Episode 120 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Adapting Existing Identity Infrastructure to Manage AI Agent Identities
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Stan Bounev, VP Cybersecurity AI @ BlueLabel | Former Founder and CEO @ VeriClouds
Channels
Description
As AI agents evolve from passive tools to autonomous actors capable of decision-making and goal-driven behavior, identity systems must evolve with them. This webinar explores how organizations can adapt their existing IAM infrastructure—built for humans and static workloads—to securely manage AI agents as first-class entities. We’ll examine the limitations of traditional RBAC/ABAC models when applied to autonomous agents, introduce Agent-Oriented Architecture (AoA) as a more suitable conceptual model, and outline a practical integration blueprint that adds policy-based intent evaluation, human-in-the-loop oversight, and full auditability. Security leaders will walk away with a clear understanding of how to modernize their identity governance without replacing core IAM systems—enabling safe, scalable adoption of AI agents in enterprise environments.
Homework
- WhitePaper: Agents
- WhitePaper: Authenticated Delegation and Authorized AI Agents
- OpenID Connect for Agent
Takeaways
- ⚡ Agentic authorization is a challenge for enterprises because it requires "non-deterministic input". Web-based workflows, for example, are very predictable, but it's much harder to define policies for a free-form AI prompt.
- ⚡ AI is used both to save money and to make money. To save money, it can perform monotonous identity governance tasks, like access certification campaigns, efficiently filtering out low-risk approvals. To make money, it can identify potential asset acquisitions that meet certain criteria, like undervalued real estate. Both of these use cases require some level of security guardrails and audit logs.
- ⚡ It's hard to trust truly autonomous AI agents. So a common workaround today is to insert a human-in-the-loop (HITL) to approve an AI workflow, which limits scale. To scale, we need one or more AI approvers, specialized in a certain aspect of risk management.
- ⚡ Stan's view is that new JWT tokens and protocols are needed to enable delegated authorization from a person to an AI agent, especially as that agent connects to other tools and agents. He especially likes the idea of AI agents as "first class" entities with their own specific metadata, for example, how AI agents can make their capabilities discoverable.