Blog

Short-form posts on modern IAM: implementation notes, standards, incidents, and practical takeaways.

2026-02-28

Agentic Access: Token and Session Security for AI Agents, Workloads, and Non-Human Identities

A practical, enterprise-neutral blueprint for securing tokens and sessions for AI agents, workloads, and other non-human identities (NHIs)—with short-lived tokens, sender constraints, refresh rotation, brokered tool access, and CAEP/SSF-style continuous evaluation.

2026-02-27

Token Theft Is the New Password Spray: Hardening OAuth and SaaS Sessions with DPoP, CAEP, and Continuous Signals

Token replay has become one of the fastest paths to 'MFA bypass' in SaaS. This post lays out a practical token security stack: shorter lifetimes, DPoP/mTLS sender constraints, fast revocation, and CAEP-style continuous access evaluation—plus how to apply the same controls to non-human identities and AI agents.

2026-02-25

Securing Agentic AI Integrations: OAuth Token Abuse, NHI Governance, and Continuous Session Control (SSF/CAEP)

A practical enterprise playbook to secure agentic AI and automation integrations using OAuth/OIDC hardening, non-human identity governance, and continuous session control with SSF/CAEP.

2026-02-24

Securing Autonomous Agents with Non-Human Identity: Token Lifetimes, CAE, and SSF/CAEP in Practice

A practical enterprise blueprint for securing AI agents and automation using non-human identity governance, short-lived tokens, Continuous Access Evaluation (CAE), and SSF/CAEP-style security signaling.

2026-02-23

Token Security for AI Agents and Non-Human Identities (NHI): Practical Patterns for 2026

A practical, enterprise-neutral guide to token lifetimes, audience/scope boundaries, replay resistance, and revocation for AI agents and other non-human identities—plus concrete implementation patterns across common IdPs, clouds, and meshes.

2026-02-22

Token Security for Autonomous Agents: Proof-of-Possession, CAEP/SSF, and Non-Human Identity Controls

A practical blueprint for securing AI agents and automation with proof-of-possession tokens (DPoP/mTLS), short-lived credentials, token exchange, and event-driven revocation patterns aligned to CAEP/SSF.

2026-02-08

Vibe-Coded Agents, Leaked Tokens, and the Next IAM Problem: Securing Agentic AI with Non-Human Identity

A practical blueprint for securing autonomous AI agents and other non-human identities: workload identity, short-lived tokens, audience restriction, proof-of-possession, and fast revocation (CAEP/SSF mindset).

2026-02-08

Vibe-Coded Agents, Leaked Tokens, and the Next IAM Problem: Securing Agentic AI with Non-Human Identity

A practical blueprint for identity, token design, and fast revocation for enterprise AI agents and other non-human identities.

2026-02-07

Refresh Tokens for AI Agents: How to Stop Long-Lived Tokens From Becoming Your Next Breach

Why refresh tokens act like Tier-0 credentials for AI agents—and how to reduce breach impact with rotation, sender constraint, brokers, and fast revocation.

2026-02-07

AI Agent Identity: Why BodySnatcher and Connected Agents Vulnerabilities Should Change How You Think About Agentic Security

What the BodySnatcher and Connected Agents disclosures teach us about agent identity, lateral movement, and governing non-human identities at scale.

2026-02-07

Non-Human Identity for Agentic AI: Token Safety, Real-Time Revocation, and Governance at Scale

A practical blueprint for securing AI agents, workloads, pipelines, and integrations with modern token/session controls, real-time revocation, and NHI governance.

2026-02-07

Securing AI Agents in Production: Sender-Constrained Tokens, Token Exchange, and Continuous Access Evaluation

How to harden AI agents with sender-constrained tokens (DPoP/mTLS), OAuth token exchange (OBO), and Continuous Access Evaluation (CAE/CAEP/SSF).

2026-02-07

From Token Dispensaries to Agentic Identity: Hardening OAuth and Non-Human Access with CAEP/SSF

A practical response to the ‘token dispensary’ failure mode: how to harden OAuth/OIDC token handling, protect non-human identities (workloads and AI agents), and use CAEP/SSF for fast, event-driven revocation.

2026-02-04

AI Agent Identity: Why 2026 Is the Year of the Over-Privileged Bot

One Identity predicts 2026 will see the first major breach from an over-privileged AI agent. Why traditional IAM fails for agents, real attack patterns, and the control framework enterprises need now.

2026-02-04

AI Agent Identity: Why BodySnatcher and Connected Agents Vulnerabilities Should Change How You Think About Agentic Security

Two major vulnerability disclosures—ServiceNow's BodySnatcher and Microsoft's Connected Agents—expose fundamental weaknesses in AI agent authentication. Organizations must implement identity-centric controls that match the speed and autonomy of agents.

2026-02-03

Non-Human Identity & Automation: Securing Workloads, Pipelines, and Tooling at Scale

A practical, enterprise-focused guide to non-human identity risk and modern control patterns: workload identity, short-lived credentials, CI/CD federation with OIDC, secrets management, and governance at scale.

2026-02-02

OAuth Tokens Are the New Keys: What the Salesforce/Drift Incident Teaches

Why stolen OAuth tokens bypass MFA, where token theft happens in practice, and the concrete controls that reduce replay and persistence: short lifetimes, rotation, governance, and revocation.