Adapting Identity Protocols for Non-Deterministic AI Agent Security
TL;DR
- Non-deterministic AI agents, unlike deterministic software, introduce new security risks by easily following arbitrary instructions, enabling them to access private data and transmit it externally, a threat amplified by their speed and unpredictability.
- The "lethal trifecta" of AI agent security risks involves access to private data, exposure to untrusted content, and the ability to communicate externally, creating a novel threat model where unpredictable behavior can lead to data exfiltration.
- Applying established security principles like separation of concerns and the principle of least privilege to AI agents, by segmenting data access and tool usage among sub-agents, can mitigate risks without reinventing identity protocols.
- While industry standards for AI agent identity and authorization are still evolving, protocols like OAuth are being adapted, with client credentials and authorization code grants serving as foundational mechanisms for agent-to-agent and delegated access scenarios.
- Developers need heightened security awareness for AI agents because current protocols are still being defined, creating a "wild west" environment where existing infrastructure may not fully cover emerging risks, necessitating careful authorization and understanding of potential liabilities.
- Enterprise adoption of AI agents is currently characterized by experimentation, with significant potential in text evaluation and document management, but widespread successful public case studies remain scarce, suggesting challenges in brownfield development and integration.
- For developers, staying close to business needs, understanding problem-solving, and maintaining awareness of evolving technologies like AI agents is crucial for career resilience, rather than solely focusing on becoming an expert in a nascent technology.
Deep Dive
AI agents, characterized by their non-deterministic nature and ability to execute tasks via natural language, introduce significant security challenges by blurring the lines between human and software actions. This shift necessitates a re-evaluation of traditional identity and authorization protocols: an agent that accesses private data, processes untrusted content, and initiates external communications can be manipulated into misusing the access it legitimately holds, creating a new threat model that demands robust, granular security measures.
The core of the security challenge lies in the inherent unpredictability of AI agents. Unlike deterministic software, agents can produce varied outputs even with identical inputs, making their behavior difficult to anticipate. This non-determinism, combined with the three properties Simon Willison calls the "lethal trifecta" (access to private data, exposure to untrusted content, and the ability to communicate externally), creates new avenues for exploitation. An agent, even one with benign intent, could be manipulated through carefully crafted input to perform unauthorized actions, such as reading private data and sending it externally. This differs from traditional software, where inducing malicious behavior requires a higher technical bar. The implication for enterprise security is profound: systems must evolve to manage not just human users but also these autonomous entities, ensuring they operate within defined boundaries.
To address these evolving risks, established security principles like the principle of least privilege and granular permissions remain critical, albeit applied in a new context. Solutions are emerging to grant agents verifiable identities and controlled access. Standards like OAuth are being adapted, with protocols such as the Model Context Protocol (MCP) leveraging OAuth for agent-to-agent communication and delegation scenarios. For instance, client credentials grants within OAuth can secure agent-to-agent interactions, while authorization code grants are suitable for scenarios where a human delegates authority to an agent. The application of these existing protocols, supplemented by emerging extensions and adherence to concepts like Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC), offers a path forward. The key is not to reinvent identity management but to extend and adapt current best practices to accommodate these non-human actors.
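The two grants named above differ in who the resulting token acts as and where its scope ceiling comes from, and that distinction is where least privilege is actually enforced. The Python below is an added example written for this summary (it is not code from the podcast, FusionAuth or the MCP specification): an in-memory authorization server issues scoped tokens under the client credentials grant (the agent acts as itself, bounded by its registration) and the authorization code grant (the agent acts for a user, bounded by what that user consented to), and a constructed mail API refuses any call whose token lacks the matching scope. Client ids, secrets, the `mail:read`/`mail:send` scope names and the mail API are constructed; token expiry, PKCE, redirect URIs and token signing are deliberately left out so the scope and subject logic stays visible.

```python
"""Added example (not code from the podcast, FusionAuth or the MCP spec): an in-memory
OAuth authorization server issuing scoped tokens under client_credentials (agent acts as
itself) and authorization_code (agent acts for a user), plus a constructed mail API."""
from __future__ import annotations
import secrets
from dataclasses import dataclass

@dataclass
class Client:
    client_id: str
    secret: str
    allowed_scopes: frozenset[str]  # ceiling on what any token for this client may carry

@dataclass
class Token:
    sub: str                        # who the token acts as: the client itself, or a user
    scopes: frozenset[str]

class AuthorizationServer:
    def __init__(self, clients: dict[str, Client]) -> None:
        self.clients = clients
        self.tokens: dict[str, Token] = {}
        self.codes: dict[str, tuple[str, str, frozenset[str]]] = {}  # code -> (user, client, scopes)

    def _authenticate(self, client_id: str, client_secret: str) -> Client:
        c = self.clients.get(client_id)
        if c is None or not secrets.compare_digest(c.secret, client_secret):
            raise PermissionError("invalid_client")
        return c

    def _issue(self, sub: str, client: Client, scopes: frozenset[str]) -> str:
        # Least privilege at issuance: never mint a scope the client was not registered for.
        if not scopes <= client.allowed_scopes:
            raise PermissionError(f"invalid_scope: {sorted(scopes - client.allowed_scopes)}")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = Token(sub, scopes)
        return tok

    def client_credentials(self, client_id: str, client_secret: str, scope: str) -> str:
        """Agent-to-agent: no user in the loop, so the subject is the agent itself."""
        c = self._authenticate(client_id, client_secret)
        return self._issue(client_id, c, frozenset(scope.split()))

    def authorize(self, user: str, client_id: str, requested: str, consented: str) -> str:
        """Front channel of the code grant: the user may consent to fewer scopes than requested."""
        granted = frozenset(requested.split()) & frozenset(consented.split())
        if not granted:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, granted)
        return code

    def authorization_code(self, client_id: str, client_secret: str, code: str) -> str:
        """Back channel: redeem the single-use code for a token that acts as the user."""
        c = self._authenticate(client_id, client_secret)
        entry = self.codes.pop(code, None)
        if entry is None or entry[1] != client_id:
            raise PermissionError("invalid_grant")
        user, _, scopes = entry
        return self._issue(user, c, scopes)

    def introspect(self, token: str) -> Token:
        t = self.tokens.get(token)
        if t is None:
            raise PermissionError("invalid_token")
        return t

REQUIRED_SCOPE = {"read": "mail:read", "send": "mail:send"}  # one scope per operation

def mail_api(auth: AuthorizationServer, token: str, op: str, **kw: str) -> str:
    """Constructed resource server: scopes gate the call, the subject selects the mailbox."""
    t = auth.introspect(token)
    if REQUIRED_SCOPE[op] not in t.scopes:
        raise PermissionError(f"insufficient_scope: {op} needs {REQUIRED_SCOPE[op]}")
    return f"inbox of {t.sub}" if op == "read" else f"sent as {t.sub} to {kw['to']}"

def demo() -> dict[str, str]:
    auth = AuthorizationServer({
        "summarizer-agent": Client("summarizer-agent", "s1", frozenset({"mail:read"})),
        "assistant-agent": Client("assistant-agent", "s2", frozenset({"mail:read", "mail:send"})),
    })
    out: dict[str, str] = {}
    def attempt(key: str, fn) -> None:
        try:
            out[key] = fn()
        except PermissionError as e:
            out[key] = f"denied ({e})"

    # Agent-to-agent: a read-only registration cannot send and cannot escalate at the token endpoint.
    t1 = auth.client_credentials("summarizer-agent", "s1", "mail:read")
    attempt("a2a_read", lambda: mail_api(auth, t1, "read"))
    attempt("a2a_send", lambda: mail_api(auth, t1, "send", to="ops@example.com"))
    attempt("a2a_escalate", lambda: auth.client_credentials("summarizer-agent", "s1", "mail:read mail:send"))
    # Delegated: alice consents to read only, although the assistant asked for both.
    code = auth.authorize("alice", "assistant-agent", "mail:read mail:send", consented="mail:read")
    t2 = auth.authorization_code("assistant-agent", "s2", code)
    attempt("delegated_read", lambda: mail_api(auth, t2, "read"))
    attempt("delegated_send", lambda: mail_api(auth, t2, "send", to="ops@example.com"))
    return out
```

Two points are worth noticing in `demo()`. The summarizer agent cannot widen its own access by asking the token endpoint for `mail:send`; the ceiling is its registration, not its request. The assistant agent, even though registered for both scopes, ends up with a token whose subject is `alice` and whose scopes are only what she consented to, so the user's decision, not the agent's capability, bounds delegated access.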
The broader business and technical implications point to a necessary evolution in developer awareness and enterprise strategy. While experimentation with AI agents is widespread, particularly in areas like coding assistance and text evaluation, broad enterprise adoption for complex workflows is still nascent. This is partly due to the challenges of integrating agents into existing brownfield systems, which require significant contextual understanding compared to greenfield development. Furthermore, the legal and ethical ramifications of agent actions, including developer responsibility for unintended consequences, are still being defined. As an analogy, the current landscape resembles the early internet, a period of both immense potential and significant uncertainty regarding security and trust. Developers are urged to stay close to business needs, understand problem-solving, and remain aware of these evolving technologies and their associated security protocols, rather than becoming solely experts in a rapidly changing AI landscape.
Ultimately, the rise of AI agents signals a fundamental shift in how we secure digital systems, demanding a proactive adaptation of identity and authorization frameworks. While existing protocols like OAuth provide a strong foundation, their application requires careful constraint and adaptation to manage the unique risks posed by non-deterministic agents. Enterprises and developers must prioritize granular access controls and a deep understanding of these evolving standards to harness the benefits of AI agents securely, acknowledging that this is an ongoing process of standardization and best practice development.
Action Items
- Audit AI agent permissions: Implement granular access controls (e.g., RBAC, ABAC) for 3-5 core agent functions to enforce least privilege.
- Design agent authorization flows: Utilize OAuth tokens with scoped permissions for agent-to-agent and user-delegated agent interactions.
- Create agent security awareness training: Educate developers on the "lethal trifecta" (private data access, untrusted content, external communication) and non-deterministic risks.
- Evaluate agent separation of concerns: For 2-3 complex workflows, identify opportunities to break down monolithic agents into specialized sub-agents with distinct data/tool access.
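The first and last action items, together with the sub-agent approach Dan Moore describes in the Key Quotes below, reduce to a check a team can run mechanically: list the tools each agent is granted, derive which legs of the "lethal trifecta" those tools bring with them, flag any agent that ends up holding all three, and then enforce the grant at runtime so that a tool call the model emits outside its grant is refused and logged. The Python below is an added example written for this summary (it is not the podcast's, FusionAuth's or any agent framework's code); the tool catalogue, agent names and capability labels are constructed.

```python
"""Added example (constructed for this summary, not the podcast's or FusionAuth's code):
a static 'lethal trifecta' audit over each agent's tool grants, plus a runtime tool gate
that enforces each sub-agent's grant and records denials for alerting.
Tool names, agent names and capability labels are constructed."""
from __future__ import annotations
from dataclasses import dataclass

PRIVATE_DATA, UNTRUSTED_INPUT, EXTERNAL_COMM = "private_data", "untrusted_input", "external_comm"
TRIFECTA = frozenset({PRIVATE_DATA, UNTRUSTED_INPUT, EXTERNAL_COMM})

@dataclass(frozen=True)
class Tool:
    name: str
    legs: frozenset[str]  # which legs of the trifecta granting this tool brings to an agent

# Constructed catalogue. Reading mail both exposes private data and feeds untrusted
# content (mail bodies) into the model, so read_inbox carries two legs at once.
TOOLS = {t.name: t for t in (
    Tool("read_inbox", frozenset({PRIVATE_DATA, UNTRUSTED_INPUT})),
    Tool("web_fetch", frozenset({UNTRUSTED_INPUT})),
    Tool("send_email", frozenset({EXTERNAL_COMM})),
    Tool("summarize", frozenset()),  # pure text transform, no leg
)}

@dataclass(frozen=True)
class AgentSpec:
    name: str
    tools: frozenset[str]

    def legs(self) -> frozenset[str]:
        """Union of the legs of every tool this agent is granted."""
        return frozenset().union(*(TOOLS[t].legs for t in self.tools))

def audit(agents: list[AgentSpec]) -> dict[str, list[str]]:
    """Static check: report each agent's legs so reviewers see how close it is to all three."""
    return {a.name: sorted(a.legs()) for a in agents}

def findings(agents: list[AgentSpec]) -> list[str]:
    """Agents that hold the complete trifecta; each one is a finding to split or constrain."""
    return [a.name for a in agents if a.legs() >= TRIFECTA]

class ToolGate:
    """Runtime enforcement: an agent may invoke only the tools in its grant, whatever its model emits."""
    def __init__(self, agents: list[AgentSpec]) -> None:
        self.grants = {a.name: a.tools for a in agents}
        self.denied: list[tuple[str, str]] = []  # (agent, tool): the signal to alert on

    def invoke(self, agent: str, tool: str, **args: str) -> str:
        if tool not in self.grants.get(agent, frozenset()):
            self.denied.append((agent, tool))
            raise PermissionError(f"{agent} is not granted {tool}")
        rendered = ", ".join(f"{k}={v!r}" for k, v in sorted(args.items()))
        return f"{tool}({rendered})"  # constructed stand-in for the real tool call

def demo() -> dict[str, object]:
    """Compare a monolithic inbox agent with its split into read-only and send-only sub-agents."""
    monolith = [AgentSpec("inbox-assistant", frozenset({"read_inbox", "web_fetch", "send_email", "summarize"}))]
    split = [AgentSpec("reader", frozenset({"read_inbox", "summarize"})),
             AgentSpec("sender", frozenset({"send_email"}))]
    gate = ToolGate(split)
    out: dict[str, object] = {"monolith_findings": findings(monolith), "split_findings": findings(split)}
    out["reader_read"] = gate.invoke("reader", "read_inbox", folder="INBOX")
    try:  # a send call the reader's model emitted after consuming untrusted mail content
        gate.invoke("reader", "send_email", to="someone@example.com")
        out["reader_send"] = "allowed"
    except PermissionError:
        out["reader_send"] = "denied"
    out["denied_log"] = list(gate.denied)
    return out
```

The static audit is the cheap part and belongs in code review or CI, since an agent's grant is usually declared in configuration. The gate is the part that matters at runtime, and it only helps if the model can reach tools through nothing else; a denied entry in `gate.denied` is exactly the event a detection pipeline should raise on, because it means the model tried to act outside the boundary the design gave it.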
Key Quotes
"The way I think about it, and this came up in a conversation the other day, is it's really like a workflow or a set of pieces of software that can, like, accomplish workflows, which we've had for decades, right? Workflow software's been around for a long time. The difference is that the workflow used to be defined in code or in stack configuration, and now it's more in natural language. And so the idea you can actually kind of give an agent a task in relatively natural language and have it, not to overuse the word grope, but grope towards accomplishing it, which is what they do, is to some extent a game changer."
Dan Moore explains that AI agents represent a shift from traditional workflow software, where processes were defined in code or configuration, to a more natural language-driven approach. This change is significant because it allows tasks to be initiated and guided using everyday language, fundamentally altering how workflows are created and executed.
"The way I think about it is that human beings are slow and non-deterministic, and software as written, you know, five years ago, 10 years ago, even the vast majority of software right now, is fast and relatively deterministic, right? Charity Majors might have some issues about that, how deterministic it is, but it's pretty deterministic and easy to reason about. Whereas agents kind of fall in this middle ground, and so they are fast and non-deterministic."
Dan Moore highlights a key distinction between human behavior, traditional software, and AI agents regarding determinism and speed. He notes that humans are slow and non-deterministic, while most existing software is fast and deterministic. AI agents, however, occupy a middle ground, being fast yet also non-deterministic, which introduces new complexities.
"So there's this great thing called the lethal trifecta, which Simon Willison, who's written a ton about AI and LLMs in general, talks about. And the idea is that agents have access to private data, which again software does too; it's exposure to untrusted content, which again software does too; and then there's the ability to externally communicate. And so the issue is that because agents are non-deterministic and because they read that untrusted content, they can then be instructed to access your private data and then send off an email. And this is a real, I mean, I would consider this to be a new threat because of the ability to follow, like, arbitrary instructions."
Dan Moore introduces Simon Willison's "lethal trifecta" concept to describe a new threat model posed by AI agents. This trifecta involves agents having access to private data, exposure to untrusted content, and the ability to communicate externally. Moore emphasizes that the combination of non-determinism and the capacity to follow arbitrary instructions makes it easier for agents to misuse private data, representing a novel security concern.
"Non-deterministic in my mind means that, or sorry, let's start with deterministic. Deterministic is you give the same inputs and you get the same outputs. So math is a perfect example of a deterministic system; gravity to some extent is too, right? Whereas non-deterministic means you give it the same inputs and you don't necessarily get the same outputs, whether human society, conversations with your partner, like, these are all things that are non-deterministic because they're affected by the current state of things. And so if you've ever asked the same question of an LLM, you're going to get back, I mean, here's the thing, like, they're slightly different, right? Or they could be kind of massively different depending on the way that, well, I should be careful here because I'm definitely not an LLM, like, creation expert. So, but at the end of the day, it's not a system where you put in the same thing and you get the same thing out."
Dan Moore clarifies the concept of "non-deterministic" by contrasting it with "deterministic" systems. He explains that deterministic systems, like math or gravity, produce the same output for the same input. In contrast, non-deterministic systems, such as human conversations or LLM responses, can yield different outputs even with identical inputs, due to various influencing factors.
"I think actually that points to one of the solutions to this, is that you start to have these kind of sub-agents that, you know, may have access, like, I mean, one way to deal with that lethal trifecta I mentioned is that, like, you have different agents that have access to different sets of tools or different sets of data. And if you have one that can read your email and another that can send your email, it's going to be really hard for an attacker to be able to kind of get that email, you know, that private data, sent off, because you have to, like, basically now attack two different LLMs. So kind of more separation of concerns, which again, this is not software, it's not revolutionary, right? It's a lot of the same principles; we're just having to apply it in a new context, right? Separation of concerns is a great thing for security."
Dan Moore proposes a solution to the "lethal trifecta" by advocating for the use of "sub-agents" with distinct access privileges. He suggests that by segmenting access to tools and data among different agents, such as one agent for reading email and another for sending it, it becomes significantly harder for an attacker to exfiltrate private data. Moore emphasizes that this approach leverages the established security principle of separation of concerns, applying it to the new context of AI agents.
"I think that granular permissions are the way to go for sure, like, and if you, you know, I think that the two paths you can lay out are like API keys and OAuth tokens, right, or access tokens. And I feel like to some extent, we talked about echoes of the past, like this whole AI making, like, software calling other software services feels a lot like the API landscape of, like, the 2010s. And we've been through that, and I'm not saying OAuth is perfect, I'm not saying bearer tokens are perfect, but there's, like, a lot of infrastructure around it, and it's kind of a well-known protocol. And so I think that OAuth tokens, properly constrained with scopes and probably fine-grained access behind that, RBAC, ABAC, PBAC, we talked about that a little bit, is probably the path forward."
Dan Moore asserts that granular permissions are essential for securing AI agents, likening the current landscape to the API environment of the 2010s. He suggests that OAuth tokens, when properly constrained with scopes and supported by fine-grained access controls like RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access Control), represent the most viable path forward. Moore acknowledges that OAuth is not perfect but highlights its extensive infrastructure and widespread recognition as key advantages.
Resources
External Resources
Articles & Papers
- The Lethal Trifecta (Simon Willison) - Discussed as a framework for AI agent security risks.
- Cross-custody trust boundary authentication (Aaron Parecki) - Mentioned as a draft related to agent identity.
- OAuth for Model Context Protocol (MCP) - Referenced as a protocol for enterprise use cases involving AI agents.
- MCP Specification - Mentioned for its authorization details.
- OAuth for Model Context Protocol (MCP) Specification - Referenced for its evolving OAuth implementation for MCP clients.
People
- Dan Moore - Senior Director of CIAM Strategy and Identity Standards at FusionAuth, guest expert on AI agent security.
- Simon Willison - Author of "The Lethal Trifecta," discussed in relation to AI agent security.
- Aaron Parecki - Mentioned for a draft on cross-custody trust boundary authentication.
Organizations & Institutions
- FusionAuth - Authentication provider focused on customer authentication and AI agent security.
- AWS (Amazon Web Services) - Mentioned for its AgentCore framework.
- IETF (Internet Engineering Task Force) - Venue where AI was discussed in relation to standards.
- Okta - Mentioned in relation to Aaron Parecki.
Websites & Online Resources
- FusionAuth (fusionauth.io) - Provider of authentication services.
- AWS Bedrock AgentCore (aws.amazon.com/bedrock/agentcore/) - An agent building framework.
- LinkedIn (linkedin.com/in/mooreds/) - Dan Moore's professional profile.
- Bluesky (bsky.app/profile/mooreds.com) - Dan Moore's profile.
- Model Context Protocol (modelcontextprotocol.io) - Specification for AI agent communication.
- Overcommitted Podcast (overcommitted.dev) - The podcast hosting the discussion.
- Brittany Ellich (brittanyellich.com) - Host of the podcast.
- Eggyhead (github.com/eggyhead) - Mentioned in relation to Brittany Ellich.
Other Resources
- AI Agents - Discussed as evolving software capable of accomplishing workflows via natural language.
- Non-deterministic agents - Identified as a key challenge in AI agent security.
- Granular permissions - Essential for securing AI agents.
- Separation of concerns - A principle applied to enhance AI agent security.
- Lethal Trifecta - A framework describing AI agent security risks (access to private data, exposure to untrusted content, ability to externally communicate).
- Workload identity - A concept being considered for agent identity.
- Agent identity - A topic of discussion and standardization efforts.
- Agent to agent protocol - A communication method for agents with varying identity approaches.
- Model Context Protocol (MCP) - A protocol for AI agent communication, often standardized on OAuth.
- Principle of least privilege - A fundamental security practice applicable to agents.
- RBAC (Role-Based Access Control) - A sophisticated authorization scheme.
- ABAC (Attribute-Based Access Control) - A sophisticated authorization scheme.
- PBAC (Policy-Based Access Control) - A sophisticated authorization scheme.
- API Keys - A method for agent authorization.
- OAuth tokens - A method for agent authorization.
- Client Credentials Grant - An OAuth grant used for agent-to-agent communication.
- Authorization Code Grant - An OAuth grant used for delegated access by agents.
- GPL License - Mentioned in the context of sharing skills.