CIAM for AI: Authn/Authz for Agents — Michael Grinich, CEO of WorkOS

Introduction to CIAM for AI and Agent Authentication 00:01

  • CIAM stands for customer identity and access management; the talk focuses on authentication (authn) and authorization (authz) for AI agents
  • AI products, especially in B2B SaaS, increasingly require robust identity solutions
  • AI agents need access to multiple systems (like databases, Jira, Salesforce, Slack) to be effective, raising unique identity and security challenges

Risks and Urgency in Securing AI Agents 01:02

  • Illustrative story: an agent with broad access could mistakenly delete a production database, demonstrating real risks
  • Agents differ from bots/integrations; they require wide, dynamic access and first-class identity management
  • There is urgency for new standards to ensure safe agent deployment and user protection as enterprises rapidly adopt agentic solutions

Challenges in Identity for Agents 03:39

  • Agents need headless login (no web interface), persistent yet secure credential management, and long-lived sessions
  • Least privilege models are difficult since agents often need wide and dynamic access
  • Compliance is key, as actions must be attributed to humans when necessary for legal/audit reasons
  • Agents operate at large scales and speeds, increasing the importance of observability and logging

Architectural Patterns for Agent Identity 06:10

  • Persona shadowing: Agents use a "shadow" identity linked to a human with restricted permissions, allowing for isolation and accountability
  • Delegation chains: Use of cryptographically signed tokens (e.g., JWTs) that pass permission step-by-step through systems
  • Capability tokens: Time-bound, self-contained tokens granting specific, limited actions, similar to a secure voucher
  • Escalation to humans: Human-in-the-loop approval for sensitive actions; practical but risks user consent fatigue and broad, insecure approvals
  • Combination of these methods is often necessary based on application and environment
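
Added example (not from the talk or from WorkOS): a minimal capability token that combines the capability-token and persona-shadowing patterns above, so each grant is time-bound, limited to named actions, and attributable to a human. The HMAC-signed format, the claim names (sub, act, actions), the key and the identities are assumptions constructed for illustration; a real deployment would typically use signed JWTs and managed keys.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed sample secret, not a real key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(key, human, agent, actions, ttl_s, now=None):
    """Issue a token letting `agent` perform `actions` on behalf of `human`."""
    now = int(time.time()) if now is None else now
    claims = {"sub": human, "act": agent, "actions": sorted(actions),
              "iat": now, "exp": now + ttl_s}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def authorize(key, token, action, now=None):
    """Return (allowed, reason, claims); every denial has a loggable reason."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Verify the signature before trusting anything inside the body.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad_signature", None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False, "malformed", None
    if now >= claims["exp"]:                 # time-bound
        return False, "expired", claims
    if action not in claims["actions"]:      # specific, limited actions
        return False, "action_not_granted", claims
    return True, "ok", claims

if __name__ == "__main__":
    tok = mint(KEY, "alice@example.com", "agent-7", ["jira:comment"], ttl_s=300)
    for action in ("jira:comment", "db:drop"):
        allowed, reason, claims = authorize(KEY, tok, action)
        # Audit line attributes the agent's attempt to the delegating human.
        print(action, allowed, reason, claims["sub"], "via", claims["act"])
```

The resource server, not the agent, runs authorize, so a grant that was never issued (db:drop here) is refused regardless of what the agent attempts.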

Emerging Standards and Protocols 11:00

  • OAuth: Widely adopted authorization delegation framework, but originally designed for human consent, not machines
  • OpenID Connect (OIDC): Extends OAuth for identity, increasingly applied to agent use cases
  • User-Managed Access (UMA): OAuth extension for users to proactively define agent access policies via a central server, enforcing these on resource APIs
  • GNAP (Grant Negotiation and Authorization Protocol): Designed for dynamic negotiation of token scopes, more flexible than static OAuth scopes, but less widely implemented
  • OIDCA (OIDC for Agents): Experimental standard to embed agent identity and delegation in OIDC; still at an early, uncertain stage
  • Verifiable credentials (W3C): Standard for issuing cryptographically validated credentials, being adapted for agents

Industry Patterns: Middleware for Agents 15:20

  • Industry trends favor middleware solutions between agent code and enterprise systems to manage trust boundaries, logging, and dynamic enforcement
  • Middleware can detect fraud, abuse, and enforce authorization independently of the agent's behavior
  • Examples include WorkOS's own identity/authorization middleware, Microsoft's workload identities, and Cloudflare's network layer authentication solutions

The Future of Agentic Interaction and Identity 16:54

  • Traditional trusted/untrusted distinctions in IT are dissolving; many apps previously "trusted" can now take unpredictable actions via agents
  • Current app usage: ~95% human-driven, 5% automated; predicted to shift to 95% agent-driven interaction in the future
  • This shift enables greater productivity and collaboration but makes robust agent identity and security critical
  • Anticipation of trillions of agents operating globally, requiring scalable identity management frameworks

Q&A: Timeline for Agentic Adoption 19:07

  • Adoption will vary by sector; some products (like delivery-only "ghost kitchens") already interact primarily via agents/APIs
  • Some platforms now offer agent-exclusive interfaces, signaling the shift is underway, though unevenly distributed across industries