Curity looks to reinvent IAM with runtime authentication for AI agents

AI News


The problem this solves is that traditional IAM tools assume that applications are accessed by a human user or machine identity and managed by a one-time authentication process. But agents expect long sequences of actions performed at incredible speeds, and they don’t work this way. Instead, access is temporary, complex, non-deterministic, and highly unpredictable. If you lock it too much, it won’t work. If you leave them free, they will be followed by weak security.

runtime enforcement

Curity’s approach is to treat agents as a special type of application. Like applications, agents call APIs, MCP servers, etc., and are authenticated using OAuth tokens. Through a feature called token intelligence, Curity extends the role of OAuth tokens to convey information about an agent’s purpose and intent beyond simply granting access. Curity’s scheme allows agents to access resources only based on their purpose.

Instead of using static, pre-granted permissions, agent access is granted on the fly at runtime. For each requested action, a separate token is generated that describes the required access. When an agent starts a new task, it requires a new token that specifies a new set of permissions. If an agent attempts to perform a high-risk action, such as transferring funds, human approval may be required if necessary.



Source link