Continuous Authorization for Rogue Agents: CAEP, Shared Signals, and Gateway-Enforced Revocation

The runtime gap

The first four articles in this series established a clean issuance model: SPIFFE for workload identity, OAuth SPIFFE Client Authentication for authentication to your authorization server, Token Exchange for delegation, Transaction Tokens for context propagation through the call chain. By the time a request reaches a downstream API, the credential is short-lived, […]

Transaction Tokens, Identity Chaining, and Stopping Token Theft in Multi-Workload Call Chains

The token your agent is holding is the token an attacker wants

An agentic workflow rarely terminates with a single API call. A user asks the agent a question; the agent calls an orchestration service; the orchestration service invokes three tools, each of which calls one or more backend APIs; some of those backends fan

OAuth Client Authentication Without Secrets: The SPIFFE Client Authentication Profile in Practice

The credential you keep distributing isn’t the credential you should be distributing

If your authorization server is OAuth 2.0–based and your workloads are SPIFFE-identified, you have a credential redundancy problem. The workload already holds a SPIFFE Verifiable Identity Document — an X.509-SVID or JWT-SVID or WIT-SVID — issued at runtime, bound to its identity, attested

From Long-Lived API Keys to Short-Lived SVIDs: Implementing SPIFFE Identity for Agentic Systems

Why your .env file is the problem

Every agentic platform in production today has a credential management story, and most of those stories rhyme. An agent process — whether it’s a LangChain orchestrator, a Bedrock Agent, an MCP-host pattern, or something custom — needs to authenticate to upstream LLM providers, downstream tools, vector stores, and

Agents Are Workloads: Why the Last Decade of Identity Standards Already Solves 95% of Agentic Identity

The fork in the road

The agentic identity conversation has split into two camps. One camp argues that AI agents are a fundamentally new species of non-human identity (NHI) and require a new stack: agent-specific identifiers, agent-specific consent

Zero Trust Strikes Back

Evolving Cybersecurity has become a critical priority for agencies in today’s rapidly changing digital landscape. The traditional “Trust but Verify” approach, rooted in Cold War diplomacy, is increasingly inadequate against sophisticated cyber threats. This model often leads to complacency, as initial trust is seldom re-evaluated, creating vulnerabilities that adversaries can exploit. Limitations of “Trust But

Cross-Functional Collaboration for Compliance Success

Cross-Functional Collaboration for Compliance Success with ATO Advantage

Successful compliance in regulated environments isn’t just about automation or adaptive learning. It’s about people working together across functions to ensure every part of the organization is aligned and committed to meeting regulatory standards. Cross-functional collaboration is what brings compliance to life in the development process. With

DoD Workload Identity Requirements for NPEs

Strengthening DoD Workload Requirements for NPEs: An Essential Overview

Hey folks, let’s dive right into the world of identity and access management (IAM) for the Department of Defense (DoD). Spoiler alert—it’s not just about keeping tabs on humans anymore. We’ve entered an era where non-person entities (NPEs) and workloads hold critical roles in mission operations.

Achieve FedRAMP with Confidence

In today’s evolving digital landscape, ensuring that your software meets the highest standards of security is critical—especially when working within the federal sector. One of the most significant milestones for software companies looking to serve federal clients is obtaining an Authorization to Operate (ATO). This credential demonstrates that your product complies with rigorous federal security

Federation Bubbles with Justin Richer, CTO of UberEther

Welcome to Episode 1 of UberEther’s Cyber Defense In-depth Series! Join Justin Richer, CTO of UberEther, as he introduces Federation Bubbles—a groundbreaking approach to identity federation. In this episode, Justin explores how the bubble architecture pattern brings flexibility and security to federated systems, providing granular control over identity and access management in ever-changing environments. Key