Secure Identity Propagation in Agentic Systems
Key Points
- Organizations adopting generative AI, RAG models, and agentic systems are encountering the challenge of securely propagating user identities throughout complex agent flows.
- Traditional identity propagation patterns are reviewed, starting with **no delegation**, where the application accesses downstream services without any knowledge of the end‑user.
- **Trusted assertion** introduces an identity provider (IdP) that authenticates the user and passes a SAML (or similar) assertion to downstream services so they can enforce user‑specific privileges.
- **Simple delegation** shifts to token‑based delegation, where the application authenticates itself, obtains a token representing the user, and presents that token to downstream resources for access control.
- The core questions for agentic systems become “how do we propagate identity?” and “what actions is the user authorized to perform?”, emphasizing the need for robust delegation mechanisms and fine‑grained privilege checks.
Sections
- Untitled Section
- Token-Based Identity Propagation Risks - The speaker outlines how authentication tokens are used to carry user privileges through multi‑agent chatbot workflows and warns that malicious agents could impersonate users to hijack and misuse those propagated identities.
- Transitive Trust in Multi-Agent Systems - The speaker discusses the challenges of establishing user trust across dynamic, multiple agents and separate identity providers spanning organizational boundaries, emphasizing the need for transitive trust rather than trust in individual agents.
- Token Exchange in Agentic Flow - The speaker explains that at each hop of an agentic flow, tokens should be exchanged with the identity provider to validate the user, confirm endpoint authenticity, and establish trust, preventing impersonation and aligning with OAuth 2.0 concepts.
- API Gateways Centralize Token Exchange - The speaker explains that placing token‑exchange logic in an API gateway offloads developers, standardizes identity propagation across agentic AI flows, and enables centralized monitoring for security and compliance.
Full Transcript
# Secure Identity Propagation in Agentic Systems **Source:** [https://www.youtube.com/watch?v=wiU7VEvi1LM](https://www.youtube.com/watch?v=wiU7VEvi1LM) **Duration:** 00:13:58 ## Summary - Organizations adopting generative AI, RAG models, and agentic systems are encountering the challenge of securely propagating user identities throughout complex agent flows. - Traditional identity propagation patterns are reviewed, starting with **no delegation**, where the application accesses downstream services without any knowledge of the end‑user. - **Trusted assertion** introduces an identity provider (IdP) that authenticates the user and passes a SAML (or similar) assertion to downstream services so they can enforce user‑specific privileges. - **Simple delegation** shifts to token‑based delegation, where the application authenticates itself, obtains a token representing the user, and presents that token to downstream resources for access control. - The core questions for agentic systems become “how do we propagate identity?” and “what actions is the user authorized to perform?”, emphasizing the need for robust delegation mechanisms and fine‑grained privilege checks. ## Sections - [00:00:00](https://www.youtube.com/watch?v=wiU7VEvi1LM&t=0s) **Untitled Section** - - [00:03:07](https://www.youtube.com/watch?v=wiU7VEvi1LM&t=187s) **Token-Based Identity Propagation Risks** - The speaker outlines how authentication tokens are used to carry user privileges through multi‑agent chatbot workflows and warns that malicious agents could impersonate users to hijack and misuse those propagated identities. - [00:06:09](https://www.youtube.com/watch?v=wiU7VEvi1LM&t=369s) **Transitive Trust in Multi-Agent Systems** - The speaker discusses the challenges of establishing user trust across dynamic, multiple agents and separate identity providers spanning organizational boundaries, emphasizing the need for transitive trust rather than trust in individual agents. - [00:09:16](https://www.youtube.com/watch?v=wiU7VEvi1LM&t=556s) **Token Exchange in Agentic Flow** - The speaker explains that at each hop of an agentic flow, tokens should be exchanged with the identity provider to validate the user, confirm endpoint authenticity, and establish trust, preventing impersonation and aligning with OAuth 2.0 concepts. - [00:12:32](https://www.youtube.com/watch?v=wiU7VEvi1LM&t=752s) **API Gateways Centralize Token Exchange** - The speaker explains that placing token‑exchange logic in an API gateway offloads developers, standardizes identity propagation across agentic AI flows, and enables centralized monitoring for security and compliance. ## Full Transcript
Howdy everyone.
Organizations are embracing gen AI and rag models and agentic systems.
With that, we're starting to see a lot of challenges pop up.
One of the challenges we're seeing is how do we propagate an identity across an agentic flow?
And we really want to kind of dig into this now and see in agentic systems,
how are we going to securely propagate identities?
To do this, we need to start and step back a little bit and look at
kind of how we've evolved in identity propagation.
Let's start with our user.
And let's say that they're connecting to a database or some sort of system,
something that they want to communicate with.
We'll put a little application in here so a user has to connect to that.
And it connects off to this system.
So this will be our first pattern that we wanna start with.
Now, as we go through this, we're gonna look at a set of delegation patterns.
And these are the patterns, all the different patterns that exist that we want to kind of use.
The first one we're gonna look at is no delegation.
Now what this really says is that we have a user, they're gonna connect to this application.
The application is going to connect to the database on its own.
It has a secure connection or some sort of transaction set up here,
and it doesn't know anything about the user.
It doesn't need to know about the users.
You connect, you return some information.
That is what we call basically no delegation.
The next thing we want to look at is what we call trusted assertion.
Now we're going to start getting into the thought of, well, who is the user?
This is really starting to get into identity propagation.
So we're likely going to have an IDP.
So this is an identity provider.
The user comes in.
They authenticate against this system.
And then that is used to tell the database who that user is.
So that user's going to some sort of privilege out here.
And we want to use that.
Now, in the case of trusted assertion,
it's still this connection that we had before.
The system and the database have some sort of credential passing,
whatever it is they're using to make that connection.
And I'm going to assert who the user is.
And this can be in a SAML assertion.
There's different ways to do this.
But basically I will make the connection.
I will pass that identity of the user into the database so I can
check their privilege and return the right things.
There's another model of this that we will look at another pattern that is simple
delegation.
Now in simple delegation, basically it's the same kind of thing.
Instead of asserting who the user is,
I'm gonna come in, I'm going to authenticate myself, I'm gonna create a token that token
gets passed back and this becomes what I'm using for privilege.
So as we look at our challenges, what we're really trying to look at is one,
how are we propagating this identity?
The next challenger, challenge, is what can the user do?
And this really says, what am I allowed to access?
What actions am I allow to take?
All right, so this is great.
This kind of brings us up to where we're at in our systems today,
but now let's start introducing agentic.
So let's say that we're interfacing with a chatbot up front,
and that's our first interaction,
and then maybe that goes to a router,
and then that goes another agent.
So now we've introduced an agentic flow, there are multiple nodes and hops,
and let's say, just to keep this going, that we check here with our identity provider,
we authenticate ourselves, here is who I am, get my identity,
and then we want to propagate that identity through the system.
So when we start thinking about what are the challenges, what are problems with this,
what happens then if we have a bad actor who actually creates some agent or system
on their own and they connect here to the router and they pass in an identity.
They actually start impersonating you.
So this is Edwina Cutwater impersonating Roger Cobb and wants to be able to
take whatever privileges that that user has and propagate it through.
So if we're just merely propagating the identity from the starting point in,
how do we prevent that somebody inserts and says, hey, I am the identity of this person,
and now please give me back all the stuff that we want to,
that that person would be entitled to retrieve?
So this really then starts talking about our next challenge,
which is really then, how do trust the identity?
In other words, how does this agent down in this flow or an
agent up in this low or any flow that has created, how does it know?
It has no visibility to where this user came in and originally authenticated themselves.
How do they trust that the identity that is coming through the system is actually the
identity that is supposed to be used
and the privileges and the data, whatever it is that we're trying
to protect is actually going back to the person that we think it is.
So that becomes our next challenges.
How do we really then, from these systems, trust the identity?
I'm gonna introduce now another delegation pattern, which is on behalf of delegation.
Now this starts getting into a model where we have an agent and a user,
both of them are going to have identities.
They're both gonna be part of, they're gonna have tokens,
they're going to privileges, they're go have rights.
Now the agent is going to work on behalf of the user.
And the user trusts that agent, it knows who this agent is, and it trusts it to act on your behalf.
Now, what happens if we have multiple agents?
What happens if in agentic flows it's very dynamic and agents get introduced into this system?
How does the user then know to trust all the agents down throughout the system?
And this really starts introducing yet another
challenge, is how do we have a user accept transitive trust.
In other words, the user is not actually trusting an individual agent.
What they're doing is they're trusting the system to act and behave on their behalf.
All right, I'm going to introduce one final now pattern here.
And this is multiple IDPs, identity providers.
So what this really looks like then let's say that this is all a system here.
This is a company.
This is an organization.
Let's say this is company A
and we have another organization, we'll call this Company B,
and we're actually talking across organizational boundaries.
This could even be within divisions if things are really separated within a company,
but the point is, is we now have separate identity providers within these two organizations.
We may even have, as we cross over boundaries,
another router that figures how to send an agentic flow to get a prompt and a response,
but now we have to deal with independent ID providers and independent systems.
So we have across this. So these are the patterns and the challenges that we are really seeing emerging,
especially around identities and identity propagation in organizations.
And so let's start thinking about what are our strategies then.
To how to deal with this.
Now, of course, this is an emerging space, it's an emerging world.
The strategies I'm gonna outline here will work,
but they will also evolve as we start evolving agentic systems.
So the first thing that we really wanna look at as a strategy is we really want to use
OAuth 2,
and OIDC, OpenID Connect.
So this really says, let's stick to the standards.
We have standards on how to identify users and what their rights and privileges are.
Let's use that as our common base for talking.
This works really well if we have company A talking to company B,
they both operate on industry standards.
That makes it very easy to do this interaction.
So first thing we wanna do is use OAuth 2 and OIDc as our standards.
The next thing we want to do, is introduce a concept of a token exchange.
What this is really saying is that at each node along an agentic flow,
we actually want to go back to the IDP and we want to do an exchange of the ticket.
So we started with an original token.
We started with the original token here and we flowed that token through,
but each hop we actually wanna go exchange that token,
Aad this way we can really start looking at how do we validate that the user is the right user.
And really what this is starting to say is, if you remember back here,
we had this kind of a secure connection between this application and the database,
and we understood that connection.
Now, when we think about an agentic flow, it is an established flow.
We know endpoints, we know each hop along the way.
If at each hop, we evaluate and look at to make sure that the incoming endpoint,
the outgoing endpoint that we know are all the correct ones, we can exchange our token.
To make sure it works for that hop.
So that way, we can start preventing people
from coming and impersonating and injecting themselves into the flow
because it would not match our known flow and it would match our know end point.
So we can starting eliminating that.
So what it really kind of does then for us is it verifies our identity.
And it establishes trust.
We can even do this across company organizations as well,
same kind of establishment of trust.
All right, so we do a token exchange.
Next thing we want to do then, and this really starts playing
into the OAuth 2.0 concept is we want the leverage context.
We want to leverage scope and we want a leverage audience.
Now, this is really, really nice and important because what this is saying,
is that we don't want the user at the very beginning of our agentic flow.
We don't wanna say that they can do anything across the entire company, across the enterprise.
As they move along the nodes, as we have a context of the token that's moving through,
we want to only allow them the scope, or what they're authorized to do,
to be very narrow, and really ultimately narrow down to just the access to this database,
and along every node we want the narrow that scope
to what they are allowed to do along that process flow.
The other thing by adding audience we can say when we do this token
exchange that we know the next hop and we say that is our audience.
So when an agent somewhere in the flow receives an exchange token,
it should see itself as the audience.
It knows it has now taken the next action.
If the audience is incorrect or non-existent, it knows to reject that out.
So again, that starts preventing injections into this flow with impersonated identities.
So we really want to leverage some of
the capabilities and features that we're seeing in OAuth 2.
The next strategy we have, is we want to connect our nodes, our agents, and our flow via APIs.
So what this is really saying is we use API gateways.
We understand APIs, we understand REST APIs, we understand API economies.
We know that if we just pass, connect through from one node
to another along our agentic flow, and that goes through an API gateway,
it's that gateway now that can have the responsibility of doing the token exchange.
It's actually the thing that's going and exchanging the token.
That takes the burden off of the developers so they don't have to understand token exchanges.
It also centralizes, at least within an organization,
how we're going to do the token exchange.
So it brings a lot of value to how we perform
these strategies or how we execute on these strategies.
The final thing, and this is something we always wanna do, is monitor.
You know, when we start talking about compliance and security across the board,
we always want to monitor what is happening across that.
Agentic flow and make sure that the identity propagation is actually behaving the way we want.
Alright. So we know companies and organizations are embracing gen AI and agentic flows.
We know that there is a challenge with how do you propagate that
identity across that flow to make sure it is securely being used and leverages.
And I have presented a few strategies on how you can accomplish that.
Thank you very much.