<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Identity on RockB</title><link>https://baeseokjae.github.io/tags/identity/</link><description>Recent content in Identity on RockB</description><image><title>RockB</title><url>https://baeseokjae.github.io/images/og-default.png</url><link>https://baeseokjae.github.io/images/og-default.png</link></image><generator>Hugo</generator><language>en-us</language><lastBuildDate>Mon, 13 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://baeseokjae.github.io/tags/identity/index.xml" rel="self" type="application/rss+xml"/><item><title>AI Agent Identity Framework: Teleport's Production Security Blueprint</title><link>https://baeseokjae.github.io/posts/ai-agent-identity-framework-guide-2026/</link><pubDate>Mon, 13 Apr 2026 12:00:00 +0000</pubDate><guid>https://baeseokjae.github.io/posts/ai-agent-identity-framework-guide-2026/</guid><description>A practical AI agent identity framework for production teams using Teleport Beams, Delegated Identity, LLM Proxy, and zero trust access.</description><content:encoded><![CDATA[<p>Production AI agents should not run on borrowed human tokens, static API keys, or broad service accounts. A useful AI agent identity framework gives every agent a short-lived identity, task-scoped authority, isolated runtime, model access controls, and an audit trail that connects prompts to infrastructure actions.</p>
<p>I have found that most agent security discussions start too late. They inspect logs after the agent has already called a tool, touched a database, or opened a production shell. That is not enough once agents move from Slack demos into deployment workflows, incident response, data analysis, or infrastructure automation.</p>
<p>Teleport&rsquo;s Agentic Identity Framework is interesting because it treats identity as the control plane for agents. The January 27, 2026 framework announcement was not just another &ldquo;secure AI&rdquo; positioning exercise. It made a concrete claim: autonomous and semi-autonomous agents need first-class cryptographic identities, ephemeral credentials, scoped delegation, runtime containment, and tamper-resistant audit. Teleport then made that more tangible with Beams on March 19, 2026, followed by Delegated Identity and LLM Proxy in the Beams public beta on June 16, 2026.</p>
<p>The practical takeaway is not &ldquo;buy one product and stop thinking.&rdquo; The useful part is the blueprint. Even if you use Microsoft Entra Agent ID for governance, Google Cloud IAM for cloud-native agents, Cloudflare for token hygiene, or SPIFFE/SPIRE in Kubernetes, the same production questions keep coming back: who is this agent, who delegated authority to it, what can it reach, what instructions did it receive, where did it run, and can we prove what happened?</p>
<h2 id="why-does-the-old-service-account-pattern-break-for-ai-agents">Why does the old service-account pattern break for AI agents?</h2>
<p>The old pattern is familiar: create a service account, put an API token in a secret manager, inject it into a job, and rely on logs if something breaks. That works tolerably for deterministic software with a narrow call graph. It breaks down for AI agents because the call graph is partly created at runtime.</p>
<p>When building internal automation around LLM tool calling, I ran into this exact problem. The agent did not just call <code>get_ticket()</code> and <code>summarize_ticket()</code>. It discovered tools, retried operations, chose between data sources, and sometimes asked for broader context than expected. The security question changed from &ldquo;does this service need the token?&rdquo; to &ldquo;does this agent need this authority for this task, after this instruction, in this runtime, right now?&rdquo;</p>
<p>Shared service accounts blur the evidence chain. If three agents and two cron jobs all use <code>prod-automation@company</code>, a later audit can tell you that the account changed something, but not which agent was acting under whose authority. Human tokens are worse. They make the agent look like the operator, which breaks least privilege and makes incident response awkward. Static secrets add another failure mode: once the token lands in a runtime, prompt logs, tool output, or a compromised dependency can leak it.</p>
<p>Cloudflare cited GitGuardian data that more than 28 million secrets were published to public GitHub repositories in 2025, with AI making leaks happen faster. That matches what I see in practice: LLM-assisted workflows increase the amount of generated glue code, config, and copied examples. If your agent security model depends on developers never pasting a token into the wrong place, the model is already fragile.</p>
<p>For related background on tool boundaries, see <a href="/posts/mcp-security-for-production-ai-agents/">MCP security for production AI agents</a> and <a href="/posts/llm-gateway-patterns-for-platform-teams/">LLM gateway patterns for platform teams</a>. The identity layer sits underneath both.</p>
<h2 id="what-is-teleports-core-claim-about-agent-identity">What is Teleport&rsquo;s core claim about agent identity?</h2>
<p>Teleport&rsquo;s core claim is that agent identity should be first-class, cryptographic, short-lived, and tied to infrastructure access. An agent should not impersonate a person. It should not borrow a general-purpose machine credential. It should have its own identity, and that identity should be constrained by delegated task authority.</p>
<p>That sounds obvious until you map it onto a real production workflow:</p>
<ol>
<li>A human operator asks an agent to investigate a failed deployment.</li>
<li>The agent receives a delegated task with a narrow time window.</li>
<li>The agent runs inside an isolated Beam runtime.</li>
<li>The agent sends model traffic through Teleport LLM Proxy.</li>
<li>The agent calls approved MCP servers or infrastructure tools.</li>
<li>The agent accesses only registered resources allowed by policy.</li>
<li>The audit log records the delegation, prompts, model responses, tool calls, access decisions, and runtime termination.</li>
</ol>
<p>The key difference is that identity is not just a record in an admin console. It becomes the enforcement point for model access, tool access, network access, and infrastructure access.</p>
<p>Teleport&rsquo;s survey of more than 200 infrastructure leaders found that 69% believed widespread AI adoption would require significant identity management changes, while only 2% disagreed. I would not over-read a vendor survey, but the direction is consistent with what platform teams are already discovering. Agents are non-human identities with unusual behavior: they are dynamic like users, automated like workloads, and often privileged like operators.</p>
<h2 id="what-are-the-five-layers-of-a-production-ai-agent-identity-framework">What are the five layers of a production AI agent identity framework?</h2>
<p>The framework I would use with a platform team has five layers: identity, delegated access, inference control, runtime isolation, and audit. Teleport&rsquo;s blueprint maps cleanly onto those layers, but the model is useful even outside Teleport.</p>
<table>
  <thead>
      <tr>
          <th>Layer</th>
          <th>Production question</th>
          <th>Teleport implementation</th>
          <th>Failure it reduces</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Identity</td>
          <td>Who or what is this agent?</td>
          <td>First-class cryptographic identity, short-lived credentials, workload identity patterns</td>
          <td>Shared accounts, stale tokens, weak attribution</td>
      </tr>
      <tr>
          <td>Access</td>
          <td>What authority does it have for this task?</td>
          <td>Delegated Identity, per-Beam allow lists, zero trust policy</td>
          <td>Overbroad service accounts, privilege drift</td>
      </tr>
      <tr>
          <td>Inference control</td>
          <td>What instructions are shaping its actions?</td>
          <td>LLM Proxy inspecting requests and responses</td>
          <td>Prompt injection, invisible model traffic</td>
      </tr>
      <tr>
          <td>Runtime isolation</td>
          <td>Where does the agent execute?</td>
          <td>Beams running in isolated Firecracker VMs</td>
          <td>Secret theft, filesystem bleed, network sprawl</td>
      </tr>
      <tr>
          <td>Audit</td>
          <td>Can we reconstruct the action chain?</td>
          <td>Teleport audit log from lifecycle to resource access</td>
          <td>Unprovable incidents, compliance gaps</td>
      </tr>
  </tbody>
</table>
<p>The important engineering choice is to enforce these layers inline. After-the-fact monitoring helps with detection, but it does not stop an agent from using an overpowered token at 2:00 a.m.</p>
<h2 id="how-should-each-agent-get-a-first-class-cryptographic-identity">How should each agent get a first-class cryptographic identity?</h2>
<p>Each production agent should have its own identity, not just a label in a YAML file. In practice, that means the runtime can prove who it is using short-lived credentials, preferably bound to workload attestation rather than copied into an environment variable.</p>
<p>For infrastructure teams, this often means X.509-style workload identity, SPIFFE IDs, or a vendor-managed equivalent. A useful identity shape looks like this:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>spiffe://example.com/agents/deploy-auditor/prod
</span></span></code></pre></div><p>That identity can be mapped to policy:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">agent</span>:
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">id</span>: <span style="color:#ae81ff">spiffe://example.com/agents/deploy-auditor/prod</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">environment</span>: <span style="color:#ae81ff">production</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">allowed_tools</span>:
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">read_deployment_status</span>
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">read_kubernetes_events</span>
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">read_ci_logs</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">denied_tools</span>:
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">kubectl_exec</span>
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">rotate_database_credentials</span>
</span></span></code></pre></div><p>The exact syntax depends on your stack, but the principle matters more than the file format. The agent identity should be separate from the user identity, the cloud service account, and the model provider key. That separation lets you answer three different audit questions:</p>
<ul>
<li>Which human or system delegated the task?</li>
<li>Which agent executed the task?</li>
<li>Which infrastructure identity was used for each resource access?</li>
</ul>
<p>Google Cloud&rsquo;s Agent Identity guidance points in the same direction by recommending per-agent identities instead of shared service accounts. Red Hat&rsquo;s emerging pattern uses SPIFFE for workload identity, RFC 8693 token exchange for delegation, and Kagenti for lifecycle and policy binding. Microsoft Entra Agent ID focuses more on enterprise identity governance, lifecycle, sponsorship, Conditional Access, and managed agent identity workflows.</p>
<p>Teleport&rsquo;s differentiator is that the same identity story is connected to production infrastructure access. That matters when the agent needs to reach databases, Kubernetes clusters, SSH hosts, cloud APIs, and internal services across environments.</p>
<h2 id="how-does-delegated-identity-change-least-privilege">How does Delegated Identity change least privilege?</h2>
<p>Delegated Identity is the most useful idea in Teleport&rsquo;s framework because it matches how real agent work is assigned. A human or parent agent grants an agent authority for a specific task, not broad standing access.</p>
<p>In practice, I would model effective permission as an intersection:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>effective_agent_access =
</span></span><span style="display:flex;"><span>  human_delegate_scope
</span></span><span style="display:flex;"><span>  ∩ agent_policy_scope
</span></span><span style="display:flex;"><span>  ∩ task_scope
</span></span><span style="display:flex;"><span>  ∩ environment_scope
</span></span><span style="display:flex;"><span>  ∩ runtime_allow_list
</span></span></code></pre></div><p>If any one of those scopes does not allow the action, the action should fail. This is the difference between &ldquo;the agent has a production token&rdquo; and &ldquo;the agent can read deployment state for service A for the next 30 minutes because Alice delegated incident triage.&rdquo;</p>
<p>Here is a concrete example:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">delegation</span>:
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">delegated_by</span>: <span style="color:#ae81ff">alice@example.com</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">agent</span>: <span style="color:#ae81ff">deploy-auditor</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">task</span>: <span style="color:#ae81ff">investigate-checkout-api-deploy</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">expires_in</span>: <span style="color:#ae81ff">30m</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">allowed_resources</span>:
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">k8s:prod:namespace/checkout</span>
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">ci:github-actions:repo/checkout-api</span>
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">logs:datadog:service/checkout-api</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">allowed_actions</span>:
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">read</span>
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">summarize</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">requires_approval</span>:
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">rollback</span>
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">exec</span>
</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">credential_rotation</span>
</span></span></code></pre></div><p>This is also where MCP security becomes practical. An MCP server is not safe just because it exposes a nice tool schema. The policy needs to decide which agent can call which tool, under whose delegation, with which arguments, against which environment. A read-only incident assistant and a deployment remediation agent should not share the same MCP permissions.</p>
<p>Cloudflare&rsquo;s Principal, Credential, and Policy framing is useful here. Their scannable token formats, OAuth visibility, resource-scoped RBAC, and automatic revocation help with token lifecycle and non-human identity hygiene. Teleport goes further on the infrastructure side by making delegated authority part of the agent runtime and access path.</p>
<h2 id="why-is-llm-proxy-different-from-a-generic-llm-gateway">Why is LLM Proxy different from a generic LLM gateway?</h2>
<p>Generic LLM gateways usually start with routing, cost control, provider abstraction, rate limits, and prompt logging. Those are useful. They are not the same as identity-aware enforcement.</p>
<p>Teleport&rsquo;s LLM Proxy sits between an agent and its inference endpoint, inspects every request and response, applies per-Beam allow lists, and writes activity into Teleport&rsquo;s audit log. The important part is the linkage: model traffic is connected to agent identity, task delegation, runtime, and downstream infrastructure access.</p>
<p>That linkage changes the control surface. For example, a gateway can say:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>model request from beam-123 used gpt-4.1-mini and cost $0.02
</span></span></code></pre></div><p>An identity-aware proxy should help answer:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>deploy-auditor received this prompt during task T,
</span></span><span style="display:flex;"><span>under delegation D,
</span></span><span style="display:flex;"><span>got this model response,
</span></span><span style="display:flex;"><span>then requested tool X,
</span></span><span style="display:flex;"><span>then accessed resource Y,
</span></span><span style="display:flex;"><span>and policy allowed or denied it for reason Z.
</span></span></code></pre></div><p>That is the evidence chain security teams need during incident response. If a prompt injection tells the agent to ignore previous instructions and dump environment variables, the proxy is one place to detect and block dangerous instruction patterns before tool execution. It should not be the only control, because prompt screening is imperfect, but it is valuable when combined with tool policy and runtime isolation.</p>
<p>I would still keep standard gateway controls: model allow lists, token budgets, provider failover rules, rate limits, data loss prevention checks, and redaction. The trade-off is latency and operational complexity. Every inline control adds another component that can fail or slow down the agent. For production infrastructure agents, I usually accept that cost for high-risk workflows and keep lighter controls for low-risk summarization or documentation tasks.</p>
<h2 id="what-role-do-beams-and-firecracker-vms-play">What role do Beams and Firecracker VMs play?</h2>
<p>Teleport Beams turn agent execution into a controlled runtime problem. Each Beam runs in an isolated Firecracker VM with filesystem and network isolation, built-in identity, infrastructure connectivity without secrets, and audit from start to termination.</p>
<p>That is a stronger boundary than running a privileged agent in a long-lived container with broad network access. Containers are still useful, but they are not a complete security model by themselves. A high-risk agent should not be able to scan internal networks, read unrelated mounted secrets, or persist state after the task ends.</p>
<p>The runtime controls I would expect for production agents are:</p>
<ul>
<li>Ephemeral runtime per task or session.</li>
<li>No long-lived secrets injected into the filesystem.</li>
<li>Outbound network allow lists.</li>
<li>Separate identities per agent and environment.</li>
<li>Resource access through registered services, not raw network reachability.</li>
<li>Automatic cleanup when the task ends.</li>
<li>Full lifecycle logging.</li>
</ul>
<p>The trade-off is operational friction. Firecracker isolation is heavier than a local process. It may complicate debugging, dependency packaging, and cold starts. For agents that only summarize public documents, that overhead may be excessive. For agents that can inspect production databases, trigger deployments, or touch cloud APIs, the isolation is exactly where I would spend complexity.</p>
<h2 id="what-should-an-audit-trail-prove">What should an audit trail prove?</h2>
<p>An agent audit trail should prove more than &ldquo;a request happened.&rdquo; It should reconstruct the chain from delegation to action.</p>
<p>For every meaningful action, I want to answer:</p>
<ul>
<li>Who or what created the task?</li>
<li>Which human, workflow, or parent agent delegated authority?</li>
<li>Which agent identity executed the task?</li>
<li>Which runtime hosted the agent?</li>
<li>Which prompt and model response preceded the tool call?</li>
<li>Which MCP tool, API, shell command, or database operation was requested?</li>
<li>Which policy allowed or denied the action?</li>
<li>Which resource changed?</li>
<li>When did the runtime terminate?</li>
</ul>
<p>This is where Teleport&rsquo;s infrastructure background matters. Audit logs are already central to SSH, Kubernetes, database, and cloud access. Extending that pattern to agents is more convincing than treating agent telemetry as a separate observability stream that security teams have to stitch together later.</p>
<p>For more on the workload identity side of this problem, see <a href="/posts/spiffe-workload-identity-platform-engineers/">SPIFFE and workload identity for platform engineers</a>.</p>
<h2 id="how-does-teleport-compare-with-cloudflare-microsoft-google-and-red-hat">How does Teleport compare with Cloudflare, Microsoft, Google, and Red Hat?</h2>
<p>No single vendor owns the whole agent identity problem. The better question is where each approach is strongest.</p>
<table>
  <thead>
      <tr>
          <th>Approach</th>
          <th>Strong fit</th>
          <th>Main limitation</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Teleport Agentic Identity Framework</td>
          <td>Production infrastructure agents that need delegated access, runtime isolation, LLM Proxy controls, and audit across cloud and on-prem resources</td>
          <td>Best fit is infrastructure workflows; broader app governance and model governance still need integration</td>
      </tr>
      <tr>
          <td>Cloudflare non-human identity controls</td>
          <td>Token scanning, OAuth visibility, scoped permissions, DLP, and AI traffic hygiene</td>
          <td>Less focused on isolated agent runtimes and delegated infrastructure identity end to end</td>
      </tr>
      <tr>
          <td>Microsoft Entra Agent ID</td>
          <td>Enterprise identity governance, lifecycle workflows, Conditional Access, sponsorship, and Microsoft ecosystem integration</td>
          <td>Strongest inside Microsoft environments; runtime containment and cross-cloud access require more architecture</td>
      </tr>
      <tr>
          <td>Google Cloud Agent Identity</td>
          <td>Per-agent IAM and service access boundaries for Google Cloud workloads</td>
          <td>Excellent for Google Cloud estates, less complete as a cross-cloud or on-prem blueprint</td>
      </tr>
      <tr>
          <td>Red Hat Kagenti / SPIFFE pattern</td>
          <td>Open-source architecture using SPIFFE, token exchange, and Kubernetes or OpenShift policy binding</td>
          <td>More assembly required; operations maturity matters</td>
      </tr>
      <tr>
          <td>Credential brokers</td>
          <td>Short-lived token minting and reduced direct exposure to secrets</td>
          <td>Does not solve instruction-time control, runtime isolation, or full action audit by itself</td>
      </tr>
  </tbody>
</table>
<p>In practice, many large teams will combine these. For example, Entra may remain the enterprise governance layer, Teleport may control infrastructure access, Cloudflare may handle token scanning and edge policy, and SPIFFE may identify Kubernetes workloads. The risk is duplicate policy with inconsistent answers. The design goal should be one clear decision path for each action, not five dashboards that all know part of the story.</p>
<h2 id="what-reference-architecture-should-platform-teams-start-with">What reference architecture should platform teams start with?</h2>
<p>A practical starting architecture looks like this:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>Human operator
</span></span><span style="display:flex;"><span>  -&gt; delegates task with scope and expiry
</span></span><span style="display:flex;"><span>  -&gt; agent starts in isolated Beam runtime
</span></span><span style="display:flex;"><span>  -&gt; runtime receives short-lived agent identity
</span></span><span style="display:flex;"><span>  -&gt; model traffic passes through LLM Proxy
</span></span><span style="display:flex;"><span>  -&gt; MCP/tool calls are checked against task policy
</span></span><span style="display:flex;"><span>  -&gt; infrastructure access goes through zero trust controls
</span></span><span style="display:flex;"><span>  -&gt; audit log links delegation, prompt, tool call, resource action
</span></span><span style="display:flex;"><span>  -&gt; runtime terminates and credentials expire
</span></span></code></pre></div><p>The first implementation does not need every possible control. I would start with one high-risk workflow, such as production incident investigation. Make the agent read-only. Give it access to logs, deployment metadata, Kubernetes events, and CI output. Deny shell execution, rollback, credential rotation, and cross-environment data movement unless a human approves the step.</p>
<p>Then test the uncomfortable cases:</p>
<ul>
<li>Can the agent access a namespace outside the delegated task?</li>
<li>Can prompt injection convince it to call a denied tool?</li>
<li>Can it reach an unapproved model endpoint?</li>
<li>Can it exfiltrate secrets through model output?</li>
<li>Can it keep working after the delegation expires?</li>
<li>Can an auditor reconstruct the whole session without asking the developer who built it?</li>
</ul>
<p>If the answer to any of those is unclear, the architecture is not production-ready yet.</p>
<h2 id="what-implementation-checklist-should-teams-use">What implementation checklist should teams use?</h2>
<p>Start with inventory. List agents, owners, model endpoints, MCP servers, tools, cloud APIs, databases, queues, CI systems, and internal services. Most teams underestimate how many unofficial agents already exist in scripts, notebooks, IDE extensions, and support workflows.</p>
<p>Then move through the controls in order:</p>
<ol>
<li>Replace shared accounts and embedded API keys with per-agent identity.</li>
<li>Use short-lived credentials with no standing privilege.</li>
<li>Define who can delegate authority, for what task, for how long.</li>
<li>Enforce least privilege at tool, MCP, network, database, cloud API, and model endpoint boundaries.</li>
<li>Put an identity-aware proxy or gateway in front of model traffic.</li>
<li>Run high-risk agents in isolated, ephemeral runtimes.</li>
<li>Add human approval for destructive actions, privilege escalation, production changes, and cross-environment data movement.</li>
<li>Log delegation, prompts, responses, tool calls, policy decisions, resource access, and runtime lifecycle events.</li>
<li>Review stale identities, shadow MCP servers, leaked credentials, and anomalous behavior.</li>
</ol>
<p>The sequencing matters. If you start with a beautiful audit dashboard while agents still use broad static tokens, you have observability but not control. If you start with isolated runtimes but no delegated authorization, you have containment but not least privilege.</p>
<h2 id="what-failure-modes-should-be-designed-out-early">What failure modes should be designed out early?</h2>
<p>Prompt injection is the obvious one, but it is not the only one. An attacker does not need to &ldquo;jailbreak&rdquo; a model if the agent already has a powerful token and a permissive tool surface.</p>
<p>The failure modes I would prioritize are:</p>
<table>
  <thead>
      <tr>
          <th>Failure mode</th>
          <th>Example</th>
          <th>Mitigation</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Credential theft</td>
          <td>Agent reads <code>.env</code> or logs a provider key</td>
          <td>No injected long-lived secrets, short-lived identity, output scanning</td>
      </tr>
      <tr>
          <td>Overbroad delegation</td>
          <td>Read-only triage agent can trigger rollback</td>
          <td>Permission intersection, approval gates, denied actions</td>
      </tr>
      <tr>
          <td>Shadow MCP</td>
          <td>Developer adds an unreviewed MCP server with filesystem access</td>
          <td>MCP registry, signed configs, per-agent tool allow lists</td>
      </tr>
      <tr>
          <td>Prompt injection</td>
          <td>Ticket text tells agent to exfiltrate secrets</td>
          <td>LLM Proxy, tool policy, argument validation, runtime isolation</td>
      </tr>
      <tr>
          <td>Agent-to-agent privilege drift</td>
          <td>Parent agent delegates more authority than intended</td>
          <td>Delegation policy, max scopes, expiry, audit alerts</td>
      </tr>
      <tr>
          <td>Invisible model traffic</td>
          <td>Agent calls an unapproved inference endpoint</td>
          <td>Egress allow lists, model endpoint allow lists, proxy enforcement</td>
      </tr>
  </tbody>
</table>
<p>I&rsquo;ve found that the best design reviews ask boring questions repeatedly: where is the credential, who can grant access, what denies the action, and where is the audit record? If the team cannot answer those questions with specific configs, the agent is still a prototype.</p>
<h2 id="when-is-teleports-blueprint-the-right-fit">When is Teleport&rsquo;s blueprint the right fit?</h2>
<p>Teleport&rsquo;s blueprint is strongest when agents need production infrastructure access: SSH, Kubernetes, databases, internal services, CI/CD, cloud APIs, or multi-environment operational workflows. It is also a good fit when security teams already care about zero trust access, short-lived credentials, session audit, and privileged access management.</p>
<p>It may be more than you need for low-risk content generation, offline analysis, or agents that only operate on synthetic data. In those cases, a lighter model gateway plus scoped application credentials may be enough. The trade-off is future migration. Agents tend to grow from &ldquo;summarize this&rdquo; to &ldquo;take action on this&rdquo; faster than governance processes expect.</p>
<p>My default recommendation is simple: if an agent can change production state, read sensitive data, execute tools, or influence another system that can do those things, give it a real identity and a bounded runtime. Teleport&rsquo;s Agentic Identity Framework gives a concrete version of that model: first-class identity, delegated authority, LLM Proxy enforcement, Firecracker-backed isolation through Beams, and audit that follows the agent from prompt to action.</p>
<h2 id="faq">FAQ</h2>
<h3 id="what-is-an-ai-agent-identity-framework">What is an AI agent identity framework?</h3>
<p>An AI agent identity framework is a security model that gives each agent its own identity, scoped authority, runtime boundary, model access controls, and audit trail. The goal is to stop treating agents like scripts with API keys and start treating them like managed non-human identities.</p>
<h3 id="how-is-teleports-agentic-identity-framework-different-from-normal-iam">How is Teleport&rsquo;s Agentic Identity Framework different from normal IAM?</h3>
<p>Normal IAM usually governs users, service accounts, and workloads. Teleport&rsquo;s framework focuses on agents that receive dynamic instructions, delegate work, call tools, and access production infrastructure. It connects identity to task delegation, LLM traffic, runtime isolation, and infrastructure audit.</p>
<h3 id="is-llm-proxy-the-same-as-an-llm-gateway">Is LLM Proxy the same as an LLM gateway?</h3>
<p>Not exactly. A generic LLM gateway often handles routing, spend, provider abstraction, and prompt logging. Teleport&rsquo;s LLM Proxy is positioned as identity-aware enforcement tied to Beams, delegated authority, inference endpoints, and Teleport&rsquo;s audit log.</p>
<h3 id="do-ai-agents-need-isolated-runtimes">Do AI agents need isolated runtimes?</h3>
<p>High-risk agents do. If an agent can reach production systems, sensitive data, or privileged tools, runtime isolation limits filesystem access, network reachability, credential exposure, and persistence after the task ends. For low-risk agents, the overhead may not be justified.</p>
<h3 id="should-every-agent-have-its-own-identity">Should every agent have its own identity?</h3>
<p>Yes for production use. Shared accounts make attribution weak and least privilege difficult. Per-agent identity lets teams apply scoped policy, short-lived credentials, delegated authority, and audit records that show exactly which agent acted under which task.</p>
]]></content:encoded></item></channel></rss>