Abstract
Sandboxes are the first line of defence for agentic systems: restrict the bash commands, filter the URLs, lock down the filesystem. But sandboxes operate on the syntax of requests, not the semantics of your authorization model. They don't know whether GET /customer/id_1234 is in scope for the task at hand, and they can't tell the downstream system whether the request is coming from a human, a delegated agent, or a rogue process. The same applies to MCP tool calls — allowing read_file or create_issue tells you nothing about whether those actions make sense in context.
MCP has given the industry a common protocol for tool calls, and in doing so has made agent authorization problems impossible to ignore. As auth lead for MCP at Anthropic, I don't find these problems theoretical. They come up in enterprise deployments, in working group discussions, and in the gap between what the spec says and what teams actually need to build. This talk isn't about MCP specifically: it's about the authorization primitives that any agentic system needs, and the standards work needed to provide them.
We'll examine four quirks that make agent authorization hard: granularity (scopes are too coarse for resource-level enforcement), attribution (is this the user, a delegated agent, or a service account?), information leakage (coarse tokens let agents see more than the task requires), and cardinality (consent flows don't scale to ephemeral agent sessions).
A key design decision sits at the heart of all of this: should your agent act as a delegated extension of the user, or as its own service account? The answer has deep implications for auditability, blast radius, and what standards you need.
Then we'll do a whistle-stop tour of the emerging standards landscape trying to close these gaps: Rich Authorization Requests (RFC 9396) and draft RAR metadata extensions, Cross-App Access (XAA) for frictionless token acquisition, and how patterns from SPIFFE and Workload Identity Federation might translate into agent identity. None of these fully solves the problem alone, but together they sketch the shape of what's missing.
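To make the granularity and attribution quirks concrete, here is an added example (not code from the talk or from MCP) of what a resource server can enforce from a coarse OAuth scope versus an RFC 9396 authorization_details grant, and how it recovers who is acting from an RFC 8693 act claim. The token payloads, the customer_record type name, the CRM base URL and the agent identifier are all constructed for illustration; signature verification is assumed to have happened before these checks run.

```python
"""Added example: coarse scope vs RFC 9396 authorization_details, plus
RFC 8693 'act' attribution. All tokens and identifiers are constructed."""
import re
from dataclasses import dataclass

# Constructed: the kind of coarse token most agents carry today.
COARSE_TOKEN = {"sub": "alice", "scope": "customers:read customers:write"}

# Constructed: same user, narrowed to one record with authorization_details
# (RFC 9396) and carrying an 'act' claim (RFC 8693) naming the delegated agent.
RAR_TOKEN = {
    "sub": "alice",
    "scope": "customers:read",
    "authorization_details": [
        {
            "type": "customer_record",                   # hypothetical type
            "locations": ["https://crm.example/customer/"],  # hypothetical URL
            "actions": ["read"],
            "identifier": "id_1234",
        }
    ],
    "act": {"sub": "support-agent-7f3a"},               # hypothetical agent id
}

# Deployment-specific mapping from HTTP method to RAR action name.
METHOD_ACTION = {"GET": "read", "POST": "write", "PUT": "write",
                 "PATCH": "write", "DELETE": "delete"}
CUSTOMER_PATH = re.compile(r"^/customer/(?P<cid>[A-Za-z0-9_]+)$")
BASE_URL = "https://crm.example"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_scope(token, method, path):
    """Coarse check: the scope string only says which class of request is
    permitted, so any customer id passes once 'customers:read' is present."""
    action = METHOD_ACTION.get(method)
    if not CUSTOMER_PATH.match(path) or action is None:
        return Decision(False, "unrecognised request")
    needed = "customers:read" if action == "read" else "customers:write"
    if needed in token.get("scope", "").split():
        return Decision(True, f"scope {needed} covers {method} {path}")
    return Decision(False, f"scope {needed} not granted")


def check_authorization_details(token, method, path):
    """Resource-level check: the request must match one authorization_details
    entry on type, location prefix, action and (if present) identifier."""
    m = CUSTOMER_PATH.match(path)
    action = METHOD_ACTION.get(method)
    if not m or action is None:
        return Decision(False, "unrecognised request")
    for detail in token.get("authorization_details", []):
        if detail.get("type") != "customer_record":
            continue
        # 'locations' is optional in RFC 9396; when present, require a match.
        locs = detail.get("locations")
        if locs and not any((BASE_URL + path).startswith(loc) for loc in locs):
            continue
        if action not in detail.get("actions", []):
            continue
        ident = detail.get("identifier")
        if ident is not None and ident != m["cid"]:
            continue
        return Decision(True, f"authorization_details grants {action} on {m['cid']}")
    return Decision(False, f"no authorization_details entry covers {method} {path}")


def actor_chain(token):
    """Attribution: [subject, current actor, prior actors...] from nested
    'act' claims (RFC 8693). A token with no 'act' is the user acting directly."""
    chain = [token.get("sub")]
    act = token.get("act")
    while act:
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain


if __name__ == "__main__":
    for name, tok in (("coarse", COARSE_TOKEN), ("rar", RAR_TOKEN)):
        for method, path in (("GET", "/customer/id_1234"),
                             ("GET", "/customer/id_9999"),
                             ("DELETE", "/customer/id_1234")):
            s = check_scope(tok, method, path)
            r = check_authorization_details(tok, method, path)
            print(f"{name:6} {method:6} {path:20} scope={s.allowed!s:5} rar={r.allowed!s:5} ({r.reason})")
        print(f"{name:6} actor chain: {actor_chain(tok)}")
```

The coarse token lets the agent read id_9999 as happily as id_1234, which is the leakage and granularity problem in one line; the RAR token denies both the out-of-scope record and the unrequested DELETE. The actor chain is what the downstream system needs in order to log "alice, via support-agent-7f3a" rather than just "alice".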
Speaker
Paul Carleton
Member of Technical Staff @Anthropic, Core Maintainer of MCP
Paul Carleton is a Core Maintainer of the Model Context Protocol and Auth Nerd at Anthropic, where he leads auth implementations across Anthropic's clients and the TypeScript and Python SDKs and consults on agent identity. He drives MCP conformance testing to ensure consistent behavior across the ecosystem.