lifecycle: an identification you provision, scope, revoke, and re-evaluate whereas the agent runs, not a report you write as soon as and overlook.

Identification is the muse the remaining will depend on. Authorization, governance, and observability all sit on high of it. Get identification flawed and nothing above it holds.

The place DataRobot matches

The agent platform from DataRobot treats agent identification as first-class infrastructure, not an afterthought bolted on at deploy time. The course is the one this sequence argues for: give every agent its personal scoped identification, hold the delegation chain intact and auditable when brokers name instruments and different brokers, govern that identification in a single management airplane, and federate belief outward to the identification suppliers and workload identification methods an enterprise already runs.

What’s coming

Half one takes aside the borrowed credential. Why inheriting a human’s secret’s privilege escalation by default, and why the repair is authority determined at runtime, not a passport stamped as soon as on the border.

Half two defines what a first-class agent identification truly is: a definite principal, scoped permissions, a transparent proprietor, and a kill change. It additionally exhibits the way you make that principal reliable via attestation, then engages the query engineer is already asking. Is that this simply workload identification? It will depend on three invariants, and the place they break is the place most actual fleets reside.

Half three follows identification via a delegation chain. RFC 8693 token trade, the confused deputy you create while you flatten that chain, and the 2 protocol surfaces the place it’s preserved or destroyed in follow: MCP and A2A.

Half 4 retains the key out of the mannequin. An agent’s context is attackable, so a immediate injection can learn something in it. That’s the reason the uncooked credential ought to by no means attain the agent’s course of. A dealer holds it and injects auth on the boundary, and the agent solely ever will get a scoped functionality.

Half 5 is about the place authorization and governance sit. Govern natively, federate outward, dimension controls to blast radius, and the frontier no one has cleanly solved: what occurs when an agent acts throughout belief domains its issuing platform doesn’t management.

Half six treats identification as a lifecycle. Simply-in-time, task-scoped credentials, no standing privilege, and steady runtime authorization. It closes the loop again to non-determinism and leaves you with a six-question audit to run towards one actual agent.

Half one publishes subsequent.

If you’d like a head begin, go discover one agent in your setting proper now and verify whose credentials it’s utilizing. That reply is the place the sequence begins.

Related Articles

Latest Articles