An engineer ships an agent to manufacturing this week. It must name an inner API, so it makes use of the important thing already sitting within the engineer’s setting. The agent runs. It additionally now holds each permission that engineer holds.
That’s the default state of most agent deployments right now. The agent has no id of its personal, so it borrows one. It really works on day one, which is precisely why the issue ships unnoticed. A non-human course of is now carrying a human’s full entry, and nothing in your audit log can inform the 2 aside.
This isn’t a configuration mistake. It’s a structural hole. Id and entry administration assumes an actor is one among two issues: an individual, or a long-lived service account with a static permission set. Each are secure. Each do roughly the identical factor day-after-day. Your controls, your audit mannequin, and your provisioning flows are all constructed on that stability.
Brokers are neither. They act on behalf of individuals, so they don’t seem to be service accounts. They spin up and tear down on their very own schedule, so they don’t seem to be individuals. They sit within the hole your IAM stack has no class for, and the hole is the place the credential will get borrowed.
Why you can’t simply patch this
The rationale current IAM can’t merely take up brokers is non-determinism. A service account calls the identical endpoints on the identical cadence each time. Give two brokers the identical permissions and the identical purpose, and so they can take completely different actions, as a result of each picks its device chain at runtime primarily based on its immediate, its context, and the output of no matter referred to as it.
The set of actions an agent will really take just isn’t knowable if you grant its permissions. That turns design-time least privilege right into a design-time reply to a runtime drawback. You might be deciding upfront what an actor might do, when the actor decides what to do solely as soon as it’s working.
That single reality is the backbone of this sequence. It’s why borrowed credentials fail, why scope needs to be slender, why a delegation chain has to remain inspectable, and why authorization can’t be a one-time grant. The query that issues just isn’t “who is that this actor.” It’s “what is that this actor licensed to do proper now, for this process.”
When you do nothing else this week
Earlier than the sequence goes deep, three checks you possibly can run right now in opposition to any agent already in manufacturing.
Search for human API keys being utilized by non-human processes. If an agent authenticates as the one that deployed it, you have got privilege inheritance in manufacturing proper now.
Verify whether or not your audit logs can separate agent actions from human actions. If they can’t, your incident response and your compliance story each break on the identical second.
Affirm you possibly can shut one agent off with out rotating a human’s credential or breaking three different issues. If revocation means collateral injury, you wouldn’t have an off swap. You will have a hostage scenario.
None of those is the complete repair. They’re the ground. Discovering the place they fail tells you the place to start out.
What fixing this really seems to be like
The remainder of the sequence builds the reply in layers, each resting on the one beneath it.
It begins with giving the agent a secure, verifiable runtime principal you possibly can authorize in opposition to, attribute actions to, and revoke by itself. Then it has to outlive contact with actuality: brokers name instruments, instruments name different brokers, and id has to remain intact throughout each hop so you possibly can nonetheless reply who initially requested and which actor is making this particular name. The credential the agent makes use of to make these calls has to remain out of the mannequin itself, the place a single immediate injection may learn it and ship it anyplace. Above that sits the query of the place the principles dwell, and who decides what an agent might do the second it acts someplace its personal platform doesn’t attain. Beneath all of it runs the lifecycle: an id you provision, scope, revoke, and re-evaluate whereas the agent runs, not a report you write as soon as and overlook.
Id is the muse the remainder is dependent upon. Authorization, governance, and observability all sit on prime of it. Get id unsuitable and nothing above it holds.
The place DataRobot matches
The agent platform from DataRobot treats agent id as first-class infrastructure, not an afterthought bolted on at deploy time. The path is the one this sequence argues for: give every agent its personal scoped id, preserve the delegation chain intact and auditable when brokers name instruments and different brokers, govern that id in a single management aircraft, and federate belief outward to the id suppliers and workload id techniques an enterprise already runs.
What’s coming
Half one takes aside the borrowed credential. Why inheriting a human’s secret’s privilege escalation by default, and why the repair is authority determined at runtime, not a passport stamped as soon as on the border.
Half two defines what a first-class agent id really is: a definite principal, scoped permissions, a transparent proprietor, and a kill swap. It additionally exhibits the way you make that principal reliable by way of attestation, then engages the query a great engineer is already asking. Is that this simply workload id? It is dependent upon three invariants, and the place they break is the place most actual fleets dwell.
Half three follows id by way of a delegation chain. RFC 8693 token change, the confused deputy you create if you flatten that chain, and the 2 protocol surfaces the place it’s preserved or destroyed in observe: MCP and A2A.
Half 4 retains the key out of the mannequin. An agent’s context is attackable, so a immediate injection can learn something in it. That’s the reason the uncooked credential ought to by no means attain the agent’s course of. A dealer holds it and injects auth on the boundary, and the agent solely ever will get a scoped functionality.
Half 5 is about the place authorization and governance sit. Govern natively, federate outward, dimension controls to blast radius, and the frontier no one has cleanly solved: what occurs when an agent acts throughout belief domains its issuing platform doesn’t management.
Half six treats id as a lifecycle. Simply-in-time, task-scoped credentials, no standing privilege, and steady runtime authorization. It closes the loop again to non-determinism and leaves you with a six-question audit to run in opposition to one actual agent.
Half one publishes subsequent.
If you would like a head begin, go discover one agent in your setting proper now and test whose credentials it’s utilizing. That reply is the place the sequence begins.

Leave a Reply