2025-08-22

The rapidly expanding AI ecosystem is developing without appropriate security controls, and neither AI vendors nor AI connection standards like MCP and A2A are following security best practices, several participants said in a recent online webinar hosted by Okta.

What's needed is not only stricter identity controls to manage AI connections, but more visibility, more granular permissions and tougher standards for AI in general. Only then can we proceed in developing AI agents with the confidence that the agents and their output will be trustworthy and secure.

"The industry needs a new way to fully manage the AI agent lifecycle: an identity-security standard that gives enterprises confidence in what agents can access and gives developers freedom to build experiences that are secure and seamless by default," said Todd McKinnon, CEO and Co-Founder of Okta, in his introduction to the webinar.

Security isn't always top of mind

"Just as we can't imagine the internet without HTTP or TCP/IP," he added, "the agentic future won't be possible without a new generation of protocols that are designed from the ground up to secure how agents connect, collaborate and act on our behalf."

At the recent Black Hat security conference in Las Vegas, speaker after speaker repeated a common theme: AI security is so bad it's like Windows security was back in the '90s.

AI agents, LLMs, and their development tools can be fooled, subverted with malicious data, and socially engineered into disclosing sensitive information or creating malware. Eager-to-please LLMs can hallucinate fictional "facts," and AI agents may help attackers exfiltrate proprietary secrets.

"The future of AI depends on trust, and right now, many security teams can't fully trust agentic AI," observed Okta Senior Vice President and Deputy Chief Security Officer Charlotte Wylie, who hosted part of the webinar.

Some of these issues are due to the non-deterministic, "black box" nature of AI itself. But according to Alyssa Robinson, CISO at HubSpot, who spoke during the Okta webinar, the AI vendors deserve blame for the poor state of AI security.

"Some of the risks that we're seeing are actually not really related to agentic AI at all," Robinson told Wylie. "We're seeing a lot of really new vendors, immature products being put out there ... but we haven't really gotten to the point where they're also thinking about security."

Echoing what was said at Black Hat, Robinson lamented "the lack of those basic controls that you expect to have, whether it be access controls, auditing, change management, just even those agent definitions and having some sort of source control and change management."

As for the Model Context Protocol (MCP), a server-client standard unveiled late last year by Anthropic to reliably connect AI agents to tools and applications, and Agent-to-Agent (A2A), a peer-to-peer standard developed by Google earlier this year, Robinson had doubts.

AI has built-in security issues

"We're seeing lots of vendors that are jumping on the bandwagon for MCP and for A2A, but those standards don't have that much real security built in so far," she said. "I would really like to see much stronger standards out there, much stronger security built into the standards that we have, and vendors really jumping on those bandwagons and really trying to build those things up."

But, as Robinson said, part of the problem is that AI is fundamentally different from other software.

"There's just this continuation of the non-human identity problem that we were already seeing, the interconnections between apps," she said. "And then, of course, there's the unpredictability, the non-deterministic nature of LLMs themselves."

That unpredictability is part of the reason it's hard to tell if an AI agent has been corrupted by false or malicious data. When the agent can say anything, then nothing it says will seem wrong.

This leads to a very different sort of application security, and a different sort of access management, Writer CEO May Habib told Okta President and COO Eric Kelleher during the webinar.

"If you think about the 30 years we have all been shaping the software development life cycle, you are building for very deterministic processes," said Habib. "When it comes to agentic, it is a very different story. Agents challenge the concept of 'done.' You are iterating and building constantly."

"You've got agents that really only exhibit the kind of behavior you can track once they are in real-world, real-data environments," Habib added. "These are agents that are goal-oriented, that have objectives of their own, where the identity and the access needs to be managed on a goal-and-outcome basis, versus the access rights and permissions of the person who is building them."

Those permissions, or more specifically an excess of them, worry Robinson as well.

"The places where we have the largest concerns are anywhere that our most sensitive data, like customer data, is involved," Robinson said.

How to keep AI in line

"We're worried about agents that might be over-permissioned, that might get access to data that we don't know they have, or that we didn't intend for them to have," she added. "We need strong controls there to really know what data things can access and to know what decisions agents might be making."

Robinson and Habib agreed that AI agents and the protocols they use needed stronger controls.

"Many of the CIOs that we talk to aren't happy with the kind of security that the MCPs that are being built might have and want to be able to configure an extra layer that they control around the actions that are permissible, the data that is permissible," Habib told Kelleher.

"You absolutely need to have the ability to observe that at a meta level," Habib added, "even while you have given access and permissions to folks to build tooling and agents that are able to access the systems you've configured."

For her part, Robinson wanted basic security best practices observed, even if some AI start-ups might need to brush up on them.

"There are key things that we want to see. We want real transparency. We want auditability. We want very granular permissions," Robinson said.

"If we don't have good visibility into the data flows between them [AI agents and data sources], into exactly the permissions that each agent can take in all of these different spaces that they're now acting in," she added, "we're going to be in a world of trouble."

To control AI permissions, as well as human access to AI, Okta and other identity-security providers are working on an extension to the OAuth authorization standard.

Okta calls the extension Cross App Access and says it will permit any identity-security system that uses OAuth to easily and firmly manage AI agent access.

"Cross App Access is an open protocol that secures interactions between apps and agents and across ecosystems," said Arnab Bose, Okta Chief Product Officer, during the webinar. "It moves the control to the identity layer, allowing organizations to centrally define access, monitor agent activity and eliminate unnecessary consent prompts for users."

Both Habib and Robinson felt the collaborative process that developed Cross App Access should be repeated to strengthen other aspects of AI security.

"I would like to see all of our vendors jumping on board to help develop those standards and to help drive them to a place that they're workable, but also really keep security in mind," Robinson said. "That's how we're going to be able to trust these things and really use agents to their full potential."

"No single company is going to solve this problem," said Habib. "We need a future that is a collaborative ecosystem."

Wylie agreed that the responsibility for AI security falls on the vendors, who need to work together to make AI safe for everyone to use.

"If you are building AI-native features, you cannot wait until it's too late or for regulation to force your interaction. The time to prioritize securing AI agent access and visibility is now," Wylie said. "Securing agentic access isn't something that one vendor can solve alone. It is a collective responsibility that we must tackle together."