The 'Confused Deputy' Problem in Agentic AI

In multi-agent systems, agents often pass access tokens down a chain of sub-agents to get a task done. A 'confused deputy' vulnerability occurs when a sub-agent (e.g., Agent D) ends up holding an access token that was issued to a parent agent (Agent A) and uses that borrowed authority to reach resources it was never authorized to touch (like patient records). The resource server cannot tell the difference: it sees a valid token and has no way of knowing which agent is presenting it, or on whose behalf.

Traditional Role-Based Access Control (RBAC), as typically applied to service-to-service calls, fails here because it is attached to a static call graph: you authorize a path by knowing in advance exactly which service calls which. Agentic AI is dynamic and chooses its own path at run time, so the topology cannot be pre-defined and any allowlist of paths is either too permissive or immediately out of date. Securing the path is therefore ineffective; instead, you must secure the identity of each participant and carry that identity with every call.

Implementing Identity-Based Security with Kagenti

Kagenti solves this by shifting security to the infrastructure layer using a sidecar pattern: the security logic runs alongside the agent container rather than inside the agent code, so it remains agnostic to the agent framework. The architecture relies on three core components:

  • Cryptographic Workload Identity (SPIFFE): Every agent is issued a short-lived X.509 certificate (an X.509-SVID) via SPIFFE (Secure Production Identity Framework for Everyone). This replaces static API keys: the agent proves possession of a private key, the way a TLS server does, rather than presenting a shared secret that any copy of the token could replay. Because the certificates are short-lived and rotated automatically, a leaked credential has a bounded lifetime.
  • Delegation Chains (AuthBridge): When an agent makes a call, the AuthBridge component injects a cryptographically signed header. This header contains the full delegation chain: the immediate caller, its parent(s), and the original user. Because the chain is signed, a downstream agent cannot rewrite it to drop a hop or impersonate a parent without invalidating the signature.
  • Policy-Based Tool Access: A gateway (an MCP gateway, since tools are exposed over the Model Context Protocol) sits in front of tools. When a request arrives, the gateway verifies the signature and inspects the full delegation chain. If the chain shows an agent is attempting to access a resource outside its permission scope, the request is blocked, even if the agent possesses a valid bearer token.
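The three components above are one procedure: an identity signs a delegation header, the header travels with the call, and the gateway decides from the chain rather than from the bearer token alone. The block below is an added example written for this page; it is not Kagenti's or AuthBridge's own code and does not reproduce their header format. It assumes a shared HMAC key between the signer and the gateway (a stand-in for signing with the caller's SPIFFE key and verifying against the trust bundle), a constructed policy table keyed by SPIFFE IDs, and a policy rule that every hop in the chain must be allowed to use the tool, which is the least-privilege reading of "inspect the full delegation chain". The names `sign_delegation_header`, `verify_delegation_header`, `gateway_decision` and `strip_last_hop` are hypothetical.

```python
"""Delegation-chain check at a tool gateway (constructed example, not Kagenti code)."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: signer and gateway share an HMAC key. In a SPIFFE deployment the
# header would be signed with the caller's SVID key and verified against the
# SPIFFE bundle; HMAC keeps this example self-contained and offline.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Assumption: per-identity tool permissions, as the gateway policy would hold them.
POLICY = {
    "spiffe://example.org/agent/A": {"patient_records", "scheduling"},
    "spiffe://example.org/agent/D": {"scheduling"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_delegation_header(user: str, chain: list) -> str:
    """Build the header the bridge injects: chain[0] is the agent the user
    first talked to, chain[-1] is the agent making this call."""
    payload = json.dumps({"user": user, "chain": chain},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_delegation_header(header: str) -> Optional[dict]:
    """Return the signed claims, or None if the header is malformed or tampered."""
    try:
        payload_b64, sig_b64 = header.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        return json.loads(payload)
    except (ValueError, json.JSONDecodeError):
        return None


def gateway_decision(header: str, bearer_token_valid: bool, tool: str):
    """Authorize a tool call. The bearer token is necessary but not sufficient:
    every hop in the chain must itself be permitted to use the tool, so a
    sub-agent cannot launder a parent's authority through a passed-along token."""
    if not bearer_token_valid:
        return False, "invalid bearer token"
    claims = verify_delegation_header(header)
    if claims is None:
        return False, "delegation header missing or tampered"
    chain = claims.get("chain") or []
    if not chain:
        return False, "empty delegation chain"
    for hop in chain:
        if tool not in POLICY.get(hop, set()):
            return False, f"{hop} may not access {tool}"
    return True, f"allowed: {claims['user']} -> {' -> '.join(chain)} -> {tool}"


def strip_last_hop(header: str) -> str:
    """What a confused deputy might try: drop itself from the chain without
    re-signing. The original signature no longer matches the new payload."""
    payload_b64, sig_b64 = header.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["chain"] = claims["chain"][:-1]
    forged = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(forged)}.{sig_b64}"


if __name__ == "__main__":
    agent_a = "spiffe://example.org/agent/A"
    agent_d = "spiffe://example.org/agent/D"
    direct = sign_delegation_header("alice", [agent_a])
    delegated = sign_delegation_header("alice", [agent_a, agent_d])
    print(gateway_decision(direct, True, "patient_records"))      # allowed
    print(gateway_decision(delegated, True, "scheduling"))        # allowed
    print(gateway_decision(delegated, True, "patient_records"))   # denied: D out of scope
    print(gateway_decision(strip_last_hop(delegated), True, "patient_records"))  # denied: tampered
```

Run it and note the third and fourth results: Agent D holds a perfectly valid bearer token in both cases, and the gateway still refuses, once because D is not in scope for patient_records and once because the chain no longer verifies. That is the whole point of deciding on the signed chain rather than on token validity.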

Infrastructure and Observability

By building on open-source infrastructure, Kagenti automates the complexity of secure agent communication:

  • Networking: Istio (in ambient mode) handles mutual TLS (mTLS) between agents and tools, ensuring encrypted, authenticated communication without manual configuration in the agent.
  • Observability: Because the system operates over standard HTTP, it integrates with OpenTelemetry. Trace context propagates with each call, so developers can follow a single trace ID across the entire agent chain and see exactly who authorized a specific action.
  • Developer Experience: The platform handles the heavy lifting, including fetching and rotating SPIFFE identities, registering OAuth2 clients in Keycloak, and deploying Envoy proxies, so the agent code itself remains untouched.