Taming the AI Beast: Building Secure and Controlled AI Agents 🤖✨

We’re entering a new era of AI, where agents are increasingly integrated into our workflows. But with great power comes great responsibility – and the recent incidents of AI assistants going rogue highlight the need for a more controlled approach. This presentation dives deep into how to build secure and controlled AI agents, shifting power away from the LLM and putting it firmly in the hands of developers and users.

The Problem: When AI Gets Out of Hand 😬

The core issue lies in the broad permissions often granted to AI agents, particularly coding assistants. These agents, powered by Large Language Models (LLMs), are given considerable autonomy, making decisions and taking actions without sufficient human oversight. As the speaker highlighted, this can lead to unintended and potentially harmful consequences – like the unfortunate incident of a coding assistant deleting a user’s database! The inherent non-deterministic nature of LLMs means they don’t always reliably follow instructions, making it crucial to rethink how we grant them access. The problem? Control over critical actions resides with the LLM, not the user.

The Solution: A Layered Approach to Secure Agency 🛠️

The presentation outlines a layered approach built on three core principles:

  • Least Privilege: Granting AI agents only the absolute minimum permissions needed to complete their tasks. Think of it as giving them just the keys to the rooms they need to access, not the entire building!
  • Zero Trust: Verifying every request, assuming no implicit trust. This means constantly checking and re-checking permissions, regardless of previous authorizations.
  • Human-in-the-Loop (HITL): Requiring explicit user approval for sensitive actions. This ensures that a human always has the final say before an action is taken.

Key Technologies & Principles in Action 🌐

Let’s look at some of the key technologies enabling this secure approach:

  • OAuth 2.0 Federation: Leveraging existing Identity Providers (IdPs) like Okta to manage authentication and authorization. This avoids reinventing the wheel and builds upon established trust relationships.
  • Token Vault (at Okta): A secure mechanism where the IdP acts as a broker, allowing AI agents to request tokens on behalf of users without needing direct access to their credentials.
  • Client-Initiated Backchannel Authentication (CIBA): This is a game-changer! CIBA allows AI agents to request approvals asynchronously, without blocking the user’s workflow. This is crucial for maintaining responsiveness and a smooth user experience. Notifications can be delivered via push notification, SMS, or email.
  • Separation of Concerns: Moving decision-making logic (like when to request HITL) away from the LLM and into the underlying tools and code.

A Peek Inside the Workflow 🚀

Here’s how it works in practice:

  1. AI Agent Task: The agent identifies a task requiring action (e.g., buying stock, deleting a folder).
  2. Authorization Request (CIBA): The agent initiates a backchannel authorization request to the IdP (e.g., Okta) using CIBA.
  3. User Notification: The IdP sends a notification to the user (push notification, SMS, email) requesting approval.
  4. User Approval/Denial: The user approves or denies the request.
  5. Token Grant/Denial: The IdP grants or denies an access token to the AI agent based on the user’s decision.
  6. Task Execution: The AI agent executes the task using the granted token (if applicable).
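The workflow above, as an added example that is not code from the talk or from Okta/Auth0: a simulated CIBA exchange between an agent-side tool gateway and an in-memory IdP. The protocol vocabulary (`auth_req_id`, `login_hint`, `binding_message`, the `urn:openid:params:grant-type:ciba` grant type, and the `authorization_pending` / `access_denied` errors) comes from the CIBA specification; `FakeIdP`, `ToolGateway`, `TOOL_POLICY`, the scope names and the user `alice` are constructed for illustration. The point it adds to the prose is where the decisions live: the gateway's code, not the model, decides which tools need a human, and the tool runs only with a token carrying exactly the approved scope.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# grant_type value defined by the CIBA spec for polling the token endpoint
CIBA_GRANT = "urn:openid:params:grant-type:ciba"

# Tool policy lives in code, not in the prompt: each tool names the one scope it
# needs (least privilege) and whether it is sensitive enough to require HITL.
# Constructed example policy; scope names are assumptions.
TOOL_POLICY = {
    "read_portfolio": {"scope": "portfolio:read", "hitl": False},
    "buy_stock":      {"scope": "trade:execute",  "hitl": True},
    "delete_folder":  {"scope": "files:delete",   "hitl": True},
}


@dataclass
class PendingAuth:
    user: str
    scope: str
    binding_message: str
    decision: Optional[str] = None          # None = still pending, else "approve" / "deny"


class FakeIdP:
    """In-memory stand-in for an IdP's CIBA endpoints (not a real Okta/Auth0 client)."""

    def __init__(self) -> None:
        self.pending: Dict[str, PendingAuth] = {}
        self.notifications: List[str] = []   # stands in for push / SMS / email delivery
        self.audit: List[dict] = []          # every request and decision is recorded

    def bc_authorize(self, login_hint: str, scope: str, binding_message: str) -> dict:
        """Backchannel authentication request: returns an auth_req_id to poll with."""
        auth_req_id = secrets.token_urlsafe(16)
        self.pending[auth_req_id] = PendingAuth(login_hint, scope, binding_message)
        self.notifications.append(f"to {login_hint}: approve '{binding_message}' (scope {scope})?")
        self.audit.append({"event": "bc_authorize", "user": login_hint, "scope": scope, "auth_req_id": auth_req_id})
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def user_decides(self, auth_req_id: str, decision: str) -> None:
        # The user answers the notification on their own device, out of band from the agent.
        self.pending[auth_req_id].decision = decision
        self.audit.append({"event": "user_decision", "auth_req_id": auth_req_id, "decision": decision})

    def token(self, grant_type: str, auth_req_id: str) -> dict:
        """Token endpoint: pending / denied / a one-shot token scoped to what was approved."""
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.pending.get(auth_req_id)
        if req is None:
            return {"error": "invalid_grant"}        # unknown, expired or already redeemed
        if req.decision is None:
            return {"error": "authorization_pending"}
        del self.pending[auth_req_id]               # one-shot: an approval cannot be replayed
        if req.decision != "approve":
            return {"error": "access_denied"}
        return {"access_token": "tok_" + secrets.token_hex(8), "token_type": "Bearer",
                "scope": req.scope, "expires_in": 300}


class ToolGateway:
    """Agent-side tool runner. The gateway, not the model, decides when to ask the user."""

    def __init__(self, idp: FakeIdP, user: str) -> None:
        self.idp, self.user = idp, user

    def start(self, tool: str, args: dict) -> dict:
        """Steps 1-3: check policy in code; open a CIBA request for sensitive tools."""
        policy = TOOL_POLICY.get(tool)
        if policy is None:
            return {"status": "rejected", "reason": "unknown_tool"}   # the LLM cannot invent tools
        if not policy["hitl"]:
            # Low-risk tool: would run with a token the agent already holds (omitted here).
            return {"status": "done", "result": f"{tool}({args}) ran with scope {policy['scope']}"}
        binding_message = f"{tool} {args}"   # shown to the user so they know exactly what they approve
        resp = self.idp.bc_authorize(self.user, policy["scope"], binding_message)
        return {"status": "pending", "auth_req_id": resp["auth_req_id"], "interval": resp["interval"]}

    def finish(self, tool: str, args: dict, auth_req_id: str) -> dict:
        """Steps 5-6: poll the token endpoint once; run the tool only with the required scope."""
        resp = self.idp.token(CIBA_GRANT, auth_req_id)
        if resp.get("error") == "authorization_pending":
            return {"status": "pending"}             # caller waits `interval` seconds and polls again
        if "error" in resp:
            return {"status": "denied", "reason": resp["error"]}
        if TOOL_POLICY[tool]["scope"] not in resp["scope"].split():
            return {"status": "denied", "reason": "insufficient_scope"}   # zero trust: re-check the token
        return {"status": "done", "result": f"{tool}({args}) ran with token scope {resp['scope']}"}


def demo() -> List[dict]:
    """Walk the workflow: one approved trade, one denied deletion, one read that needs no HITL."""
    idp = FakeIdP()
    gw = ToolGateway(idp, "alice")
    out = []
    req = gw.start("buy_stock", {"symbol": "ACME", "qty": 10})
    out.append(gw.finish("buy_stock", {"symbol": "ACME", "qty": 10}, req["auth_req_id"]))  # still pending
    idp.user_decides(req["auth_req_id"], "approve")
    out.append(gw.finish("buy_stock", {"symbol": "ACME", "qty": 10}, req["auth_req_id"]))  # done
    req = gw.start("delete_folder", {"path": "/srv/data"})
    idp.user_decides(req["auth_req_id"], "deny")
    out.append(gw.finish("delete_folder", {"path": "/srv/data"}, req["auth_req_id"]))       # denied
    out.append(gw.start("read_portfolio", {}))                                               # no HITL
    return out
```

Two design choices carry the talk's argument. The policy table and the scope check sit in `ToolGateway`, so a prompt that persuades the model to "skip confirmation" changes nothing; and the IdP deletes the pending request the moment it is redeemed, so one approval buys exactly one action. The `audit` list is the hook for the logging the "What's Next?" section asks for: every backchannel request and every user decision is already an event.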

Benefits You Can Count On ✅

This layered approach delivers significant benefits:

  • Enhanced Security: Reduces the risk of unauthorized actions by AI agents.
  • Improved User Control: Gives users more visibility and control over what AI agents can do.
  • Simplified Integration: Leverages existing IdP infrastructure, saving development effort.
  • Better User Experience: Asynchronous authorization minimizes disruption.
  • Compliance: Facilitates adherence to security and privacy regulations.

While this approach is promising, there are challenges to consider:

  • Complexity: Implementing this architecture requires expertise in OAuth 2.0, CIBA, and IdP integration.
  • Performance: Asynchronous authorization can introduce latency, requiring careful management.
  • User Adoption: Frequent approval requests could be perceived as cumbersome, requiring clear communication and a user-friendly interface.

What’s Next?

  • CIBA Implementation: Currently, Auth0 is a leader in CIBA implementation, but wider adoption across IdPs is key.
  • User Interface for HITL Requests: A clear and informative UI is crucial for user understanding and acceptance.
  • Granularity of Permissions: Defining granular permissions is essential for precise control over agent access.
  • Auditing & Logging: Comprehensive logging and auditing are vital for security monitoring and incident response.

The Bottom Line: This presentation champions a more responsible and controlled approach to AI agent development. By shifting control away from the LLM and into the hands of developers and users, we can unlock the power of AI while mitigating the risks and fostering trust. Let’s build a future where AI agents are powerful and trustworthy! 🦾