{"id":5022,"date":"2026-03-24T17:59:40","date_gmt":"2026-03-24T21:59:40","guid":{"rendered":"https:\/\/www.indigoconsulting.ca\/?p=5022"},"modified":"2026-04-19T12:34:30","modified_gmt":"2026-04-19T16:34:30","slug":"agentic-ai-security","status":"publish","type":"post","link":"https:\/\/www.indigoconsulting.ca\/fr\/blog\/agentic-ai-security\/","title":{"rendered":"S\u00e9curit\u00e9 des IA agentives : un cadre de risque pratique pour l\u2019entreprise"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"5022\" class=\"elementor elementor-5022\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d0116af e-flex e-con-boxed e-con e-parent\" data-id=\"d0116af\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-fba6479 e-con-full e-flex e-con e-child\" data-id=\"fba6479\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-aad242a e-con-full e-flex e-con e-child\" data-id=\"aad242a\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7a63e04 elementor-widget elementor-widget-text-editor\" data-id=\"7a63e04\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><a href=\"https:\/\/www.indigoconsulting.ca\/\"><strong>Home<\/strong><\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7572614 elementor-view-default elementor-widget elementor-widget-icon\" data-id=\"7572614\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-wrapper\">\n\t\t\t<div class=\"elementor-icon\">\n\t\t\t<i aria-hidden=\"true\" class=\"fas fa-chevron-right\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9c101ce elementor-widget elementor-widget-text-editor\" data-id=\"9c101ce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><a href=\"https:\/\/www.indigoconsulting.ca\/solutions\/resources\/\">Resources<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c6939bf elementor-view-default elementor-widget elementor-widget-icon\" data-id=\"c6939bf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-wrapper\">\n\t\t\t<div class=\"elementor-icon\">\n\t\t\t<i aria-hidden=\"true\" class=\"fas fa-chevron-right\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9ac3880 elementor-widget elementor-widget-text-editor\" data-id=\"9ac3880\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Agentic AI Security<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-da2572f elementor-widget elementor-widget-heading\" data-id=\"da2572f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">A Practitioner's Risk Framework for the Enterprise<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-51c39e0 elementor-widget elementor-widget-text-editor\" data-id=\"51c39e0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Mar 24th, 2026<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e5d6368 elementor-author-box--layout-image-left elementor-author-box--image-valign-top elementor-widget elementor-widget-author-box\" data-id=\"e5d6368\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"author-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-author-box\">\n\t\t\t\t\t\t\t<a href=\"https:\/\/www.linkedin.com\/in\/nseigneur\/\" target=\"_blank\" class=\"elementor-author-box__avatar\">\n\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Nicolas-Seigneur-240x300.png\" alt=\"Picture of Nicolas Seigneur\" loading=\"lazy\">\n\t\t\t\t<\/a>\n\t\t\t\n\t\t\t<div class=\"elementor-author-box__text\">\n\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/www.linkedin.com\/in\/nseigneur\/\" target=\"_blank\">\n\t\t\t\t\t\t<span class=\"elementor-author-box__name\">\n\t\t\t\t\t\t\tNicolas Seigneur\t\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-author-box__bio\">\n\t\t\t\t\t\t<p>Chief Technology Officer<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0679d75 elementor-widget elementor-widget-image\" data-id=\"0679d75\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security.jpg\" class=\"attachment-full size-full wp-image-5026\" alt=\"Agentic AI security\" srcset=\"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security.jpg 1200w, https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security-300x200.jpg 300w, https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security-1024x683.jpg 1024w, https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security-768x512.jpg 768w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4133e8c e-con-full e-flex e-con e-child\" data-id=\"4133e8c\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f0dc394 elementor-widget elementor-widget-text-editor\" data-id=\"f0dc394\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"thedeath\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3><b>Key Takeaways<\/b><\/h3>\n<ul>\n<li><span style=\"font-weight: 400;\">Traditional service accounts and API keys are insufficient for AI agents; use cryptographically verifiable workload identities such as SPIFFE\/SPIRE.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">OAuth 2.1 On-Behalf-Of (OBO) flows are the correct delegation model, never allowing agents to impersonate users directly.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Secure MCP deployments by decoupling the Policy Decision Point from the Policy Enforcement Point, and disabling open Dynamic Client Registration.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Align governance with ISO\/IEC 42001 and enforce real-time guardrails including PII masking and Human-in-the-Loop (HITL) via CIBA.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Recursive delegation chains require scope attenuation via OAuth 2.0 Token Exchange or Macaroon-style capability tokens.<\/span><\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d891ec5 e-flex e-con-boxed e-con e-parent\" data-id=\"d891ec5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-e7196ee e-con-full elementor-hidden-tablet elementor-hidden-mobile e-flex e-con e-child\" data-id=\"e7196ee\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;sticky&quot;:&quot;top&quot;,&quot;sticky_offset&quot;:100,&quot;sticky_effects_offset&quot;:100,&quot;sticky_anchor_link_offset&quot;:100,&quot;sticky_parent&quot;:&quot;yes&quot;,&quot;sticky_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;,&quot;mobile&quot;]}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f9629d7 elementor-widget elementor-widget-text-editor\" data-id=\"f9629d7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h6><a href=\"#whytrad\">Why Traditional IAM Breaks Under Agentic AI<\/a><\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a3d24d5 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"a3d24d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e36a782 elementor-widget elementor-widget-text-editor\" data-id=\"e36a782\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h6><a href=\"#MachineIdentity\">Machine Identity: Beyond Service Accounts<\/a><\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4e453f5 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"4e453f5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-af68e39 elementor-widget elementor-widget-text-editor\" data-id=\"af68e39\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h6><a href=\"#Architecture\">Architecture: Securing the Model Context Protocol<\/a><\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e162b8e elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"e162b8e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-67f3ddc elementor-widget elementor-widget-text-editor\" data-id=\"67f3ddc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h6><a href=\"#Governance\">Governance and AI Guardrails<\/a><\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-85ff943 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"85ff943\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4d4a2b4 elementor-widget elementor-widget-text-editor\" data-id=\"4d4a2b4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h6><a href=\"#Recursive\">Recursive Delegation at Scale<\/a><\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1a3052a elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"1a3052a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-847b503 elementor-widget elementor-widget-text-editor\" data-id=\"847b503\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h6><a href=\"#Implementation\">Implementation Checklist<\/a><\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5d12889 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"5d12889\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b4880dc elementor-widget elementor-widget-text-editor\" data-id=\"b4880dc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h6><a href=\"#FAQ\">FAQ<\/a><\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6ac9666 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"6ac9666\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8ebc1c2 elementor-widget elementor-widget-text-editor\" data-id=\"8ebc1c2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h6><a href=\"#conclusion\">Conclusion<\/a><\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e0dcead elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"e0dcead\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-aafb53d elementor-widget elementor-widget-text-editor\" data-id=\"aafb53d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h6><a href=\"https:\/\/www.indigoconsulting.ca\/contact\/\" target=\"_blank\" rel=\"noopener\">Contact Us<\/a><\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a02a06b e-con-full e-flex e-con e-child\" data-id=\"a02a06b\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-dbe1fc0 elementor-widget elementor-widget-text-editor\" data-id=\"dbe1fc0\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"theday\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">This guide is for enterprise security architects, IAM engineers, and CISOs who are deploying or evaluating agentic AI systems and need a structured, standards-aligned risk framework \u2014 not a vendor pitch.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">The rapid rise of agentic AI is forcing a structural phase shift in how enterprises govern access, identity, and authorization. Unlike traditional software that executes deterministic logic against structured inputs, AI agents exhibit flexible, goal-directed behavior \u2014 autonomously invoking APIs, querying data stores, spawning sub-agents, and persisting state across sessions.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-6095caf e-con-full e-flex e-con e-child\" data-id=\"6095caf\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e36903b elementor-widget elementor-widget-text-editor\" data-id=\"e36903b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">According to <\/span><a href=\"https:\/\/www.gartner.com\/en\/documents\/5505695\"><span style=\"font-weight: 400;\">Hype Cycle for Artificial Intelligence, 2024<\/span><\/a><span style=\"font-weight: 400;\">, more than 15% of day-to-day work decisions will be made autonomously by AI agents by 2028. Existing Identity and Access Management (IAM) architectures were not designed for this operating model, and the gap is exploitable. <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e4f94ee e-con-full e-flex e-con e-child\" data-id=\"e4f94ee\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e5f55d7 elementor-widget elementor-widget-text-editor\" data-id=\"e5f55d7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">The framework below spans four pillars: machine identity, connectivity architecture, operational governance, and recursive delegation<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d4f500 elementor-widget elementor-widget-text-editor\" data-id=\"1d4f500\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"whytrad\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2><span style=\"font-weight: 400;\">Why Traditional IAM Breaks Under Agentic AI<\/span><\/h2><p><span style=\"font-weight: 400;\">Classic IAM assumes a human at one end of every access chain. Service accounts and API keys were designed as static, long-lived credentials for predictable, bounded workloads. AI agents violate every one of those assumptions.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">An agent acts on behalf of a human principal but executes at machine speed \u2014 potentially invoking hundreds of API calls in a single session. A compromised service account tied to a human user creates a blast radius proportional to that user&#8217;s permissions, multiplied by the agent&#8217;s execution velocity. IBM&#8217;s 2024 Cost of a Data Breach Report found that credentials were the most common initial attack vector, responsible for 16% of breaches at an average cost of $4.81 million per incident. In an agentic context, a single stolen credential can trigger cascading downstream actions before any human detects the anomaly.<\/span><\/p><p><span style=\"font-weight: 400;\">The problem is structural, not operational. Patching service account hygiene is insufficient; the identity model itself must evolve. \u00a0 <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-de57f94 elementor-widget elementor-widget-text-editor\" data-id=\"de57f94\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"MachineIdentity\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2><span style=\"font-weight: 400;\">Machine Identity: Beyond Service Accounts<\/span><\/h2>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-58af67a elementor-widget elementor-widget-text-editor\" data-id=\"58af67a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Verifiable Workload Identities with SPIFFE\/SPIRE<\/b><\/h5><p><span style=\"font-weight: 400;\">Agents require identities that encode what they are, not just who issued the credential. The https:\/\/spiffe.io\/ standard, a graduated CNCF project, provides cryptographically verifiable workload identities via short-lived X.509 SVIDs (SPIFFE Verifiable Identity Documents). Critically, a SPIFFE identity can be enriched with metadata: the underlying model name, version, capability scope, and the human principal on whose behalf the agent is operating. This metadata enables policy engines to make fine-grained authorization decisions that static API keys cannot support. Other standards and technologies can provide similar capabilities; both Cloud Vendors and IAM vendors offer Workload Identities that may be suitable for your needs, SPIFFE is mentioned because it can be deployed everywhere and provide a clean reference implementation.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f609a27 elementor-widget elementor-widget-text-editor\" data-id=\"f609a27\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>From Impersonation to Delegation via OAuth 2.1<\/b><\/h5><p><span style=\"font-weight: 400;\">The most dangerous anti-pattern in agentic deployments is user impersonation: giving an agent a cloned user token and allowing it to act as that user. This destroys the audit trail; log records that will show the human user taking actions the human never performed.<\/span><\/p><p><span style=\"font-weight: 400;\">The correct pattern is On-Behalf-Of (OBO) delegation, standardized in<\/span><a href=\"https:\/\/oauth.net\/2.1\/\"><span style=\"font-weight: 400;\"> https:\/\/oauth.net\/2.1\/<\/span><\/a><span style=\"font-weight: 400;\"> (which consolidates RFC 6749, RFC 6750, and the Security BCP). An OBO flow issues a derived access token that carries two identifiers: the originating human principal and the specific agent instance. Every downstream system sees both actors in every request, preserving a complete, non-repudiable audit trail.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c453581 elementor-widget elementor-widget-text-editor\" data-id=\"c453581\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Automated Lifecycle Management via SCIM<\/b><\/h5><p><span style=\"font-weight: 400;\">In enterprises with hundreds of deployed agents, manual credential rotation is not operationally viable. Organizations should extend https:\/\/www.rfc-editor.org\/rfc\/rfc7644 to provision and de-provision agent identities alongside human identities.\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">This provides two critical capabilities:<\/span><span style=\"font-weight: 400;\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/span><\/p><ol><li><span style=\"font-weight: 400;\"> Automated provisioning: New agent deployments receive scoped credentials without human intervention.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/li><li><span style=\"font-weight: 400;\"> Instant kill switch: A single SCIM DELETE operation immediately de-provisions a compromised agent and purges its delegated access across all integrated systems; equivalent to disabling a user account in seconds rather than hours.<\/span><\/li><\/ol><p><span style=\"font-weight: 400;\">Once again, Identity Security vendors offer Agent Lifecycle to achieve the same results, leveraging open protocols like SCIM makes implementation faster and more flexible.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d1b6b83 elementor-widget elementor-widget-text-editor\" data-id=\"d1b6b83\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"Architecture\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2><span style=\"font-weight: 400;\">Architecture: Securing the Model Context Protocol<\/span><\/h2><p><span style=\"font-weight: 400;\">The <\/span><a href=\"https:\/\/modelcontextprotocol.io\/\"><span style=\"font-weight: 400;\">MCP Protocol<\/span><\/a><span style=\"font-weight: 400;\">, introduced by Anthropic in late 2024, is rapidly becoming the standard interface for connecting AI models to external tools and data sources. Analogous to USB-C for hardware, MCP provides a uniform protocol layer; which also means a uniform attack surface if misconfigured.\u00a0 <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cac7367 elementor-widget elementor-widget-image\" data-id=\"cac7367\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"313\" src=\"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/mcp-simple-diagram.png-2-1024x400.avif\" class=\"attachment-large size-large wp-image-5024\" alt=\"\" srcset=\"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/mcp-simple-diagram.png-2-1024x400.avif 1024w, https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/mcp-simple-diagram.png-2-300x117.avif 300w, https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/mcp-simple-diagram.png-2-768x300.avif 768w, https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/mcp-simple-diagram.png-2-1536x600.avif 1536w, https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/mcp-simple-diagram.png-2-2048x800.avif 2048w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d45ad59 elementor-widget elementor-widget-text-editor\" data-id=\"d45ad59\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Decouple the PDP from the PEP<\/b><\/h5><p><span style=\"font-weight: 400;\">The most common architectural mistake is embedding authorization logic directly inside the MCP server. This creates brittle, duplicated policy logic that is difficult to audit and impossible to enforce consistently across multiple servers.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">The correct architecture decouples the Policy Decision Point (PDP) which evaluates access rules \u2014 from the Policy Enforcement Point (PEP) \u2014 which intercepts requests. An API gateway, a security middleware layer or the MCP Server itself acts as the PEP, intercepting every agent request. The PEP calls out to a centralized PDP for an authorization decision. This pattern is consistent with <\/span><a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-207\/final\"><span style=\"font-weight: 400;\">Zero Trust Architecture principles<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c80ccbe elementor-widget elementor-widget-text-editor\" data-id=\"c80ccbe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Eliminate Token Passthrough<\/b><span style=\"font-weight: 400;\"> \u00a0 <\/span><\/h5><p><span style=\"font-weight: 400;\">A critical and underappreciated vulnerability is Token Passthrough: an MCP server receives a user&#8217;s access token and forwards it unmodified to a downstream API. This creates a Confused Deputy vulnerability \u2014 the downstream API cannot distinguish whether the request originates from the user directly or from an agent acting on their behalf.\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">MCP servers must never forward a client-issued token; they must either use a token explicitly scoped to the server&#8217;s own service identity, or initiate a distinct OBO exchange to obtain a narrowly scoped derived token<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-077bc59 elementor-widget elementor-widget-text-editor\" data-id=\"077bc59\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Disable Open Dynamic Client Registration<\/b><\/h5><p><a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc7591\"><span style=\"font-weight: 400;\">Oauth Dynamic Client Registration<\/span><\/a><span style=\"font-weight: 400;\"> allows clients to register themselves programmatically. In consumer contexts this is useful; in enterprise environments it is dangerous. Open DCR creates unapproved &#8220;anonymous clients&#8221;; agents or integrations that bypass the organization&#8217;s review and approval process, creating ungoverned shadow IT with full OAuth credentials.<\/span><\/p><p><span style=\"font-weight: 400;\">Enterprise deployments must disable open DCR and adopt Enterprise Managed Authorization: administrators pre-configure and approve all trusted agent connections within the Identity Provider before any agent may request tokens.\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">Alternatively, to minimize operation overhead, clients may leverage \u201cSoftware Statements\u201d anchored to a Workload identity solution such as SPIFFE to create a trust between the IDP and the Workload Identity Solution.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6d7b507 elementor-widget elementor-widget-text-editor\" data-id=\"6d7b507\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><strong>Secure Local MCP Connection<\/strong><span style=\"font-weight: 400;\"><strong>s\u00a0<\/strong> <\/span><\/h5><p><span style=\"font-weight: 400;\">Local MCP servers run as operating system processes under the host user&#8217;s security context, meaning they inherit full filesystem and network access of the logged-in user.\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">Developers must prefer STDIO or Unix domain sockets for local IPC over TCP\/IP network sockets; the latter expose the server to all processes on the local network segment, including other containers and virtual machines. For production deployments, local MCP servers should run inside isolated execution environments (e.g., containers with restricted seccomp profiles).<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-35bb6a2 elementor-widget elementor-widget-text-editor\" data-id=\"35bb6a2\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"Governance\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2><span style=\"font-weight: 400;\">Governance and AI Guardrails<\/span><\/h2>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-38f70c8 elementor-widget elementor-widget-text-editor\" data-id=\"38f70c8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Aligning with ISO\/IEC 42001<\/b><\/h5><p><a href=\"https:\/\/www.iso.org\/standard\/81230.html\"><span style=\"font-weight: 400;\">ISO\/IEC 42001<\/span><\/a><span style=\"font-weight: 400;\">, published in November 2023, is the first international management system standard specifically for AI. It requires organizations to establish documented processes for assessing the impact of AI systems on individuals, groups, and broader society; throughout the entire lifecycle, from design through decommissioning.\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">Practitioners should map their agentic AI risk assessments directly to ISO\/IEC 42001 Clause 6 (Planning) and Clause 8 (Operation) requirements, ensuring that fairness, transparency, safety, and security are formally evaluated and recorded before any agent is deployed to production.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4995a6a elementor-widget elementor-widget-text-editor\" data-id=\"4995a6a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Real-Time Guardrails at the PEP<\/b><\/h5><p><span style=\"font-weight: 400;\">Governance cannot be purely procedural; it must be enforced programmatically at runtime.\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">The Policy Enforcement Point described in Section 3 is the correct location for real-time guardrails:\u00a0 <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4a68af1 pp-info-list-icon-left pp-info-list-icon-vertical-middle elementor-widget elementor-widget-pp-info-list\" data-id=\"4a68af1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"pp-info-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"pp-info-list-container pp-list-container pp-info-list-connector\">\n\t\t\t<ul class=\"pp-list-items\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-title\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tPII masking\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tIntercept and redact personally identifiable information before it is forwarded to any LLM invocation, preventing inadvertent model training on sensitive data.   \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-title\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tRate and budget limits\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tEnforce per-agent API rate limits and token budgets to contain costs and detect anomalous usage patterns.\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-title\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tOutput filtering\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tScreen agent responses for sensitive data exfiltration before results are returned to the requesting user or downstream system.\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-024ad06 elementor-widget elementor-widget-text-editor\" data-id=\"024ad06\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Alternatively, the guardrails can be implemented when invoking the LLMs, as it may be acceptable for PII to reach the MCP server, but not the AI Models. <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3f729d3 elementor-widget elementor-widget-text-editor\" data-id=\"3f729d3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Human-in-the-Loop via CIBA<\/b><\/h5><p><span style=\"font-weight: 400;\">For high-risk or irreversible actions (wire transfers, bulk data deletions, external communications) autonomous agent execution must be interrupted for human approval.\u00a0<\/span><\/p><p><a href=\"https:\/\/openid.net\/specs\/openid-client-initiated-backchannel-authentication-core-1_0.html\"><span style=\"font-weight: 400;\">CIBA<\/span><\/a><span style=\"font-weight: 400;\"> provides a standardized mechanism: the agent submits a backchannel authentication request to the authorization server, which pushes an out-of-band approval prompt to the user&#8217;s registered trusted device (mobile push notification, SMS, authenticator app).<\/span><\/p><p><span style=\"font-weight: 400;\">The agent&#8217;s action is blocked until an explicit approval signal is received. MCP&#8217;s &#8220;URL mode&#8221; elicitation mechanism offers a complementary in-band pattern for interactive approvals within the agent session itself.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ea7a39d elementor-widget elementor-widget-text-editor\" data-id=\"ea7a39d\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"Recursive\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2><span style=\"font-weight: 400;\">Recursive Delegation at Scale<\/span><\/h2>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f50b36e elementor-widget elementor-widget-text-editor\" data-id=\"f50b36e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>The Sub-Agent Orchestration Problem<\/b><\/h5><p><span style=\"font-weight: 400;\">Production agentic systems rarely consist of a single agent. A planning agent will decompose a complex task and delegate sub-tasks to specialized agents \u2014 a research agent, a writing agent, a data retrieval agent \u2014 each of which may in turn spawn further sub-agents. This creates a recursive delegation chain where authority flows downstream through multiple hops.<\/span><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">The security risk is privilege escalation through delegation: if each sub-agent inherits the full permissions of its parent, a vulnerability anywhere in the chain can yield the orchestrator&#8217;s maximum permissions.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f835d1b elementor-widget elementor-widget-text-editor\" data-id=\"f835d1b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Scope Attenuation via Token Exchange<\/b><\/h5><p><span style=\"font-weight: 400;\">The solution is<\/span><b> scope attenuation<\/b><span style=\"font-weight: 400;\">: each delegation hop must reduce, never expand, the permission scope. https:\/\/www.rfc-editor.org\/rfc\/rfc8693 provides the mechanism \u2014 a parent agent requests a derived token scoped to exactly the permissions the sub-agent requires for its specific sub-task, and no more.\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">The authorization server enforces the constraint that derived tokens cannot exceed the scope of the presenting token. No sub-agent can elevate its own authority.<\/span><\/p><p><span style=\"font-weight: 400;\">For offline or asynchronous scenarios where the authorization server is not reachable at delegation time, <\/span><a href=\"https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/2017\/09\/04_3_1.pdf\"><span style=\"font-weight: 400;\">Macaroon-style<\/span><\/a><span style=\"font-weight: 400;\"> capability tokens offer an alternative: bearer tokens with embedded, unforgeable attenuation caveats that can be added locally without a network round-trip, while remaining cryptographically verifiable by any relying party.\u00a0 \u00a0 \u00a0 <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fa8adde elementor-widget elementor-widget-text-editor\" data-id=\"fa8adde\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"Implementation\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Implementation Checklist<\/h2>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6225a46 elementor-widget elementor-widget-text-editor\" data-id=\"6225a46\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Machine Identity<\/b><span style=\"font-weight: 400;\">\u00a0 \u00a0<\/span><\/h5>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9abfc12 pp-info-list-icon-left pp-info-list-icon-vertical-middle elementor-widget elementor-widget-pp-info-list\" data-id=\"9abfc12\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"pp-info-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"pp-info-list-container pp-list-container pp-info-list-connector\">\n\t\t\t<ul class=\"pp-list-items\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tDeploy SPIFFE\/SPIRE or equivalent for workload identity; enrich SVIDs with model metadata    \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\t Replace user-impersonation patterns with OAuth 2.1 OBO flows  \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tExtend SCIM to cover agent identity lifecycle (provision, rotate, deprovision)\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\t Document kill-switch procedure: SCIM DELETE \u2192 access revocation SLA < 60 seconds\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c479a67 elementor-widget elementor-widget-text-editor\" data-id=\"c479a67\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>MCP Architecture<\/b><\/h5>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bb79a2c pp-info-list-icon-left pp-info-list-icon-vertical-middle elementor-widget elementor-widget-pp-info-list\" data-id=\"bb79a2c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"pp-info-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"pp-info-list-container pp-list-container pp-info-list-connector\">\n\t\t\t<ul class=\"pp-list-items\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\t Place an API gateway\/PEP in front of all MCP server endpoints or have MCP Server act as PEP  \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tCentralize policy in OPA or equivalent PDP; remove inline authorization from MCP servers \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tAudit all MCP servers for Token Passthrough \u2014 eliminate any direct client token forwarding\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tDisable open DCR in all OAuth Authorization Servers; switch to pre-registered clients \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tRestrict local MCP servers to STDIO\/Unix sockets; containerize with minimal privileges\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f6fcd13 elementor-widget elementor-widget-text-editor\" data-id=\"f6fcd13\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Governance<\/b><\/h5>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b7dea98 pp-info-list-icon-left pp-info-list-icon-vertical-middle elementor-widget elementor-widget-pp-info-list\" data-id=\"b7dea98\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"pp-info-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"pp-info-list-container pp-list-container pp-info-list-connector\">\n\t\t\t<ul class=\"pp-list-items\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tComplete ISO\/IEC 42001 Clause 6\/8 impact assessment for each agent deployment \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tImplement PII masking at the PEP before any LLM invocation                                                                                                                                                                                                                                                                                                                              \n\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tDefine per-agent rate limits, token budgets, and alert thresholds\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tConfigure CIBA or MCP elicitation for all irreversible agent actions        \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\t                                                                                                                                                                                                                                                                                                           Schedule quarterly agent identity and permission audits \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d7f0024 elementor-widget elementor-widget-text-editor\" data-id=\"d7f0024\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><b>Delegation<\/b><\/h5>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9ca136c pp-info-list-icon-left pp-info-list-icon-vertical-middle elementor-widget elementor-widget-pp-info-list\" data-id=\"9ca136c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"pp-info-list.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"pp-info-list-container pp-list-container pp-info-list-connector\">\n\t\t\t<ul class=\"pp-list-items\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\tAdopt RFC 8693 Token Exchange for all sub-agent delegation chains \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\t                                                                                                                                                                                                                                                                                                           Enforce scope attenuation: derived token scope \u2286 parent token scope (enforced at AS)    \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li class=\"pp-info-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-item-inner\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-icon-wrapper\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"pp-info-list-icon pp-icon \">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-dot-circle\"><\/i>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-infolist-content-wrapper\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"pp-info-list-description\">\n\t\t\t\t\t\t\t\t\t\t\t\t                                                                                                                                                                                                                                                                                            Evaluate Macaroon-based capability tokens for offline or edge delegation scenarios   \n                                                                                                                                                                                                                                                                                                                      \t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a8124b4 elementor-widget elementor-widget-text-editor\" data-id=\"a8124b4\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"FAQ\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2><span style=\"font-weight: 400;\">FAQs<\/span><\/h2><p><span style=\"font-weight: 400;\">The framework provided above addresses the structural and architectural changes required for agentic AI security. To provide quick clarity on common concerns and best-practice rationales, the following section answers frequently asked questions from practitioners in the field.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2dbe09b elementor-widget elementor-widget-n-accordion\" data-id=\"2dbe09b\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;default_state&quot;:&quot;expanded&quot;,&quot;max_items_expended&quot;:&quot;one&quot;,&quot;n_accordion_animation_duration&quot;:{&quot;unit&quot;:&quot;ms&quot;,&quot;size&quot;:400,&quot;sizes&quot;:[]}}\" data-widget_type=\"nested-accordion.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"e-n-accordion\" aria-label=\"Accordion. Open links with Enter or Space, close with Escape, and navigate with Arrow Keys\">\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-4790\" class=\"e-n-accordion-item\" open>\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"1\" tabindex=\"0\" aria-expanded=\"true\" aria-controls=\"e-n-accordion-item-4790\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><div class=\"e-n-accordion-item-title-text\"> What is the difference between agentic AI security and traditional IAM?   <\/div><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><i aria-hidden=\"true\" class=\"fas fa-minus\"><\/i><\/span>\n\t\t\t<span class='e-closed'><i aria-hidden=\"true\" class=\"fas fa-plus\"><\/i><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-4790\" class=\"elementor-element elementor-element-07059e3 e-con-full e-flex e-con e-child\" data-id=\"07059e3\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-4790\" class=\"elementor-element elementor-element-6efcb03 e-con-full e-flex e-con e-child\" data-id=\"6efcb03\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-05891dd elementor-widget elementor-widget-text-editor\" data-id=\"05891dd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Answer: Traditional IAM governs human users and static service accounts with predictable, bounded access patterns. Agentic AI security extends IAM to non-deterministic, goal-directed machine actors that can invoke thousands of API calls per session, spawn sub-agents, and act across multiple trust boundaries simultaneously; requiring verifiable workload identities, delegation chains, and real-time behavioral guardrails that classical IAM tooling does not provide.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-4791\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"2\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-4791\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><div class=\"e-n-accordion-item-title-text\"> Why can't AI agents simply use existing service accounts?    <\/div><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><i aria-hidden=\"true\" class=\"fas fa-minus\"><\/i><\/span>\n\t\t\t<span class='e-closed'><i aria-hidden=\"true\" class=\"fas fa-plus\"><\/i><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-4791\" class=\"elementor-element elementor-element-2ad324b e-con-full e-flex e-con e-child\" data-id=\"2ad324b\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-4791\" class=\"elementor-element elementor-element-e93e56d e-con-full e-flex e-con e-child\" data-id=\"e93e56d\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1d1ded6 elementor-widget elementor-widget-text-editor\" data-id=\"1d1ded6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Answer: Service accounts use static, long-lived credentials that cannot encode the agent&#8217;s model version, capability scope, or the human principal being represented. This eliminates auditability \u2014 you cannot tell from an access log which human authorized the agent action, which model version executed it, or whether the scope was appropriate for the task. Static credentials also cannot be attenuated across delegation chains, creating privilege escalation risks.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-4792\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"3\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-4792\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><div class=\"e-n-accordion-item-title-text\"> What is Token Passthrough and why is it dangerous?  <\/div><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><i aria-hidden=\"true\" class=\"fas fa-minus\"><\/i><\/span>\n\t\t\t<span class='e-closed'><i aria-hidden=\"true\" class=\"fas fa-plus\"><\/i><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-4792\" class=\"elementor-element elementor-element-7c9a511 e-con-full e-flex e-con e-child\" data-id=\"7c9a511\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-4792\" class=\"elementor-element elementor-element-4dc0908 e-con-full e-flex e-con e-child\" data-id=\"4dc0908\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-615a3ec elementor-widget elementor-widget-text-editor\" data-id=\"615a3ec\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Answer:Token Passthrough occurs when an MCP server receives a user&#8217;s access token and forwards it unmodified to a downstream API. The downstream API sees the user&#8217;s full identity and permissions, creating a Confused Deputy vulnerability where the agent can act with the user&#8217;s maximum authority rather than a narrowly scoped delegated authority. Downstream systems also lose visibility into which agent intermediary was involved in the request.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-4793\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"4\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-4793\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><div class=\"e-n-accordion-item-title-text\"> How does CIBA enable Human-in-the-Loop for AI agents?  <\/div><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><i aria-hidden=\"true\" class=\"fas fa-minus\"><\/i><\/span>\n\t\t\t<span class='e-closed'><i aria-hidden=\"true\" class=\"fas fa-plus\"><\/i><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-4793\" class=\"elementor-element elementor-element-71aa150 e-con-full e-flex e-con e-child\" data-id=\"71aa150\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-4793\" class=\"elementor-element elementor-element-3470dd9 e-con-full e-flex e-con e-child\" data-id=\"3470dd9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-43a7380 elementor-widget elementor-widget-text-editor\" data-id=\"43a7380\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Answer: CIBA (Client Initiated Backchannel Authentication) allows an agent to trigger an out-of-band authentication or approval request to the user&#8217;s trusted device \u2014 a mobile push notification, for example \u2014 without interrupting the user&#8217;s current browser or application session. The agent&#8217;s action is blocked until the user explicitly approves or denies it via their trusted device, ensuring irreversible actions receive human confirmation before execution. \u00a0 <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-4794\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"5\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-4794\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><div class=\"e-n-accordion-item-title-text\"> Is OAuth 2.1 production-ready for enterprise deployment?  <\/div><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><i aria-hidden=\"true\" class=\"fas fa-minus\"><\/i><\/span>\n\t\t\t<span class='e-closed'><i aria-hidden=\"true\" class=\"fas fa-plus\"><\/i><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-4794\" class=\"elementor-element elementor-element-8d49764 e-con-full e-flex e-con e-child\" data-id=\"8d49764\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-4794\" class=\"elementor-element elementor-element-0764848 e-con-full e-flex e-con e-child\" data-id=\"0764848\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-a34ec5f elementor-widget elementor-widget-text-editor\" data-id=\"a34ec5f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Answer: OAuth 2.1 consolidates the security best current practices from RFC 6749, RFC 6750, RFC 7636 (PKCE), and the OAuth Security BCP (RFC 9700). It is not a new protocol but a rationalization of existing standards. Major IdPs including Microsoft Entra ID, Okta, PingOne and Auth0 have implemented its key requirements. Enterprises can adopt OAuth 2.1 patterns incrementally alongside existing OAuth 2.0 deployments. \u00a0 <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9f5576c elementor-widget elementor-widget-text-editor\" data-id=\"9f5576c\" data-element_type=\"widget\" data-e-type=\"widget\" id=\"conclusion\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3><span style=\"font-weight: 400;\">Conclusion: Extend, Don&#8217;t Replace<\/span><\/h3><p><span style=\"font-weight: 400;\">The shift to agentic AI does not require discarding a decade of enterprise IAM investment. The same Identity Providers, OAuth authorization servers, SCIM directories, and policy engines that govern human access today are the right foundation \u2014 extended with workload identity standards (SPIFFE\/SPIRE or similar), delegation protocols (OAuth 2.1 OBO, RFC 8693 Token Exchange), MCP-aware policy enforcement, and ISO\/IEC 42001 governance processes.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/p><p><span style=\"font-weight: 400;\">Organizations that treat agentic AI security as a greenfield problem will build fragmented, unmaintainable controls. Those that extend their existing IAM infrastructure with the four pillars above will reach production-ready, compliant agentic deployments faster and with a defensible audit trail.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-532f4c9 e-con-full e-flex e-con e-child\" data-id=\"532f4c9\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-070b0b8 elementor-widget elementor-widget-text-editor\" data-id=\"070b0b8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h5><strong>Suggested next steps<\/strong><\/h5><h5>Use the checklist in Section 6 to assess your current posture. For each gap, map the remediation to your existing IAM toolchain before evaluating new vendors.<\/h5>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-16cdc52 e-con-full e-flex e-con e-child\" data-id=\"16cdc52\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t<div class=\"elementor-element elementor-element-dff5201 e-con-full e-flex e-con e-child\" data-id=\"dff5201\" data-element_type=\"container\" data-e-type=\"container\" id=\"contactus\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t<div class=\"elementor-element elementor-element-3b1247e e-con-full e-flex e-con e-child\" data-id=\"3b1247e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6c9ba15 elementor-widget elementor-widget-heading\" data-id=\"6c9ba15\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Indigo Consulting <br>\nBridging the gap between business strategy and Identity security. Global experts in CIAM, IGA, and Agentic Governance.<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-041856d elementor-align-center elementor-invisible elementor-widget elementor-widget-button\" data-id=\"041856d\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;fadeIn&quot;,&quot;_animation_delay&quot;:200}\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/www.indigoconsulting.ca\/fr\/agentic-ai-readiness-assessment\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Start Agentic Readiness Assessment<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>This guide is for enterprise security architects, IAM engineers, and CISOs who are deploying or evaluating agentic AI systems and need a structured, standards-aligned risk framework \u2014 not a vendor pitch.                                                                                                                                                                               <\/p>","protected":false},"author":22,"featured_media":5026,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[117],"tags":[142],"class_list":["post-5022","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-nhd"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.8 (Yoast SEO v27.6) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Agentic AI Security: A Practitioner&#039;s Risk Framework for the Enterprise\u200b - Indigo Consulting<\/title>\n<meta name=\"description\" content=\"Agentic AI Security: A Practitioner&#039;s Risk Framework for the Enterprise. A practical guide to managing and mitigating AI risks at scale\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.indigoconsulting.ca\/fr\/blog\/agentic-ai-security\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Agentic AI Security: A Practitioner&#039;s Risk Framework for the Enterprise\u200b\" \/>\n<meta property=\"og:description\" content=\"Agentic AI Security: A Practitioner&#039;s Risk Framework for the Enterprise. A practical guide to managing and mitigating AI risks at scale.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.indigoconsulting.ca\/fr\/blog\/agentic-ai-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Indigo Consulting\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-24T21:59:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-19T16:34:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Osagie Evans\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Osagie Evans\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Agentic AI Security: A Practitioner's Risk Framework for the Enterprise\u200b - Indigo Consulting","description":"Agentic AI Security: A Practitioner's Risk Framework for the Enterprise. A practical guide to managing and mitigating AI risks at scale","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.indigoconsulting.ca\/fr\/blog\/agentic-ai-security\/","og_locale":"fr_CA","og_type":"article","og_title":"Agentic AI Security: A Practitioner's Risk Framework for the Enterprise\u200b","og_description":"Agentic AI Security: A Practitioner's Risk Framework for the Enterprise. A practical guide to managing and mitigating AI risks at scale.","og_url":"https:\/\/www.indigoconsulting.ca\/fr\/blog\/agentic-ai-security\/","og_site_name":"Indigo Consulting","article_published_time":"2026-03-24T21:59:40+00:00","article_modified_time":"2026-04-19T16:34:30+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security.jpg","type":"image\/jpeg"}],"author":"Osagie Evans","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Osagie Evans","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/#article","isPartOf":{"@id":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/"},"author":{"name":"Osagie Evans","@id":"https:\/\/www.indigoconsulting.ca\/#\/schema\/person\/55264c1ffe7bf768db7ebf8b8edfcf3e"},"headline":"Agentic AI Security: A Practitioner&#8217;s Risk Framework for the Enterprise\u200b","datePublished":"2026-03-24T21:59:40+00:00","dateModified":"2026-04-19T16:34:30+00:00","mainEntityOfPage":{"@id":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/"},"wordCount":2806,"publisher":{"@id":"https:\/\/www.indigoconsulting.ca\/#organization"},"image":{"@id":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security.jpg","keywords":["nhd"],"articleSection":["Blog"],"inLanguage":"fr-CA"},{"@type":"WebPage","@id":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/","url":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/","name":"Agentic AI Security: A Practitioner's Risk Framework for the Enterprise\u200b - Indigo Consulting","isPartOf":{"@id":"https:\/\/www.indigoconsulting.ca\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/#primaryimage"},"image":{"@id":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security.jpg","datePublished":"2026-03-24T21:59:40+00:00","dateModified":"2026-04-19T16:34:30+00:00","description":"Agentic AI Security: A Practitioner's Risk Framework for the Enterprise. A practical guide to managing and mitigating AI risks at scale","breadcrumb":{"@id":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/"]}]},{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/#primaryimage","url":"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security.jpg","contentUrl":"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2026\/03\/Agentic-AI-Security.jpg","width":1200,"height":800,"caption":"cybersecurity concept Global network security technology, business people protect personal information. Encryption with a padlock icon on the virtual interface. Agentic AI security"},{"@type":"BreadcrumbList","@id":"https:\/\/www.indigoconsulting.ca\/blog\/agentic-ai-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.indigoconsulting.ca\/"},{"@type":"ListItem","position":2,"name":"Agentic AI Security: A Practitioner&#8217;s Risk Framework for the Enterprise\u200b"}]},{"@type":"WebSite","@id":"https:\/\/www.indigoconsulting.ca\/#website","url":"https:\/\/www.indigoconsulting.ca\/","name":"Indigo Consulting","description":"A Leading IAM, Compliance, &amp; IT Consultant","publisher":{"@id":"https:\/\/www.indigoconsulting.ca\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.indigoconsulting.ca\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-CA"},{"@type":"Organization","@id":"https:\/\/www.indigoconsulting.ca\/#organization","name":"Indigo Consulting","url":"https:\/\/www.indigoconsulting.ca\/","logo":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.indigoconsulting.ca\/#\/schema\/logo\/image\/","url":"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2020\/03\/logo_indigo.png","contentUrl":"https:\/\/www.indigoconsulting.ca\/wp-content\/uploads\/2020\/03\/logo_indigo.png","width":363,"height":109,"caption":"Indigo Consulting"},"image":{"@id":"https:\/\/www.indigoconsulting.ca\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/indigo-technologies-canada-inc.\/"]},{"@type":"Person","@id":"https:\/\/www.indigoconsulting.ca\/#\/schema\/person\/55264c1ffe7bf768db7ebf8b8edfcf3e","name":"Osagie Evans","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/secure.gravatar.com\/avatar\/176a35a0f7d3a60ef36eb8434ac3c12d19c374aa2f5370a0eda5b94eaeca5792?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/176a35a0f7d3a60ef36eb8434ac3c12d19c374aa2f5370a0eda5b94eaeca5792?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/176a35a0f7d3a60ef36eb8434ac3c12d19c374aa2f5370a0eda5b94eaeca5792?s=96&d=mm&r=g","caption":"Osagie Evans"},"url":"https:\/\/www.indigoconsulting.ca\/fr\/author\/eosagieindigoconsulting-ca\/"}]}},"_links":{"self":[{"href":"https:\/\/www.indigoconsulting.ca\/fr\/wp-json\/wp\/v2\/posts\/5022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.indigoconsulting.ca\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.indigoconsulting.ca\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.indigoconsulting.ca\/fr\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/www.indigoconsulting.ca\/fr\/wp-json\/wp\/v2\/comments?post=5022"}],"version-history":[{"count":0,"href":"https:\/\/www.indigoconsulting.ca\/fr\/wp-json\/wp\/v2\/posts\/5022\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.indigoconsulting.ca\/fr\/wp-json\/wp\/v2\/media\/5026"}],"wp:attachment":[{"href":"https:\/\/www.indigoconsulting.ca\/fr\/wp-json\/wp\/v2\/media?parent=5022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.indigoconsulting.ca\/fr\/wp-json\/wp\/v2\/categories?post=5022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.indigoconsulting.ca\/fr\/wp-json\/wp\/v2\/tags?post=5022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}