AWS re:Invent 2025 - Securing AI Agents: The Future of Identity & Access Control (SEC328)

Securing AI Agents: The Future of Identity & Access Control

The Challenges of Identity and Access for AI Agents

• AI agents are becoming increasingly prevalent, with the speaker noting a significant increase in adoption over the past 6 months
• Agents pose new challenges for identity and access control compared to traditional human users:
  • Agents need long-lived, headless access to systems without frequent re-authentication
  • Agents may require broad, dynamic permissions that are difficult to scope down to the principle of least privilege
  • Agents can perform actions extremely quickly, making it difficult to audit and monitor their behavior
  • Agents blur the lines of responsibility - if an agent deletes a production database, who is accountable?

Architectural Patterns for Agent Identity

The speaker discusses four emerging patterns for addressing agent identity and access:

1. Persona Shadowing

• Agents are given their own distinct identities derived from human users, such as "Matt Agent 1"
• Provides isolation and accountability, but can be difficult to scope down permissions appropriately

2. Delegation Chains

• Agents pass a credential or token between systems as they call out to other services
• Preserves end-to-end context and authorization, similar to concepts like JWTs

3. Capability-Based Tokens

• Agents are granted highly scoped, single-use tokens or "capabilities" to perform specific actions
• Provides fine-grained control, but requires a centralized service to manage and distribute the tokens

4. Escalation to Humans

• Certain agent actions require explicit approval or consent from a human before being executed
• Helps maintain human oversight, but can lead to "consent fatigue" if overused

The speaker notes that the most effective solutions will likely combine multiple of these patterns to balance security, usability, and flexibility.

Emerging Standards and Protocols

The presentation covers several new and emerging standards and protocols for agent identity:

OAuth and OpenID Connect (OIDC)

• Traditional OAuth/OIDC was designed for human users, posing challenges for agent authentication
• Extensions like User-Managed Access (UMA) and the OpenID for Agents (OIDCA) proposal aim to adapt these protocols for agent use cases

Grant Negotiation and Authorization Protocol (GNAP)

• Designed for dynamic negotiation of token scopes and capabilities, potentially well-suited for agents

Secure Credential Presentation (SCP) and Verifiable Credentials

• Leverages cryptographically-signed credentials that can be verified across systems
• Enables stateless, machine-to-machine credential passing

Industry Approaches and Tools

• Middleware-based architectures that isolate agent code from external systems, providing a secure identity and authorization layer
• Examples include Work OS's OKIT product and Microsoft's Entra Agent ID
• Industry standards bodies like the Identities Governance Foundation are also working on agent identity solutions

The Future of Agent-Centric Applications

• The speaker predicts a future where agents become the dominant users of applications, rather than humans
• This will require a fundamental shift in how products and companies are architected, moving towards "agent-first" designs
• Managing the identity, access, and compliance challenges of these agent-centric systems will be critical for companies to remain competitive