The authorization problem that could break enterprise AI

When an AI agent needs to log into your CRM, pull records from your database, and send an email on your behalf, whose identity is it using? And what happens when no one knows the answer? Alex Stamos, Chief Product Officer at Corridor, and Nancy Wang, CTO at 1Password, join the VB AI Impact Salon series to explore the identity challenges that arrive alongside the benefits of agentic AI.

"At a high level, it’s not just who this agent belongs to or what organization this agent belongs to, but also what is the authority under which this agent is acting, which then translates into authorization and access," Wang said.

How 1Password ended up at the center of the agent identification problem

Wang traced 1Password’s path into this area through the company’s own product history. It started as a consumer password manager, and its enterprise footprint grew naturally as employees brought tools they already trusted into their workplaces.

"Once those people got used to the interface, and they really enjoyed the security and privacy standards that we provide as a guarantee for our customers, they brought it into the enterprise," she said. She said the same dynamic is now happening with AI. "Agents also have secrets or passwords, just like humans."

Internally, 1Password is addressing the same tension it helps customers manage: how to let engineers move fast without creating a security mess. Wang said the company actively tracks the share of incidents involving AI-generated code as engineers use tools like Claude Code and Cursor. "This is a metric that we track to ensure that we are generating quality code."

How developers are taking big security risks

Stamos said one of the most common risky behaviors Corridor sees is developers pasting credentials directly into the prompt. Corridor flags it and steers the developer back toward proper secret management.

"The standard thing is that you just take an API key or your username and password and you paste it into the prompt," he said. "We get it all the time because we’re caught up in it and catching the signal."

Wang described 1Password’s approach as working on the output side: scanning code as it is produced and vaulting any plaintext credentials before they persist. The trend toward cut-and-paste system access has a direct impact on 1Password’s design choices, which are meant to avoid security tooling that creates friction.
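To make the output-side approach concrete, here is an added example (not 1Password’s or Corridor’s code) of a small scanner that catches credential literals in generated code and replaces them with an opaque vault handle before the file is written; the `vault_lookup` call it emits and the sample key are assumptions constructed for the example.

```python
import math
import re
import secrets

# Constructed, hypothetical scanner, not 1Password's or Corridor's code: it
# finds string literals assigned to credential-looking names in generated code
# and swaps them for an opaque vault reference before the file is persisted.

CRED_ASSIGNMENT = re.compile(
    r"(?P<name>[A-Za-z_]*(?:password|passwd|secret|api_key|apikey|token)[A-Za-z_]*)"
    r"\s*[:=]\s*(?P<quote>['\"])(?P<value>[^'\"]{8,})(?P=quote)",
    re.IGNORECASE,
)
PLACEHOLDERS = {"changeme", "password", "example", "your_key_here"}

def shannon_entropy(value: str) -> float:
    """Bits per character; generated keys score high, placeholders score low."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def looks_like_secret(value: str) -> bool:
    """Skip obvious placeholders, then fall back to an entropy threshold."""
    if value.startswith("<") or value.lower() in PLACEHOLDERS:
        return False
    return shannon_entropy(value) >= 3.0

def vault_plaintext_credentials(source: str, vault: dict) -> str:
    """Move credential literals into `vault`; return code that references them."""
    def _swap(match: re.Match) -> str:
        value = match.group("value")
        if not looks_like_secret(value):
            return match.group(0)                 # leave placeholders alone
        ref = f"vault://{secrets.token_hex(4)}"   # handle only, never the secret
        vault[ref] = value
        return f'{match.group("name")} = vault_lookup("{ref}")'  # hypothetical API
    return CRED_ASSIGNMENT.sub(_swap, source)

# Constructed sample of AI-generated code; the key is made up, not a real credential.
SAMPLE_CODE = (
    'api_key = "sk_live_9f8e7d6c5b4a3210ab"\n'
    'password = "changeme"\n'
)

if __name__ == "__main__":
    store = {}
    print(vault_plaintext_credentials(SAMPLE_CODE, store))
    print(store)
```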

"If it’s too hard to use, bootstrap, onboard, it won’t be secure because obviously people will bypass it and not use it," she said.

Why can’t you treat coding agents like traditional security scanners?

Another challenge in creating a feedback loop between security agents and coding models is false positives, to which eager-to-agree large language models are especially prone. A false positive from the security scanner can derail the entire coding session.

"If you say this is a flaw, it would be like, yes sir, this is a complete flaw!" Stamos said. But, he added, "You can’t mess up and have false positives, because if you tell it so and you’re wrong, you’ll completely ruin its ability to write correct code."

The tradeoff between precision and recall is structurally different from what traditional static analysis tools are designed to optimize, and it requires significant engineering to stay within the required latency budget of a few hundred milliseconds per scan.

Authentication is easy, but authorization is where things get difficult

"An agent typically has much more access to your environment than any other software," Spiros Xanthos, Founder and CEO of Resolve AI, said in the first session of the event. "So, it’s understandable why security teams are so concerned about this. Because if that attack vector is used, it could result in both a data breach, but worse, you might have something that the attacker could take action on."

So how do you give autonomous agents scoped, auditable, time-limited identities? Wang pointed to SPIFFE and SPIRE, workload identity standards developed for containerized environments, as candidates being tested in agentic contexts. But she admitted the fit is awkward.

"We’re forcing a square peg into a round hole," she said.

But authentication is only half of it. Once an agent has a credential, what exactly is it allowed to do? This is where the principle of least privilege should be applied to tasks rather than roles.

"You wouldn’t want to give a key card to an entire building to someone who has access to every room in the building," she explained. "You don’t want to give an agent the keys to the state, even an API key to do whatever it needs to do forever. It should be time bound and also tied to the work you want the agent to do."

In enterprise environments, providing scoped access will not be enough: organizations need to know which agent acted, under which authority, and with which credentials.
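The properties the last few paragraphs ask for, a credential that is time bound, tied to one task, and attributable to the agent and the person it acts for, can be shown end to end in a small issuer and policy check. This is an added example, not code from 1Password, Corridor, SPIFFE or OIDC; the HMAC token format, the signing key, the agent and principal names, and the resource paths are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example, not 1Password's, Corridor's or any standard's code: a
# delegated credential minted for one task, naming the human it acts for,
# limited to a few actions on a few resources, and expiring within minutes.
# Every decision is appended to an audit trail naming agent, authority,
# task and credential so "who acted under whose authority" is answerable.

SIGNING_KEY = b"issuer-key-constructed-for-this-example"  # held by the issuer only
AUDIT_LOG = []

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_task_credential(agent_id, on_behalf_of, task_id, scope, ttl_seconds, now=None):
    """Issue a token bound to one task; `scope` maps action -> list of resources."""
    now = time.time() if now is None else now
    claims = {"agent": agent_id, "authority": on_behalf_of, "task": task_id,
              "scope": scope, "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"

def authorize(token, action, resource, now=None):
    """Check signature, expiry and task scope; log the decision either way."""
    now = time.time() if now is None else now
    body_b64, sig_b64 = token.split(".")
    body = _unb64(body_b64)
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    claims = json.loads(body) if hmac.compare_digest(expected, _unb64(sig_b64)) else None
    if claims is None:
        reason = "bad_signature"
    elif now >= claims["exp"]:
        reason = "expired"                      # time-bound: no forever keys
    elif resource not in claims["scope"].get(action, []):
        reason = "out_of_scope"                 # tied to the task, not a role
    else:
        reason = "ok"
    AUDIT_LOG.append({"ts": now, "action": action, "resource": resource, "reason": reason,
                      "agent": claims and claims["agent"], "authority": claims and claims["authority"],
                      "task": claims and claims["task"],
                      "credential": hashlib.sha256(token.encode()).hexdigest()[:12]})
    return reason == "ok"
```

A request outside the task's scope, a request after expiry and a tampered token all fail closed, and each failure is still recorded with the agent, the authority and a fingerprint of the credential that was presented.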

Stamos pointed to OIDC extensions as the current leader in the standards conversation, dismissing the crop of proprietary solutions.

"There are 50 startups that believe their proprietary patented solution will be the winner," he said. "Well, none of these will win, so I wouldn’t recommend."

At one billion users, edge cases are no longer edge cases

On the consumer side, Stamos predicted that the identity problem will consolidate around a small number of trusted providers, most likely platforms that already handle consumer authentication. Drawing on his time as CISO at Facebook, where the team handled approximately 700,000 account takeovers per day, he reframed what an edge case means at that scale.

"When you’re the CISO of a company that has a billion users, a corner case is something that means real human harm," he explained. "And so identity, for ordinary people, for agents, is going to be a big problem going forward."

Ultimately, the challenges CTOs face on the agent side stem from incomplete standards for agent identity, makeshift tooling, and enterprises deploying agents faster than they can build the framework to control them. The way forward requires building identity infrastructure around what agents really are, not repurposing infrastructure that was designed for humans.
