Episode 202 - GluuFederation/identerati-office-hours GitHub Wiki

Title: When Identity Isn't Enough: Securing AI Agents at Runtime

Channels

Description

AI agents authenticate with valid credentials, pass MFA, and then commit fraud — bulk data exports, cross-tenant queries, unauthorized payments — all with a clean token. The identity layer tells you who the agent is; it doesn't tell you what the agent should be doing. This session covers the emerging runtime enforcement layer for agentic AI: behavioral baselines, real-time fraud scoring, and why the post-2012 identity stack (DPoP, mTLS, device-bound sessions) is necessary but not sufficient when the threat is an authenticated agent acting outside its declared scope.

Homework

Takeaways

Livestream Audio Archive

here