Keycard: 2026 is the Year of Agents

Joel describes the first major agent security incident he encountered: a SaaS company's agent that would correctly deny requests for other companies' data when asked directly, but would leak competitors' data when users simply asked for 'my data.' This authentication/authorization failure demonstrates the fundamental identity problem with agents that Keycard addresses.

• •Agent correctly blocked explicit requests for competitor data but leaked it through generic queries
• •Highlights the auth-n/auth-z problem unique to agents vs traditional software
• •Demonstrates how agents can synthesize and expose data in ways humans couldn't at scale
• •Shows the sharp edge of agent capabilities - can answer complex questions across large datasets instantly

Ian explains the evolution from level 0 (traditional software) through copilots (level 1-2) to autonomous agents (level 3-5), using the self-driving car framework. The key transition is when humans can 'walk away' from tasks, with agents making micro-decisions within larger processes. Most companies are still struggling to make copilots successful before moving to full autonomy.

• •Level 0-1: Human-driven with AI assistance (copilots, advanced autocomplete)
• •Level 3: Agents execute tasks independently but return for approval on key decisions
• •Level 5: Fully autonomous agents operating within defined bounds (like Waymo)
• •The moment humans are abstracted from core decision-making is when identity/auth problems emerge
• •Many companies struggling with copilot adoption before reaching true agency

Discussion of tool poisoning attacks and the specific risk of agents accessing production databases then making web browser calls with that sensitive data. The problem is hyper-contextual: should a developer's agent access production data? Should it then use a web browser with that data? Traditional perimeter security and IAM models don't address these multi-step, context-dependent scenarios.

• •Agents making multiple tool calls without human oversight create attack vectors
• •Example: agent pulls production customer data, then sends it via web browser query
• •No malicious write/update/delete occurred, but sensitive data was exfiltrated
• •Problem is entirely contextual - same action may be appropriate or dangerous based on task
• •Traditional VPC/IAM perimeter models inadequate for agent workflows

Existing identity protocols solved user federation for SaaS but never addressed federating compute across cloud boundaries. Agents are fundamentally multi-tenant (used by many users), require dynamic runtime access control, and need task-based intent policies rather than static role-based access. The access model becomes a matrix rather than linear permissions.

• •SAML/OAuth solved user federation but not compute federation across networks
• •Agents are inherently multi-tenant - ChatGPT used by Joel, Bob, Sally, etc.
• •Access rights evolve from linear read/write/delete to dynamic matrices
• •Need task-based, intent-driven policy enforced at runtime
• •Rights are hyperephemeral - no two tasks look the same

Keycard's approach involves conditional consent where users grant task-specific access that can be revoked, combined with adaptive policy from downstream resource owners. Similar to self-driving cars, there's always clear ultimate control with ability to take over. Both the agent UI and downstream enforcers (MCP servers, payment systems) implement continuous adaptive systems.

• •Users grant conditional consent for specific tasks, always revocable
• •Agent UI prompts for approval on unusual or high-risk actions
• •Downstream resource owners enforce their own adaptive policies on top of user grants
• •Self-driving car analogy: clear ultimate control, ability to take over anytime
• •Hybrid deterministic/non-deterministic system required for scale

Contrary to typical tech adoption, enterprises will lead agent deployment due to: (1) clear earnings efficiency gains, (2) employees already using tools personally, (3) data/infrastructure already on cloud, and (4) CEO-level mandate preventing security from blocking adoption. This is fundamentally different from cloud adoption where security could delay for years.

• •Direct translation to profitability through headcount freeze + productivity gains
• •Employees transfer personal AI tool knowledge directly to work
• •Enterprise data already on cloud, removing major adoption barrier
• •Top-level business objective - security can't say 'no' like they did with cloud
• •Shadow IT on steroids - adoption happening regardless of security readiness
• •Business defensibility concern: companies must become agentic or face disintermediation

MCP (Model Context Protocol) focused on scaling tool access but created massive security problems - production credentials on local machines, no differentiation between users and agents. A2A (Agent-to-Agent) addresses agent identity and federation but lacks adoption. Both are missing cryptographic agent identity, user control mechanisms, and proper auditing - the bridge Keycard provides.

• •MCP: 'beg for forgiveness' approach, massive tool access but secret sprawl on steroids
• •A2A: 'ask for permission' approach, elegant federation model but limited adoption
• •Neither provides cryptographic agent identity or user access control
• •MCP hitting 'trough of disillusionment' as production security issues emerge
• •Missing: ability to differentiate between user Ian vs Ian's agent accessing resources
• •No auditing or governance capabilities in either standard

Keycard helps customers get agents into production by providing: agent and user identification, access bounding, tool-building SDKs, and complete governance/auditability. The platform is standards-based and vendor-agnostic, positioning as a central pillar in enterprise agent strategies. Enables organizations to safely expose internal tools and data to agents while maintaining control.

• •Identify what agents exist, which users can access them, and what they can do
• •Provide SDKs for building agent tools (internal workflows and product integrations)
• •Enable organizations to catalog available agents and tools for employees
• •Complete auditability and governance across all agent interactions
• •Standards-based, interoperable with existing protocols (not proprietary)
• •Federated solution not tied to specific vendors or agent platforms