How to Secure Agentic AI: Identity Authentication and Authorization Strategies

This guide analyzes recent Agentic AI security incidents, explains core identity concepts, compares the 2‑legged and 3‑legged OAuth 2.0 flows, highlights the confused‑deputy problem, and presents Amazon Bedrock AgentCore Identity with concrete code and deployment steps for building a trustworthy end‑to‑end authentication and authorization system.

Amazon Cloud Developers

Agentic AI is evolving from passive tools to highly autonomous agents that can plan and execute complex tasks, but this autonomy introduces new security challenges, especially around identity authentication and authorization.

Recent incidents illustrate the risks: in November 2024 the LangChain AgentSmith vulnerability allowed malicious prompts to steal API keys and execute remote code, and the 2025 MCP Inspector CVE‑2025‑49596 enabled CSRF attacks that compromised local agents.

The article defines the essential terminology used in AI agent identity management, including Agent, Agent identity, Agent identity directory, Access token, JWT, IAM role, and API key. Understanding these concepts is required to design a robust IAM system for agents.

OAuth 2.0 is identified as the core authorization mechanism. Two flows are described in detail:

2‑Legged (2LO) flow (the client credentials grant): the agent authenticates as itself with its own client credentials and receives an access_token that represents the agent, not any user. Steps: (1) the client sends client_id and client_secret to the token endpoint; (2) the server validates them and issues an access_token; (3) the agent presents the token as a bearer token on requests to the protected resource.

3‑Legged (3LO) flow (the authorization code grant): a user‑centric flow in which the user is redirected to the authorization server, grants consent, and is sent back with an authorization code that the agent exchanges for tokens (access_token, refresh_token and, when OpenID Connect is used, an id_token). The resulting access token represents the user, with the agent acting on the user's behalf. The article includes a diagram of both flows.
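Both flows side by side, as an added example that is not code from the original article or from AgentCore: a tiny in‑memory authorization server (constructed endpoints, the client id `agent-svc`, its secret, the redirect URI and the user `alice` are all made up) issues a token to the agent itself via client credentials, and issues a user‑bound token via the authorization code exchange. The resource server then shows why the difference matters: the 2LO token says nothing about which user is behind the request.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthServer:
    """Minimal in-memory OAuth 2.0 authorization server (constructed for this example)."""

    def __init__(self, now=time.time):
        self.now = now
        # Constructed client registry: client_id -> (client_secret, registered redirect_uri)
        self.clients = {"agent-svc": ("agent-secret", "https://agent.example/callback")}
        self.codes = {}     # auth code -> (client_id, user, scopes, redirect_uri, expiry)
        self.tokens = {}    # access token -> introspection record
        self.refresh = {}   # refresh token -> (client_id, user, scopes)

    def _authenticate_client(self, client_id, client_secret):
        rec = self.clients.get(client_id)
        # constant-time comparison so the secret check does not leak timing
        return rec is not None and hmac.compare_digest(rec[0], client_secret)

    def _issue(self, client_id, subject, scopes, actor=None):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": subject, "client_id": client_id, "act": actor,
                              "scope": sorted(scopes), "exp": self.now() + 3600}
        return token

    # 2-legged: the agent authenticates as itself; the token's subject is the client.
    def token_client_credentials(self, client_id, client_secret, scopes):
        if not self._authenticate_client(client_id, client_secret):
            return {"error": "invalid_client"}
        return {"access_token": self._issue(client_id, client_id, scopes),
                "token_type": "Bearer", "expires_in": 3600}

    # 3-legged, step 1: the user consents and is redirected back to the
    # registered redirect_uri with a short-lived, single-use code plus state.
    def authorize(self, client_id, redirect_uri, user, scopes, state):
        rec = self.clients.get(client_id)
        if rec is None or rec[1] != redirect_uri:
            return None  # unknown client or unregistered redirect_uri: never redirect
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scopes, redirect_uri, self.now() + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    # 3-legged, step 2: the agent exchanges the code (plus its own credentials)
    # for tokens whose subject is the user, with the agent recorded as actor.
    def token_authorization_code(self, client_id, client_secret, code, redirect_uri):
        if not self._authenticate_client(client_id, client_secret):
            return {"error": "invalid_client"}
        rec = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if rec is None or rec[0] != client_id or rec[3] != redirect_uri or rec[4] < self.now():
            return {"error": "invalid_grant"}
        _, user, scopes, _, _ = rec
        refresh_token = secrets.token_urlsafe(32)
        self.refresh[refresh_token] = (client_id, user, scopes)
        return {"access_token": self._issue(client_id, user, scopes, actor=client_id),
                "refresh_token": refresh_token,
                # OIDC id_token, kept as a plain dict here instead of a signed JWT
                "id_token": {"iss": "https://auth.example", "sub": user, "aud": client_id},
                "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token):
        rec = self.tokens.get(token)
        if rec is None or rec["exp"] < self.now():
            return {"active": False}
        return {"active": True, **rec}


def read_orders(server, token, owner):
    """Resource server: the caller must hold orders:read and be the order's owner."""
    info = server.introspect(token)
    if not info["active"] or "orders:read" not in info["scope"]:
        return "denied"
    return "ok" if info["sub"] == owner else "denied"


def run_both_flows():
    """Walk through both flows and report what each token says about the principal."""
    srv = AuthServer()
    two = srv.token_client_credentials("agent-svc", "agent-secret", {"orders:read"})
    # 3-legged: user alice consents; the browser is redirected back with code and state
    location = srv.authorize("agent-svc", "https://agent.example/callback",
                             user="alice", scopes={"orders:read"}, state="xyz")
    qs = parse_qs(urlparse(location).query)
    three = srv.token_authorization_code("agent-svc", "agent-secret",
                                         qs["code"][0], "https://agent.example/callback")
    replay = srv.token_authorization_code("agent-svc", "agent-secret",
                                          qs["code"][0], "https://agent.example/callback")
    return {
        "2lo_subject": srv.introspect(two["access_token"])["sub"],
        "3lo_subject": srv.introspect(three["access_token"])["sub"],
        "3lo_actor": srv.introspect(three["access_token"])["act"],
        "state_roundtrip": qs["state"][0],
        "replay": replay.get("error"),
        # alice's orders: the user-bound token passes, the agent-bound one does not
        "2lo_reads_alice": read_orders(srv, two["access_token"], "alice"),
        "3lo_reads_alice": read_orders(srv, three["access_token"], "alice"),
    }
```

Calling `run_both_flows()` shows the 2LO token with subject `agent-svc`, the 3LO token with subject `alice` and actor `agent-svc`, the replayed code rejected with `invalid_grant`, and only the user‑bound token able to read alice's orders.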

The confused deputy problem is highlighted as a critical threat: agents often run with broader privileges than the user who triggered them, so a low‑privilege user can obtain a high‑privilege action simply by asking the agent to perform it. Examples include unauthorized S3 access via an AI agent and MCP's lack of a consistent way to propagate the end user's identity to the tool servers it calls.

Mitigation strategies are presented:

Enforce permission consistency across inbound and outbound requests.

Implement fine‑grained delegated permissions so agents only obtain the minimal rights needed for a specific user request.

Audit and monitor token usage, resource access, and privilege escalation attempts.
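The confused deputy and the three mitigations above, as an added example (not code from the article or from AgentCore): the agent's execution role can read two buckets, each user group is entitled to only one, and a viewer asks the agent for the finance bucket. The vulnerable handler authorizes against the agent's own role alone; the hardened handler intersects the agent's rights with the rights the user brings in their token (permission consistency and minimal delegated rights), and every decision is written to an audit list that a small monitor scans for denied attempts. Bucket names, groups, objects and users are constructed.

```python
from dataclasses import dataclass, field

# Constructed permission model. The agent's execution role can read both buckets;
# each user group is entitled to only one of them.
AGENT_ROLE = {"s3:GetObject": {"finance-reports", "public-assets"}}
GROUP_PERMISSIONS = {
    "finance": {"s3:GetObject": {"finance-reports"}},
    "viewer":  {"s3:GetObject": {"public-assets"}},
}
OBJECTS = {("finance-reports", "q3.csv"): "revenue,123",
           ("public-assets", "logo.png"): "PNG..."}


@dataclass
class Caller:
    sub: str          # subject from the verified inbound token
    groups: tuple     # e.g. the cognito:groups claim


@dataclass
class Audit:
    events: list = field(default_factory=list)

    def record(self, caller, action, resource, allowed, mode):
        self.events.append({"sub": caller.sub, "action": action, "resource": resource,
                            "allowed": allowed, "mode": mode})


def fetch(bucket, key):
    """Stand-in for the outbound S3 call made with the agent's credentials."""
    return OBJECTS.get((bucket, key))


def vulnerable_get_object(caller, bucket, key, audit):
    """Confused deputy: the decision looks only at what the agent itself may do."""
    allowed = bucket in AGENT_ROLE["s3:GetObject"]
    audit.record(caller, "s3:GetObject", bucket, allowed, "agent-only")
    if not allowed:
        raise PermissionError(bucket)
    return fetch(bucket, key)


def delegated_permissions(caller, action):
    """Rights the user brings with them, derived from the groups in their token."""
    allowed = set()
    for group in caller.groups:
        allowed |= GROUP_PERMISSIONS.get(group, {}).get(action, set())
    return allowed


def hardened_get_object(caller, bucket, key, audit):
    """Effective rights = agent's rights intersected with the user's delegated rights."""
    effective = AGENT_ROLE["s3:GetObject"] & delegated_permissions(caller, "s3:GetObject")
    allowed = bucket in effective
    audit.record(caller, "s3:GetObject", bucket, allowed, "delegated")
    if not allowed:
        raise PermissionError(f"{caller.sub} may not read {bucket} via the agent")
    return fetch(bucket, key)


def escalation_attempts(audit, threshold=1):
    """Monitoring: subjects whose number of denied requests reaches the threshold."""
    denied = {}
    for event in audit.events:
        if not event["allowed"]:
            denied[event["sub"]] = denied.get(event["sub"], 0) + 1
    return {sub: n for sub, n in denied.items() if n >= threshold}


def demo():
    audit = Audit()
    viewer = Caller("bob", ("viewer",))
    # Vulnerable path: bob, a viewer, reads the finance bucket through the agent
    leaked = vulnerable_get_object(viewer, "finance-reports", "q3.csv", audit)
    # Hardened path: the same request is refused, bob's own bucket still works
    try:
        hardened_get_object(viewer, "finance-reports", "q3.csv", audit)
        blocked = False
    except PermissionError:
        blocked = True
    own = hardened_get_object(viewer, "public-assets", "logo.png", audit)
    return {"leaked": leaked is not None, "blocked": blocked,
            "own_ok": own is not None, "flagged": escalation_attempts(audit)}
```

On AWS the same intersection can be enforced at the credential level rather than in application code, for example by having the agent call STS AssumeRole with a session policy scoped to the calling user's entitlements before it makes the outbound S3 request; the audit record should still carry the user's subject, not only the role name.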

Amazon Bedrock offers a managed solution called AgentCore Identity , which provides inbound and outbound authentication, secure token vaults, and unified credential management. The service integrates with Amazon Cognito for user pools, IAM roles for short‑lived credentials, and supports both 2LO and 3LO flows.

Implementation steps are shown with concrete AWS CLI commands and Python SDK snippets:

# Authenticate User
aws cognito-idp initiate-auth \
  --client-id "$CLIENT_ID" \
  --auth-flow USER_PASSWORD_AUTH \
  --auth-parameters USERNAME='testuser',PASSWORD='MyPassword123!' \
  --region "$REGION" > auth.json

The returned JSON contains AccessToken (a JWT carrying claims such as cognito:groups), RefreshToken, and IdToken. Attempting to invoke the AgentCore runtime without a valid access token yields an AccessDeniedException.
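What the runtime's inbound authorizer has to check on that AccessToken, as an added example that is not code from the article or from AgentCore: signature first, then issuer, token_use, client_id and expiry, before the cognito:groups claim is trusted for authorization. The user pool id, app client id and signing key are constructed. A real Cognito token is RS256‑signed and must be verified against the pool's JWKS (https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json); HS256 with a shared key is used here only so the example runs offline, and the claim checks are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed user pool, app client and signing key (see lead-in: real tokens are RS256/JWKS).
REGION, USER_POOL_ID = "us-east-1", "us-east-1_EXAMPLE"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
ALLOWED_CLIENTS = {"1example23456789"}
SIGNING_KEY = b"constructed-example-key"


class TokenInvalid(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a JWT in the shape Cognito returns as AccessToken (test helper only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Inbound check: signature, then issuer, token_use, client_id and expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never accept "none" or an unexpected alg
        raise TokenInvalid("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenInvalid("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenInvalid("wrong issuer")
    if claims.get("token_use") != "access":   # an IdToken must not be accepted as a bearer token
        raise TokenInvalid("not an access token")
    if claims.get("client_id") not in ALLOWED_CLIENTS:
        raise TokenInvalid("client not allowed")
    if claims.get("exp", 0) <= now:
        raise TokenInvalid("expired")
    return claims


def authorize_request(token: str, now=None, key: bytes = SIGNING_KEY) -> dict:
    """Decision the authorizer hands to the agent: allowed, reason, and the user's groups."""
    try:
        claims = verify_access_token(token, key=key, now=now)
    except TokenInvalid as exc:
        return {"allowed": False, "reason": str(exc), "groups": set()}
    return {"allowed": True, "reason": "ok", "sub": claims.get("sub"),
            "groups": set(claims.get("cognito:groups", []))}


NOW = 1_700_000_000  # fixed clock so results are reproducible
GOOD_CLAIMS = {"sub": "11111111-2222-3333-4444-555555555555", "iss": ISSUER,
               "token_use": "access", "client_id": "1example23456789",
               "cognito:groups": ["finance"], "exp": NOW + 3600}
```

`authorize_request(mint_token(GOOD_CLAIMS), now=NOW)` is allowed and yields the group `finance`; the same claims signed with another key, an expired token, an IdToken (token_use "id"), or a token issued to a different app client are all refused with the specific reason, which is the detail the runtime's AccessDeniedException hides from the caller but that an audit log should keep.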

import json
import boto3

client = boto3.client('iam')

# Execution role for the MCP server. The trust policy decides which service may
# assume the role; the page's example trusts EC2, which fits a server hosted on
# an instance. A role used as the AgentCore Runtime execution role must instead
# trust the AgentCore service principal (bedrock-agentcore.amazonaws.com).
response = client.create_role(
    RoleName='agentcore-mcp-server-role',
    AssumeRolePolicyDocument=json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole"
        }]
    })
)
# AmazonCognitoPowerUser is a broad managed policy; scope it down to the
# specific user-pool actions the server needs before production use.
client.attach_role_policy(
    RoleName='agentcore-mcp-server-role',
    PolicyArn='arn:aws:iam::aws:policy/AmazonCognitoPowerUser'
)

AgentCore runtime configuration example (parameter names as in the bedrock-agentcore-starter-toolkit Runtime.configure call; the user pool id and app client id are placeholders):

from bedrock_agentcore_starter_toolkit import Runtime

agentcore_runtime = Runtime()
# Inbound JWT authorizer: tokens must be issued by the Cognito user pool
# (discovery document) to the app client used in initiate-auth above.
auth_config = {"customJWTAuthorizer": {
    "discoveryUrl": "https://cognito-idp.us-east-1.amazonaws.com/<user-pool-id>/.well-known/openid-configuration",
    "allowedClients": ["<app-client-id>"]}}

agentcore_runtime.configure(
    entrypoint='mcp_server.fixed.py',
    execution_role='arn:aws:iam::687912291502:role/agentcore-mcp-server-auto-role',
    auto_create_ecr=True,
    requirements_file='requirements.txt',
    region='us-east-1',
    authorizer_configuration=auth_config,
    protocol='MCP',
    agent_name='mcp_server_auto'
)

After configuration, launching the runtime is a single call:

launch_result = agentcore_runtime.launch()

The article concludes that building a secure Agentic AI system requires zero‑trust principles, minimal‑privilege design, staged implementation from basic authentication to full‑stack authorization, and continuous monitoring. Leveraging OAuth 2.0, decentralized identity, and Amazon Bedrock AgentCore Identity enables enterprises to mitigate confused‑deputy attacks and maintain control over AI agents operating on behalf of users.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: MCP, Security, agentic AI, Authorization, Identity Management, OAuth 2.0, Amazon Bedrock
Written by

Amazon Cloud Developers

Official technical community of Amazon Cloud. Shares practical AI/ML, big data, database, modern app development, IoT content, offers comprehensive learning resources, hosts regular developer events, and continuously empowers developers.
