matt

Continuous Authorization for Rogue Agents: CAEP, Shared Signals, and Gateway-Enforced Revocation

The runtime gap The first four articles in this series established a clean issuance model: SPIFFE for workload identity, OAuth SPIFFE Client Authentication for authentication to your authorization server, Token Exchange for delegation, Transaction Tokens for context propagation through the call chain. By the time a request reaches a downstream API, the credential is short-lived, […]

Continuous Authorization for Rogue Agents: CAEP, Shared Signals, and Gateway-Enforced Revocation Read More »

Transaction Tokens, Identity Chaining, and Stopping Token Theft in Multi-Workload Call Chains

The token your agent is holding is the token an attacker wants An agentic workflow rarely terminates with a single API call. A user asks the agent a question; the agent calls an orchestration service; the orchestration service invokes three tools, each of which calls one or more backend APIs; some of those backends fan

Transaction Tokens, Identity Chaining, and Stopping Token Theft in Multi-Workload Call Chains Read More »

OAuth Client Authentication Without Secrets: The SPIFFE Client Authentication Profile in Practice

The credential you keep distributing isn’t the credential you should be distributing If your authorization server is OAuth 2.0–based and your workloads are SPIFFE-identified, you have a credential redundancy problem. The workload already holds a SPIFFE Verifiable Identity Document — an X.509-SVID or JWT-SVID or WIT-SVID — issued at runtime, bound to its identity, attested

OAuth Client Authentication Without Secrets: The SPIFFE Client Authentication Profile in Practice Read More »

From Long-Lived API Keys to Short-Lived SVIDs: Implementing SPIFFE Identity for Agentic Systems

Why your .env file is the problem Every agentic platform in production today has a credential management story, and most of those stories rhyme. An agent process — whether it’s a LangChain orchestrator, a Bedrock Agent, an MCP-host pattern, or something custom — needs to authenticate to upstream LLM providers, downstream tools, vector stores, and

From Long-Lived API Keys to Short-Lived SVIDs: Implementing SPIFFE Identity for Agentic Systems Read More »

Agents Are Workloads: Why the Last Decade of Identity Standards Already Solves 95% of Agentic Identity

Agents Are Workloads: Why the Last Decade of Identity Standards Already Solves 95% of Agentic Identity   The fork in the road The agentic identity conversation has split into two camps. One camp argues that AI agents are a fundamentally new species of non-human identity (NHI) and require a new stack: agent-specific identifiers, agent-specific consent

Agents Are Workloads: Why the Last Decade of Identity Standards Already Solves 95% of Agentic Identity Read More »

Icons representing fedramp compliance standards and regulations

FedRAMP Compliance: Guide to FedRAMP Requirements

For modern cloud services supporting U.S. government missions, FedRAMP compliance is non-negotiable. This guide demystifies FedRAMP requirements, the authorization journey, and what federal agencies expect from a cloud service provider seeking an Authorization to Operate (ATO). You’ll learn how the federal risk and authorization management framework aligns with NIST 800-53 controls, what documentation and testing

FedRAMP Compliance: Guide to FedRAMP Requirements Read More »

Lock showing the protection of building a useful FedRAMP SSP

How UberEther Scaled Federal Compliance by 400% with Paramify

At UberEther, we’ve always believed our job doesn’t end at authorization. We’re constantly asking: how do we get our customers there faster, with less friction, and with greater confidence? That question led us to Paramify; and the results have fundamentally changed what we’re able to deliver. By automating FedRAMP and DoD IL5 compliance workflows, we

How UberEther Scaled Federal Compliance by 400% with Paramify Read More »

Interconnected nodes representing data points analyzed with federating identities

FedRAMP High vs. Moderate: The Complete 87-Control Delta

One of the most common questions we hear from agencies and cloud service providers is: “What exactly does it take to go from FedRAMP Moderate to High?” The answer isn’t just “more controls”; it’s a fundamentally different security posture built around one question: what happens if this system fails? UberEther CEO Matt Topper put together

FedRAMP High vs. Moderate: The Complete 87-Control Delta Read More »

Lock showing the protection of building a useful FedRAMP SSP

How to Make a Useful SSP: System Security Plans That Work

If you’ve spent any time in the federal compliance world, you’ve probably seen a System Security Plan (SSP) that runs 400 pages but somehow says almost nothing. It’s filled with boilerplate, copy-pasted control descriptions, and vague references to “policies and procedures” that may or may not exist. It passes a cursory review, gets filed away,

How to Make a Useful SSP: System Security Plans That Work Read More »

Aerial view of a college campus protected by secure IAM measures

2026 State of Identity & Cybersecurity in Higher Education

Colleges and universities have always operated on a foundational paradox: they need to be open for learning and discovery but secure enough to protect deeply sensitive identities and data. In 2026, that paradox has stopped being theoretical and become operationally crippling. Despite strong intentions and compliance frameworks like FERPA, higher ed institutions are now among

2026 State of Identity & Cybersecurity in Higher Education Read More »