The authorization problem that could break enterprise AI
When an AI agent needs to log into your CRM, pull records from your database, and send an email on your behalf, whose identity is it using? And what happens when no one knows the answer? Alex Stamos, chief product officer at Corridor, and Nancy Wang, CTO at 1Password joined the VB AI Impact Salon Series to dig into the new identity framework challenges that come along with the benefits of agentic AI.
"At a high level, it’s not just who this agent belongs to or which organization this agent belongs to, but what is the authority under which this agent is acting, which then translates into authorization and access," Wang said.
How 1Password ended up at the center of the agent identity problem
Wang traced 1Password's path into this territory through its own product history. The company started as a consumer password manager, and its enterprise footprint grew organically as employees brought tools they already trusted into their workplaces.
"Once those people got used to the interface, and really enjoyed the security and privacy standards that we provide as guarantees for our customers, then they brought it into the enterprise," she said. The same dynamic is now happening with AI, she added. "Agents also have secrets, or passwords, just like humans do."
Internally, 1Password is navigating the same tension it helps customers manage: how to let engineers move fast without creating a security mess. Wang said the company actively tracks the ratio of incidents to AI-generated code as engineers use tools like Claude Code and Cursor. "That's a metric we track intently to make sure we're generating quality code."
How developers are incurring major security risks
Stamos said one of the most common behaviors Corridor observes is developers pasting credentials directly into prompts, which is a huge security risk. Corridor flags it and sends the developer back toward proper secrets management.
"The standard thing is you just go grab an API key or take your username and password and you just paste it into the prompt," he said. "We find this all the time because we're hooked in and grabbing the prompt."
Wang described 1Password's approach as working on the output side, scanning code as it is written and vaulting any plain text credentials before they persist. The tendency toward the cut-and-paste method of system access is a direct influence on 1Password's design choices, which is to avoid security tooling that creates friction.
"If it's too hard to use, to bootstrap, to get onboarded, it's not going to be secure because frankly people will just bypass it and not use it," she said.
Why you cannot treat a coding agent like a traditional security scanner
Another challenge in building feedback between security agents and coding models is false positives, which very friendly and agreeable large language models are prone toward. Unfortunately, these false positives from security scanners can derail an entire code session.
"If you tell it this is a flaw, it'll be like, yes sir, it's a total flaw!" Stamos said. But, he added, "You cannot screw up and have a false positive, because if you tell it that and you're wrong, you will completely ruin its ability to write correct code."
That tradeoff between precision and recall is structurally different from what traditional static analysis tools are designed to optimize for, and it has required significant engineering to get right at the latency required, on the order of a few hundred milliseconds per scan.
Authentication is easy, but authorization is where things get hard
"An agent typically has a lot more access than any other software in your environment," noted Spiros Xanthos, founder and CEO at Resolve AI, in an earlier session at the event. "So, it is understandable why security teams are very concerned about that. Because if that attack vector gets utilized, then it can both result in a data breach, but even worse, maybe you have something in there that can take action on behalf of an attacker."
So how do you give autonomous agents scoped, auditable, time-limited identities? Wang pointed to SPIFFE and SPIRE, workload identity standards developed for containerized environments, as candidates being tested in agentic contexts. But she acknowledged the fit is rough.
"We're kind of force-fitting a square peg into a round hole," she said.
But authentication is only half of it. Once an agent has a credential, what is it actually allowed to do? Here's where the principle of least privilege should be applied to tasks rather than roles.
"You wouldn't want to give a human a key card to an entire building that has access to every room in the building," she explained. "You also don't want to give an agent the keys to the kingdom, an API key to do whatever it needs to do forever. It needs to be time-bound and also bound to the task you want that agent to do."
In enterprise environments, it won’t be enough to grant scoped access, organizations will need to know which agent acted, under what authority, and what credentials were used.
Stamos pointed to OIDC extensions as the current frontrunner in standards conversations, while dismissing the crop of proprietary solutions.
"There are 50 startups that believe their proprietary patented solution will be the winner," he said. "None of those will win, by the way, so I would not recommend."
At a billion users, edge cases are not edge cases anymore
On the consumer side, Stamos predicted the identity problem will consolidate around a small number of trusted providers, most likely the platforms that already anchor consumer authentication. Drawing on his time as CISO at Facebook, where the team handled roughly 700,000 account takeovers per day, he reframed what scale does to the concept of an edge case.
"When you're the CISO of a company that has a billion users, corner case is something that means real human harm," he explained. "And so identity, for normal people, for agents, going forward is going to be a humongous problem."
Ultimately, the challenges CTOs face on the agent side stem from incomplete standards for agent identity, improvised tooling, and enterprises deploying agents faster than the frameworks meant to govern them can be written. The path forward requires building identity infrastructure from scratch around what agents actually are, not retrofitting what was built for the humans who created them.