Episode 171 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Dynamic Authorization Update
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Phil Windley, Author, IIW Founder and Organizer
Description
Stale permissions and manual access policy enforcement are a constant security risk. Dynamic authorization—automatic systems that eliminate permanent access grants and manual review-and-revise processes—can radically improve access control. How can you accomplish this? Phil is working on a book for Manning that lays out a practical guide for how to switch from crude yes/no permissions to flexible, policy-driven rules that adapt instantly.
Homework
- Manning Book Dynamic Authorization (Early Release)
- Why Authorization Is the Hard Problem in Agentic AI
- AI Is Not Your Policy Engine (And That's a Good Thing)
- What AI Can Tell You About Your Authorization Policies
- Internet Identity Workshop IIWXLII #42 2026A
Takeaways
- ⚡ Even with the most careful prompting and the most restricted goals, it is unlikely we can predict what an AI agent might do that violates our morals, ethics, best practices, norms or common sense. AI agents don't have any sense of what's right and wrong.
- ⚡ The only answer we have is to build authorization into the agents and try to control them through some kind of policy. Yes, we can hold organizations accountable, but then how do those organizations minimize risk?
- ⚡ We can't enumerate all the things we want to say AI agents shouldn't do. What we have to do is be very careful about the list of things we allow them to do.
- ⚡ We need to start small to limit the blast radius of any potential problems with agentic behavior. Allowing an agent to make a wide range of decisions to best operate a complex business unit is too much scope. Summarizing meeting minutes and sending them to the executive team is more appropriate.
- ⚡ Buy Phil's book Dynamic Authorization! It will instantly become a key tome in the canon of authz orthodoxy!
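The two takeaways about allow-lists and narrow scope can be shown concretely. The following is an added example written for this wiki page; it is not code from the episode, from Gluu, or from Phil's book. The agent name `minutes-bot`, the action names (`file.read`, `llm.summarize`, `email.send`, `db.drop_table`), the resource paths and the executive mailbox addresses are all constructed for illustration. It puts a default-deny allow-list policy next to the deny-list approach the takeaway warns against, and runs a small batch of constructed agent requests through both: the deny-list lets an action nobody thought to forbid straight through, while the allow-list only passes the summarize-and-mail-the-executives workflow, with recipients constrained to the executive team.

```python
"""Default-deny allow-list policy for agent tool calls (added example).

Hypothetical scenario: an agent may only read meeting minutes, summarize
them, and e-mail the summary to the executive team. Anything else is
denied because no grant covers it, not because it was enumerated.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Permission:
    """One thing an agent is allowed to do. `resource` is a glob pattern;
    `constraints` maps a request-context key to the set of values it may take."""
    action: str
    resource: str
    constraints: dict = field(default_factory=dict)


@dataclass
class Request:
    agent: str
    action: str
    resource: str
    context: dict = field(default_factory=dict)


def _within(value, allowed) -> bool:
    """A context value (scalar or list) passes only if every element is in
    the allowed set. A missing key fails closed."""
    if value is None:
        return False
    values = value if isinstance(value, (list, tuple, set)) else [value]
    return all(v in allowed for v in values)


class AllowListPolicy:
    """Default deny: a request succeeds only if an explicit grant matches its
    action and resource and every constraint on that grant is satisfied."""

    def __init__(self):
        self._grants: dict[str, list[Permission]] = {}

    def grant(self, agent: str, perm: Permission) -> None:
        self._grants.setdefault(agent, []).append(perm)

    def evaluate(self, req: Request) -> tuple[bool, str]:
        for perm in self._grants.get(req.agent, []):
            if perm.action != req.action or not fnmatch(req.resource, perm.resource):
                continue
            if all(_within(req.context.get(k), allowed)
                   for k, allowed in perm.constraints.items()):
                return True, f"allow: grant {perm.action} on {perm.resource}"
        return False, "deny: no matching grant (default deny)"


class DenyListPolicy:
    """The approach the takeaway argues against: list what is forbidden and
    let everything else through."""

    def __init__(self, forbidden_actions: set[str]):
        self._forbidden = set(forbidden_actions)

    def evaluate(self, req: Request) -> tuple[bool, str]:
        if req.action in self._forbidden:
            return False, f"deny: {req.action} is on the deny list"
        return True, "allow: not on the deny list"


# Constructed executive mailboxes for the recipient constraint.
EXEC_TEAM = {"ceo@example.com", "cfo@example.com", "coo@example.com"}


def build_minutes_agent_policy() -> AllowListPolicy:
    """The narrow scope from the takeaway: read minutes, summarize, mail execs."""
    policy = AllowListPolicy()
    policy.grant("minutes-bot", Permission("file.read", "minutes/*.txt"))
    policy.grant("minutes-bot", Permission("llm.summarize", "minutes/*.txt"))
    policy.grant("minutes-bot", Permission("email.send", "summary/*",
                                           {"recipients": EXEC_TEAM}))
    return policy


def demo() -> list[tuple[str, bool, bool]]:
    """Evaluate a constructed batch of requests under both policies.
    Returns (action, allowed_by_allow_list, allowed_by_deny_list) per request."""
    allow = build_minutes_agent_policy()
    deny = DenyListPolicy({"file.delete", "payment.send"})
    requests = [
        Request("minutes-bot", "llm.summarize", "minutes/2026-04-07.txt"),
        Request("minutes-bot", "email.send", "summary/2026-04-07",
                {"recipients": ["ceo@example.com", "cfo@example.com"]}),
        Request("minutes-bot", "email.send", "summary/2026-04-07",
                {"recipients": ["ceo@example.com", "press@competitor.example"]}),
        Request("minutes-bot", "file.read", "hr/salaries.csv"),
        Request("minutes-bot", "db.drop_table", "prod/customers"),  # nobody forbade this
    ]
    results = []
    for req in requests:
        ok_allow, why_allow = allow.evaluate(req)
        ok_deny, why_deny = deny.evaluate(req)
        print(f"{req.action:<14} {req.resource:<26} {why_allow:<48} {why_deny}")
        results.append((req.action, ok_allow, ok_deny))
    return results


if __name__ == "__main__":
    demo()
```

The deny-list passes every request in the batch, including the table drop, because it was never on anyone's list of things to forbid; the allow-list passes only the two steps of the intended workflow and rejects the e-mail to an outside address on the recipient constraint. Growing the agent's scope later means adding a grant, which is a reviewable change, rather than hoping the deny-list anticipated the new behavior.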