
Blog | 26 June 2026 | 4 min read

Your agents authenticate like it's 2015

Autonomous software now acts at machine speed on credentials designed for humans at human speed. That gap is the open problem of the agentic era.

Agents act, and hand authority to sub-agents, at machine speed — carrying bearer tokens that were designed for a human clicking a login button. A captured token stays valid. A delegated one can be replayed. The tool executing the call can't check the scope locally. None of this is exotic; it's the default. This is a problem post, not a product post.

A problem post, not a product post. This essay is about a gap we think the industry is underweighting, written at the level of the problem. It deliberately does not describe how any particular solution works under the hood. If the framing is useful to you, that's the point.

There is a quiet assumption buried in almost every authentication stack in production today: that on the other end of the credential is a human, or a service standing in for one, moving at something close to human speed. A person signs in. A service fetches a token and holds it for an hour. The whole machinery — bearer tokens, refresh flows, revocation lists, the identity provider you call to check scope — was shaped around that tempo.

Autonomous agents broke the assumption, and they broke it fast.

An agent does not sign in once and act for an hour. It acts hundreds of times a minute, each action a call to some tool or API, and increasingly it spawns sub-agents and hands them a slice of its authority to go do something on its behalf. The number of non-human identities in a typical enterprise now dwarfs the number of human ones, and the ratio is widening. We have pointed agentic software at our most consequential systems — code, money, infrastructure, customer data — and we are authorising it with credentials built for a person clicking a button in 2015.

Three things follow from that, and none of them are edge cases.

Stolen is still valid. A bearer token — an API key, an OAuth token, a JWT — works for whoever holds it until it expires or someone revokes it. That was an acceptable bargain when a token was minted occasionally and lived behind a server. It is a worse bargain when an agent is carrying one on every single tool call and leaking opportunities to capture it at machine scale. The credential does not know it has been stolen. It just keeps working.

Delegation can't be checked. When an agent passes authority down to a sub-agent, and that sub-agent to another, you get a chain of delegated permission that no identity-provider round trip can realistically follow in the moment. The delegated grant, once issued, is typically just another bearer token: inert paperwork that anyone holding it can exercise. The thing we most need to be sure of in an agentic system — did this actor actually have the right to do this, right now, narrowed to exactly this? — is the thing the current model is worst at answering.

The tool boundary is naked. The Model Context Protocol did something genuinely useful: it made agent-to-tool calls uniform. But uniform is not the same as authorised, and it is not the same as auditable. The scope that says what an agent is allowed to do usually lives on a server some distance from the tool that actually executes the call. At the moment of action, the tool often cannot check, locally and for itself, whether this specific call should be allowed. It just runs.
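
The first two points above, shown as an added example (not code from this post or from any product): a minimal HS256 JWT check in Python, using a constructed key and hypothetical agent and host names. It assumes the favourable case where the tool can verify the token itself; even then, the decision has no input that identifies who presented the token.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed signing key, for this example only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def mint(sub: str, scope: list, exp: float) -> str:
    """Issue an HS256 JWT, as a token issuer would."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "scope": scope, "exp": exp}).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{_b64(_sign(signing_input))}"

def verify(token: str, now: float):
    """All a bearer check can test: signature (always HS256 here) and expiry."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{head}.{body}"), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError):
        return None

def tool_call(presenter: str, token: str, action: str, now: float) -> bool:
    """Tool-side decision; `presenter` (the real sender) cannot be checked."""
    claims = verify(token, now)
    return claims is not None and action in claims["scope"]

def demo(now: float = 1_000_000.0) -> dict:
    agent = mint("agent-A", ["repo:read", "repo:write"], now + 3600)
    grant = mint("sub-agent-B", ["repo:read"], now + 600)  # narrowed delegation
    head, _, sig = agent.split(".")
    widened = _b64(json.dumps({"sub": "x", "scope": ["admin"], "exp": now + 3600}).encode())
    return {
        "holder": tool_call("agent-A", agent, "repo:write", now),
        "captured_copy": tool_call("unknown-host", agent, "repo:write", now + 3540),
        "grant_replayed": tool_call("unknown-host", grant, "repo:read", now + 60),
        "grant_write": tool_call("sub-agent-B", grant, "repo:write", now),
        "expired": tool_call("agent-A", agent, "repo:write", now + 3601),
        "forged_scope": tool_call("x", f"{head}.{widened}.{sig}", "admin", now),
    }
```

Integrity, expiry and scope narrowing all hold in this run; the two results that come back true for `unknown-host` are the gap the paragraphs describe.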

Sitting underneath all three is a regulatory shift that turns an engineering inconvenience into a compliance problem. The EU's AI Act, DORA, and NIS2 increasingly demand something the old model was never built to produce: a durable, trustworthy record of which autonomous actor did what, under whose authority, and when. Application logs — mutable, vendor-held, trust-me-it-happened — are not that record.

None of this is a knock on the tools that got us here. OAuth, JWT, mTLS, vault-based secrets: these were the right answers to the questions of the cloud-microservice era, and inside that envelope they still are. The point is narrower and, we think, harder to argue with: the envelope has moved. The principals are now ephemeral, high-frequency, and delegating, and they act without a human in the loop. The authentication model has not moved with them.

We find this gap interesting enough that we have spent a long time on it — on what authorisation should look like when the thing being authorised is an agent acting at machine speed, when the right to act needs to be scoped to a single action and not outlive it, and when the tool at the boundary should be able to decide for itself. We are not going to make product claims in a problem post. We will write more as there is more worth saying.

For now we will leave it at the observation, because the observation is the part most worth sitting with: the agents are already here, already acting, already delegating — and they are doing it on credentials that were built for a slower, more human world.

If that gap is one you are staring at too, we would genuinely like to compare notes.
