Talk

When an Agent Acts on Your Behalf, Who Holds the Keys?

Abstract

When you prompt an agent to commit code or trigger a workload, who is truly acting? In enterprise environments that ambiguity undermines fine-grained authorization and audit: a static API key names neither the workload that ran nor the user who delegated to it, so it cannot capture the full context behind an action.

In this session, we will present an architecture that cryptographically binds agent identity to delegated user identity. We will demonstrate how SPIRE's workload attestation can be extended to issue a verifiable agent identity, and how Keycloak, acting as an OAuth 2.0 authorization server, manages delegated user identity while preserving user context across long-running, nested transactions. Finally, we will introduce an open-source MCP Gateway that enforces policy and audit controls at a single trusted point between agents and tools. Attendees will leave with a clear understanding of how to build agentic systems in which every action is traceable to both the code that executed it and the user who approved it.
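The gateway-side check the abstract describes, as an added illustration rather than code from the talk or its MCP Gateway: the attested workload identity (the SPIFFE ID from an SVID that SPIRE would issue after attestation, here a constructed string) is bound to the delegated user identity (an OAuth 2.0 token-exchange JWT whose nested `act` claim, per RFC 8693, carries the actor chain). The HS256 signing key, the issuer URL, the SPIFFE IDs, the role-to-tool policy and the in-memory audit list are all constructed assumptions; the talk does not specify claim layouts or a signing algorithm.

```python
"""Bind an attested agent identity to a delegated user identity at a gateway.

Added example, not the talk's code. Assumptions (all constructed):
- peer_spiffe_id is the SPIFFE ID taken from the caller's SVID on the mTLS
  connection (SPIRE attests the workload; we only receive the resulting ID).
- The user token is an RFC 8693 style JWT: `sub` is the delegating user,
  `act.sub` is the current actor, nested `act` entries are prior actors.
- HS256 with a shared key stands in for the authorization server's signing key.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"            # assumed IdP signing key
ISSUER = "https://idp.example.test/realms/agents"  # assumed issuer, not a real URL
CODE_AGENT = "spiffe://example.org/ns/agents/sa/code-agent"      # constructed
ORCHESTRATOR = "spiffe://example.org/ns/agents/sa/orchestrator"  # constructed

POLICY = {  # constructed policy: tool -> user roles allowed to invoke it
    "git.commit": {"developer"},
    "cluster.deploy": {"release-manager"},
}
AUDIT: list[dict] = []  # stand-in for the gateway's audit sink


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now=None) -> dict:
    """Check algorithm, signature and expiry; raise ValueError on any failure."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("expired")
    return claims


def issue_delegated_token(user: str, roles: list, chain: list, now: int,
                          key: bytes = SECRET) -> str:
    """Mint a token for `user` delegated through `chain` (current actor first)."""
    act = None
    for actor in reversed(chain):                  # build nested `act` inside-out
        act = {"sub": actor, **({"act": act} if act else {})}
    claims = {"iss": ISSUER, "sub": user, "roles": roles, "act": act,
              "iat": now, "exp": now + 300}
    return sign_jwt(claims, key)


def actor_chain(claims: dict) -> list:
    """Flatten nested `act` claims: current actor first, earliest actor last."""
    chain, act = [], claims.get("act")
    while act:
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def authorize(peer_spiffe_id: str, token: str, tool: str, now=None) -> dict:
    """Gateway decision. The attested caller must be the token's current actor,
    and the delegating user must hold a role permitted to call the tool.
    Every decision is recorded with both the user and the full actor chain."""
    record = {"tool": tool, "actor": peer_spiffe_id, "allowed": False}
    try:
        claims = verify_jwt(token, now=now)
    except ValueError as err:
        record["reason"] = f"token rejected: {err}"
        AUDIT.append(record)
        return record
    chain = actor_chain(claims)
    record.update(user=claims.get("sub"), chain=chain)
    if not chain or chain[0] != peer_spiffe_id:
        record["reason"] = "attested workload is not the token's current actor"
    elif not POLICY.get(tool, set()) & set(claims.get("roles", [])):
        record["reason"] = f"user holds no role permitted to call {tool}"
    else:
        record["allowed"], record["reason"] = True, "ok"
    AUDIT.append(record)
    return record


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_delegated_token("alice", ["developer"], [CODE_AGENT, ORCHESTRATOR], t0)
    print(json.dumps(authorize(CODE_AGENT, tok, "git.commit", now=t0), indent=2))
    print(json.dumps(authorize(ORCHESTRATOR, tok, "git.commit", now=t0), indent=2))
```

The binding check is the one a static API key cannot express: a token stolen by, or leaked to, a different workload fails at `chain[0] != peer_spiffe_id` even though the signature and the user's roles are valid, and the audit record still names both the user and every agent in the delegation chain.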