The authorization problem that could break enterprise AI

When an AI agent needs to access your CRM, retrieve data from your database, and send emails on your behalf, whose identity is it operating under? This question, along with other identity framework challenges, was discussed by Alex Stamos, chief product officer at Corridor, and Nancy Wang, CTO at 1Password, in a recent session of the VB AI Impact Salon Series.

Wang emphasized the importance of understanding the authority under which an agent operates, which is crucial for authorization and access control. She highlighted the significance of managing identities for agents, similar to how humans handle passwords and secrets.

1Password’s Journey into Agent Identity

Wang explained how 1Password transitioned from a consumer password manager to an enterprise solution as employees brought the tool into their workplaces. Just as with humans, agents also require secure handling of credentials.

Internally, 1Password focuses on balancing speed of development with security measures to prevent incidents related to AI-generated code. Wang stressed the importance of generating quality code while allowing engineers to work efficiently.

Addressing Security Risks in Development

Stamos highlighted the common practice of developers pasting credentials directly into prompts, which poses a significant security risk. Corridor actively monitors and guides developers towards proper secrets management practices to enhance security.

1Password’s approach involves scanning code in real time to identify and secure plaintext credentials before they are stored. The goal is to streamline access without compromising security measures.

Challenges in Security Feedback for Coding Agents

Stamos discussed the challenge of false positives in security scanners, which can disrupt coding sessions. Precision and recall are critical factors in maintaining the integrity of coding models, requiring engineering efforts to achieve optimal performance.

Authentication vs. Authorization in Agent Identity

Xanthos highlighted the extensive access granted to agents, raising concerns for security teams. Wang suggested implementing time-limited identities for agents using standards like SPIFFE and SPIRE, despite the inherent challenges in adapting these standards to agentic contexts.

Additionally, Wang emphasized the importance of applying the principle of least privilege to tasks rather than roles, ensuring that agents have scoped and auditable access for specific functions.
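The time-limited, task-scoped and auditable access described above, sketched as an added example that is not code from 1Password, Corridor or the session. It uses a plain HMAC-signed token as a simplified stand-in for a real workload identity (it is not a SPIFFE SVID or an OIDC token); the key, agent ID, claim names and action names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"  # assumption: known only to issuer and verifier
AUDIT_LOG = []                         # in-memory stand-in for an append-only audit sink

def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def issue_task_credential(agent_id, on_behalf_of, task, actions, ttl_s, now=None):
    """Mint a credential bound to one task, an explicit action list and an expiry."""
    now = time.time() if now is None else now
    claims = {"sub": agent_id, "act_for": on_behalf_of, "task": task,
              "actions": sorted(actions), "exp": now + ttl_s}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)

def authorize(token, action, now=None):
    """Return (allowed, reason). Every decision, allow or deny, is audited."""
    now = time.time() if now is None else now
    claims, allowed, reason = {}, False, "malformed"
    body, sep, sig = token.partition(".")
    if not sep:
        pass  # no signature part at all: keep "malformed"
    elif not hmac.compare_digest(_sign(body.encode()).encode(), sig.encode()):
        reason = "bad_signature"  # claims are not trusted or parsed
    else:
        claims = json.loads(base64.urlsafe_b64decode(body))
        if now >= claims["exp"]:
            reason = "expired"
        elif action not in claims["actions"]:
            reason = "out_of_scope"  # privilege follows the task, not a role
        else:
            allowed, reason = True, "ok"
    AUDIT_LOG.append({"ts": now, "agent": claims.get("sub"),
                      "act_for": claims.get("act_for"), "task": claims.get("task"),
                      "action": action, "allowed": allowed, "reason": reason})
    return allowed, reason

if __name__ == "__main__":
    tok = issue_task_credential("spiffe://example.org/agent/crm-summarizer",  # constructed ID
                                "user:alice", "summarize-crm-account", {"crm:read"}, 300)
    print(authorize(tok, "crm:read"))    # allowed: inside the task's scope
    print(authorize(tok, "email:send"))  # denied: the task never needed email
    print(json.dumps(AUDIT_LOG, indent=2))
```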

Stamos recommended OIDC extensions as a leading standard for managing agent identities, cautioning against proprietary solutions that may not be widely adopted.

Scaling Identity Solutions for Billion-User Platforms

Stamos predicted a consolidation of identity solutions around trusted providers, especially on consumer platforms. He underscored the challenges of managing identities at scale, where even minor issues can have significant consequences.

In conclusion, the evolution of agent identities requires a fresh approach to identity infrastructure tailored to the unique nature of AI agents, rather than retrofitting existing frameworks designed for humans.