The Agent Security Stack: Transport, Identity, Policy, Runtime
9 hours ago
- #agent-security
- #identity-access-management
- #runtime-governance
- The agent security stack has four key layers: Transport (entry-level connectivity and validation), Identity and Delegation (agent identification and delegated authority), Policy (access control decisions), and Runtime Behavior and Governance (post-access monitoring and credential management).
- Transport solutions (e.g., MCP gateways) verify client connections and token validity but cannot determine whether the user is authorized or the agent is legitimate; they are also protocol-specific, so a change in the communication standard can leave them unable to enforce anything.
- Identity and Delegation addresses agent authentication, user representation, and task-specific permissions, moving beyond static API keys to dynamic solutions like workload identity (e.g., SPIFFE), delegation primitives (e.g., RFC 8693), and unified IAM for agents (e.g., Keycard).
- Policy engines (e.g., Cedar, Open Policy Agent) evaluate whether specific actions are allowed based on identity and context, but assume credentials already exist and do not manage credential issuance or broader context.
- Runtime Behavior and Governance includes guardrails for detecting attacks like prompt injection, non-human identity inventories for credential hygiene, and audit logs, but it operates after access and cannot enforce initial access control.
- Integrating identity and policy at credential issuance (via solutions like Keycard's Security Token Service) means a credential is minted only if policy permits the requested action. Because a denied request never produces a credential, there is nothing to leak; because issuance is a policy decision, step-up authentication can be required at that point; and because the check is protocol-agnostic, it survives changes in the transport layer.
- When evaluating agent security tools, consider their coverage across layers, whether policy is evaluated during credential issuance or usage, protocol agnosticism, and scalability across multi-agent workflows.
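The following is an added illustration, not code from Keycard or any project the page names, of the policy-at-issuance pattern from the Identity and Delegation and Integration bullets above: an RFC 8693-style exchange where an agent (actor) asks for a token to act for a user (subject), the policy table, agent identity, scopes, audience and signing key are all constructed for the demo, and a credential only exists when the policy decision succeeds.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed policy table (hypothetical): which agent identity may act on behalf of
# which user, and with which scopes. A real STS would ask Cedar/OPA for this decision.
POLICY = {
    ("spiffe://example.org/agent/support-bot", "alice"): {"tickets:read", "tickets:comment"},
}
# Hypothetical HMAC key for this demo STS; a real STS uses a managed signing key.
SIGNING_KEY = b"demo-sts-key-not-for-production"

def policy_allows(actor: str, subject: str, scopes: set) -> bool:
    """Issuance-time decision: every requested scope must be granted to this (agent, user) pair."""
    return bool(scopes) and scopes <= POLICY.get((actor, subject), set())

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def exchange_token(subject: str, actor: str, scopes: set, audience: str,
                   now: Optional[int] = None) -> Optional[str]:
    """RFC 8693-style exchange: agent `actor` requests a token to act for user `subject`
    at `audience`. The token is minted only if policy permits; otherwise nothing is issued."""
    if not policy_allows(actor, subject, scopes):
        return None  # denied at issuance: no credential exists to leak or replay
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "act": {"sub": actor}, "aud": audience,
              "scope": " ".join(sorted(scopes)), "iat": now, "exp": now + 300}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)

def verify_token(token: str, audience: str, now: Optional[int] = None) -> Optional[dict]:
    """Resource-side check: signature, audience and expiry. Policy was already applied at issuance."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = int(time.time()) if now is None else now
    if claims["aud"] != audience or now >= claims["exp"]:
        return None
    return claims
```

The `act` claim records which agent is acting for which user, so audit logs at the resource can distinguish delegated agent actions from the user's own.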