The authorization problem that could break enterprise AI



When an AI agent needs to log into your CRM, pull records from your database, and send an email on your behalf, whose identity is it using? And what happens when no one knows the answer? Alex Stamos, Chief Product Officer at Corridor, and Nancy Wang, Chief Technology Officer at 1Password, joined the VB AI Impact Salon series to dig into the identity framework challenges that arrive alongside the benefits of agentic AI.

"At a high level, it’s not just about who this agent belongs to or what organization it belongs to, but what is the authority under which this agent is acting, which then translates into authorization and access," Wang said.

How 1Password ended up at the center of the agent identity problem

Wang traced 1Password’s path into this territory through the company’s own product story. It started as a consumer password manager, and its enterprise presence grew organically as employees brought tools they already trusted into their workplaces.

"Once those people got used to the interface and really enjoyed the security and privacy standards we offer as a guarantee for our customers, they brought it into the company," she said. The same dynamic is happening now with AI, she added. "Agents also have secrets or passwords, just like humans."

Internally, 1Password is working through the same tension it helps its customers manage: how to let engineers move quickly without creating a security problem. Wang said the company actively tracks the ratio of incidents to AI-generated code as engineers use tools like Claude Code and Cursor. "That’s a metric we track closely to make sure we’re generating quality code."

How developers are incurring major security risks

Stamos said one of the most common behaviors Corridor sees is developers pasting credentials directly into messages, which poses a serious security risk. Corridor flags the credential and routes the developer back to proper secrets management.

"The standard is to just take an API key or take your username and password and just paste them into the message," he said. "We find this all the time because we are hooked in and getting the message."

Wang described 1Password’s approach as working on the output side: scanning code as it is typed and catching any plaintext credentials before they are persisted. The pull toward cut-and-paste access directly shapes one of 1Password’s design principles, which is to avoid security tools that create friction.

"If it’s too hard to use, too hard to boot, too hard to incorporate, it won’t be secure because, frankly, people will just ignore it and not use it," she said.

Why you can’t treat a coding agent like a traditional security scanner

Another challenge in building the feedback loop between security tools and coding models is false positives, which eager-to-please large language models are prone to accept. A single false positive from a security scanner can derail an entire coding session.

"If you tell it this is a defect, it will say, yes sir, it is a total defect!" Stamos said. But, he added, "You can’t mess up and have a false positive, because if you tell it that and you’re wrong, you’ll completely ruin its ability to write correct code."

That balance between precision and recall is structurally different from what traditional static analysis tools are built for, and hitting the necessary latency, on the order of a few hundred milliseconds per scan, has required significant engineering.
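The two ideas above, catching plaintext credentials before a message or file is persisted and keeping false positives low enough that the finding is worth surfacing to a coding model, can be shown in one small scanner. The following is an added example, not code from 1Password or Corridor: it matches two well-known key formats exactly and applies a looser "name = value" rule that is filtered by a placeholder allowlist and a Shannon-entropy threshold. The sample message, the threshold value and the placeholder hints are constructed for illustration.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical pre-persistence scanner (added example). Exact patterns cover
# two well-known credential formats; the generic rule is deliberately loose
# and is filtered below so it does not flag obvious non-secrets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{12,})"
    ),
}

# Substrings that mark a syntactically secret-looking value as a placeholder.
PLACEHOLDER_HINTS = ("example", "placeholder", "your", "xxxx", "changeme", "redacted")

# Minimum bits of entropy per character for the generic rule to fire.
# Random keys typically score well above this; repeated or word-like text does not.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not value:
        return 0.0
    length = len(value)
    return -sum(
        (count / length) * math.log2(count / length)
        for count in (value.count(c) for c in set(value))
    )


@dataclass
class Finding:
    kind: str
    value: str
    line_no: int


def scan(text: str) -> Tuple[List[Finding], str]:
    """Scan text that is about to be persisted (a prompt, a file, a chat message).

    Returns the findings and a copy of the text with each finding replaced
    by a [REDACTED:<kind>] marker, so the persisted copy never holds the secret.
    """
    findings: List[Finding] = []
    redacted_lines: List[str] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(2) if kind == "generic_assignment" else match.group(0)
                if kind == "generic_assignment":
                    lowered = value.lower()
                    if any(hint in lowered for hint in PLACEHOLDER_HINTS):
                        continue  # obvious placeholder: not a real secret
                    if shannon_entropy(value) < ENTROPY_THRESHOLD:
                        continue  # repetitive or word-like value: likely benign
                findings.append(Finding(kind, value, line_no))
                line = line.replace(value, f"[REDACTED:{kind}]")
        redacted_lines.append(line)
    return findings, "\n".join(redacted_lines)


# Constructed sample of a developer's message to a coding assistant. The AWS
# value is the documentation example key; the others are made up.
SAMPLE_MESSAGE = """\
Can you fix the retry logic in this deploy script?
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
token = "q7Zp2mLx9vKw4nRt8bYc"
api_key = "your-api-key-here-12345"
password = "aaaaaaaaaaaaaaaa"
export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
"""

if __name__ == "__main__":
    found, cleaned = scan(SAMPLE_MESSAGE)
    for f in found:
        print(f"line {f.line_no}: {f.kind}")
    print(cleaned)
```

The placeholder and entropy filters are the precision knob: the two exact-format rules fire on structure alone, while the generic rule only fires on values that look random, which is what keeps a line like `password = "aaaaaaaaaaaaaaaa"` from being reported to the model as a defect.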

Authentication is easy, but authorization is where things get tricky

"An agent typically has much more access than any other software in its environment," noted Spiros Xanthos, founder and CEO of Resolve AI, in an earlier session at the event. "So it’s understandable why security teams are so concerned about this. Because if that attack vector is used, then it may result in a data breach, but even worse, maybe you have something in there that can take action on behalf of an attacker."

So how do you give autonomous agents scoped, auditable, time-limited identities? Wang pointed to SPIFFE and SPIRE, workload identity standards developed for containerized environments, as candidates being tested in agent contexts. But she acknowledged that the fit is awkward.

"We’re forcing a square peg into a round hole," she said.

But authentication is only half of it. Once an agent has a credential, what is it actually allowed to do? This is where the principle of least privilege should be applied to tasks rather than roles.

"You wouldn’t want to give a human a key card to an entire building that has access to every room in the building," she explained. "You also don’t want to give an agent the keys to the realm, an API key to do whatever needs to be done forever. It should be time-bound and also tied to the task you want that agent to perform."

In enterprise environments, granting scoped access alone will not be enough; organizations will also need to know which agent acted, under what authority, and with what credentials.
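To make the three requirements above concrete (least privilege tied to a task, a time-bound credential, and an audit record of which agent acted under whose authority with which credential), here is an added example that is not code from 1Password, Corridor or any of the standards named in the article. It uses an HMAC-signed token as a stand-in for an OIDC- or SPIFFE-style credential; the agent name, task id, scope strings and the in-memory audit log are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

# Hypothetical issuer key for this example. In a real deployment the signing
# key would live in a secrets manager, or the token would come from an
# OIDC/SPIFFE issuer; the HMAC token here just makes the claims concrete.
ISSUER_KEY = secrets.token_bytes(32)

# In-memory audit trail: one record per access decision (constructed for the example).
AUDIT_LOG: List[Dict] = []


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_task_credential(agent_id: str, acting_for: str, task_id: str,
                          scopes: set, ttl_seconds: int,
                          now: Optional[float] = None) -> str:
    """Mint a credential bound to one agent, one authority, one task, a fixed
    scope set and a short lifetime. Nothing here is an all-purpose API key."""
    now = time.time() if now is None else now
    claims = {
        "cid": secrets.token_hex(8),         # credential id, for audit correlation
        "agent": agent_id,                   # which agent acted
        "act": acting_for,                   # the authority under which it acts
        "task": task_id,                     # the task the credential is tied to
        "scope": sorted(scopes),             # least privilege: the only actions allowed
        "iat": int(now),
        "exp": int(now) + int(ttl_seconds),  # time-bound
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_credential(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(body)
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return None
    return claims


def authorize(token: str, action: str, now: Optional[float] = None) -> bool:
    """Decide whether the credential permits `action`, and record the decision
    together with the agent, its authority, its task and the credential id."""
    now = time.time() if now is None else now
    claims = verify_credential(token, now)
    allowed = claims is not None and action in claims["scope"]
    AUDIT_LOG.append({
        "ts": int(now),
        "action": action,
        "allowed": allowed,
        "cid": claims["cid"] if claims else None,
        "agent": claims["agent"] if claims else None,
        "authority": claims["act"] if claims else None,
        "task": claims["task"] if claims else None,
        "reason": "ok" if allowed else ("invalid_or_expired" if claims is None else "out_of_scope"),
    })
    return allowed


if __name__ == "__main__":
    tok = issue_task_credential("crm-sync-agent", "alice@example.com", "task-42",
                                {"crm:read"}, ttl_seconds=300)
    print("crm:read   ->", authorize(tok, "crm:read"))
    print("email:send ->", authorize(tok, "email:send"))
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

The credential answers the "what is it allowed to do" question by carrying its scope set, answers "for how long" with `exp`, and every decision, allowed or denied, lands in the audit log with the agent, the authority it acted under and the credential id, which is the trail an incident responder would need.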

Stamos pointed to OIDC extensions as the current frontrunners in standards conversations, while dismissing the crop of proprietary solutions.

"There are 50 startups that believe their patented solution will be the winner," he said. "By the way, none of them will win, so I wouldn’t recommend it."

With a billion users, extreme cases are no longer extreme

On the consumer side, Stamos predicted that the identity problem will consolidate around a small number of trusted providers, most likely the platforms that already anchor consumer authentication. Drawing on his time as CISO at Facebook, where the team handled approximately 700,000 account takeovers per day, he reflected on how scale changes what an edge case means.

"When you’re the CISO of a company that has a billion users, the corner case is something that means real human harm," he explained. "And so identity, for normal people, for agents, in the future will be a huge problem."

Ultimately, the challenges CTOs face on the agent side come from incomplete standards for agent identity, improvised tooling, and companies deploying agents faster than the frameworks meant to govern them can be written. The path forward requires building identity infrastructure from the ground up around what agents actually are, not retrofitting what was built for the humans who created them.
