Agent Identity Standardisation Efforts

Quick post. I come from an Identity and security background, and still work closely with the Microsoft Identity team, who do a lot of work in standards working groups. There’s currently a lot of new technology emerging for agent identities before new standards have been agreed (this is typically slow work, but there seems to be an urgency to the new efforts for agents). Some of this technology can already begin to address one of the major challenges for agent security: static authorisation grants for dynamic authorisation needs. But obviously everyone would rather this was all founded in standards (IMO nothing has improved web security more than the OAuth 2.0 and OIDC standards, relative to what preceded them). IMO there are two major authentication and authorisation challenges to address: Agents must never receive, hold or pass key material for onward authentication. Any services acting as middleware for these credentials is a massive target. As one reference from a current focus of mine, Entra Agent IDs can never authenticate (they don’t have that capability). They can only be delegates. Authorisation scopes need to be granular, time-bound, and (probably hardest of these) adaptable. Each of these authorisation needs are regularly oversimplified or overlooked when permissions are granted today. Normal OAuth consent flows are typically scoped more broadly than what’s strictly needed for an agent, and typically you need the context of what the agent is doing before you approve some adaptive permissions (otherwise you wind up saying yes to everything and revoking nothing).Much of the first of these needs can be met with available technologies. For instance, Anthropic document their support for Workload Identity Federation, but frustratingly they don’t seem to mention it in their recent Zero Trust for AI Agents whitepaper (which is broadly welcome, if IMO short of the mark in some areas like this). Dick Hardt shared an excellent critique of the Anthropic paper. I can’t