David Fowler recently asked an excellent question that’s been on my mind as well.

As the tech industry embraces autonomous agents, we really need to figure this out.

Autonomous agents have the potential to change how we work with systems. We can delegate tasks to these AI assistants and have them not only complete those tasks without manual intervention but also make decisions on our behalf. With so much autonomy comes responsibility... and also risk!

The Agentic Access Dilemma

For autonomous agents to truly be helpful, they need access to the same systems, tools, and data that we use. But how do we ensure that this access is secure, limited, and traceable? Especially since we may need to grant multiple agents access to multiple systems. Here are some key questions we need to answer (and quickly!):

• What’s the best way to authenticate agents? Do we use the same systems we use for humans, or do we need something entirely new designed just for them?
• How do we make sure agents only get the access they need? For example, an agent managing your calendar shouldn’t be able to poke around in sensitive HR documents.
• How do we ensure that when agents act on your behalf (like making an API call or interacting with a system), their actions align with your intentions and do not exceed their intended scope?
• How do we trace what agents do and what they accessed, as well as when and why?

Authentication for Agents

It’s tempting to think we can use the same authentication methods we use for humans. But we must remember that agents need credentials that they can use programmatically. Not only that, their access requirements can vary for each task they need to perform. So this kinda rules out API keys, as they are static and won't be able to adapt to an agent's dynamic needs.

OAuth offers a more flexible approach that allows permissions to be refreshed dynamically, but the constant re-authentication when the scope of a token needs to be updated can lead to bottlenecks for intensive tasks. This doesn't even get into the possibility of misuse if the credentials are leaked or exploited.

Do we create an entirely new framework for authenticating agents? Perhaps an agent-specific identity layer like Verifiable Credentials or Decentralized Identifiers could work. But even then, how do we securely issue and manage these identities at scale without creating a usability nightmare for humans?

Scoping Access

The principle of least privilege applies here more than ever. We wouldn’t give an intern root access to our production systems, so why would we give an AI agent carte blanche?

We need granular access control that is flexible enough to handle the dynamic nature of agents’ tasks. For example, an agent might need temporary access to send an email on your behalf or edit a specific file. How do we design permissions that expire after use or are automatically revoked if the agent exceeds its scope? And if we grant these temporary access tokens, how do we avoid the burdensome manual task of having to re-authorize the agent every single time it needs to perform a task? Balancing security and usability is the real challenge here, and finding that sweet spot will be key.

Intent Alignment

Even with scoped access, there’s the matter of ensuring agents behave as intended. If I ask an agent to "update the meeting agenda," how do I confirm it doesn’t also email the draft to everyone on the team prematurely? This is where intent alignment comes into play.

One approach might involve policy enforcement mechanisms that predefine what an agent can and cannot do in various contexts. Another could be real-time oversight, where agents run their actions through a validation layer before execution. But how do we balance oversight with efficiency? After all, the point of using agents is to save us time, not bog us down with manual approvals for every step they take.

Traceability

When agents make mistakes, it would be great to be able to trace what happened so that we could potentially course-correct. Logging every action an agent takes (what it accessed, when, and why) can help us audit their behavior and mitigate risks.

But agents operate at machine speed, which means they can generate logs at a pace that humans can’t realistically parse. We’ll need tools that summarize and highlight unusual behavior so that we can quickly identify when something’s gone wrong. My first thought was "oh we can just use an LLM for this!", but then I realized that these logs could very likely contain sensitive information (remember we gave the agents access to our systems and data!). So maybe a local LLM... idk.

Let's Discuss

It’s clear that security and access management need to be front and center in the conversation, and I'm so happy that David raised the question! As engineers, these are exactly the types of things we should be considering and discussing.

It’s an interesting challenge. If we lock things down too much, agents won’t be able to do their jobs. If we’re too lenient, we’re opening the door to potential disasters.

Building smarter AI isn't enough. We have to make sure we're creating the infrastructure to support them safely and responsibly. Solving these authentication and authorization challenges is going to take all of us working together.

For those developing agentic tools, what strategies have you implemented to balance functionality with security? I’d love to hear your thoughts.