Explore the evolving world of application delivery and security. Each episode will dive into technologies shaping the future of operations, analyze emerging trends, and discuss the impacts of innovations on the tech stack.
00:00:05:06 - 00:00:25:26
Lori MacVittie
Welcome back to Pop Goes the Stack, where emerging tech gets a health check and usually fails compliance. I'm Lori MacVittie, clipboard in hand, sarcasm fully enabled. Like that's a surprise. We got Joel again, which is awesome. He's sure to bring some
Joel Moses
Hey, Lori.
Lori MacVittie
interesting commentary. See right there? He just started.
00:00:25:27 - 00:00:28:12
Joel Moses
Yeah, sure. Yeah. Ready to roll for initiative, Lori.
00:00:28:18 - 00:00:58:10
Lori MacVittie
All right. Hey, I always win. I can, all right. We also have Bill Church as a guest today, and I'm sure he is excited about our topic, which is
Bill Church
So excited.
Lori MacVittie
Yeah, all about agents, right? AI and agents. Because what isn't about agents these days? And they're popping up everywhere. They're tiny, disposable workers. They're spinning up to fetch data,
00:00:58:13 - 00:01:20:17
Lori MacVittie
call on APIs, or rewrite config files, and then they die off like digital mayflies. That's good. And yet we keep trying to shove them into human identity systems built for people with job titles and quarterly reviews and all that goes along with that, right? But you know, when all you have is a hammer, everything looks like a nail.
00:01:20:17 - 00:01:33:11
Lori MacVittie
And that's what we've got, IAM. I AM, Identity and Access Management. Sometimes there's a D in there, right, for identity, some, it's IDAM or IAM.
00:01:33:13 - 00:01:35:07
Joel Moses
I don't, I don't keep track of acronyms anymore.
00:01:35:07 - 00:01:36:00
Lori MacVittie
Ah, okay, well that's
00:01:36:02 - 00:01:38:15
Joel Moses
I just make them up.
00:01:38:15 - 00:02:03:12
Lori MacVittie
I guess, well. It's not going to work. I mean that's, whatever we want to call it, it's it's a traditional security model. Agents are breaking that. And traditional credentials, traditional, you know, authorization, authentication, how we do it, tying it to identity is not working with something that might live like ten minutes, five minutes, 15 minutes, might live for two days. We're not sure.
00:02:03:14 - 00:02:08:12
Lori MacVittie
So let's talk about it. Like, it's broken.
00:02:08:14 - 00:02:29:14
Joel Moses
Yeah I don't know what you think about this Bill. But here here's my take on it: I don't think IAM is designed for the world of AI. It wasn't birthed there. It is, it is intended to be used in a direct user scenario. When when agents come into the picture, they automatically unhook from a sense of a timeline or a session.
00:02:29:16 - 00:02:44:28
Joel Moses
And things can be initiated ad hoc and outside of your view, and that that creates real pressure on IAM systems that exist today. I think that there's definitely a need to do something better here.
00:02:45:00 - 00:03:04:27
Bill Church
Yeah, I think you're right. You know, I always was terrified of this concept. I mean, I've seen Terminator. I've, you know, I've watched the movies. You know, the idea that we're we're going to, you know, in one hand, it's great. It frees me up from doing maybe tedious tasks and I, I love that idea. And I have done that.
00:03:05:00 - 00:03:29:26
Bill Church
On the other hand, you know, I'm giving pretty much at this point today unfettered access to something to act on my behalf. And, you know, I love convenience, but I also love not going to jail, you know, those are two things that, I mean, there's your there's your, you know, two ends of the spectrum, right? Because this thing could literally do anything as you if you give it the credentials or you give it the context to do what you want it to do.
00:03:29:26 - 00:03:39:12
Bill Church
So, as you said, IAM in its current form isn't structured to handle these types of agents.
00:03:39:14 - 00:04:01:01
Joel Moses
Yeah, I think IAM is structured around human convenience and human timelines. And so, you know, we like to log into a system and have it generate a nice JWT token for us that it, that hangs around inside our mobile application so that when we pop that mobile application open again, it will automatically create a session with the application for us.
00:04:01:04 - 00:04:25:07
Joel Moses
And when I'm when I'm thinking about the ramifications of that, I, I'm embodying, I'm imbuing an agent to do something on my behalf, but what I'm doing is I'm effectively giving it unfettered access to create any session it likes, with any length of time behind that session. So it's a little bit like just creating sessions ad hoc that hang around.
00:04:25:07 - 00:04:51:23
Joel Moses
And I can see, because I'm not directly in front of the system, the system is doing this on my behalf, I'm hoping no one's inside that system taking those sessions. That's what I'm particularly worried about. The the idea that this is unhooked from my view and now it's happening on the background and it's creating as many sessions as it needs, all of which could be subject to, you know, being hacked by somebody.
00:04:51:26 - 00:05:13:01
Lori MacVittie
Well, it's also and, and we kind of chatted about this when we were prepping, right, and talking over this subject, you know, MCP, RAG, they're connecting to other systems. And we kind of know that. We expect that. We set it up so they can do that, but they can also write their own code and go execute things that we never expected them to.
00:05:13:04 - 00:05:23:15
Lori MacVittie
So now we have like that problem that we have to deal with. And what's the, you know, the mechanism there when they suddenly just start going off the rails. We don't know.
00:05:23:18 - 00:05:49:17
Joel Moses
Yeah.
Bill Church
Yeah I would say that is that is my major concern is the idea that, I'm not exactly worried, I am worried, but I'm not worried about the agent itself doing something wrong, it's more of that that person in the middle intercepting those connections. And the idea that those are still, today, long-lived tokens typically, when we are dealing with other web applications or something else. All it takes is one person to be in the right place.
00:05:49:17 - 00:06:01:19
Bill Church
It could be upstream at the the provider or the SaaS provider you're using, or it could be on your, on your workstation. And taking that and doing what they always do with it, you know, all the bad stuff they do.
00:06:01:22 - 00:06:24:12
Lori MacVittie
Well and I see some people today, multiple solutions and we'll talk about, you know, one maybe in a minute. But one approach has been a lot of people saying, hey, we're just going to use certs. And, and I thought, wow, we have problems today rotating, renewing, like we that's a management issue in and of itself today. And then we're going to add all these agents and we're going to do it in real time.
00:06:24:12 - 00:06:34:08
Lori MacVittie
Like that's not going to scale. And that's going to make people quit. I mean, they're just going to be like, all right, I'm done. I it's enough. It's crazy.
00:06:34:10 - 00:06:56:23
Joel Moses
Yeah. Yeah, there's definitely room for something better here. And, you know, Bill as, as you probably, or you may or may not know, I'm a huge fan of, like, ephemeral credentials, especially those that are used to do a single task and then get out of the way. And, we, we're, we're posting kind of a link to an arXiv article on this.
00:06:57:00 - 00:07:12:03
Joel Moses
There's something that came out of a project called Nanda. Nanda is out of the MIT Media Lab, and it is the internet of AI agents. So just now, you know, instead of IoT, we're going to have to talk about the IoAIA.
00:07:12:05 - 00:07:15:01
Lori MacVittie
I, I need a moment. I need a moment.
00:07:15:03 - 00:07:40:25
Joel Moses
Yeah. So they they have a proposal about creating a new zero trust mechanism for agents to authenticate themselves to downstream services with an identity and also being able to validate the identity of the service that they are connecting to, all of which is being done using ephemeral credentials, meaning they are one shot, they're good for the job, and nothing else.
00:07:40:27 - 00:07:42:29
Joel Moses
What do you think about that?
00:07:43:01 - 00:08:04:01
Bill Church
I, I'm a huge fan, honestly. So I have worked on something like this in the past, and, you know, my my use case is a little different, but we had the situation where we had trust issues with a resource. And it could be that the resource or the accessor that we had the trust issues with.
00:08:04:04 - 00:08:36:16
Bill Church
And at the time, we were dealing with a lot of legacy systems. And, so it's kind of like almost an inverse problem. Right. Where we had systems that can only work with username and password, but we have people who are authenticating with modern authentication methods. And, what we did in that case was use ephemeral credentials in the same, same vein of, you know, we have a tuple of we have a user, we have a resource they want to access, and we have, you know, a credential we generate. We do that real time, send it off to that resource, that resource then actually comes back to the authentication system
00:08:36:16 - 00:08:59:10
Bill Church
to validate that. And if any one of those three things don't meet up, either the client IP or the user or the context or what they're trying to reach, we reject that connection. So I kind of see this as a similar, a similar method of handling those, well, ephemeral ephemeral agents, right? You know it's right there on the can.
Joel Moses
It's right there.
00:08:59:12 - 00:09:22:17
Bill Church
But I, you know, I think that's I think it's a great way to do that because, you know, the idea that this, this, you know, using session tokens that we've just been doing forever on webs web systems and applications, it's it doesn't work, I mean it works, too well. Right? That's kind of the problem. You know, I mean, as soon as somebody grabs that, you know, that token, it's off to the races with what
00:09:22:18 - 00:09:34:00
Bill Church
I really want to do. So, I, I love the ephemeral nature of that paper. It seemed very familiar to me. And yeah, so that's what what else do you did you, did you pull off there?
00:09:34:03 - 00:09:54:20
Joel Moses
Yeah. Well, one of the things I noticed in the paper, and I also think this is important, is that these systems, because they're acting on behalf of the user who's not sitting in front of a keyboard maybe right then, maybe they embodied it to do something over a period of a timeline, and it's just going off and doing what it needs to do based on original instructions.
00:09:54:22 - 00:10:20:21
Joel Moses
The ephemeral authentication token actually knows what the agent is doing and why on behalf of the requester, not just who is the requester. Which I think is also important. Although it's a little unclear to me how to enforce things by context, but I think the the idea of including a little additional context of why you're accessing the services is an important aspect of security.
00:10:20:23 - 00:10:39:27
Lori MacVittie
Well, if for no other reason than audit logs and knowing who what where, right, you know, answer the basic questions. And you're right. I mean that kind of context and like, what's the task? Who's the agent on behalf of? All of those kind of things are carried along in the context, or should be. Mechanisms exist for it
00:10:39:27 - 00:11:15:06
Lori MacVittie
whether people actually use it properly, right, is another matter. But let's assume that they do because they're good. They they want it to work. That's another piece of the security puzzle. Right, the existing infrastructure is not set up to deal with something like policy in the payload. It doesn't go there. We use other things. So that's it's another piece of the puzzle that has to shift in order to better secure, right, access and to very sensitive things sometimes. Right?
00:11:15:09 - 00:11:31:00
Bill Church
Yeah, actually, you know, one of the things I was thinking about here was, you know, this kind of dovetails into, you know, definitely the idea of zero trust, for sure. But I was thinking about how could you apply something of SPIFFE and SPIRE to this type of solution. Would that, does that make sense?
00:11:31:02 - 00:11:55:25
Joel Moses
Yeah. SPIFFE and SPIRE, of course, identify workloads and, and then control the ability to grant new workload identities. And I think that you still kind of need a structure like that to identify, say, an application to an MCP server and maybe, maybe even an MCP server to its downstream services. And, and there are things that are emerging that are, that are working a little bit like that.
00:11:55:25 - 00:12:16:29
Joel Moses
I, I look at the, the project called Wassette that Microsoft is stewarding, which creates an MCP server that has pluggable functions written in WebAssembly that that cast down into capabilities that the service has towards the systems that it connects to. And that that that's definitely a step in that direction and would make huge use of a workload identity.
00:12:17:02 - 00:12:41:06
Joel Moses
But, you know, I think that this is a little deeper than that. This is something that under that rides underneath and, and is a request. It's a transactional authentication and authorization system. And it's being done on behalf of a user, and it has the need to be, have, have a very ephemeral, a moment in time, a snapshot in time with context attached to it.
00:12:41:08 - 00:13:09:00
Joel Moses
There's a concept in security called scope tunneling that I think is really applicable here, where you, you know, everyone talks about you always want to abide by the principle of least privilege. But I think AI systems have a duty to go a little deeper than that. It has to be the least privilege in the moment. So narrowing down the access not just by role, but by action within the role, which I think these systems are going to have to grow to that point.
00:13:09:02 - 00:13:26:00
Joel Moses
To, to Nanda's credit, they seem to be thinking about this at least. And so incorporating things about context-aware scoping within the protocol is, is a is an important step. Now how all this is governed, that's
00:13:26:03 - 00:13:27:09
Joel Moses
I think a,
00:13:27:11 - 00:13:28:24
Lori MacVittie
You said the word.
00:13:28:26 - 00:13:32:16
Joel Moses
I think that that's going to be a real, real puzzle for us.
00:13:32:19 - 00:13:34:07
Bill Church
And for that reason, I'm out.
00:13:34:09 - 00:13:56:08
Lori MacVittie
Yeah. It's, he's he's like, that's it, I'm I'm I'm done, right. I mean, I know and I see people suggesting things like registries again for like tools, right, these tools are allowed, right. And then being able to clamp down at the MCP level in order to prevent at least that level of access. Like that's, we could do that today pretty much.
00:13:56:08 - 00:14:18:28
Lori MacVittie
I feel like that's not that hard and it's something we should probably be doing. Like you shouldn't have access to anything, right? Or you design your MCP a different way so that it's very restrictive. But you, that's not rocket science. It's really when you go beyond that and you're trying to match all of these different types of authentication, types of authorization.
00:14:19:00 - 00:14:41:01
Lori MacVittie
The, the, the scenario you brought up, right, a more modern token from an agent, like Joel described,
Joel Moses
Right.
Lori MacVittie
is now, might, trying to access a more traditional system again on the back end through MCP. Right. How do we deal with that? Is, you know, ephemeral again? Is that another, you know, how do we do this? It's it's a big mess.
00:14:41:01 - 00:15:02:19
Joel Moses
Yeah. You know, when I, when I see new proposals for new functionality that's built on top of authentication and authorization, you know, there's always cryptography underneath it. And when you're talking ephemeral credentials, you're talking about not creating tokens that live around a while, you're creating tokens that are in the moment. And that means you're creating more tokens.
00:15:02:21 - 00:15:24:22
Joel Moses
And more tokens with cryptography means more latency. It means more churn within the credential. So these systems are going to have to handle massive token issuance and massive expiration rates. It's going to be that, that, that I, I foresee is as part of this approach, a real challenge. Do you see any other challenges in this approach?
00:15:24:22 - 00:15:25:11
Joel Moses
Bill?
00:15:25:14 - 00:15:58:12
Bill Church
Well, the crypto piece is, is a concern because I think about right now with our current approaches of post-quantum and how large some of those, you know, the certificates are. And if we're talking about domain certificates for some of the stuff that, you know, it'll be ten times the request size, right, for just the certificate. So, there we we have to figure that out because, right now, at least in the United States, the current ephemeral or the current PQC proposals are gross.
00:15:58:15 - 00:16:15:05
Bill Church
I'll just say that, it's gross. And it's what we have but like, you know. So that's that's my concern is the latencies will absolutely go up. Now for some of these things it probably doesn't matter because, you know, it's an agent. It's going off and doing its thing. You're having fun somewhere else.
Joel Moses
Point in time.
Bill Church
And, you know, maybe it doesn't matter.
00:16:15:08 - 00:16:23:15
Bill Church
But I, I'm an engineer. I don't like inefficiency. So that that would bother me, you know, personally.
Joel Moses
Yeah.
Bill Church
But maybe I shouldn't take it personal.
00:16:23:17 - 00:16:43:20
Joel Moses
You know what I do think matters, and one of the things we'll also have to contend with is how do you debug a system with short-lived credentials? Extremely, in some cases, short-lived credentials. You know, you're creating something that is used for one purpose, one job, one and one connection only. What happens if something fails mid task?
00:16:43:23 - 00:16:53:15
Joel Moses
How do you how do you actually debug systems for for whom you are granting scope instantaneously? That that that's that's an interesting area to study.
00:16:53:17 - 00:16:53:25
Lori MacVittie
Yeah, that
00:16:53:26 - 00:16:57:04
Bill Church
That's going to be
00:16:57:07 - 00:17:03:12
Lori MacVittie
It it's
Bill Church
A system, go ahead.
Lori MacVittie
We're like, well, collisions, which is kind of what I was going, wanted to like
Bill Church
Here we are.
Lori MacVittie
mention, right, like
00:17:03:13 - 00:17:09:21
Bill Church
Did we mean to do that?
00:17:09:24 - 00:17:52:27
Lori MacVittie
I don't, retransmit, retransmit. That that whole notion of massive scale and right, the, the unknown, right. Trying to handle all those tokens and then regenerate them. But the possibility of getting issued a token that somebody just used that hasn't exp-, is that possible or is that something that, right, just blows the system up even bigger in order to, you know, prevent kind of that almost collision of, oh, it's not actually expired. Or, you know, I'm going to reuse it and some system cached something somewhere it shouldn't and says, oh, you can do whatever you want.
00:17:52:29 - 00:18:25:28
Joel Moses
Right. So, so one thing I, I'm thinking about is, is how do these systems actually grow and, and improve in the future? So if you think about how you authorize access for, for another service today. If you think about how you authenticate to something from, from another service and it wants to use services that are, that are generated there's, with OpenID for example, there's a, there's a negotiation that takes place. It says, okay, I'm authenticating and you can use information within my service for these particular purposes.
00:18:25:28 - 00:18:50:13
Joel Moses
And then you have to click allow or deny. I mean all of us have seen things like that. Now, what you're doing is you're essentially creating a long lived mapping between the application and that particular service for those particular scopes. Now, the trouble here is scopes change over time. What an application or service does might add or remove certain things from all granted scopes.
00:18:50:13 - 00:19:03:29
Joel Moses
And so they they'll change. They'll they'll have different things. Now, how does an agent recognize that the service scope has changed? Great question. At the moment I don't think it does.
00:19:04:01 - 00:19:06:02
Lori MacVittie
I was gonna. Are you going to answer the question? That's
00:19:06:02 - 00:19:44:24
Joel Moses
No, so so I, I foresee that systems like this in the future are probably going to have to negotiate scopes between agents and the systems that are using the agents. Meaning I granted, I was granted the rights to do this, that, and the other, now the user is asking me to do things that require additional scopes. So I'm going to communicate back with the system to see if the user will allow me additional scopes. And there will be some sort of negotiation process that has to occur to unlock additional things and that will have to be based on short lived tokens and strong identity typing.
00:19:44:26 - 00:19:46:29
Joel Moses
I can't see any other way around that.
00:19:47:02 - 00:19:50:28
Lori MacVittie
So the teenagers have to phone home to ask if they can go to a different friend's house.
00:19:50:28 - 00:20:02:17
Joel Moses
Dad, can I use the car?
Lori MacVittie
Right. Yeah, that
Joel Moses
I mean eventually the agents are going to have to to get smart enough to know when to communicate back to receive additional grants.
00:20:02:20 - 00:20:07:23
Lori MacVittie
It's going to be slow. It's going to be slow and it's going to be a mess.
00:20:07:28 - 00:20:32:06
Bill Church
Well, and then I think about too, so, you know I'm a user as well, so, and I know, what? Yeah, weird. But I think about I hate, I hate approving stuff. No, look, I am a security person, but also sometimes I just want it to work. I don't want to have to think about it. So I can see how this would be a a big user acceptance issue, or could be, right, if it's not implemented correctly.
00:20:32:08 - 00:20:49:03
Bill Church
And, I think we, we were talking about earlier about, you know, failing fast authentication, right, where you know right now with MCP, you know, authentication's kind of the Wild West. And, you know, the Silicon Valley idea of like, hey, when we want to fail fast. With authentication, that's not a thing we want to really play around with.
00:20:49:03 - 00:20:55:13
Bill Church
Right? We want to kinda get that right sort of the first time. But, you know, it never never works that way, but
Joel Moses
Yeah.
00:20:55:15 - 00:21:22:28
Lori MacVittie
Yeah. Well, and sadly, I don't think we're going to solve it. Although we were so close. We were right there.
Bill Church
Felt right.
Lori MacVittie
It felt right. But, you know, we should still it's still an important topic. And there are things that I think people should think about as they're putting agents in, and MCP and all of these systems, that they should at least be thinking about, seriously, so they don't get bitten, right, when something goes wrong.
00:21:22:28 - 00:21:29:26
Lori MacVittie
So what would you want them to be thinking about as they're starting to deploy agents?
00:21:29:29 - 00:21:51:07
Joel Moses
Yeah, I, that's a great takeaway I think Lori. And, you know, the the thing I'm taking away from this is kind of incorporated in that description of, Hey, dad, I need the car. It's helpful kind of to think about these systems as granting the rights to a teenager. And over time, the teenager's needs will change.
00:21:51:09 - 00:22:11:07
Joel Moses
And over time, your your desire to grant things to that teenager may change. And you need a way. You need to develop a way to, to change those scopes by context over time. And I think this, this technology will eventually have to incorporate systems that that work like that.
00:22:11:10 - 00:22:34:21
Bill Church
I like that. And I like the idea of, it's it's a little confusing, you know, when you think about it because I used to be so rigid in the way I created policies, right. It was a very simple branch, you know, a couple ors, an and here or there. With natural language, which is basically what we're dealing with here, you know, how do you how how weird could you describe this problem and how do you account for that?
00:22:34:21 - 00:22:56:10
Bill Church
So when those roles do change or those, the scopes change, how do you do that? And to me, you know whenever I design systems or try to architect system, I do try to think of, you know, that user interaction and how to make things easy. But we have to be careful of not making it so easy that people can get into trouble and overprovision. You know, just give it root and it's fine.
00:22:56:10 - 00:23:05:06
Bill Church
You know that type of mentality. We want it to not do that and I think this is an opportunity that we could probably reel some of that in, but we have to be careful.
00:23:05:09 - 00:23:25:05
Lori MacVittie
Careful, careful is is good. And and I think as, as people are deploying agents, right, the focus right now should probably be on like how do you, you know, architect it to interact with other systems and think about what you need to secure. Because a lot of the security tools that they will need don't exist yet.
Joel Moses
That's right.
Lori MacVittie
They're still coming.
00:23:25:05 - 00:23:55:25
Lori MacVittie
They're in papers. They're in people's heads. They're in, you know, POCs and in different places. It's not here yet. And you don't want to architect a solution based on everything you have, because that's what you have, and then have to change it again. Just be aware and be flexible that the answers will come, just not today, not tomorrow. I I'm guessing a few months at least, you know, but probably, you know, a year or so before I see real solutions.
00:23:55:26 - 00:24:11:14
Joel Moses
I agree. I don't, I I think everybody should know right now that in terms of AI agent identity and IAM for AI agents, we're in roll-your-own-mode territory right now. And so think about the ramifications of that before you launch a project.
00:24:11:16 - 00:24:14:27
Bill Church
I'm just going to vibe code it.
00:24:15:00 - 00:24:30:28
Lori MacVittie
That's a wrap. That's a wrap. That is a wrap for Pop Goes the Stack. Keep your locks open, your sarcasm sharp, and don't forget to subscribe 'cause we'll be back with more glorious nonsense, soon.