Why Multi-Agent AI Breaks Traditional Identity and Access Models
Enterprise software stacks were built for humans, not autonomous AI agents operating at machine speed. Conventional identity access management assumes a trusted person holding credentials, progressing through workflows slowly enough for oversight and manual approvals. Multi-agent systems overturn these assumptions. Specialized agents now orchestrate complex tasks in software development, operations, and finance, often chaining actions without a human in the loop. Shared API keys, inherited credentials, and persistent access remain common, but they do little to constrain what an agent can actually do once inside a system. As autonomy increases, so does the risk that a single compromised or misaligned agent can delete data, exfiltrate sensitive information, or bypass governance controls entirely. The result is a structural security gap: traditional IAM can authenticate services, yet it was never designed for fine-grained, agent-to-agent delegation or continuous, high-velocity decision-making across autonomous agent runtimes.
Keycard Brings Scoped Access Control to Multi-Agent Applications
Keycard’s new offering for multi-agent apps tackles this structural problem by treating each AI agent as a first-class identity. Instead of long-lived API keys or credentials stored on disk, agents receive verifiable identity through runtime attestation when they start. Access is delegated on a per-task basis, with no standing privileges or static credentials lingering after work is complete. This scoped access control means an agent only receives the minimal permissions required for a specific job, significantly reducing the blast radius if that agent is compromised or goes off-script. Every action is fully attributable across agents, human users, and connected systems, giving security and audit teams a clear picture of who—or what—did what, and when. Developers can integrate these capabilities via Python and TypeScript SDKs, allowing teams to deploy agents into production without turning every engineer into an identity or security specialist.
Delegated Sessions and Attribution as Foundations for AI Agent Security
Keycard’s session-based model reframes AI agent security around temporary, purpose-bound access. When a user or another agent initiates a task, they delegate a session with carefully scoped permissions to the executing agent. The session carries the context of who requested what, enabling robust attribution as work moves across multiple agents in a workflow. Because there are no persistent credentials, attackers cannot simply reuse tokens or API keys to escalate access. This design also aligns with zero-standing-privilege principles, long advocated in human-centric IAM but rarely enforced in machine-to-machine scenarios. Enterprises gain both granular control and traceability: they can answer questions like which agent modified a particular record or triggered a specific workflow, and under whose authority. In multi-agent systems where responsibilities fan out dynamically, this chain of custody becomes critical for compliance, incident response, and continuous assurance that autonomous behaviors remain within defined guardrails.
OpenShell’s Sandbox Runtime for Autonomous Agent Operations
Where Keycard focuses on identity and delegation, Nvidia-backed OpenShell targets the runtime environment in which autonomous agents execute. OpenShell provides an open source, sandbox-first architecture that isolates each agent—along with its harness and model—inside its own protected environment. A gateway outside the sandbox maintains credentials and session state, handling authentication to external services like ServiceNow, Salesforce, or Workday. The agent never directly holds keys or secrets, and any prompt injection or attempt to run arbitrary commands is contained within its sandbox. Policy enforcement sits below the application layer, using Linux kernel primitives such as seccomp, eBPF, and Landlock. This horizontal control plane ensures agents cannot bypass security checks by hopping between frameworks or tools. By rebasing the stack around an autonomous agent runtime rather than human operators, OpenShell aims to let enterprises increase agent autonomy without exposing their operating systems, networks, or core infrastructure.
Enterprise Momentum for Purpose-Built Multi-Agent Security
Keycard’s expanded platform and Nvidia’s OpenShell project signal an inflection point in how enterprises think about AI agent security. Early adopters like Chime highlight a pragmatic demand: teams want to ship agents into production quickly, without every developer mastering complex identity access management. At the same time, leaders such as Jensen Huang and Bill McDermott backing OpenShell underscores that traditional IAM, designed for human operators, cannot simply be lifted and shifted into agent-native architectures. Instead, organizations are gravitating toward purpose-built solutions that blend scoped access control, delegated sessions, sandboxed autonomous agent runtimes, and end-to-end attribution. Together, these patterns reduce the blast radius of any one agent, transform shared credentials into ephemeral, task-specific permissions, and provide audit-ready visibility across multi-agent systems. As enterprises rebuild business functions around AI, these controls are quickly moving from experimental add-ons to foundational infrastructure.