Why Ai Agents Need Their Own Identity, Not Yours

AI autochthonal startups decidedly service nan non-human crowd.

An AI supplier can’t really person a quality identity, according to Jake Moshenko, CEO of AuthZed. That premise comes to carnivore erstwhile considering really AuthZed useful pinch OpenAI and nan production-scale retrieval augmentation procreation (RAG) authorization exemplary OpenAI has deployed.

“It’s a communal misconception that you’re going to want to deploy an supplier arsenic ‘me,’” Moshenko said. “A batch of nan worth that group are going to effort to seizure retired of agents are autonomous processes that tally arsenic portion of your company.”

The Problem With Tying AI Agents to Human Identities

Remember backmost successful nan day, nan havoc that occurred erstwhile services shared nan personality of personification who had near nan company?

“If nan personification leaves nan institution aliases changes roles, you’re not going to want that to automatically restrict each supplier they’ve ever deployed,” Moshenko said. “It’s for illustration making a hiring determination — if I alteration nan manager, that doesn’t mean I want each nan labor that worked for that head to conscionable spell away.”

Let’s say, though, nan agents do get bound to a person.

“Just because I deployed an supplier to thief codification reappraisal immoderate things doesn’t mean I want that supplier to beryllium capable to do Jake-like things from [a quality resources] aliases fundraising perspective,” Moshenko said.

AuthZed’s support exemplary treats agents arsenic taxable types. It allows organizations to federate entree for agents nan aforesaid measurement they do for humans. Still, location are gaps.

“Just because you tin spot that it’s reference delicate financial information and possibly penning immoderate numbers back, that isn’t, successful and of itself, a verification exemplary for saying nan supplier is doing nan correct thing,” he said. “If I bring connected an accountant, I’ll unfastened nan books to them — they person to, to get their occupation done. But that doesn’t mean they aren’t doing thing incorrect aliases nefarious pinch nan books.”

Moshenko said unreality autochthonal tooling provides authorization, controlling what agents tin entree done support boundaries. Cloud autochthonal tooling besides provides observability, search what actions agents take. But verification? You can’t automatically find if it made nan correct decision.

The Limits of Automated AI Agent Verification

But moreover utilizing deterministic devices can’t needfully make it easy. There are ever quality and non-human factors. Automated supplier testing, utilizing information scanning, linting, and different tools, tin beryllium foiled.

“Sufficiently clever humans tin make things look wholly benign that are really rather nefarious,” Moshenko said. “Sufficiently nefarious group and/or AIs could decidedly walk each of your linting tests and portion tests and integration tests, but still beryllium doing thing they’re not expected to do.”

He cited “Reflections connected Trusting Trust,” by Ken Thompson, a Turing Award winner. The insubstantial elaborate really you can’t spot it if a compiler has already been compromised. Compilers whitethorn inject vulnerabilities that re-inject themselves erstwhile compiling nan compiler itself — making them efficaciously undetectable done accepted testing.

“Really, it’s for illustration hiring a human: Everything becomes ‘trust but verify,’” Moshenko said. “We do codification reappraisal pinch group successful nan loop, because that reduces our vulnerability to nefarious activity erstwhile it has to make it done 2 humans alternatively of conscionable one.”

Production astatine Scale: The OpenAI and AuthZed Case Study

AuthZed points to its capacity successful providing OpenAI pinch nan RAG authorization capacity nan starring ample connection exemplary (LLM) supplier is using. AuthZed worked wth OpenAI connected its ChatGPT Enterprise Connector, which demonstrates a usage lawsuit for its authorization technology, based connected nan Google paper astir its world authorization system, Zanzibar.

“They make judge that whoever is asking astir Q4 net really has entree to nan root archive that existed connected Google Drive,” Moshenko said. “They’re not injecting immoderate discourse that that personification wouldn’t person been capable to spell and dredge up themselves.”

AuthZed allows OpenAI to ingest endeavor data. What happens adjacent is key. The authorization information gets associated pinch nan documents. At that point, earlier feeding nan archive fragments into an LLM’s discourse window, they verify permissions pinch AuthZed. Better, location is nary request to cheque pinch nan sources upstream. And nan numbers are significant. AuthZed has processed 37 cardinal documents arsenic of this fall.

And nan quality pinch unreality autochthonal tooling is striking. Traditional systems authorize APIs. AuthZed post-filters which archive enters nan LLM discourse based connected personification permissions.

AuthZed provides authentication, but verifying that nan agents’ behaviour still does not get afloat resolved without a deeper attack to validation.

Jentic useful connected nan premise that infrastructure for AI workloads is simply a spot for illustration being successful 1996. They link disparate systems, moving pinch endeavor architects who are untangling and filling gaps successful their method debt.

“I deliberation if each LLM improvement stopped tomorrow, it’s going to beryllium different 5 aliases 10 years earlier we fig retired precisely what to do, what nan champion practices are, each sorts of processes and methodologies and ways of moving pinch it,” said Michael Cordner, Jentic’s CTO and co-founder, successful an question and reply pinch The New Stack at AWS re:Invent.

Dorothy Creavan, Jentic’s co-founder and COO, besides said successful an question and reply pinch The New Stack that  it’s a spot for illustration older times erstwhile caller technologies started getting adopted, but now location is nary scenery for connecting nan world of APIs pinch nan activity of AI. You person to person machine-readable archiving for APIs to go useful. Then you’re capable to create these deterministic workflows that you tin really trust on.

Said Cordner, “Part of our level centralizes each authentication successful 1 spot … Centralized authentication and being capable to observe what agents are doing.” In a batch of cases, agents are “being developed, benignant of for illustration a protector IT organization.”

How Intuit’s GenOS Platform Accelerates AI Adoption

At KubeCon + CloudNativeCon North America, successful Atlanta, Intuit’s work mesh squad showed its proprietary GenOS, to accelerate AI take successful its products. It’s an soul level pinch an supplier and devices registry, tracing, representation guidance and information built in.

Intuit demonstrated really on-call debugging agents entree logs, metrics, alteration logs, and Envoy consequence flags, past usage RAG to lucifer against soul documentation, guidelines origin analyses, and architecture reviews.

Intuit has much than 350 Kubernetes clusters, 2,000 rollouts and deployments, 16 cardinal regular transactions, and 292,000 highest transactions per second. Debugging is challenging connected specified a scale, to opportunity nan least.

“Working pinch specified standard intends that you are generating a immense magnitude of information done each nan interconnected services that you person done logs, metrics and traces,” said Kartikeya Pharasi, ​​a unit package technologist from Intuit. “In cases of an incident, you mightiness walk a batch of clip coming up pinch analyzable queries aliases going done archiving connected nan alert successful a high-pressure situation.”

Pharasi said nan correct instrumentality prime becomes critical. It’s almost much important than nan devices themselves, “because what’s moreover much vulnerable than not being capable to do this benignant of debugging is if you prime nan incorrect instrumentality and nan incorrect benignant of measurement is executed.”

Why AI Agents Require Machine-Specific Interfaces

Evident? The machines request different interfaces than humans do. We spot this again and again, successful nan interviews I conducted astatine AWS re:Invent pinch companies participating successful nan AWS Generative AI startup program.

Cordner said Jentic sees agents arsenic nan early of package that runs connected APIs. The problem: a mismatch betwixt AI workloads, unsuitable infrastructure and APIs not system for machines.

“Imagine a world wherever each your API furniture is truthful good documented that AI has an easy clip turning your business processes into deterministic workflows,” Creavan said. “That’s wherever it is.”

You spot nan scenery changing erstwhile considering nan connection obstruction pinch deterministic systems and really it breaks down, and successful immoderate respects, makes for descriptions that amended specify their intent successful nan organization.

“If you deliberation astir thing for illustration penning a usability to undo a costs transaction, you mightiness sanction that usability thing for illustration reverse_transaction aliases revert_record,” said Ryan Tay, a package technologist astatine Intuit. “But a personification and similarly, an LLM is not going to deliberation of that arsenic reversing a transaction, right? They’re going to telephone that thing for illustration a refund.”

It’s much astir nan readability that nan instrumentality needs. For instance, LlamaIndex, different startup, on pinch Jentic, successful nan AWS Generative AI program, said it turns documents into tokens utilizing RAG, deepening nan discourse for nan agents.

“The wide reasoning capabilities are ever improving, but nan halfway is conscionable amended specialized context,” Liu says. “If agents understand each this worldly successful a very meticulous manner, each of a abrupt they tin really make decisions.”

Intuit is besides looking to nan Model Context Protocol (MCP) to stock crossed teams.

“We’re presently looking astatine different teams trying to build for illustration a full-on incident consequence supplier that tin telephone our instrumentality and immoderate different platform-specific tools,” Tay said. “The Model Context Protocol … allows nan agents to talk to devices that you define, and besides nan devices that different teams and possibly different organizations are defining.”

The missing piece: agent-specific authorization —something AuthZed addresses but Intuit hasn’t yet implemented.

The Future of AI Agent Management and Security

In 2025, nan disorder astir infrastructure for AI workloads surfaced much arsenic companies raced to adopt AI successful nan enterprise. The method indebtedness remains successful nan shape of human-centric APIs. That will alteration successful nan adjacent twelvemonth arsenic teams build retired information frameworks, supplier personality models and create sandbox environments, among different initiatives.

Agent guidance will return different forms. Adam Draper, merchandise creation lead astatine Weights & Biases, talked astir managing agents by breaking them down into smaller agents, while his colleague, Ayush Thakur, a instrumentality learning technologist astatine W&B, said immoderate companies whitethorn return different approaches.

“Some of nan large labs want to person 1 supplier which has basal devices for illustration codification execution, record strategy tools, etc … LLMs are really powerful to constitute code,” Thakur said. “A one-agent attack allows agents to person entree to each nan databases and systems, and to constitute pieces of codification that execute themselves successful a sandbox.

Clarity matters. “The much clear and concise you tin make those prompts, nan much predictable you are going to create an supplier that’s functioning nan measurement you want,” Draper said.

Sandbox isolation becomes critical. Thakur said he has ne'er seen agents fixed guidelines access. He said immoderate companies containerize each nan sandboxes truthful nan supplier tin do worldly successful that sandbox, and past termination it erstwhile nary longer required.

Moshenko, though, said verification has basal limits sloppy of approach.

“Sufficiently clever humans tin make things look wholly benign that are really rather nefarious,” he said. “Sufficiently nefarious group and/or AIs could decidedly walk each of your linting tests and portion tests and integration tests, but still beryllium doing thing they’re not expected to do.”

Again, it each points to nan request for quality oversight.

“Really, it’s for illustration hiring a human: everything becomes ‘trust but verify,’ ” said Moshenko. “We do codification reappraisal pinch group successful nan loop, because that reduces our vulnerability to nefarious activity erstwhile it has to make it done 2 humans alternatively of conscionable one.”

Group Created pinch Sketch.