OAuth Works for AI Agents, but Scaling Is Another Question

Kaczorowski, a respected technologist and founder of Oblique, a startup focused on self-serve access controls, recently wrote about OAuth and AI agents.

Maya Kaczorowski had started getting questions about AI identity and AI agent identity from people who did not have a primary place in the security industry.

“And it was very interesting because I just spent the past several months before that talking to a lot of CISOs and security leaders about the top pain points that they have, and this is not something that they were bringing up,” Kaczorowski said on the latest episode of The New Stack Makers.

Concern about AI identity came from people outside of the security industry. She concluded that OAuth, the open standard for giving users access to applications without revealing their passwords, served the purpose of authentication.

And yes, that’s Kaczorowski’s conclusion. She’s a noted technologist in the developer community; she recently wrote about OAuth and AI agents, which caught our attention. Kaczorowski founded a new startup called Oblique, which lets teams use self-serve access controls to automatically update access as projects change. The concept is to help IT quell those endless tickets.

OAuth can help address AI agent identity concerns often related to working with a service like Claude or ChatGPT, Kaczorowski said. When developers use agents to explore a topic more deeply, they usually consider the AI agent an extension of themselves. The developer wants to give the user a subset of permissions.

“I want to give it access to some of my data and some of my capabilities in order to let it do its job,” Kaczorowski said. “And this is exactly what OAuth is supposed to do.”

AI Agents and Scaling Issues

The issues that come to the fore with AI agents are immense. There are all sorts of edge cases to consider, such as how desktop apps for AI agents work versus how a Software as a Service application works. There are new companies like AuthZed that take different approaches to authentication with AI agents for customer identity and access management.

“I don’t know that we’re going to need something significantly different for AI agents in terms of how we manage those authorizations,” Kaczorowski said. “What might be different is the scale and speed at which we need those things to be true, and whether the right model is something like relational-based access control, whether it’s something more traditional, like ABAC or RBAC.

“I think it is very much up in the air. And until [we have] the implementation details of what will make sense, the scale is going to be a scale that we haven’t dealt with before in a lot of these environments.”

What kind of scale are we talking about?

“How many numbers of users do we have in the world?” Kaczorowski said. “How many number of computers do we have? Then, if you think about how quickly these numbers get large? Users to computers, computers to VMs, VMs to containers, containers to functions, functions to LLMs. You’re talking about exponential growth.

“And the number of things that you need to support authorization for users. It would not shock me that a very small organization ends up having 500,000 agents. Whatever solutions do well in this space will need to really support that scale.”

For the full interview with Kaczorowski, please check out this latest version of The New Stack Makers.

The post OAuth Works for AI Agents, but Scaling Is Another Question appeared first on The New Stack.