Channel: IBM Technology
Kagenti’s Approach to Multi-Agent Security for AI Agents
The Signal
Multi-agent systems face a high risk of 'confused deputy' exploits, where an orchestrator inadvertently passes too much authority to subagents. This video argues that static, topology-based authorization fails because agents decide their own paths, proposing instead a model where identity and delegation travel with every request.
The Case
- Kagenti — an open-source infrastructure and security layer for agentic systems — aims to solve token leakage by securing the entire 'delegation chain' rather than just the individual agent.
- In a documented hospital billing example, an orchestrator passing a bearer token can leave unauthorized downstream agents with full access to patient records if authorization is tied only to the token.
- The stack uses SPIFFE identity for short-lived, workload-bound X.509 certificates and Keycloak to manage limited OAuth2 client tokens for specific tools.
- Authbridge acts as a critical security middleware that injects a cryptographically signed header into every call, recording the full delegation path so tools can verify that every actor in the chain is authorized.
- Deployment-time protections include InvoidProxy to validate tokens before agent code execution begins, plus an MCP gateway that centralizes routing, rate-limiting, and token validation for every tool.
- Istio ambient mode provides mutual authentication and encryption across the network without requiring additional per-pod sidecar configuration.
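As an added illustration of the delegation-chain idea in the two bullets above (not Kagenti's code and not taken from the video), the Python below builds a signed header that records every hop, extends it at each agent, and has the tool reject any chain containing an actor outside its policy. It places that check beside a token-only check so the hospital billing case is visible: the forwarded bearer token still "works", but the chain does not. The signing key, the `spiffe://example.org` identities, the allowlist and the token are constructed for the example, and a shared HMAC secret stands in for the per-workload keys a real middleware would use.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the example; real middleware would sign with
# per-workload keys bound to SPIFFE identities, not a shared secret.
SIGNING_KEY = b"example-authbridge-signing-key"

# Constructed SPIFFE-style workload identities for the hospital billing scenario.
ORCHESTRATOR = "spiffe://example.org/agent/orchestrator"
BILLING_AGENT = "spiffe://example.org/agent/billing"
SUMMARIZER_AGENT = "spiffe://example.org/agent/summarizer"  # not entitled to patient records

# Constructed per-tool policy: every actor on the delegation path must be listed.
PATIENT_RECORDS_ALLOWED = {ORCHESTRATOR, BILLING_AGENT}

# Constructed bearer token held by the orchestrator; a token-only check accepts
# it regardless of who forwards it.
VALID_TOKENS = {"tok-orchestrator-patient-records"}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_chain(chain: list[str], key: bytes = SIGNING_KEY) -> str:
    """Serialize the delegation path and attach an HMAC-SHA256 tag over it."""
    payload = json.dumps({"chain": chain}, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_chain(header: str, key: bytes = SIGNING_KEY) -> list[str]:
    """Return the delegation path if the header's tag is intact; raise otherwise."""
    payload_b64, _, tag_b64 = header.partition(".")
    payload = _b64d(payload_b64)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(tag_b64)):
        raise ValueError("delegation header signature mismatch")
    chain = json.loads(payload)["chain"]
    if not chain or not all(isinstance(actor, str) for actor in chain):
        raise ValueError("malformed delegation chain")
    return chain


def extend_chain(header: str, next_actor: str, key: bytes = SIGNING_KEY) -> str:
    """Middleware step at each hop: verify the incoming chain, append the caller, re-sign."""
    return sign_chain(verify_chain(header, key) + [next_actor], key)


def token_only_check(token: str) -> bool:
    """The weak model from the text: authorization tied to the bearer token alone."""
    return token in VALID_TOKENS


def authorize_tool_call(header: str, allowed: set[str], key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Tool-side check: the tag must verify and every actor in the chain must be authorized."""
    try:
        chain = verify_chain(header, key)
    except (ValueError, KeyError, TypeError):
        return False, "rejected: invalid delegation header"
    for actor in chain:
        if actor not in allowed:
            return False, f"rejected: {actor} is not authorized for this tool"
    return True, "allowed"


if __name__ == "__main__":
    token = "tok-orchestrator-patient-records"
    # Orchestrator -> billing agent: the legitimate path.
    good = extend_chain(sign_chain([ORCHESTRATOR]), BILLING_AGENT)
    print("legitimate chain:", authorize_tool_call(good, PATIENT_RECORDS_ALLOWED))
    # Orchestrator -> billing -> summarizer: the token still passes a token-only
    # check, but the chain check catches the unauthorized hop.
    leaked = extend_chain(good, SUMMARIZER_AGENT)
    print("token-only check:", token_only_check(token))
    print("chain check:", authorize_tool_call(leaked, PATIENT_RECORDS_ALLOWED))
```

Because each hop re-signs over the whole path, an intermediate agent cannot drop itself from the chain without invalidating the tag, which is what lets the tool trust the recorded path rather than just the token presented with the call.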
The 1 Minute Signal Take
The architectural design is a logically sound response to the dynamic nature of multi-agent delegation, though the speaker's claim that this provides total security remains an assertion rather than a field-tested guarantee. Watch this for the concrete breakdown of the security stack, but disregard the promotional framing that treats these architectural choices as a self-evident, universal fix.
