Securing Agents with Open Standards — Bobby Tiernay and Kam Sween, Auth0

Introduction and Context 00:01

  • Bobby and Kam introduce themselves as engineers at Auth0, working on identity and access control for environments driven by AI agents
  • They describe recent work on the Auth for GenAI platform, the Auth0 MCP server, and their own agent, Tenant Security Manager
  • The goal of the talk is the delegation and access problem: how an agent acts on a user's behalf without holding more access than that user intended

Security Challenges of Smarter Agents 01:15

  • Agents that execute real-world actions create new security risks: secrets leaking into prompts, overly broad access scopes, and loss of visibility into what an agent actually did
  • Without strong monitoring it is hard to trace an action back to its cause or to respond to an incident
  • Excessive Agency, from the OWASP Top 10 for LLM Applications, is the central risk: an agent is given more access than its task needs, with no guardrails on how it uses it
  • Concrete consequences include unsupervised API access, credential misuse, and exposure of sensitive data

Token and Access Control Patterns 03:07

  • The common insecure pattern is a shared, static API key reused across users and services: one leak compromises everyone, and the audit log cannot say which user drove a given call
  • The improved pattern uses short-lived tokens that are specific to both the user and the target API, minted by a backend token exchange (RFC 8693); every call is traceable to a user, and rotation is a matter of waiting for expiry
  • Centralizing token management in that backend is what lets the pattern scale to many agents

Importance of Identity and Delegation 04:12

  • Identity is what makes an agent's actions attributable to a specific user, which in turn is what makes control and auditing possible
  • Without a user association, agents run as generic service accounts, which is the classic confused deputy problem: a privileged deputy acting on requests it cannot attribute to a principal
  • The proposed solution is open standards: OAuth 2.1 for the core flows, Rich Authorization Requests (RAR, RFC 9396) to state precisely which actions a token permits, and token exchange (RFC 8693) to mint delegated tokens that preserve the user's identity and can be refreshed securely
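
The two sections above describe the same mechanism from two angles, so one added example covers both. The TypeScript below is not the talk's code and not an Auth0 API; it is a self-contained stand-in for an RFC 8693 token exchange endpoint and for the downstream API that consumes its output, with RFC 9396 authorization_details carried through. The issuer URL, the brokerage API audience, the HS256 secret, the user and client identifiers, and the "trade" authorization detail type are all assumptions made for the example.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed stand-ins: a fixed HS256 secret keeps the example offline. A real authorization
// server signs with its own keys and the API verifies against the server's JWKS.
const AS_SECRET = "example-only-secret";
const AS_ISSUER = "https://as.example";
const TRADING_API = "https://brokerage.example/api"; // assumed downstream API (the audience)
const ALLOWED_AUDIENCES = new Set([TRADING_API]);
const EXCHANGED_TTL = 300; // seconds; deliberately short-lived

type Claims = { [claim: string]: unknown; iss: string; sub: string; exp: number };

function signJwt(claims: Claims): string {
  const enc = (o: unknown) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const input = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${input}.${createHmac("sha256", AS_SECRET).update(input).digest("base64url")}`;
}

// Claims come back only if the signature verifies, the issuer is ours and the token is unexpired.
function verifyJwt(token: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const expected = createHmac("sha256", AS_SECRET).update(`${parts[0]}.${parts[1]}`).digest();
  const actual = Buffer.from(parts[2], "base64url");
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return null;
  try {
    const c = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")) as Claims;
    return c.iss === AS_ISSUER && typeof c.exp === "number" && c.exp > now ? c : null;
  } catch {
    return null;
  }
}

// RFC 9396 (RAR) entry: exactly which actions the exchanged token may perform, and where.
interface AuthorizationDetail { type: string; actions: string[]; locations?: string[] }

interface TokenExchangeRequest {
  grant_type: string;
  subject_token: string;      // the user's token the agent already holds
  subject_token_type: string;
  actor_token: string;        // the agent's own credential
  actor_token_type: string;
  audience: string;           // the single API the new token is for
  scope?: string;
  authorization_details?: AuthorizationDetail[];
}

type TokenExchangeResponse =
  | { access_token: string; issued_token_type: string; token_type: "Bearer"; expires_in: number }
  | { error: string };

// The token exchange endpoint (RFC 8693), written as a function instead of an HTTP handler.
function exchangeToken(req: TokenExchangeRequest, now: number): TokenExchangeResponse {
  if (req.grant_type !== "urn:ietf:params:oauth:grant-type:token-exchange") return { error: "unsupported_grant_type" };
  const user = verifyJwt(req.subject_token, now);
  const agent = verifyJwt(req.actor_token, now);
  if (!user || !agent) return { error: "invalid_grant" };
  if (!ALLOWED_AUDIENCES.has(req.audience)) return { error: "invalid_target" };
  // Never widen: the agent may only request scopes the user's own token carries.
  const held = String(user.scope ?? "").split(" ").filter(Boolean);
  const requested = (req.scope ?? "").split(" ").filter(Boolean);
  if (requested.some((s) => !held.includes(s))) return { error: "invalid_scope" };
  const access_token = signJwt({
    iss: AS_ISSUER,
    sub: user.sub,              // the action stays attributable to the user...
    act: { sub: agent.sub },    // ...and to the agent acting for them (RFC 8693 delegation)
    aud: req.audience,
    iat: now,
    exp: now + EXCHANGED_TTL,
    scope: requested.join(" "),
    authorization_details: req.authorization_details ?? [],
  });
  return { access_token, issued_token_type: "urn:ietf:params:oauth:token-type:access_token", token_type: "Bearer", expires_in: EXCHANGED_TTL };
}

// Resource-server side: the trading API accepts the token only for its own audience and only for an
// action listed in the RAR entry. The user/agent pair is what the audit log records.
function authorizeApiCall(token: string, now: number, action: string): { ok: boolean; reason?: string; user?: string; agent?: string } {
  const c = verifyJwt(token, now);
  if (!c) return { ok: false, reason: "invalid_token" };
  if (c.aud !== TRADING_API) return { ok: false, reason: "wrong_audience" };
  const details = (c.authorization_details as AuthorizationDetail[] | undefined) ?? [];
  if (!details.some((d) => d.type === "trade" && d.actions.includes(action))) return { ok: false, reason: "action_not_authorized" };
  return { ok: true, user: c.sub, agent: (c.act as { sub: string } | undefined)?.sub };
}

// Tokens the authorization server would have issued earlier (user sign-in, agent client credentials).
const userToken = (now: number) => signJwt({ iss: AS_ISSUER, sub: "user:alice", exp: now + 3600, scope: "openid trade:read trade:execute" });
const agentToken = (now: number) => signJwt({ iss: AS_ISSUER, sub: "client:trading-agent", exp: now + 3600 });

const exchangeRequest = (now: number, scope: string): TokenExchangeRequest => ({
  grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
  subject_token: userToken(now), subject_token_type: "urn:ietf:params:oauth:token-type:access_token",
  actor_token: agentToken(now), actor_token_type: "urn:ietf:params:oauth:token-type:access_token",
  audience: TRADING_API, scope,
  authorization_details: [{ type: "trade", actions: ["buy"], locations: [TRADING_API] }],
});

function runExchangeDemo(now = 1_700_000_000) {
  const res = exchangeToken(exchangeRequest(now, "trade:execute"), now);
  if ("error" in res) throw new Error(res.error);
  return {
    buy: authorizeApiCall(res.access_token, now, "buy"),                          // listed in the RAR entry
    sell: authorizeApiCall(res.access_token, now, "sell"),                        // not listed: refused
    afterExpiry: authorizeApiCall(res.access_token, now + EXCHANGED_TTL + 1, "buy"),
    widened: exchangeToken(exchangeRequest(now, "trade:admin"), now),             // scope the user never had
  };
}
```

The exchange refuses to widen scope, binds the token to one audience and a five-minute lifetime, and keeps both sub and act in it, so the API's audit line can name the user and the agent that acted for them. The four results returned by runExchangeDemo show a permitted buy, a refused sell, a refused call after expiry, and a refused attempt to exchange for a scope the user never held.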

Fine-Grained Authorization and RAG Systems 05:44

  • Retrieval Augmented Generation (RAG) systems require careful control of which data an agent may retrieve for each user
  • Fine-grained access control has to be enforced at the retrieval step, not by instructing the LLM: once a chunk is in the context window, nothing reliably stops the model from repeating it
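
Added example, not code from the talk, from Auth0 or from OpenFGA: a Zanzibar-style relationship check of the kind OpenFGA evaluates, applied to the candidate set before ranking so that a chunk the user may not read never enters the prompt. The tuples, chunks, scoring function and queries are constructed sample data; a real deployment would call its authorization service and rank by vector similarity, but the enforcement point is the same.

```typescript
// Relationship tuples in the Zanzibar/OpenFGA shape: object, relation, and either a user or a
// userset such as "group:finance#member". Everything below is constructed sample data.
interface Tuple { object: string; relation: string; user: string }

const TUPLES: Tuple[] = [
  { object: "group:finance", relation: "member", user: "user:alice" },
  { object: "group:staff", relation: "member", user: "user:alice" },
  { object: "group:staff", relation: "member", user: "user:bob" },
  { object: "doc:q3-earnings", relation: "viewer", user: "group:finance#member" },
  { object: "doc:holiday-policy", relation: "viewer", user: "group:staff#member" },
  { object: "doc:bob-review", relation: "viewer", user: "user:bob" },
];

// check(user, relation, object): true on a direct tuple, or when the user holds the relation named by
// a userset tuple (evaluated recursively), so group membership is followed. `seen` stops cyclic groups.
function check(user: string, relation: string, object: string, tuples = TUPLES, seen = new Set<string>()): boolean {
  const node = `${object}#${relation}`;
  if (seen.has(node)) return false;
  seen.add(node);
  for (const t of tuples) {
    if (t.object !== object || t.relation !== relation) continue;
    if (t.user === user) return true;
    const userset = /^(.+)#([^#]+)$/.exec(t.user);
    if (userset && check(user, userset[2], userset[1], tuples, seen)) return true;
  }
  return false;
}

interface Chunk { id: string; doc: string; text: string }

const CHUNKS: Chunk[] = [
  { id: "c1", doc: "doc:q3-earnings", text: "Q3 revenue fell 12% ahead of the earnings call" },
  { id: "c2", doc: "doc:holiday-policy", text: "Staff accrue 25 days of holiday per year" },
  { id: "c3", doc: "doc:bob-review", text: "Performance review for Bob: meets expectations" },
  { id: "c4", doc: "doc:q3-earnings", text: "Earnings guidance for Q4 revised downward" },
];

// Toy relevance score: how many distinct query terms appear in the chunk.
const terms = (s: string) => new Set(s.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean));
function score(query: string, text: string): number {
  const t = terms(text);
  return Array.from(terms(query)).filter((q) => t.has(q)).length;
}

function rank(candidates: Chunk[], query: string, k: number): string[] {
  return candidates
    .map((c) => ({ id: c.id, s: score(query, c.text) }))
    .filter((x) => x.s > 0)
    .sort((a, b) => b.s - a.s)
    .slice(0, k)
    .map((x) => x.id);
}

// Unsafe shape, kept for contrast: rank over everything and rely on the prompt to keep secrets.
function retrieveUnfiltered(query: string, k: number): string[] {
  return rank(CHUNKS, query, k);
}

// Safe shape: the authorization check runs on the candidate set before ranking, so an unauthorized
// chunk can neither appear in the top-k nor displace something the user is allowed to see.
function retrieveForUser(user: string, query: string, k: number): string[] {
  return rank(CHUNKS.filter((c) => check(user, "viewer", c.doc)), query, k);
}

// The context the LLM sees is built only from the authorized result.
function buildPrompt(user: string, query: string, k = 3): string {
  const ids = new Set(retrieveForUser(user, query, k));
  const context = CHUNKS.filter((c) => ids.has(c.id)).map((c) => `[${c.id}] ${c.text}`).join("\n");
  return `Answer using only this context.\n${context}\n\nQuestion: ${query}`;
}
```

For the query "Q3 revenue and earnings", retrieveUnfiltered returns the two earnings chunks for anyone, while retrieveForUser returns them for alice (finance member) and nothing for bob, whose prompt therefore never contains the revenue figure.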

Client-Initiated Backchannel Authentication (CIBA) 06:26

  • CIBA is used for agent-initiated approval flows when the agent has no user interface in front of the user
  • The agent sends a backchannel authentication request to the authorization server, which reaches the user out of band on a trusted device to approve or deny the action
  • This makes CIBA a fit for background agents and any scenario without a direct user interface

Secure Agent Execution with MCP 07:07

  • MCP servers move agent execution from a local process to a distributed system, which raises the bar for authenticating the pieces to each other
  • The recommended approach is an OAuth 2.1 flow: the user signs in through the browser, the MCP server handles obtaining and minting tokens, and the agent receives user-scoped tokens without ever storing the user's credentials
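
As an added illustration (not the MCP specification's reference code and not Auth0's), the following TypeScript shows the PKCE half of the OAuth 2.1 authorization code flow, which OAuth 2.1 requires for every client and which is what lets a browser sign-in hand a code back to an MCP server safely. Both sides are simulated in one process; the client id, redirect URI, user names and token formats are assumptions made for the example.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// PKCE (RFC 7636), mandatory under OAuth 2.1. The verifier is a fresh secret the client keeps; only
// its SHA-256 (the challenge) passes through the browser, so a code intercepted on the redirect is
// useless to anyone who does not also hold the verifier.
function newCodeVerifier(): string {
  return randomBytes(32).toString("base64url"); // 43 chars, inside RFC 7636's 43..128 range
}
function codeChallengeS256(verifier: string): string {
  return createHash("sha256").update(verifier).digest("base64url");
}

interface IssuedCode { challenge: string; clientId: string; redirectUri: string; user: string; expiresAt: number }

// Constructed stand-in for the authorization server: two endpoints as methods, state in memory.
class PkceAuthorizationServer {
  private codes = new Map<string, IssuedCode>();
  private seq = 0;

  // GET /authorize: after the user signs in through the browser, the AS binds a one-time code to the
  // challenge and sends it back on the redirect_uri. The returned object stands for that redirect.
  authorize(p: { client_id: string; redirect_uri: string; code_challenge: string; code_challenge_method: string; user: string }, now: number): { code: string } | { error: string } {
    if (p.code_challenge_method !== "S256") return { error: "invalid_request" };           // OAuth 2.1: no "plain"
    if (!/^[A-Za-z0-9_-]{43}$/.test(p.code_challenge)) return { error: "invalid_request" }; // base64url(sha256) is 43 chars
    const code = `code-${++this.seq}`;
    this.codes.set(code, { challenge: p.code_challenge, clientId: p.client_id, redirectUri: p.redirect_uri, user: p.user, expiresAt: now + 60 });
    return { code };
  }

  // POST /token: the client proves it started this flow by presenting the verifier behind the challenge.
  token(p: { grant_type: string; code: string; code_verifier: string; client_id: string; redirect_uri: string }, now: number): { access_token: string; token_type: "Bearer"; expires_in: number } | { error: string } {
    if (p.grant_type !== "authorization_code") return { error: "unsupported_grant_type" };
    const issued = this.codes.get(p.code);
    this.codes.delete(p.code); // single use: a failed attempt burns the code as well
    if (!issued || issued.expiresAt <= now) return { error: "invalid_grant" };
    if (issued.clientId !== p.client_id || issued.redirectUri !== p.redirect_uri) return { error: "invalid_grant" }; // exact match, per OAuth 2.1
    const expected = Buffer.from(issued.challenge);
    const actual = Buffer.from(codeChallengeS256(p.code_verifier));
    if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return { error: "invalid_grant" };
    return { access_token: `at-${issued.user}-${p.code}`, token_type: "Bearer", expires_in: 300 };
  }
}

// The MCP server's side, compressed into one function: mint a verifier, send the browser to /authorize
// with the challenge, redeem the code with the verifier. Also exercises three misuses the checks defeat.
function mcpSignInScenario(now = 0) {
  const server = new PkceAuthorizationServer();
  const client = { client_id: "mcp-server", redirect_uri: "http://localhost:3000/callback" }; // assumed
  const signIn = (user: string) => {
    const code_verifier = newCodeVerifier();
    const redirect = server.authorize({ ...client, code_challenge: codeChallengeS256(code_verifier), code_challenge_method: "S256", user }, now);
    if ("error" in redirect) throw new Error(redirect.error);
    return { code: redirect.code, code_verifier };
  };
  const alice = signIn("alice");
  const legit = server.token({ grant_type: "authorization_code", ...client, ...alice }, now);
  const replay = server.token({ grant_type: "authorization_code", ...client, ...alice }, now); // spent code
  const bob = signIn("bob");
  const stolen = server.token({ grant_type: "authorization_code", ...client, code: bob.code, code_verifier: newCodeVerifier() }, now); // intercepted code, wrong verifier
  const plain = server.authorize({ ...client, code_challenge: "abc", code_challenge_method: "plain", user: "alice" }, now);
  return { legit, replay, stolen, plain };
}
```

codeChallengeS256 reproduces the RFC 7636 Appendix B vector, and mcpSignInScenario shows the legitimate redemption succeeding while the replayed code, the intercepted code without its verifier, and the "plain" challenge method are all refused.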

Demo: AI Trading Assistant Using CIBA 08:10

  • The demo is a local AI trading assistant that initiates a stock purchase; the purchase requires explicit user approval before it executes
  • Three components: user identification and context, a token vault holding the tokens the agent uses for downstream APIs, and CIBA for approval of sensitive actions
  • The application is a TypeScript CLI; the agent and its tool calls are integrated with OIDC for sign-in and CIBA for user consent
  • No tokens are embedded in code; they live in Auth0's token vault, so the application manages tokens rather than user credentials

Practical Implementation Details 11:00

  • The application keeps user context per session so that every agent action is performed on behalf of an identified user
  • CIBA blocks the sensitive operation until the user responds; the user sees the specific action being requested and can approve or deny it
  • After the initial authentication, each subsequent sensitive action needs only the CIBA approval round-trip, which keeps repeated approvals lightweight
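
The CIBA section and the demo walkthrough above describe one flow, so a single added example covers both. This TypeScript is not the demo's code and uses no Auth0 SDK; it simulates the authorization server's backchannel and token endpoints and the agent's polling loop in one process with a logical clock, with the user's decision supplied by a callback. The endpoint behaviour follows the OpenID Connect CIBA Core specification (auth_req_id, the polling interval, and the authorization_pending, slow_down, access_denied and expired_token errors); the scope, login hint, binding message, lifetimes and token format are assumptions made for the example.

```typescript
// Constructed example: both sides of the OpenID Connect CIBA flow (poll mode) in one process,
// driven by a logical clock in seconds so it runs offline and deterministically.
const CIBA_GRANT = "urn:openid:params:grant-type:ciba";

interface PendingRequest {
  user: string; scope: string; bindingMessage: string;
  expiresAt: number; interval: number; lastPollAt: number;
  status: "pending" | "approved" | "denied";
}

type CibaTokenResponse =
  | { access_token: string; token_type: "Bearer"; expires_in: number; scope: string }
  | { error: string };

class CibaAuthorizationServer {
  private requests = new Map<string, PendingRequest>();
  private seq = 0;

  // POST /bc-authorize: the agent names the user (login_hint) and the action (binding_message).
  backchannelAuthorize(p: { scope: string; login_hint: string; binding_message: string }, now: number) {
    if (!p.scope.split(" ").includes("openid")) return { error: "invalid_request" }; // CIBA requires openid
    const auth_req_id = `req-${++this.seq}`;
    this.requests.set(auth_req_id, { user: p.login_hint, scope: p.scope, bindingMessage: p.binding_message, expiresAt: now + 120, interval: 5, lastPollAt: now, status: "pending" });
    return { auth_req_id, expires_in: 120, interval: 5 };
  }

  // What the trusted device shows the user: the exact action, not a generic "allow the agent?".
  promptFor(auth_req_id: string): string | undefined {
    return this.requests.get(auth_req_id)?.bindingMessage;
  }

  // The user's answer from the trusted device. Only a pending, unexpired request can be decided.
  decide(auth_req_id: string, decision: "approve" | "deny", now: number): boolean {
    const r = this.requests.get(auth_req_id);
    if (!r || r.status !== "pending" || now >= r.expiresAt) return false;
    r.status = decision === "approve" ? "approved" : "denied";
    return true;
  }

  // POST /token with the CIBA grant: the agent polls here until it receives a terminal answer.
  token(p: { grant_type: string; auth_req_id: string }, now: number): CibaTokenResponse {
    if (p.grant_type !== CIBA_GRANT) return { error: "unsupported_grant_type" };
    const r = this.requests.get(p.auth_req_id);
    if (!r) return { error: "invalid_grant" };
    if (now >= r.expiresAt) { this.requests.delete(p.auth_req_id); return { error: "expired_token" }; }
    if (now - r.lastPollAt < r.interval) return { error: "slow_down" }; // polled faster than the advertised interval
    r.lastPollAt = now;
    if (r.status === "pending") return { error: "authorization_pending" };
    this.requests.delete(p.auth_req_id); // one answer per request; the id cannot be reused
    if (r.status === "denied") return { error: "access_denied" };
    return { access_token: `at-${p.auth_req_id}-${r.user}`, token_type: "Bearer", expires_in: 300, scope: r.scope };
  }
}

// Agent side: ask for approval of one sensitive action, then poll until a terminal answer.
// `userReacts` stands in for the human: called each tick with the clock, it returns a decision once made.
function requestApprovalAndAct(server: CibaAuthorizationServer, action: string, userReacts: (now: number) => "approve" | "deny" | null) {
  let now = 0;
  const req = server.backchannelAuthorize({ scope: "openid trade:execute", login_hint: "alice@example.com", binding_message: action }, now);
  if ("error" in req) return { outcome: "failed" as const, polls: 0 };
  let interval = req.interval;
  let polls = 0;
  let answered = false;
  for (;;) {
    now += interval; // wait the advertised interval before polling again
    if (!answered) {
      const d = userReacts(now);
      if (d) answered = server.decide(req.auth_req_id, d, now);
    }
    polls++;
    const res = server.token({ grant_type: CIBA_GRANT, auth_req_id: req.auth_req_id }, now);
    if ("access_token" in res) return { outcome: "executed" as const, polls, token: res.access_token }; // only now place the trade
    if (res.error === "authorization_pending") continue;
    if (res.error === "slow_down") { interval += 5; continue; } // the back-off the specification requires
    if (res.error === "access_denied") return { outcome: "denied" as const, polls };
    if (res.error === "expired_token") return { outcome: "expired" as const, polls };
    return { outcome: "failed" as const, polls };
  }
}
```

requestApprovalAndAct executes the trade only on a token response; its three other outcomes correspond to the user denying, the request expiring unanswered, and a protocol error. A poll that arrives sooner than the advertised interval gets slow_down, which the agent handles by adding five seconds to its interval.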

Key Takeaways and Conclusion 17:10

  • Developers are encouraged to adopt open standards (OIDC, CIBA, RAR) for identity and access in agent-based systems
  • Token exchange, a token vault, asynchronous user confirmation, and fine-grained authorization are the essential building blocks
  • Auth0 provides these as a platform, and open-source tools such as OpenFGA integrate with the same patterns
  • The team welcomes feedback and collaboration and is active in open specifications and community standards work