
Who Governs Your AI Agents? Identity, Offboarding & Open Standards
Show notes
Are overprivileged AI agents the biggest emerging threat in cybersecurity? In a recent high-profile attack, a vibe-coding company had its entire source code stolen because an attacker exploited a long-lived, overprivileged token tied to a third-party AI agent.
In this episode, Ashish sits down with Ely Kahn, CPO at Okta, to unpack the challenge of managing Non-Human Identities (NHI) in the AI era. Ely explains why traditional, static human permissions completely break down when applied to autonomous agents. To solve this, Okta has spearheaded Cross-App Access (XAA), an extension of OAuth that uses an Identity Assertion Grant (ID JAG). This open protocol, backed by 25+ partners including Anthropic, securely passes the baton between apps without annoying consent pop-ups or dangerous static API keys.
We also explore the four maturity levels of agent authorization, ranging from broad API keys to the ultimate "North Star" of intent-based security. Learn the difference between SPIFFE (for internal cryptographic identity) and XAA (for downstream resource authorization), how the Linux Foundation is building an Agent Domain System, and why every CISO needs an immediate "kill switch" for rogue AI agents.
Guest Socials - Ely's LinkedIn
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
If you are interested in AI Security, you can check out our sister podcast - AI Security Podcast
Questions asked:
(00:00) Introduction
(02:50) Ely Kahn's Background: From DHS to Okta CPO
(04:00) Why AI Agent Identity is Different from Human IAM
(06:30) The Danger of Overprivileged Tokens: A Source Code Breach Case Study
(08:30) Introducing Cross-App Access (XAA) and ID JAG
(11:00) Agent Identities: Acting on Behalf of a User vs. Autonomous Scopes
(13:00) SPIFFE vs. XAA: Workload Identity vs. Resource Authorization
(14:30) The Linux Foundation's Agent Domain System for Cross-Company Passports
(18:00) Assuming Breach: Why Prompt Injection Makes Identity the Highest ROI Security Action
(19:30) The 4 Maturity Levels of AI Agent Authorization
(21:00) Intent-Based Security and Zero Standing Privilege
(23:00) How to Offboard AI Agents and Manage Identity Governance (IGA)
(27:00) The 3 Governance Questions Every CISO Must Answer
(28:50) Implementing a Universal Kill Switch for Rogue Agents
Resources spoken about during the episode:
Learn more about how Okta and XAA are setting the new security standard for the AI era