Agentic AI is breaking IAM – Identity Orchestration fixes it

Eric Olden: 

Part of where this all began was when I was trying to buy my daughter some concert tickets. She had asked me to get some tickets and these are hard to come by. And so she said, well, don’t you have one of those credit cards that have special purchasing? And, uh, you know, so you can get the tickets before, you know, all the bots take over and you have to buy them on resale. And I said, oh yeah, I have that through, uh, one of my cards, but I don’t have the time because I was on my way out the door. Yeah. And I thought, well, this is a great opportunity to maybe use an AI to do that. So, um, with all the hope in the world, I opened up on my phone, I got to the, uh, chat GPT and I said, you know, find me concert tickets for Kendrick Lamar. And I want to buy three tickets and I want to not spend more than $500 and it needs to be an 18 and up venue. And I want you to use my special card purchasing privileges. And I, you know, I let the agent come back and unfortunately, it came back and said, I can’t do that. That’s not possible. And I thought, you know, that’s really strange. Like, why can’t it do that? And so I wound up having to get the tickets directly and spend a bunch of time doing that. But I just kept coming back to that thinking, well, if these agents are going to be really useful, they got to be able to do something like that. And why can’t we do that today? And so I started to break that down and really start to unpack from an identity and security standpoint, what was holding this back and where that led is to a new product with Strata and it’s called Maverics for agentic identity. And I want to show you a little bit about that here today. So let me share something real quick.

Eric Olden: 

And so here we are. So I want to spend a little bit of time here today sharing what we mean by Maverics for agentic AI and how we see this as delivering the enterprise identity layer for agentic AI. You know, and it started with this use case. And I think what I was really trying to do is to find a way to prompt an AI to do a multi-step transaction on my behalf, but it has to be done in a secure and auditable way. And so kind of, you think about how this works, you know, it started with just asking the AI to do this and the response that it couldn’t, when I started to unpack that, what it really came down to is that today, those agents, they’re really not set up to do financial transactions. And they’re not really able to access sensitive data, right? Like my daughter needs, you know, she’s private information, like age and so forth. So that sensitive information that’s, hard to trust an agent with. The other part of it is that we don’t want these agents kind of doing all these things without some oversight. And then the last thing is how do we make sure that what we wanted to have happen happened? Or in the end, how to make sure that if there was a transaction that we don’t have this issue around non-repudiation where someone says, I didn’t actually want to buy those tickets. So I don’t want to pay for them. And so, you know, that really started me thinking, where are we with identity today? And, you know, we’ve been dealing with human identity for a long time now. And that includes all the things, all the A’s, right? So authentication and access control and so forth. And if you look here, there’s a lot of things that we need to do for the agents, but they’re going to be done in a different way, right? So when you think about agents and the way that they need to authenticate, they’re going to have to do authentication to validate and prove who they are, who they say they are, but it’s going to be done in different technologies and in a different scale. Similarly, with access control, we need to do zero trust and have continuous authorization. But now it’s going to be done with a different kind of notion or context of being task aware. Authorization, this is one of the biggest parts. And it’s in the name agents, right? And when you think about how agent-based authorization works, and it’s different than the way that we think about traditional human based authorization is that we have these agents that are working on our behalf. And a good example of that would be, remember the movie Jerry Maguire? Well, Tom Cruise was the agent for Cuba Gooding Jr. He, Tom Cruise wasn’t the one as the football player, but he represented the football player in the negotiations. And so you have this notion of agency where you’re working on behalf of somebody else. And in this new world of agents and software, that’s really what these agents are doing is they’re doing things on behalf of others. And typically that’s going to be a human, but it may also be another agent. And so the other part of authorization I think is really important here is that we need to keep a notion of a human in the loop. So we’re doing authorization and things like that. Auditing naturally, if we don’t have a way to record everything that happened, it’s going to be really difficult to show what happened for originating transactions and being able to stand behind the work that these agents are doing on our behalf. And then lastly, identity management. And I think this is one of the really big aha moments was that you know, if you think about the agent, it is working on the same level as a person or a human. And I think that’s a bit different than the traditional notion of non-human identities where you could have a service account that’s doing things as a process would. I think the difference between an NHI or non-human identity and what I think of as an artificial identity for an agent is that with the artificial identities, these agents, we need them to be on the same kind of same first order as the humans, because that’s how they’re going to have that ability to work on our behalf. And so some of the other things that come with that is when you think about how we get humans into an identity provider, we’ve got a joiner mover leaver kind of process and we’ve been doing that for years. And in the kind of human world, it doesn’t matter that they may take a couple human steps to approve something. But when we’re dealing with agents, we’re dealing with potentially very ephemeral kind of agents that come and go very quickly. And we don’t have time to have a human provision of identity of an agent into an IDP, we need to be able to do that just in time. so where humans may, you know, in many cases, you know, are delivered babies are delivered in a hospital in a, a nurse reward, but in the agent world, there’s no hospital involved. They’re coming out of software platforms and generally through CI-CD pipelines and so forth. And so really thinking about how do we make the agent identity work, we’re building off of the understood framework of humans, but we need to adapt it and make it work in a fundamentally different way, but do the same things. So you think of way that a lot of these…

Eric Olden: 

So it brings me to how we think about the role of agents in the enterprise today and how that comes together. Hey guys, I’m recording something. Flynn, I’m recording something. So that brings me to how the enterprise today is working with agents and they’ve got a number of different new challenges that we’re seeing here that didn’t exist just a year ago in many cases. And the issue is a couple things. One is that today we’re seeing organizations trying a lot of different vendors from how they’re getting these agents, how they’re building them. They may be using different platforms from Google or OpenAI and Anthropic and Azure, but really what they’re trying to do is create these agents. And there’s a lot of different technologies that are at play here today. And then the second issue is the scale of how many agents there are. And it’s astounding, right? If you choose a number, but what I’ve seen is anywhere from 50 to 80 times the number of agents to humans. And what this does is drives the need for IGA at a completely different scale than we’ve ever seen before. And humans aren’t going anywhere because of that notion of agency representing humans and agents and agents to agents to humans. Now we need to really think about how do you manage these things? at the same time, right? Where you’ve got agents on one hand and humans on the other. So it’s not a case of agent identity replacing human identity. It’s a matter of them working together. The next thing is that these need to run in a lot of different places. So there’s a lot of great platforms that will deliver agents in the cloud. That’s great for certain use cases. But there’s other use cases where, because you have confidential data or regulatory reasons or performance, you need to have these agents run on premises. so really thinking about the hybrid role of agents running in the cloud as well as on premises, I think is the default position today. And then you think about getting to mission critical utilization of agents, right? If these are going to really fulfill the potential of having agentic employees, then we need to make sure that they’re always up and available and that the identity systems that secure and control that are as performant and resilient as we do in the human world. And a lot of what this is driving is the need to control access to APIs. And the way in which we think about agents calling APIs is you know, now with the introduction of a new technology like MCP servers is a way to really get at the automation of the enterprise through using these APIs. Another issue that’s really important is linking a agent identity with an identity in an IDP. So imagine a scenario where you’re launching a a new agent out of Azure AI Foundry or the Google Vertex. Once that agent is instantiated, we need to create a record or a profile or basically an identity inside of an IDP. And that when you look at what are the identity requirements for these agents, and as we mentioned a moment ago, it’s pretty much everything, right? It’s authentication, access, authorization, auditing, administration, and so forth. So it brings me to the MCP side of things, which are a really powerful standard that Anthropic has brought to market. And a lot of people are adopting it. And MCP servers are going to be prevalent. And I think that’s a great thing because standards are always really good. But the thing is, that MCP servers on their own are like really designed as a way to streamline the way you access APIs. But they don’t do anything from an identity standpoint in terms of controlling or doing those types of things. So we need to think about how we bring that into the fold. And then you think about mission critical, we need to be able to…

Eric Olden: 

have the ability to fail over from one IDP to another in the event that one of your IDPs has a bad day or goes offline or isn’t able to keep up with the performance in the demands that are being asked of it. And because there’s a lot of changes here and people are testing a lot of different combinations, we need to be able to plug and play different IDPs without rewriting things, right? Without rebuilding. the agent just because we want to use a different IDP, we need to abstract that from the agent and make it so you could say use Microsoft on some agents and then say, well, you’re going to switch that out with Auth0 for others and then be able to go back if that’s what you want to do. So being able to mix and match those things is a big part of the challenge. And the last thing here is that these IDPs for a lot of the use cases we’re seeing need to also run on premises and they won’t necessarily work with the cloud IDPs for a number of reasons because of regulatory concerns and performance and then just security to be able to keep it on premises. So being able to use cloud-based IDPs in some cases and on premises IDPs and the other. So bottom line is in order to bring agents into the same level of security and control that we have for humans, we got a lot of work to do. And, you know, that really is what is the driver here behind Strata’s new product for agentic identity. So which brings me to introducing Maverics for agentic AI. I guess here, take two, Sarah. Which brings me to introducing Maverics for agentic AI, what we’re seeing as the enterprise identity layer for AI agents. And I want to take us through this a little briefly here. Take two. So the new requirements that we have for providing this identity layer for agentic AI, I want to start with the use cases. Because some people are asking me like, Hey, is this a consumer issue, a CIAM issue, or is it a workforce issue? I think it’s both. And I think we’re going to see the use cases for consumers where you have agents buying and selling things, maybe concert tickets, right? where agents need to manage sensitive data, could be age, things like that, because we want to be able to enforce kind of real world policies in the digital sphere. From an enterprise standpoint, a lot of different use cases, there’s been a lot of talk and interest in agentic employees and being able to take tasks and bring a software approach to it and do that in a kind of a workforce context. We’re also seeing agents in the DevOps world where you can automate a lot of things, but we need to think about the role of agents within DevOps. And then in the defense and public sector, right? We’ve been hearing people talk about, can we have some agents that will help us with navigation and be able to monitor to make sure ships are going in the right places and avoiding the things that they need to avoid. Or if you’re in a disaster response where time is sensitive and you need to be able to respond very quickly, the ability to have agents to coordinate things like first responders and things like of that type. So I think for the six use cases I mentioned here, there’s probably a million new ones that are coming out where people, what they need are the functional requirements. And I kind of net this out to four big things from the highest level. And the first is that we want to agentic identities just like humans. And you know, think about as first class citizens, so on par with all the things that we do with the human identity. The second thing we need to do is to manage that agency link. And that’s going to be tying humans and agentic identities together through a delegated model. And then the third point here is that it’s not just humans to agents, but it’s agents to agents to agents. And so how we chain different agents together has a lot of the same things that we need to do in the human to agent alignment. We need to do that and make that really kind of, in a sense, federate these different agents as they go through and do different tasks. And then point four. much like we see in the enterprise today, we need to be able to mix and match things because early on, I know my engineering team, when we were starting with agents last year, we were trying all the different platforms and we were saying, let’s try Anthropix platform. Let’s try Mistral. Let’s try OpenAI. Let’s try Llama. And we were just seeing which one is best for the purpose that we were building it for. And I think where we are today as an industry is very early on. And so the ability to do experimentation is really, really critical. From an architectural standpoint, I think what’s important here is that we really lean into standards and use the MCP protocol to make it really easy to surface APIs and the various tools. And we need to think about how to bring identity into that world. The next thing is that if we’re going to do this in a kind of a really meaningful way, we got to make sure that we don’t treat performance and security and resiliency as an afterthought. need to do that from the very beginning because I’ve never seen it successfully added after the fact, To start scalable means that you’re going to remain scalable. I’ve seen very few cases where things have not been scalable. and that you can easily make it more scalable in the future without rewriting everything. And then the last point here is that because of where all of these applications and APIs are running and different organizations’ tolerance for running things in the cloud versus keeping things on premises, is we really need to think about this as a base. Architecture deployment is hybrid, where you can run some things in the cloud, some things on premises. and make it really easy to go between the two. with these new requirements, we thought, well, what are the specific capabilities that we need to bring into the conversation? And the first one is guardrails, which is, you know, how do we put controls in place so that the agents are kept under governance, kept in control? Discovery is an important thing because of the scale. We need to be able to see where the risk is. Where are these agents? Where are they running? How do we put our arms around it so we understand the risks that we’re standing on? And then we need to be able to do this in a very continuous way, right? Because of the speed. If you just did a discovery once a month, you’re going to miss so many things that happen hour by hour. And so we need to really think about discovery in a continuous sense. Authentication, right? We’re going to be using zero trust and we’re going to do it continuously, but we got to do it for these agents. And I think some of the things that come out of the new type of authentication for agents is that it has to be passwordless. I mean, it’s time to just move beyond the vulnerable passwords and secret based model into truly secure passwordless authentication. let’s make sure that we start that with agents and don’t ever introduce the vulnerability of passwords and things that can be replayed. Authorization in terms of how we do this, I think it’s going to be a bit different. It’s going to be based more on attributes than on roles. And we need to really think about the human and the loop component of that. Observability, having a way to see where all these transactions are happening and be able to capture the intent and the context of a transaction. So, you know, share some specifics here in a moment, but really understanding like who is the subject and who is the actor and being able to have logging and reporting on those two important components. Delegation is about the on behalf of flow or the agent to agent or agent to human kind of model and really being able to embrace that natively as the mechanism to, you know, how these agents work on our behalf. Abstraction, think has been a really critical thing for identity orchestration and identity fabrics. It’s what makes it so powerful within the identity sphere, but now extending that abstraction to work with the agent frameworks as well as IDPs, as well as your applications and your APIs. And so really thinking about how to bring the power of abstraction into this new world. IGA, so identity governance and and administration, right? How do we manage these very different identities that have very different aspects to them? For instance, being, you know, ephemeral and need to do things very quickly and the profiles that agents are going to have are going to be different than what you see in the human world. And then lastly, you know, being able to run it where you need to. So that was all what we set out to solve here within this product. And so now let me take you through how this works with our new approach. In this case here, we have the subject, the person here on the left, and they’re going to identify themselves to the agent. And so when they do this in step two, we’re gonna be doing this with OIDC. And as you see here, you know, a very familiar kind of, choose your account that you want to use. I’ll just call out that, you know, there’s multiple different types of persona that someone may have. And in this case here, we may want to use our, cause you’re trying to buy the concert tickets. So that’s something I’ll use my consumer identity for, in which case that’ll pass, through the OIDC process. It’ll pass my identity using OAuth into the, agent. So now in this case here, we’ve logged into the agent, so the agent knows who the subject is. And the agent in this scenario will become the actor from an OAuth standpoint. So now what happens next? We want to go get those concert tickets. So in order to do that, the agent now is going to go call the ticket provider. And so to do this, this is where some new things start to come into play. So the first thing that we need to do is have the agent authenticate itself to the MCP bridge. And so at this point, why do we need that? Because we don’t want to just have any agent calling into the APIs. We need to start to identify this agent. So the way that we do that is using the OAuth PKCE flow or, you know, often called Pixie. So once we do that, there’s no passwords involved, right? We have a way to verify that this agent is an agent that we now know. And then the next thing that happens is that we need to create an identity for that agent. And so on the fly, what Strata’s Maverics product does is it will on the fly provision an identity for that agent. into whatever IDP in the identity fabric is appropriate. And so what we’re doing here is just basically saying, hey, we have this agent and we’re going to create a correlated account within the IDP. And then that will then be used to apply policy. So now that we’ve got that agent authenticated and now we have a correlated ID in the IDP, Now we evaluate the decision of can this agent on behalf of that subject purchase the ticket. And so at that point, the transaction is, goes through the HTTP proxy. And so this is your policy enforcement point. And we’re able to apply the policy here in step six on both the subject, the human and the actor. So here we’ve got a split where we can have a compound policy where on one hand we’re going to verify that we want the agent to be able to call this API. But in terms of whether the person who asked the agent to do that, that’s really who we care whether they can purchase a ticket or are they old enough in terms of maybe going to that venue. So at the control plane here, where we have the rules, we’re going to enforce the various identity questions by calling the IDP. And so this kind of process is a way to bring back the context of the transaction through the agent and the actor and the subject or the human and be able to do that compound decision. So assuming that we, in this example here, that they are going to be allowed, then we can pass the session token into the API. So you have the context that’s fed to the backend API so that the tickets are purchased. And then we want to kind of run that all the way through for both the human and the agent. 

Eric Olden:

 So that’s how the end-to-end… process works. We chain it together using OAuth, which is a very powerful standard. And we’re using our well-defined identity fabric to, to manage all of the policy. And then the auditing and the logging that happens, captures all of that stuff here, so that we can then go back and say, Hey, you know, if there was an issue, we can show that, you know, here’s how that transaction. the intent and the context of that transaction and what was decided and why a decision was made. So this is, I think, the overall framework in which the way to bring identity from the human world and make it work in the agentic world by using the common patterns and using standards so that all of these things work together. And we have a an end-to-end flow that is secure. So one other big concern that we hear is, well, how do we know that it’s really the human who called the agent to go do these things instead of an imposter, maybe a bot network that’s sending, creating these agents and using that to call on our behalf? Well, to do that, this is where the human in the loop comes out. And so In this case here, let’s pick up the transaction again. So we say, well, before we actually buy the tickets, we need to, for anti-fraud purposes and just good practice, we want to make sure that the person who had that agent do this transaction, we want to make sure that that is in fact a human and that they’re really there. And that we’ll also ask them for approval on that transaction. So the way that this happens is that, similar to how step up authentication works in classic identity orchestration. But in this case here, before we let the transaction go through, we’re going to do a liveness check. And the way Strata would do that is to run a liveness check with our partner over at HYPR And what HYPR does is they’ve got a really powerful identity assurance and validation capability. And so in this case here, we’ve got a liveness check, which is a way to make sure that the person is really the person you expect it to be, and it’s not a deep fake or it’s not a photo of a person. So once that liveness check is verified, Now we know, okay, we’re gonna log that and say, yes, we did a liveness check. And so here’s the audit record for that. And we’re also going to run the passwordless MFA process. So in this example here, using the Apple Face ID to say, look, it really was you with the assurance level of MFA. So we did the biometric scan. And then we said to the user, approve or deny this transaction. Do you want to buy the concert tickets? Because there are no refunds. And once you hit approve, then this transaction is going to go through and then we’ll be able to close the loop and know that we have the record here that showed that in fact, we did verify that it was a human and not a bot. We verified also that the authentication was of that individual. And then we joined the approval or denial to the human for them to put their control in the loop. And so with this capability through orchestration, we include the human in the loop into the decision here as well. So that’s the way that you bring the human in the loop in anti-fraud to have these reliable transactions that the AI agents are going to be doing on our behalf. So now want to go into a little bit more detail about how this works and what it looks like. And I think in the, this diagram here, what you’re seeing is more or less what I just reviewed. Take two. Now I want to show a little bit about how this works in more detail. And in this diagram here, which you’re seeing is pretty much the same transaction we just walked through. but calling out that the way that you control the policy is through Maverics Cloud Console. And so you’ll go into the Maverics platform, it’s your identity control plane, and now it works for both humans as well as agents. So you create the policy that the MCP and the orchestration engine, what it uses to enforce the policy. And so… The key here is that you are able to do your control plane for both agents and humans in one place and then use that to control what these agents do and how they interact with different systems and data. A little more detail on the authentication for the agents, the steps that go through here. By default, we use OAuth PKCE, but there’s another approach to doing that using SPPHI and SPIRE. Kind of an alternative, alternate path. If you prefer to use SPPHI, then it’s another way to securely identify a non-human identity, in this case an agent. But it’s really about using standards in either case. When we do the delegated human authentication, we use OIDC. And that’s important because That’s the way that we can make the human known to the AI without passing passwords around. The liveness check we are doing here is a redirect at the point in the transaction where we want to have that human in the loop happen. And then lastly, what Maverics is doing here is authenticating the agents to the MCP server. we can make sure that end to end we’ve got continuous authentication. When we talk about agent discovery, here’s a really important part of the life cycle is how are going to find all of these agents? Because there’s a lot of them and they’re not all in one place. And so what we’re seeing here is the need for a new registry that is what we call an agent fabric. And so this registry, the way that we populate that is through our discovery tool. And the Maverics discovery, which also does application discovery and API discovery, will also do agent discovery. And it’s important to know is that you do this without any download, no install, no changes. It’s very lightweight and designed to kind of show you the big picture, all of your agents across platforms in one place, and do that where you can see that both the forest as well as the tree. So you can go from everything down to one agent in particular. that cross platform discovery is really important. And then on the other side of the IGA is the account provisioning. Maverics uses SCIM to do that in just in time. So you can also write directly to the API. You don’t have to use SCIM, but for most use cases, probably the right way to go. And by using that, then you can send it to any of the IDPs in your identity fabric. So two parts, discovery and just-in-time provisioning. And we talk about delegated authorization and how we keep humans in the loop. What we’re using here is the OAuth OBO, or on behalf of flow. And you can see here what’s going on is that the human is instructing the agent to perform an action. And then the agent gets a token from the human and then adds to that with information about the actor, passes that over to the orchestrator, which then can say, okay, I see that this is a human, a subject that’s trying to do an action through an actor and therefore can make that whole. decision happen and as we shared earlier, how do you can do that with verifiable credentials and MFA to make sure that it’s truly the person you thought it was. Observability is a huge thing. Being able to see all of the activities is critical because we need to make sure that all of these things are logged and Maverics’ approach is to consolidate all the logs into one place. So we have a common single pane of glass that our customers can then use to see all of the different transactions across all of the different agents, no matter where they’re running in the cloud or they’re running on premises. And our approach is to feed other reporting systems. So we… you know, really focus on giving very detailed open telemetry formatted logs so that you can ingest them in, you know, whatever tool that you want, whether it’s Splunk or Grafana or Datadog, whatever it is that you use, we want to make sure that you can ingest all of the activity so that you can act on it. And I want to talk a little bit about abstraction layers. And the way that we see this is that this whole chain of humans and agents calling APIs all works against three key abstraction layers. An abstraction layer for your agent fabric, an abstraction layer for your identity fabric, and then an abstraction layer for your applications and APIs called the app fabric. And so the key with abstraction layers, it allows you to avoid rewriting things or having to do anything special for any one system. Ultimately it makes it easier to switch things out. and prevent getting locked into any particular platform or technology. And the last thing I want to take two. And one important thing is how to do this in a secure way where you can run the components that you need wherever you need to. And what we’re seeing here is the ability to run on these on-premises environment or in the cloud, but importantly to decouple the control plane shown here on the left. from the data plane or the identity plane at runtime here on the right. And by having this air gap architecture, you can deploy your orchestrators for agents wherever you need to. That could be in your data center, that could be in a cloud, it could be on a ship in the Coast Guard. So that’s a really important piece because you don’t know where your agents need to run and you need to be able to run your identity wherever it’s needed. And so this is accomplished. through this air gap architecture, which supports these distributed topologies. So some of the features and benefits here I’d like to share is, you you look at what we’re trying to do for agent authentication, human and API access control and auditability. really seeing a lot of capability, but in the end, the benefit is that you have visibility, you have control, and you can make things work in a very secure way. When you think about discovery and governance, that also is important because it works across a lot of different systems. Actually, we’ll cut this. I don’t want to have these two slides on here. Okay, so how do you get started with this? One of the exciting things that we’re doing at Strata is making this really easy for you to get your hands on and to start to learn how all of this works. And the way that we’re doing that is through this AI or agentic identity sandbox. And so what we’ve done is we’ve assembled all of the pieces to do that transaction about buying concert tickets in a fictional way by providing all of the tools that you want to use all in one place. So we’ve taken open-sourced components and we’ve assembled an agent, we’ve assembled multiple IDPs, multiple applications so that you can learn by doing. And so this sandbox is available on the strato.io website. So you can get up there and you don’t have to do anything, you have to download it, you can just play with it right on our website. But we’ll also make it possible for you to download the sandbox and to run it local. And then if you like what you see, then you can move into different layers of production. production and and so forth. So we’d love for you to, you know, to download this and to play with it. Take two. So we’d love for you to come to our website and to experiment with it, to play with it and engage with Strata. We’d love to work with you. Love to help you on your journey to learn how to secure the agentic identity and look forward to hearing from you and helping you make your project successful. Thank you.