Actors perform work on systems. This has been so since the arrival of the transistor and even long before. Until recently, actors have been mostly humans who possess identities stored in identity providers (IdP) and who operate within bounds set by access controls that reference said identities. While other bounds exist, the starting point for nearly every security policy is either an individual or a group or a role. Internet-of-things (IoT) devices occasionally stymie otherwise well-designed identity management strategies, but appear not to cause much issue because many devices can possess digital certificates and obtain an identity in a standard IdP.
Now come AI agents, wonderful little piles of software that promise to revolutionize life on Earth. While much has been, and will be, written about whether agents are truly autonomous, complete tasks fully end-to-end, or work as well in production as in demos with curated inputs, our goal here today is a narrower one: To ensure that agents (which are also actors that perform work on systems) operate within the same sorts of identity-based bounds that constrain humans and devices.
It’s illuminating to compare some differences between humans and agents:
| Humans | Agents |
|---|---|
| Publicly named at birth | Are nameless outside their own codebases |
| Typically act in predictable, sometimes surprising, ways | Sometimes act in completely unexpected ways regardless of instructions |
| Are slow (“human speed”) | Are fast (“machine speed”) |
| Scale limitedly | Scale massively |
| Make mistakes | Make mistakes at machine speed |
| Are responsible for their actions | Possess no legal or moral responsibility |
These differences illustrate why the business use of AI agents demands adding both an identity and access layer and a policy layer around every action an agent takes.
The identity and access policy layer
You already have an identity layer for human and device actors: Your IdP plus your identity and access management (IAM) tools work in concert to provide static long-lived credentials that reflect the static and long-lived nature of their referents. Let’s denote this as user IAM. Agents, of course, are neither static nor long-lived. Agents require a form of workload IAM that accommodates the distinct characteristics of agents: just-in-time, ephemeral credentials that become the basis for dynamic access policies.
Aembit’s IAM for Workloads shifts authentication away from what a workload knows (static secrets) to who a workload is, cryptographically verified by its environment and context. Examples include where it’s running, the platform that issued its identity, its IaaS instance metadata, and more. When a workload is verified, Aembit triggers a credential provider to generate a credential that it injects into the workload’s memory during runtime. Workloads themselves don’t need to implement any credential logic and don’t need to maintain secrets (which, sadly, don’t like to remain that way). Learn more in Aembit’s documentation.
Agents, though, require more. When a human actor instructs an agent actor to perform some work on a system, that system needs to verify two identities: the human’s and the agent’s. And this should not be done separately. Evaluating only the user requires treating all agents equally; evaluating only the agent (workload) can’t distinguish its various users. Aembit’s IAM for Agentic AI creates a blended identity that combines both: “Is this specific user, using this specific agent, authorized to access this specific resource right now?”
Agents rely on model context protocol (MCP) to interact with resources. Aembit adds essential capabilities into these interactions:
- The MCP Authorization Server implements the OAuth 2.1 functionality defined in the MCP specification, eliminating the need to implement it in every one of your agents. Use this to achieve fine-grained access control and to dynamically register MCP clients.
- The MCP Identity Gateway proxies traffic between agents and MCP servers and issues a short-lived access credential that represents the entitlements of the blended identity. Use this to enforce access policies between agents and MCP servers and to enforce per-user credential isolation.
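The blended check described above, together with the short-lived credential the gateway issues, as an added illustrative model rather than Aembit's own code: a rule binds user group, agent and resource together, the agent's environment attestation must match what was registered, and the minted credential is accepted only for that resource and only until it expires. All users, agents, attestation values, resources and rules are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data (no real users, agents or policies).
USER_GROUPS = {"alice": "finance", "bob": "engineering"}

# Verified agent attributes a workload IAM layer would attest, e.g. where the agent runs.
AGENT_ATTESTATIONS = {
    "ledger-agent": {"platform": "aws", "account": "111111111111"},
    "summarizer": {"platform": "gcp", "project": "demo-proj"},
}

# Blended policy: user group, agent and resource are evaluated as one tuple.
POLICY = [
    {"group": "finance", "agent": "ledger-agent", "resource": "mcp://erp/invoices", "ttl": 300},
    {"group": "finance", "agent": "summarizer", "resource": "mcp://erp/reports", "ttl": 300},
    {"group": "engineering", "agent": "summarizer", "resource": "mcp://erp/reports", "ttl": 300},
]

GATEWAY_KEY = secrets.token_bytes(32)  # signing key held by the gateway (constructed)


def _sign(cred):
    msg = "|".join(f"{k}={cred[k]}" for k in ("sub", "agent", "aud", "exp", "nonce")).encode()
    return hmac.new(GATEWAY_KEY, msg, hashlib.sha256).hexdigest()


def authorize(user, agent, attestation, resource, now=None):
    """Return a short-lived credential for (user, agent, resource), or None if denied."""
    now = now if now is not None else time.time()
    if AGENT_ATTESTATIONS.get(agent) != attestation:
        return None  # agent identity not verified by its environment
    group = USER_GROUPS.get(user)
    for rule in POLICY:
        if (rule["group"], rule["agent"], rule["resource"]) == (group, agent, resource):
            cred = {"sub": user, "agent": agent, "aud": resource,
                    "exp": int(now) + rule["ttl"], "nonce": secrets.token_hex(8)}
            cred["sig"] = _sign(cred)
            return cred
    return None  # neither user-only nor agent-only entitlement is enough


def validate(cred, resource, now=None):
    """Resource-side check: signature intact, not expired, bound to this resource."""
    now = now if now is not None else time.time()
    if cred is None or not hmac.compare_digest(cred["sig"], _sign(cred)):
        return False
    return cred["aud"] == resource and now < cred["exp"]
```

A user-only decision would let alice reach invoices through any agent, and an agent-only decision would let ledger-agent act for any user; the blended rule denies both.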
Aembit allows you to add identities to agents, manage these identities in the specific ways that are unique to agents, and combine these identities with the humans who invoke them. A vital and necessary start. But managing and controlling agents requires more.
The data policy layer
It’s important to realize that MCP lacks a native data policy layer: It can’t offer visibility, enforcement, or governance of data flows. This lack is especially serious because not every aspect of MCP remains under your control. Fortunately, Netskope’s AI security products add this policy layer. It consists of three components.
- Some of the thousands of publicly available MCP servers will probably tempt your company, because they offer value once you connect them to enterprise data and permit them to perform autonomous operations. The Agentic Broker enables you to incorporate public MCP servers safely.
- The trend now, especially in regulated industries, is not to send AI traffic to public servers but instead to build applications and models that keep sensitive data contained within the enterprise. The AI Gateway extends Netskope’s existing security capabilities directly into privately hosted AI environments. It intercepts traffic between applications, agents, and LLMs, which can then be governed by the usual slate of Netskope controls.
- Agents are notorious for finding ways to skirt their rules and attackers are highly motivated to weaponize them for various nefarious purposes. AI Guardrails constrain agent behavior by thwarting multi-turn threats like prompt injection and jailbreaking attacks.
The policy layer provides these crucial capabilities:
- Continuously identify, in real time, the MCP servers and clients in use within your company, including attributes such as name, ID, URL, version, host, data source, and protocol.
- Apply risk scoring to public MCP servers, to help you quickly assess and prioritize which AI tools, agents, or integrations pose the greatest security and compliance risks.
- Manage access using granular, context-based policy controls (including a default block option for public MCP traffic) and real-time prevention of data leaks.
- Detect and monitor non-human traffic between and across MCP servers, clients, functions, hosts, data sources, and development tools.
- Log MCP events, including sessions, initializations, function requests and responses, and deployments.
- Determine, classify, and control the movement of sensitive data, such as intellectual property and passwords.
- Gauge the intent of agent activity and restrict agent behavior to programmed bounds, including moderating content for acceptable behavior and managing the spread of intellectual property as a defense against legal liability.
As with other kinds of layered controls, these products are effective because they sit inline and observe the agent traffic between MCP clients and servers. They apply your policies to your traffic to ensure your data goes and stays where it should, not where it shouldn’t, and neutralize threats along the way.
Combining identity and access policy with data policy
Here’s how a secure AI agent interaction flows from end to end:
- Deploy the Netskope One AI Gateway. Install a gateway from an ESXi VM, an AWS AMI, or a GCP image. Configure it with policies that create guardrails, filter prompts, and enable DLP rules.
- Deploy Aembit Edge. Install an Edge alongside the AI agent. Configure it with the agent’s client identity, verification parameters, and conditional access policies.
- Inject credentials at runtime. When the agent initiates an MCP conversation, Aembit Edge dynamically injects two credentials: one to authenticate access to the Netskope One AI Gateway, and one for the agent to access the downstream LLM through the same Gateway.
By authenticating both interactions (agent to AI Gateway and AI Gateway to LLM), Aembit removes the need for deployers to create, store, or share access tokens. Netskope inspects all content in transit and logs every interaction for compliance. Using the header Aembit injects, Netskope matches and applies fine-grained policies based on the agent’s identity. Both platforms provide complementary logging, auditing, and compliance capabilities for defense in depth.
Get started today
Netskope and Aembit offer a complete set of capabilities required for incorporating agentic AI into your zero trust strategy so that your company can strike the right balance between staying secure and accelerating innovation. Contact your Netskope representative today for a demo, then get started on identifying, managing, and controlling all your agents.