Episode 191 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Agentic AI: Pushing the gaps in existing protocols
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: George Fletcher, Identerati
- Guest: Karl McGuinness, ex-Okta Chief Product Architect
Description
The rapid deployment of agentic AI systems is illuminating the gaps in core industry protocols and creating an explosion of recommended extensions or brand new protocols to address the gaps. Some proposals leverage what exists rather than throwing it all out and starting over, while others argue that building on existing standards unnecessarily constrains the available solution space. This session will dive into as many of these gaps as we can get to and hopefully drive discussion with the audience.
Gaps: Agent authentication, Agent trust/federation, User consent model, Securing the Agent, Crossing Trust-Domain boundaries, Privacy, Authorization Layers
Homework
Sample mission
“Pull the customer escalation history, draft a response, and send it to me before anything goes out.”
Takeaways
⚡ The pattern of agents dynamically spawning ephemeral sub-agents (e.g. Clawdrew's spawn...) breaks existing software identity assumptions. In days of yore, admins exchanged SAML metadata. OpenID introduced Dynamic Client Registration. Verifiable Credentials introduced attestation-based client authentication. Now we're seeing CMID-style client attestation patterns. The trend is more and more lightweight...
⚡ Enterprises face a core security challenge, “continuity of authority” — determining whether an agent should continue acting constrained by its original mission. Creating protocols to solve this problem might require throwing a lot of proverbial spaghetti against the wall.
⚡ Even if we had perfect tokens and trust models, there would still be challenges in federating authorization policies across domains. How will domains map or align the policy schema for actions, resources and context? AuthZEN requests are nice, but not enough--enterprises need agreement that for any data provided, obligations and constraints will be honored downstream.
⚡ Our immediate challenge is balancing rapid deployment of agentic systems with limited ability to properly govern them. The standards community is no longer designing the city before construction; it’s zoning neighborhoods while skyscrapers are already going up.