© 2024 americanfocus.online – All Rights Reserved.

The authorization problem that could break enterprise AI

Last updated: March 17, 2026 11:56 am

Contents
  • How 1Password became central to the agent identity issue
  • Developers facing significant security risks
  • Why coding agents differ from traditional security scanners
  • Authentication is straightforward, but authorization presents challenges
  • At a billion users, edge cases become significant

When an AI agent accesses your CRM, retrieves database records, and sends emails on your behalf, whose identity is being used? And what are the implications if no one knows the answer? Alex Stamos, chief product officer at Corridor, and Nancy Wang, CTO at 1Password, explored the new identity framework challenges associated with agentic AI during the VB AI Impact Salon Series.

“At a high level, it’s not just who this agent belongs to or which organization this agent belongs to, but what is the authority under which this agent is acting, which then translates into authorization and access,” Wang said.

How 1Password became central to the agent identity issue

Wang outlined how 1Password found itself at the forefront of the agent identity issue through its product evolution. Initially a consumer password manager, the company expanded its enterprise presence organically as employees introduced the trusted tool into their workplaces.

“Once those people got used to the interface, and really enjoyed the security and privacy standards that we provide as guarantees for our customers, then they brought it into the enterprise,” she said. The same trend is emerging with AI, she added. “Agents also have secrets, or passwords, just like humans do.”

Within 1Password, the company manages the same tension it helps its customers with: enabling engineers to move quickly without compromising security. Wang mentioned the company closely monitors the ratio of incidents to AI-generated code as engineers utilize tools like Claude Code and Cursor. “That’s a metric we track intently to make sure we’re generating quality code.”

Developers facing significant security risks

Stamos highlighted a common behavior observed by Corridor: developers inserting credentials directly into prompts, which poses a major security threat. Corridor identifies such instances and redirects developers towards proper secrets management practices.

“The standard thing is you just go grab an API key or take your username and password and you just paste it into the prompt,” he said. “We find this all the time because we’re hooked in and grabbing the prompt.”

Wang explained 1Password’s strategy of focusing on the output by scanning code as it is written and securing any plain text credentials before they are saved. The ease of cut-and-paste access is a significant factor in 1Password’s design philosophy, which aims to minimize friction in security tools.

“If it’s too hard to use, to bootstrap, to get onboarded, it’s not going to be secure because frankly people will just bypass it and not use it,” she said.

Why coding agents differ from traditional security scanners

Another challenge in creating feedback between security agents and coding models is dealing with false positives, which large language models are prone to. These false positives from security scanners can disrupt an entire coding session.

“If you tell it this is a flaw, it’ll be like, yes sir, it’s a total flaw!” Stamos said. But, he added, “You cannot screw up and have a false positive, because if you tell it that and you’re wrong, you will completely ruin its ability to write correct code.”

This tradeoff between precision and recall is fundamentally different from what traditional static analysis tools aim for, requiring significant engineering to achieve the necessary latency, on the order of a few hundred milliseconds per scan.

Authentication is straightforward, but authorization presents challenges

“An agent typically has a lot more access than any other software in your environment,” noted Spiros Xanthos, founder and CEO at Resolve AI, during an earlier session at the event. “So, it is understandable why security teams are very concerned about that. Because if that attack vector gets utilized, then it can both result in a data breach, but even worse, maybe you have something in there that can take action on behalf of an attacker.”

How can autonomous agents be given scoped, auditable, time-limited identities? Wang mentioned SPIFFE and SPIRE, workload identity standards for containerized environments, as potential candidates being tested in agentic contexts, though she admitted the fit is not perfect.

“We’re kind of force-fitting a square peg into a round hole,” she said.

However, authentication is only part of the equation. Once an agent has a credential, what actions is it permitted to take? The principle of least privilege should be applied to tasks, not roles.

“You wouldn’t want to give a human a key card to an entire building that has access to every room in the building,” she explained. “You also don’t want to give an agent the keys to the kingdom, an API key to do whatever it needs to do forever. It needs to be time-bound and also bound to the task you want that agent to do.”

In enterprise environments, granting scoped access alone is insufficient; organizations must also track which agent acted, under what authority, and what credentials were used.
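
One way to express the time-bound, task-bound grant and the audit trail described above, as an added example (not code from 1Password, Corridor or any standard named in the article). An HMAC-signed grant stands in for a real credential format, and the agent name, principal, task id and scope strings are constructed assumptions.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # assumption: known only to the grant issuer/verifier

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def mint_grant(agent, on_behalf_of, task, scopes, now, ttl_seconds):
    """Issue a grant bound to one agent, one delegating principal, one task and a deadline."""
    claims = {"agent": agent, "on_behalf_of": on_behalf_of, "task": task,
              "scopes": sorted(scopes), "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def authorize(grant, action, now):
    """Decide one action and return the audit record: who acted, for whom, with which grant."""
    record = {"action": action, "time": now, "agent": None, "on_behalf_of": None,
              "task": None, "grant_id": hashlib.sha256(grant.encode()).hexdigest()[:16],
              "allowed": False, "reason": "malformed grant"}
    try:
        body_b64, sig_b64 = grant.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong part count or invalid base64
        return record
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        record["reason"] = "bad signature"
        return record
    claims = json.loads(body)  # parsed only after the signature checks out
    record.update(agent=claims["agent"], on_behalf_of=claims["on_behalf_of"],
                  task=claims["task"])
    if now >= claims["exp"]:
        record["reason"] = "grant expired"
    elif action not in claims["scopes"]:
        record["reason"] = "action outside task scope"
    else:
        record.update(allowed=True, reason="ok")
    return record

if __name__ == "__main__":
    # Constructed sample: a 5-minute grant to read CRM records for one ticket.
    g = mint_grant("crm-agent-7", "alice@example.com", "ticket-1234",
                   ["crm:read"], now=1000, ttl_seconds=300)
    for action, t in [("crm:read", 1100), ("email:send", 1100), ("crm:read", 1400)]:
        print(authorize(g, action, t))
```

Every decision, allowed or denied, yields a record naming the agent, the delegating principal, the task and a grant fingerprint, which is the tracking the paragraph above asks for.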

Stamos identified OIDC extensions as the leading contender in standards discussions, while dismissing the numerous proprietary solutions.

“There are 50 startups that believe their proprietary patented solution will be the winner,” he said. “None of those will win, by the way, so I would not recommend.”

At a billion users, edge cases become significant

On the consumer front, Stamos anticipated that the identity problem would consolidate around a few trusted providers, likely the platforms already central to consumer authentication. Reflecting on his tenure as CISO at Facebook, where the team managed approximately 700,000 account takeovers daily, he described how scale changes what an edge case means.

“When you’re the CISO of a company that has a billion users, corner case is something that means real human harm,” he explained. “And so identity, for normal people, for agents, going forward is going to be a humongous problem.”

Ultimately, the challenges CTOs face with agent identity arise from incomplete standards, makeshift tools, and enterprises deploying agents more rapidly than the frameworks designed to govern them. The solution requires constructing identity infrastructure tailored to agents, rather than modifying systems that were developed for their human creators.
