Episode 195 - GluuFederation/identerati-office-hours GitHub Wiki
Title: The Crazy Road of AuthZ: Are We Really Ready for Agents?
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Bhavna Bhatnagar, Fractional CTO at VigourSoft Global Solutions
Description
In the 2000s, Bhavna helped build one of the first commercial policy decision points at Sun Microsystems, and was one of the lead developers and architects on the Sun OpenSSO access manager product. As one of the OGs in authorization and federation, she has some doubts about the industry's current readiness. Do we need to stack up a bunch of new technologies to solve the problem of agentic authorization? Is the industry up to the task?
Takeaways
- ⚡ Agentic authorization is exposing immature enterprise authz, even for workforce applications. Many systems still rely on scattered if/else logic, static RBAC, and unclear enforcement boundaries.
- ⚡ Software identity is now less stable than human identity. The industry hasn't settled on a strategy for how to identify agents (or sub-agents), agents are using new infrastructure (MCP), and it's not clear how to identify the human behind the agent, or the human's intent.
- ⚡ Graph authorization systems and policy engines solve different problems. Graphs efficiently model relationships and facts, while policy systems define the governing rules and constraints; conflating the two creates confusion in modern authorization architectures, even if both can answer a PARC request (e.g. an AuthZen Authorization API request).
- ⚡ Enterprises can no longer afford to block progress on authZ while authN gets figured out. Centralizing policy authoring, review and publication is essential to scale in the face of this new agentic deluge.
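To make the second-to-last takeaway concrete, here is an added example (not code from the episode, from Gluu, or from the guest) of a tiny policy decision point that keeps the two concerns apart: a relationship graph that holds only facts (who is a member of what, which team owns which document, which agent acts for which human), and a separate rule layer that decides. One `evaluate` function answers an AuthZen-shaped PARC request (subject, action, resource, context), replacing the scattered if/else checks that would otherwise live in each application. The request field names approximate the AuthZen evaluation request and all users, teams, agents and documents are constructed sample data.

```python
"""Added example: fact graph + policy rules behind one PARC evaluation call.
Names and the exact request shape are assumptions, not AuthZen or Gluu code."""

from collections import deque

# --- Fact graph: relationships only, no rules ----------------------------
# Directed edges (subject, relation, object). Constructed sample data.
EDGES = [
    ("user:alice", "member", "team:payments"),
    ("user:bob", "member", "team:payments"),
    ("team:payments", "owner", "doc:q3-budget"),
    ("agent:budget-bot", "delegate_of", "user:alice"),  # agent acts for alice
]


def reachable(src, dst, relations, edges=EDGES):
    """True if src reaches dst following only edges whose relation is in
    `relations` (plain BFS). This is the graph's job: answer fact queries."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for s, r, o in edges:
            if s == node and r in relations and o not in seen:
                seen.add(o)
                queue.append(o)
    return False


def delegators(agent, edges=EDGES):
    """Humans the agent is recorded as acting on behalf of."""
    return [o for s, r, o in edges if s == agent and r == "delegate_of"]


# --- Policy rules: the governing constraints, kept out of the graph --------
HUMAN_PATH = {"member", "owner"}  # human -> team -> resource


def _allow(reason):
    return {"decision": True, "reason": reason}


def _deny(reason):
    return {"decision": False, "reason": reason}


def evaluate(request):
    """Answer one PARC request: {"subject": {"id"}, "action": {"name"},
    "resource": {"id"}, "context": {...}}. Default is deny."""
    subject = request["subject"]["id"]
    action = request["action"]["name"]
    resource = request["resource"]["id"]
    context = request.get("context", {})
    is_agent = subject.startswith("agent:")

    # Rule 1: an agent is evaluated as its recorded human delegator(s);
    # an agent with no delegator has no standing at all.
    humans = delegators(subject) if is_agent else [subject]
    if not humans:
        return _deny("agent has no recorded human delegator")
    in_owning_team = any(reachable(h, resource, HUMAN_PATH) for h in humans)

    # Rule 2: reads are allowed to the owning team (directly or via delegation).
    if action == "read":
        return _allow("member of owning team") if in_owning_team \
            else _deny("subject not related to resource")

    # Rule 3: writes additionally require explicit human approval when the
    # caller is an agent, carried in the request context.
    if action == "write":
        if not in_owning_team:
            return _deny("subject not related to resource")
        if is_agent and not context.get("human_approved"):
            return _deny("agent write requires human_approved in context")
        return _allow("owning-team write")

    return _deny("unknown action")


def parc(subject, action, resource, **context):
    """Small helper to build a request dict in the assumed shape."""
    return {"subject": {"id": subject}, "action": {"name": action},
            "resource": {"id": resource}, "context": context}


if __name__ == "__main__":
    for req in (parc("user:alice", "read", "doc:q3-budget"),
                parc("agent:budget-bot", "write", "doc:q3-budget"),
                parc("agent:budget-bot", "write", "doc:q3-budget",
                     human_approved=True)):
        print(req["subject"]["id"], req["action"]["name"], evaluate(req))
```

Changing who owns what touches only `EDGES`; changing what an agent may do on its own touches only `evaluate`. That separation is the point of the takeaway: the graph tells you what is true, the policy tells you what is permitted, and applications ask one question instead of re-deriving both.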