When an AI agent accesses your CRM, retrieves database records, and sends emails on your behalf, whose identity is being used? And what are the implications if no one knows the answer? Alex Stamos, chief product officer at Corridor, and Nancy Wang, CTO at 1Password, explored the new identity framework challenges associated with agentic AI during the VB AI Impact Salon Series.
âAt a high level, itâs not just who this agent belongs to or which organization this agent belongs to, but what is the authority under which this agent is acting, which then translates into authorization and access,â Wang said.
How 1Password became central to the agent identity issue
Wang outlined how 1Password found itself at the forefront of the agent identity issue through its product evolution. Initially a consumer password manager, the company expanded its enterprise presence organically as employees introduced the trusted tool into their workplaces.
âOnce those people got used to the interface, and really enjoyed the security and privacy standards that we provide as guarantees for our customers, then they brought it into the enterprise,â she said. The same trend is emerging with AI, she added. âAgents also have secrets, or passwords, just like humans do.â
Within 1Password, the company manages the same tension it helps its customers with: enabling engineers to move quickly without compromising security. Wang mentioned the company closely monitors the ratio of incidents to AI-generated code as engineers utilize tools like Claude Code and Cursor. âThatâs a metric we track intently to make sure weâre generating quality code.â
Developers facing significant security risks
Stamos highlighted a common behavior observed by Corridor: developers inserting credentials directly into prompts, which poses a major security threat. Corridor identifies such instances and redirects developers towards proper secrets management practices.
âThe standard thing is you just go grab an API key or take your username and password and you just paste it into the prompt,â he said. âWe find this all the time because weâre hooked in and grabbing the prompt.â
Wang explained 1Passwordâs strategy of focusing on the output by scanning code as it is written and securing any plain text credentials before they are saved. The ease of cut-and-paste access is a significant factor in 1Passwordâs design philosophy, which aims to minimize friction in security tools.
âIf itâs too hard to use, to bootstrap, to get onboarded, itâs not going to be secure because frankly people will just bypass it and not use it,â she said.
Why coding agents differ from traditional security scanners
Another challenge in creating feedback between security agents and coding models is dealing with false positives, which large language models are prone to. These false positives from security scanners can disrupt an entire coding session.
âIf you tell it this is a flaw, itâll be like, yes sir, itâs a total flaw!â Stamos said. But, he added, âYou cannot screw up and have a false positive, because if you tell it that and youâre wrong, you will completely ruin its ability to write correct code.â
This tradeoff between precision and recall is fundamentally different from what traditional static analysis tools aim for, requiring significant engineering to achieve the necessary latency, on the order of a few hundred milliseconds per scan.
Authentication is straightforward, but authorization presents challenges
âAn agent typically has a lot more access than any other software in your environment,â noted Spiros Xanthos, founder and CEO at Resolve AI, during an earlier session at the event. âSo, it is understandable why security teams are very concerned about that. Because if that attack vector gets utilized, then it can both result in a data breach, but even worse, maybe you have something in there that can take action on behalf of an attacker.â
How can autonomous agents be given scoped, auditable, time-limited identities? Wang mentioned SPIFFE and SPIRE, workload identity standards for containerized environments, as potential candidates being tested in agentic contexts, though she admitted the fit is not perfect.
âWeâre kind of force-fitting a square peg into a round hole,â she said.
However, authentication is only part of the equation. Once an agent has a credential, what actions is it permitted to take? The principle of least privilege should be applied to tasks, not roles.
âYou wouldnât want to give a human a key card to an entire building that has access to every room in the building,â she explained. âYou also donât want to give an agent the keys to the kingdom, an API key to do whatever it needs to do forever. It needs to be time-bound and also bound to the task you want that agent to do.â
In enterprise environments, granting scoped access alone is insufficient; organizations must also track which agent acted, under what authority, and what credentials were used.
Stamos identified OIDC extensions as the leading contender in standards discussions, while dismissing the numerous proprietary solutions.
âThere are 50 startups that believe their proprietary patented solution will be the winner,â he said. âNone of those will win, by the way, so I would not recommend.â
At a billion users, edge cases become significant
On the consumer front, Stamos anticipated that the identity problem would consolidate around a few trusted providers, likely the platforms already central to consumer authentication. Reflecting on his tenure as CISO at Facebook, where the team managed approximately 700,000 account takeovers daily, he redefined the impact of scale on edge cases.
âWhen youâre the CISO of a company that has a billion users, corner case is something that means real human harm,â he explained. âAnd so identity, for normal people, for agents, going forward is going to be a humongous problem.â
Ultimately, the challenges CTOs face with agent identity arise from incomplete standards, makeshift tools, and enterprises deploying agents more rapidly than the frameworks designed to govern them. The solution requires constructing identity infrastructure tailored to agents, rather than modifying systems that were developed for their human creators.
