#390 - Identity Management for Agentic AI with Tobin South

This is identity at the center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. OK, Jeff, how are you? Oh, not so bad yourself. Good. Guess what? I did something today that you could never do. I mean, there's so many things I can't do. Yeah, the first one is. It should be within your power. So I received my iPad today. OK. Couple hours ago and I have not opened the box yet. Well. I, I question all your priorities.

If you get a box, you open it. That's like, it doesn't matter what it is. Could be an iPad, it could be, you know, I think a Chapstick. You open the box when it comes in. I don't know how you just let it sit there. You're an animal, dude. Yeah, especially brand new technology so but I'm excited after the call I'm planning on cutting into it and playing for hours have. You ever had an iPad before? Is this your first iPad? This is my first iPad.

Wow. 2025 Congratulations. Yeah, and it's the latest and greatness, which is even more unlike me. Well, like, oh great, the iPhone 17 came out, it's time to get the 16. Well, yeah, I'm expecting to get text from you later, like, OK, how do I do this? How do I set this up? You know, 5:00, It's a cool little device. You know, with the exception of that stupid, stupid, stupid Apple commercial of that little girl saying, what's a computer like?

Very a very punchable face on that girl, unfortunately. Wow. Cut. Cut that out of the broadcast. Just so annoying. Maybe that's just me being old and decrepit, but you know this little, I don't know what she must have been like, what 1314 and she kind of has this hottie. What's a computer? You you know what a computer is. Boomer. Yeah, right. OK. What else we got? Yeah, hit me.

No, I'm excited for conferences, but I did want to throw in one of the thing which is kind of talked about what the later note question is. I'm really excited to jump in on that. That is like now we're getting to gym territory, something where I can actually add value. So I'm excited about that. And so for those who don't know, who never stuck around till the end, we always end every show with a later note. And it's just the idea that kind of humanizes Jeff and I and our guests.

And we picked topic that's not identity related and we talked about it for a couple of minutes. I think if you're not interested in that, go ahead and drop off. Can't wait to hear it. Feel free to Fast forward toward the end. Well, I mean, don't drop off hit, you know, just turn the volume down and go somewhere else, do something. But I call that like and. Subscribe right? Yeah, that's like, you know, that's a perfect opportunity to hit the like and subscribe

button. That's like meantime, like I like to have conversations about a whole bunch of different things and we usually try to pick something that's kind of fun and, you know, kind of joke around a little bit and maybe tease each other or find out something new, whatever. Maybe I could say right now I'm not going to be able to add any value to this later note. So I'm going to be relying on both you and our guests. Exactly, exactly.

I know it's not your in your wheelhouse, but I was going to bring up also, you know, by the time this episode drops, it'll be probably the week of Gardner. So we're already starting to think about the 2026 calendar. You know, in the US we've got like Denniverse, in Europe, we've got EIC. Now by saying in US and in Europe doesn't mean you have to live there to only go to those conferences. I actually highly recommend folks from Europe go to

Identiverse and vice versa. These folks from North America, US go to EIC usually learn so much, get so much new perspective. Yeah, We had a real good time. It was our first time going to Berlin earlier this year, 2025 as we record this and we know we're so excited to do it again. So we've kind of partnered up with Cooper, Dracole and Ian, the EIC folks. So we've got discount code. So look, I get it. Going across the pond, you know, at least for the US is sometimes pretty expensive.

So we've got codes on our website. So if you go to the IDAC podcast.com, just Scroll down, all of our active discounts are there, but you'll see one for EIC. So we've got 25% off ID, AC25, MKO. It's been a while since we read like a discount code for a while there. We had like 8 or 9 of them going once it was like, all right, we'll do an entire episode just reading codes. So now we just direct people, go to the website, codes are there.

We're looking forward to it. You and I are going to be there, Jim. And yeah, trying to, you know, recreate the magic of 2025 there. Yeah, it was fantastic. I mean, even if like obviously it was a great conference, but it was also great being in Berlin and going on like we went on that river dinner cruise the one night and got to kind of have the canal ride. I thought it was just so cool. It's like a memories for a lifetime. It was fun.

I think I sat there with Henrique and a couple other folks just kind of chatting. I, I didn't actually go outside the entire course. We were just sitting at a table just chatting about, you know, just that the other thing. So it was a fun time. It was good times. Looking forward to it. And I'm sure you'll, you'll weave in some, you know, some travel, you know, to other places. I have not yet figured out what I'm going to do yet, you know, outside of the trip to Berlin.

So. Well, you mentioned how it can be expensive for people from North America to go over to Europe and vice versa. I'm sure the biggest key I can say is book way ahead of time. I mean, you know, I got my round trip to Europe last year for about the price of a last minute booking domestic flight. So it can be done. Just book, you know, six to four months in advance if you can.

Yeah, or try to get your company to pay for it. That's the way to do it. Well, yeah, or both. Sure, Yeah, whatever you can get away with. All right, so let's get to our topic today. You've probably read the title already. It's identity management for agentic AI. We've got with us today Tobin S He's the Co chair of Open ID Foundation's AI Identity Management community group. So welcome to the show, Tobin. It is great to be here, thanks for having me. Thanks so much for taking the

time. I feel like it's kind of like a mouthful identity management for agentic AI, you know, dot, dot, dot, and there's so much probably more behind it. Let's start a little bit though, with kind of your background. So how did you get into this space of AI and identity? Take us through your origin story. Yeah, I, I do find myself nowadays swimming in a sea of acronyms and jargon that is kind of terrifying to confront. I I didn't intend to end up here.

I have always been someone who's really interested in in AI and that was the scope of what I was really interested to work on when I joined MIT for my PhD. And kind of the broad question

was how do we build more robust security and safeguards on AI? And this is before ChatGPT, before it kind of aid the world. And over the course of my PHDAI got better and better chat bots became a thing. And this idea of AI agents started popping up where these crazy, wacky ChatGPT language models were going to go and do things that interact with services. And it just become became remarkably apparent that access controls and identity was going to matter more and more as part of that.

And so I, I started shifting my research towards that direction. And ever since then, that has been everything that has consumed my mind for the last year or so is identity access management for agents, the future of robust consumer marketplaces for agents, as well as the kind of enterprise questions around how we deploy agents.

Did your definition of AI change the first time you kind of became cognizant of things like a large language model and you know, specifically like the generative AI component? Because I feel like it was AI before it was really like machine learning and sort of pattern matching, right, and things like that. And then I saw what opened up and I was like, Oh my gosh, that's AII want that. I'm curious if you felt the same or felt differently.

Even for folks who had seen language models before, small language models that would, you know, generate a couple tokens, generate a couple words, give you a poem. I do think the ChatGPT moment still changed a lot of minds. And even beyond there once tool calling anything when when language models could go and and write a Jason that could then query an API. I think that really changed the minds of a lot of people very quickly in space.

Yeah. Now we've got, you know, things like vibe coding and all kinds of different things that people are doing. Tell me what about your role with Open ID? So tell me about the AI Identity

Management Community group, which is not a working group. I know there's a very clear, you know, differentiation, but tell us about that role that you're serving on there. Yeah. So in, in January or February, we put out this paper on authenticated delegation and authorization and delegated authority is this topic that people have often cared about where, you know, maybe I want to delegate authority to, to an agent to, to like a human, human agent to a sub process that's constrained.

But with AI agents, this kind of blows up. We're going to have these chat bots that are non deterministic that can go out and do things for us. So we hosted a series of workshop at workshops at Stanford to get people talking about this and figure out what the future is. And it was clear there was just a a need for space for a community to talk more and more

about this. And so the Open ID Foundation put together a community group which I now Co chair, to host these discussions and figure out what we need to build to make a safe future with agents. So, Tobin, I wanted to ask you early. I wanted to go back out. It's happening too quickly for me to get my follow up question. But like you talked about that ChatGPT moment and I felt like it was when GPT 4 kind of came out.

Like that seemed to be where everybody's like eyes started to really open and you'd hear about it and you're like, oh, I've got to go out and check this out. It's like, whoa, can't believe a computer's actually doing this. I thought like it took an

instruction and it kind of like figured out how to spit out an answer. But this thing is much more so, Is that the moment for you? I think it was there's this idea

in AI of instruction training. So language models were just trained on spitting out text, not doing what you want them to do. You know, anyone who was a machine learning practitioner was constantly fighting against the idea that AI does what the data tells it, not what you want it to do. That was the whole art form of being a machine learning engineer. And instruction following changed that on its head.

It created AIS that could, you could give it a natural language instruction and it would go and do a thing. And kind of from that moment onwards, we've seen this slow trend towards it being better and better at doing what you want it to do, to the point where today you can tell it to do a thing and it might do it wrong, it might not use the right tools. It gets confused along the way.

And that's why a lot of people kind of have this skepticism about AI agents and they haven't had their ChatGPT moment yet maybe. But to me, it seems like a really smooth trend where we're just getting better and better at having an AI do what you want it to do, no matter what that magically entails. Yeah, I'm actually working on a project that I guess I'm getting into all the details, right?

It's like a chat agent or I feel like the term assistant is better, but let's say it's an agent that can have a

conversation with a person to figure out what training makes sense for them. And it understands all the rules of like, hey, you got to do these things, these are some required trainings, things like that. And it kind of where I really want to take it is it can get to the point where it says, OK, Tobin, these are some courses that you should take. Would you like me to go onto your calendar and set a reminder or would you like me to go and

register you for this course? And I, I think that's where the difference between a user and an agent identity really it goes. So it might let me ask the question of simply is like, what's the difference between a user and an agent? But kind of understanding that I already realized what the difference is, I guess I'm wondering from an identity perspective. Yeah. So I, I think to start off with the term agent is terrible and has made all of our lives, you know, much harder.

At least it found this podcast interesting. You know, it's, it's, it does well on search engine optimization and it makes for good podcast titles. But in practice, when you're building systems, it's kind of confusing. And so AI can mean many different things. Sometimes it is a human being talking to an AI, more of an assistant context and that AI is

just helping them do something. And this is not that much different from a a user interacting with the surface, subtly different but but not massively. Then there is I use an AI and ask it to go and do stuff and I gesture towards what that stuff looks like, but I don't really tell it. This is more like vibe coding. You know, my my clawed code has access to MCP servers for GitHub and to Super Bass, and it can spin up databases and use them as required. This is no longer me really

being in the loop. It's more of a delegated authority use case. And then there is AI, which kind of acts like a service account. It's a theme that runs in the

background. I never touch it and it goes and it just runs AII use a a workflow that drafts replies to emails on my behalf based on a bunch of custom system prompts and access to services. And this is nothing like ChatGPT right in, in an from an identity management perspective, this is just a a service account workload. And yet we kind of throw these all under the heading of agent, even if it doesn't make any sense.

Yeah, I feel like I've been hearing this comment a couple of Times Now recently where like you think of Agent as a bot. We spent our career keeping the bots out and now we have to figure out how to let the bots in or the right bots in and let's do the right things. Just what do you think when you hear that? Yeah, I mean, I think the concept of a bot is a is a terrifying word to use nowadays. So one of the ways AI can interact with services is

through the web. And like we've been trying to fight bots on the web for years and years and years. And now one of the things people want is like, oh, we, we want those bots. Because if, if I'm going to use Chat GPTS agent mode, which, you know, opens a browser and clicks buttons very slowly to buy stuff, if I block that bot, well, then people stop buying stuff on my website.

And so then you go to whoever is building the bot blocking software and says, well, we, we don't want the bots, but we do want those bots. And this has led to this kind of blossoming of questions and solutions. Web Bot Auth, which is a standard supported by Cloudflare, a browser based to identify bots on the web. Payment questions, people doing X4O2 where you know, four O 1 being the the authorization needed error code, four O 2

being payment needed. And so there's all these wacky questions that you know people had written off over the last decade or two that now are coming back into question. It's a fun time to be in the Internet. I find it so fun that we are, you know, we've spent the last decade trying to prove that we are not bots. You know, pick all the pictures of a hot dog, pick all the pictures of a motorcycle. And what are we doing now? We're training our bots to do those things, you know, on our

behalf. That's just where we are. If anything, I think AI is getting better at doing captures than I am. Yeah. Well, I, I'm not very good at it. A lot of times it's like pick the, pick all of the pictures with the bus. I'm like that one with traffic there. Is that a bus? I don't know. I don't know. I usually get through those, so I figure I must not be answering that poorly for now, you know? We might remove your human status soon. You know, so in my mind, there's

different kinds of agents. And I like I said, I like the term assistant because I can see a scenario where people are creating their own assistance. And so wondering from like an

identity standpoint when you're talking about AI agents and the ability for them to impersonate a person, right? And I think that's a big topic that's in the paper that you wrote. It's like, ultimately that's what we're driving toward, right? Is the ability to set up an identity for this assistant agent bot, you call it what you want. Who's setting that up? Is that kind of coming with the package or is the end user setting that up?

Or does it make sense for an administrator to set that up? And please tell me that we don't end up just put your username, password into this agent and we're just going to log in as you. I mean, isn't that like the the worst case scenario? That that that use case scenario keeps me up at night. The so think of this back when, when we had human assistance. I like the term assistance. We've had human assistance for many years. And how would you give someone access to your services?

You could just give them or your password, give them your one password admin login. Not a great idea, but people do do it. There's a version of that you can do with AI, But the question is, how much do you trust that human being? And so if you want to, you know, have some modicum of security involved, you probably want to give them selective access to some services. And you probably want to know what actions are taken by them versus taken by you. Was the e-mail sent by an

assistant or was it sent by you? And the reason AI is interesting here is because this is just expanded in, you know, the the scope of what can be done is expanded. More people are going to have these assistants helping them and there's going to be, you know, exponentially greater risks as these AIS do things faster than you can oversee. And that is why I think we really need to rethink identity

for this. I think to kind of answer the question you actually asked of who is setting up this identity, I think a lot of the owners in a consumer application is on the consumer chat box, people who are building these assistants. It's also on the web and standard setters to build robust notions of identity into that. And then in the enterprise use case, we, I think a lot of the really robust identity

infrastructure comes to play. It's on enterprises to have sensible policies and procedures around identity access management of ages. So when we talk about this, I mean, there's essentially there's major topic that you brought on, it took on in the paper impersonation versus delegation. I haven't. It's interesting because it brought me back to what I see

like in my early days in IT where an executive would have an executive assistant. The executive didn't even know how to go in and do an access review, if you even had that at that point. But they didn't know they would go in and like, approve access and. I actually work for people where their assistant would print out their emails and put a stack of paper on their desk so they could go through their emails. Yeah, such situation.

But it kind of, it's kind of the human version of this process Now. I guess the question is like, what is the right way? Is that what you guys are driving toward? And is it to set up some kind of standard for like what is acceptable, what is best practice? Because I think from a practitioner standpoint, there's one of those areas where it's like, just tell us what to do. Well, Jim, I can build you an AI agent that will print out all your emails so you can go back

to handwriting them. I think that maybe that's a better world. We do need to stop using all these phones all the time, so. Maybe that I'll just say please don't like. Yeah, I just got an iPad. It's still in the box but I'm going to just doing my emails there. You know, I, I think a lot of people believe that AI agents are going to solve all of our problems. And I think much in the same way you think an iPad is going to make you better at replying to

emails quickly. It's not you're the problem. And it doesn't matter how good I have an AI that writes emails for you, drafts emails, and yet this limiting reagent is still me clicking set because I'm not going to let AI send the emails on my behalf. Draft, OK, but send would get hairy very quickly. So your question, what is the right solution? I really wish I could come on this podcast and say to you that like here is a magic fix that will solve all your problems that doesn't exist.

It's not ever going to exist and anyone trying to tell you it will is selling you a product instead. There's a bunch of steps we can do with current web identity infrastructure, delegated authority tooling and enterprise identity infrastructure to make things ready for AI agents or or you know, be using them already and you see this already in kind of the enterprise use case. You want to have an enterprise

assistant, human assistant. We have some tools for that in whatever identity provider you use. Well, most of these identity providers are also setting up tooling around agents so that you can declare that something is an AI agent, that it is delegated on behalf of a human being. You can provision it, de provision it in enterprise identity management tooling. And essentially everyone in this ecosystem is very aware that this is a problem and working towards it.

And so I may not have one solution, but I'm promising you will get a lot of emails over the next year of people selling you solutions to fix them. So we've got that to look

forward to it every conference. You know, it's already starting to show up as like manage your agentic AI. You talked about that delegation and you know, that's going to be a big part of it because the whole point of agentic AI is autonomy, right? It's doing things on your behalf. And so of course, it has to have some level of delegated authority. But that delegation does not absolve, you know, the governance, the consent, right, that needs to take place.

Say, yes, I do authorize Jeff Bot to go do these things. How do I keep track of that? Because that human oversight that is supposed to be there, typically over like a human level ID operating at human time scale is going to be very different when you're talking about agentic, meaning millisecond time scale and hundreds, thousands maybe of these bots, maybe millions of these bots kind of all doing

their own thing. Like how do you manage that that automation and make sure that's governed and that the right consent is in place to for it to for it to do those things? Yeah, I mean, I really like that comment that AI is about autonomy and I think the better AI is the more autonomy you give it. The dream of everyone building these highly effective long running AI agents is to give them one instruction or maybe an amorphous goal and they continuously run and solve problems for you.

That is the exciting part. That is what all the evaluations for AI Labs is built upon, and I think they're going to solve that. I think all of the AI models will get better at long time horizon tasks. The expression that has been going around Stanford recently is that AI is the worst it's ever going to be.

And so if you don't believe that an agent is capable of continuously running a task effectively using tools right now, at some point in the future, whenever that is, you can believe whatever timeline you want, it will get better. But I think the block on that, the thing that's going to stop it being able to do stuff is access is commissions, human oversight, management of the access to services for AI agents is going to be the limiter on really cool agents.

So I find interesting that you mentioned that because we've been saying that for a while, like this is the worst it will ever be. I've had to change that saying though, because worst implies to some people good and bad. And So what I've said is like, this is the least capable AI will ever be is right this second. You know, as we're recording this, it will be better or it'll say it'll be more capable. 5 minutes, 10 minutes, right and

so forth and so forth. So I do find interesting that, you know, hey, Jim, we're, I can, we're, I can good circles here. We're we're thinking like Stanford folks. I know it's really, it's really eye opening. You know, one thing that I kind of feel like I've found is some of the call centers that we dial into like the AI is getting really, really good. We can, I mean, some companies are under invested and you know,

there should be a wall of shame for that because you get on and it's like your AI is garbage and you just say I need to speak to a human, I need to speak to a human. But there are others where they're actually good. But I feel like no matter how good they are, eventually they hit some kind of guardrail where it's like the AI agent just isn't going to solve that problem for you. It's like, hey, I got billed twice last month and I need you

to refund me the money. I was like, OK, well, this could be a fraud scenario, so we're actually going to forward you to a person. And why do I bring all that up? Because I kind of feel like if you, you know, you can say, OK, here's Tobin. He's a human being and he's got these five agent identities and those agents go off and do something. You almost potentially could say, well, I didn't know what that agent was going off to do,

right? Like if there's not enough logging and accountability behind those agents. So you almost have to in addition to just logging it, but you have to have the right guardrails. And maybe it's maybe it's a matter of having the right authorization so that it can't do things that you wouldn't expect it to do. But I also think there's process

guardrails. And so identity management and identity security bump up to you know, we've got some of this has got to fall back to the business process. Yeah, I, I think the element that you're describing with respect to liability is a huge, huge issue here. We, we have a bunch of work on going at Stanford in collaboration with part of the Stanford Law School on what liability looks like in AI. The law has a concept of agency with not to be confused with AI agents, but the idea that an

individual can take actions. And if you have the agency to take an action, you may have the liability as part of that. And it's very unclear when you tell ChatGPT or Claude to go and do a thing and then it does that thing kind of wrong, right? You go and say, buy me a new couch and it doesn't have enough money to buy a couch. So it remortgages your house in order to pay for it. Who's responsible for that loan, right? Like that's a, that's a

consequential action. And so I, I deeply believe that the way organizations and business processes are structured is someone needs to be fireable for anything to work. And if you just have AI doing a bunch of things and something goes wrong, who do you yell at? You can't really yell at ChatGPT. Yeah, I mean, you can. It will. It will accept it, it will apologize. It doesn't. It doesn't feel the same. You're right, I did make a mistake.

You don't want that. It, it, it doesn't fight back enough, right? Yeah. So I, I think guardrails matter there. Part of guardrails is, is you know, this alignment problem, making sure that AI stays on task. Part of it is just limiting its access so it can't remortgage your house and then part of it is understanding when you design AI system that assistance where the risks and the liabilities are in that business process automation.

Well, this is sort of like the, you know, trillion dollar question is who is responsible for the actions of the agent, right? Ultimately probably a human somewhere, but they're not going to be able to keep up with their own agents, let alone all the agents within an organization. So let me try to spin this into a way that we can make this helpful, helpful for people listening.

Yeah, I'm going to sit down and I'm going to vibe code, you know, an app that prints out all of Jim's emails and sends, you know, the post surface, you know, Postal Service to him. So to do that, I'm going to have to do some things around agentic AI and maybe some other things, right, to tap into. I, I want to talk about MCP in a little bit, but I'm, I'm doing

this type of thing. So what do I do as a developer or an enterprise Oregon, even a consumer to say how do I get ready for this from an identity management perspective? Yes. So every tool that lets you plug in a tool such as using the model context protocol and something like clod or if you're using clod code accessing different tools, there are usually interfaces designed for humans and then there are interfaces designed for AI

agents. And to give a concrete example, if you're vibe coding, you like clod code and you want to use GitHub, there are two different ways you can use GitHub to make PRS, you know, make a, you know, merge them, manage your commits, manage your, your, your branches. And one of them is the command line. You can just Claude knows how to write a, a GitHub command and

the other one is an MCP server. Now this is like lesser known about that MCP server, but if you use the GitHub MCP server, it has explicit restrictions on what can and cannot be done. And it will make sure that when PRS are made, it's tied to an agent identity. GitHub is tracking when something comes through MCP, when it comes through an AI agent, as opposed to coming through your command line, which looks like you. That is one of those benefits of using the right interface for AI.

And I think this analogy can apply a bunch about across a bunch of different tools. There's a bank that has an MCP server that will let you read banking information and automate your finances. Now it's read only. Everyone can remain calm. We're not vibe coding our banks yet, I hope. But having that interface and declaring an upfront, especially if you're building AI tools, I

think it's super helpful, not just for you and your own management, but to offer to your consumers to, you know, other folks using the tools you build. That something is AI and work towards this better identity infrastructure. So talk to us a little bit about MCP, just if you just kind of like start with the level set of what MCP is and then talk about identity and authorization and how that plays in how that works through MCP. Brilliant. We enter the three letter acronym territory.

OK, so the model context protocol MCP is a protocol that came out in November, December last year, has rapidly taken over the world. Every company I know is thinking about the MCP strategy. And I think the best, worst way to think about it is as a wrap around APIs. People are used to the concept of an API. You have some resource, you have some SAS app or Gmail, whatever that you want to expose to someone building sub link to allow them to perform actions. This is always had notions of

scopes. Often they involve API keys or an overflow where users consent to give access to services to resources and MCP behaves as a kind of first approximation as a wrapper in front of that. That makes it really easy to connect to an AIA agent. So it kind of operates in

natural language. It's this translational barrier between a natural language interface that's happening in Claude dot ChatGPT and the API which is in more of a machine readable format now, so. Basically, if you're so let's just make sure I understand, but if you're of course trying to develop an AI agent to do something like create that calendar reminder, the MCP gives you a simple or should I say a common way to interface with the e-mail system.

Is that right? Yeah, so in this instance, you already have a Google Calendar API, but that's super painful to plug into Clot. Like if you go to the ChatGPT website right now, there's no way to give it access to that something you've custom built in terms of, you know, sending emails. But if you make it an MCP server, now you can add that to ChatGPT.

And now, you know, each morning when you wake up and you want to, you know, have your like friendly morning conversation with your friend, ChatGPT, you can go and, and send some emails while you're at it. And so it's just this connective tissue that lets you write instructions in natural language. You literally, when you build an MCP server, write text that explains how to use different APIs, how to use different tools to connect to resources.

So practically speaking, if I'm creating enterprise applications, am I getting my MCP server? I guess I probably have options, but what is going to be the typical enterprise you see? So are they going to have a SAS MCP server that has all the plugins that you could possibly want? Or is this something that I'm going to stand up or am I going to get it from my AI large language model provider? So I really like the internal

enterprise example use case. We're going to talk about external use cases later if we want. But you as an employee have a bunch of extremely boring tasks you perform on a day-to-day basis that involve opening a

website and clicking a series of buttons in the same manner every single day. We all do. And there are in many cases APIs that could do that for you, but you are not going to build button clicking automations because you're busy clicking buttons and you know you've only got so much time in the day. What MCP lets you do within a company is take those operations, which can be done programmatically and put them in a natural language interface.

So wrap them in an MCP, plug that into your company employees, chat bots of choice, whether it's ChatGPT, clawed goose cursor and then the human being, it can go and say, you know, make you know, check my compliance report can pull relevant information. It can, you know, write relevant things, change state externally and do those workflows that you always had to do by hand, but now do them with a chat bot. And as you know, you find yourself doing these repeated

chat bot operations. I always do the same thing. Check the versal deployment for any logs, pull it in, suggest a fix, write that code, make a new PR, and if you keep seeing this happen repeatedly, now you can build a semi autonomous agent that goes and just does this workflow repeatedly. And I like that mental model of of automating you as a human being by replacing you with an AII. Kind of think of like the Matrix and the key master.

So, and this is just my feeble brain trying to wrap my head around this, and I think of each door that the key master has a, you know, key to is a portal into another world in the MCP context of MCP, maybe somewhat redundant right there at the word context, but it's how, you know, a individual, a thing, an agent, a bot or whatever it may be can traverse boundaries in a

controlled method. That's the way I kind of look at it. It's like, OK, yeah, you got Neo and the agents going through, you know, a bunch of portal

doors kind of in the Matrix, and they shut them behind them. And when they're shut behind, no one else can kind of flow through it or, you know, go back into it, those sorts of things. Am I crazy or you know, did the Matrix invent MCP? I, you know, I'm not sure I'm willing to go on record to say the Matrix invented MCPI. Think David from Anthropic might be a bit annoyed at that claim. But I do think that mental model

makes sense. It is giving you this portal, two things that have already existed, these these resources, these APIs or always existed, but now making them accessible to both AI and through AI humans in a really interesting way. I want you to put your Nostradamus hat on a little bit here, right? And talk about MCP. Is this like the next SAML or is that not a good analogy?

Like I'm just thinking you were SAML, you got this humongous adoption and like there's all these like ID PS that are SAML enabled and you can plug in and you can have single sign on to hundreds or thousands of applications overnight. And I'm wondering if MCP is going to be that. Because I think with SAML, it got to the point where I was like, if you're going to provide a web application online, you pretty much need to support SAML if you're going to sell to

enterprises. Because unless you're like the only one in the market, you're going to need that. And I'm wondering if like MCP becomes that standard, do they just publish APIs and let somebody else worry about doing the MCP layer? Yeah, I, I, I, I'm not sure SAML is the protocol I'd pick, but I totally agree with that analogy of I think that's what it's going to become.

Maybe it's closer to to to REST in that it's a thing that everyone decides we should start doing and then everyone does, and then we all get annoyed at the limitations of it and it causes a constant pain for developers. Speaking of that, they're coming. Behind you if it gets you. Yeah, I, I, I, I've said something wrong. I, I'm in San Francisco on Market Street, which is not the calmest place on planet Earth, but it is where all the MCPS are being built.

So I, I, I really think employees and organizations are going to expect if you're selling them a SAS app, that that SAS app is accessible to people who want to just operate out of a chat bot. We work a lot with folks at Cursor who build cool apps and they love MCP at Cursor and one of many coding agents. All the coding agent folks do, and they want to vibe code their whole lives. They just want to sit and have AI do all the things.

And so they really want all of their services to have MCP servers so that they can, you know, stay inside of cursor for the rest of their lives and never have to go and open a website. Well, that's a, you know, that's a monetary driver too, right? Because that MCP is a two way door. You know, if we're doing consumption based from a product perspective, that's how you adequately control and secure those things to make sure that, you know, obviously the data they're getting is is what it

should be and and so forth. So to me, that makes a lot of sense. Like, yeah, of course you want to build that. It's almost like like that should be a function that is just standard at this point. Or is it too soon to call it standard? I think we are now at a point or or let me give you this in like December 20th of 2026, the standard there are working groups, essentially every company that I know has someone

working on IMCP. And I like deeply believe that there will be a product push over the next year for everyone who wants to be AI forward to support something. And so we'll see if this collapses. I mean, look, AI may be one big bubble, but I think this protocol is here to stay at least as a really clean, robust way to communicate that tooling is designed for AI and optimize

the agent experience, right? API is a design for a developer experience. Your website is designed for humans. We need an interface that's optimized for agents. So talk to me a little bit about the concept of recursive delegation and scope attenuation, because these are things that I picked up from the white paper. And I should say we're going to have the white paper LinkedIn, our show notes, so people can kind of go and read that. It's like 30 pages.

It's, it's, it's very in depth, right? That sort of thing. But talk to me about what those things are and why should I care about them as an identity person? Those are a lot of big words. Frankly, very scary. Let's unpack them. OK, delegation. You. When you want a task dub, you delegate it to something or someone or some agent. I ask Claude, my favorite AI assistant, go read all of my emails and find what needs to be addressed. Great.

That's one step of delegation. Claude's now handling everything. Now for one of those emails, I need to go retrieve information, which maybe requires me to ping someone or go do other stuff. And so Cord has this idea of sub agents where it can spin up a new AI agent. Now really all that's happening is a sub process is being spawned in a system with a clean system prompt, right? So a lot of AI is about context management. If you have a lot of nonsense in your context window, AI gets

confused. And so it makes a lot of sense to spin up a sub agent with a reduced context. It's focused on exactly what it needs to do, and it can go out and do that and retrieve relevant information. So now I have delegated to an AI, which is delegated to an AI. Now let's take a enterprise use case that now this second agent needs to orchestrate something in Salesforce, needs to pull from ACRM. Well, Salesforce has Agentforce,

the whole big agent strategy. And so it's now going to send a natural language request to an external system that we don't control and which, you know, agent force will go and it'll pull the CRM and find someone that might be relevant. And then it can send it back to the sub agent, sub agent, which can send it back to the sub agent, which can send it back to me. Now this is cool. It helps with context management, but this recursive delegation is multiple steps of delegation.

Each one abstracts you, the original person, further and further away from what's going on and means you have less control over what's actually happened. And so I might give my main court access to all my tools, but I don't necessarily want everything that Claude creates to go do a task to have access to all my banks, all my text

messages, all my emails. And so we really need robust attenuation of scope so that when AIS go and use other AIS, they don't just give all the permissions to the next AI. And that's what we mean about scope attenuation for a cursive delegation. A terrifying sentence. That is like a a $25 word. If you're playing Scrabble, you know, you probably just won right there. Or words of friends, or whatever your word choice is for.

Their If anyone ever plays Scrabble and gets attenuation, please e-mail me. Immediately. There you go, open invite. I'll put your LinkedIn and our show notes. You know, you heard it here first. The the gauntlet has been thrown down for a challenge. All right, so we're like 45 minutes here and I want to start to wrap things up. But what I want to do is offer the people listening some nugget

that they can take away. So if I'm listening to this and I remember one thing that came out of this entire conversation around agentic AI identity management, what is it that I

should be taking away from this conversation? Just remember this one thing. We don't need to reinvent the entire identity stack of the Internet to solve agents, and we're not going to. But each step of the existing identity stack, whether it's web identities logging in, whether it's SAML, whether it's Skim and identity management agents with your identity provider, each one of those steps is going to require some incremental improvements to support agents.

And we're not going to change the world entirely, but everyone is going to have a responsibility to upgrade their systems to support agents. And then I think we're all going to be OK. There we go. You make it sound so simple, like this is this is it? This is just how we solve it. So you said originally you, you didn't have, you know, a way to solve it.

It sounds like you just did. I think we have so many fun incremental problems to solve that whether we have AGI or not, we're all going to stay employed for a while as identity management professionals. Yeah, judge it by some of the outputs that I get out of the tools that I use. Like, OK, yeah, we're not quite there yet. But you know, this is the least capable it will ever be right this second. It's just going to get more and more capable. Now it's on us to figure out how

do we make it secure? You know, how we use it appropriately, right? All that good stuff. So as long as I can, you know, use, you know, things like Sora and Gemini to like make stupid videos, you know, I'm. I'm cool. Yeah, I like you. It's neither good nor bad, but it will get more capable. Those Sora videos might become increasingly unhinged, but they'll be credible. Definition of quality. Yeah, if you have not checked out the Sora app from Open AI, it is definitely very, very weird.

If you would have sent it out, don't. Straight away it is 100% AI slop and if you're into that, it's great. If you're not, you're going to be like, what the heck? Is this? So Tobin, you've been super generous with your time.

I want to take us out on a lighter note. And so I have a couple options. I was going to kind of ask you about Australia and you know, something about Adelaide maybe like the people who generally don't know about, but I want to go more the coffee route. This is what Jim was alluding to earlier on of, you know, providing value. I personally do not drink coffee. I love the aroma, can't stand the flavour.

And I will try coffee maybe like once every year, a couple years and it's just a quick check in. Yep, still don't like it. So my caffeine of choice is generally a cola of some sort. But I want to ask you because as I was doing some, you know, cyber stalking of you to like get some background, you know, before the interview, you mentioned somewhere that you're

kind of like a coffee guy. And so I want to know in all your travels around the world, what is or where is or who is, has the best coffee that you've ever had. I have such a strong affinity for coffee. I think my PhD is was fully powered by coffee. I continue in order to get my job done, consume inordinate amounts of caffeine. I've I've a a strong belief that as well the derivative matters, you've got to keep drinking just a little bit more every day, which doesn't work at the macro

scale of 1's life. But being Australian and growing up in one of the coffee havens of the world, I'm always in search of good coffee and always disappointed. San Francisco, where I live, has many great cafes. I can't, I can't knock them, but it's it's unreliable. When you travel to Europe they make coffee but it's not the same as the flat whites I care about back home.

And when you fly back in to Australia, usually via Sydney, because there is no direct flight to my hometown, you land in Sydney Airport and you're immediately faced with five different cafes in the terminal, each of which has award-winning coffee. And so Australia will always have the best cafe culture in in my heart. But if you are in San Francisco, Third Wheel Coffee is my local cafe and there's a 5050 chance you might see me there at 8:00

AM every single morning. So there's there's my offer to folks. All right, so go to Australia, go to Sydney for the Opera House and stay for the coffee in the airport. They're like, that's a Jim, I know you're a coffee person. You seem like you're itching, you know, to get into the conversation. I don't think that's just the caffeine or you're just excited, but what is your favorite coffee? Maybe a little bit of both, because I do drink coffee

throughout the day. I'm more prepared to say what I don't like. You know, me chef. I mean, is that any surprise at all? So I. Mean, I already bashed on the poor Apple girl from the commercial, so go ahead, you know, bash coffee, that's fine too. Yeah, I don't like flavored coffee. Like if you say oh, like this is a caramel coffee or something like that, I'm like, no, that is horrible.

It's ruined. I think the weird thing is like I've spent my whole life drinking different coffees, African coffee or different, different places around the world trying to find like, OK, what is my favorite roast of coffee or favorite beans? Favorite roast, The order to come back to in my old age is the good old Arabica bean, 100%

Arabica coffee. And whether you make it into an espresso or you make it into a drip coffee, I just really think there's a reason that became the most popular bean in the world. That's because it's the best. It's got like the right, it's a medium flavor. And I think that's me, like I, I tried both extremes and I ended up back where I started as a teenager drinking, you know, arabica, Colombian coffee. So I'll go with Colombian coffee for 200 please. All right, coffee crossed by Tobin.

Your thoughts? I actually, I, I, I think if I ain't broke, don't fix it. It's a great coffee. It's so good to the point where I lived with a machine learning engineer who had quit caffeine entirely and yet still imported really high quality arabica beans just to make decaf coffee on what must have been 5 or so $1000 of espresso machine equipment for no caffeine at all. Which is a little insane, but it's tasty.

It works. OK, so Jim, you, you mentioned the bean, but like where is the best coffee? Like what's the best coffee ever had? Give me a location. So I don't know, like I don't have like that one experience. I'd say my house like I keep coming I'm. Coming to this. Yeah, I keep coming here and having coffee all the time. Actually, I don't have my really good espresso machine anymore. I've got like a Nespresso machine, which, you know, people probably out there like grumbling.

I know. It's like it's a little bit of weak sauce, except convenience is very important when you have a job where you're like, you've got calls like stacked up back-to-back and it's like, oh, this call ended 3 minutes early, I have time to go make myself a coffee. So yeah, that's what I have. But I I tend toward more local places than the big chains. And some big chains are really good, but a lot of times they're very disappointing.

So there's a couple local places around me here in Sturgis, SD You know, you don't think of it as the coffee capital of the world, and it's not. You know, I could tell you I've had Turkish coffee, I've had coffee in all over Europe. They've all been wonderful. Nothing stood out to me is like, oh, that's the best place to go for coffee. But. Yeah, there's a lot of them.

OK, so send your angry emails to Jim on LinkedIn. Defend your coffee, people. That's the challenge right there. You've everyone's got to have a hill to die and I think it's a great, it's a great hill. That's, you know, look, we all have opinions. It's like change my mind. The opinions can change, change the facts. I'll think about it. There's nothing wrong with that. Maybe someday I'll like coffee, but for now, it's still just the aroma.

And, you know, that's it for me. So all right, let's go ahead and leave it there for this week. Tobin, thank you so much for spending some time with us. I hope you'll come back, especially if things kind of develop in this agentic AII AM world and like what should be you'll be thinking about as I go along. And I hope to see you at an identity conference coming up, maybe a Gartner Identiverse or EIC or something along those lines. But thank you so much for being with us.

I will have in our show notes a link to the paper that is out there as well as your LinkedIn profile so people can either defend or attack coffee preferences or whatever it may be. Please be polite. Please to yeah. And yeah, we'll go ahead and leave it there for this week. So you can find us on the web, IDC, podcast.com, like and subscribe, hit the YouTube channel. We recently crossed over 1000 subscribers on our YouTube channel. So thank you for that. Again, you know, we don't do any

advertising. It's all word of mouth and so we appreciate everyone supporting us. So with that, we'll go ahead and leave for this week. Thanks everyone for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.