76% of business leaders expect employees to manage agents within the next 2-3 years, but most lack the security controls to manage what these agents actually do at runtime (MSFT Tech Community, 2025).
Autonomous AI agents are transforming how enterprises operate. They book meetings, provision infrastructure, process refunds, and make purchasing decisions without waiting for human approval. But traditional identity systems only track who created an agent, not what it's allowed to do right now.
In this guide, I'll explain why traditional identity management can't solve modern problems, how agent runtime authorization closes those gaps, and what you need to implement it in your environment.
What is agent runtime authorization?
Agent runtime authorization verifies whether an agent should execute a specific action at the moment it attempts that action. Without it, agents operate with credentials that never expire and continue working even after their creator leaves the company.
Most enterprise identity systems assign an owner when an agent is created and never update that record. When that same agent provisions servers or moves money months later, no live check confirms a human authorized that specific action. Runtime authorization fixes this by intercepting each tool call, requiring a time-bound credential linked to a named human, and demanding explicit approval for high-risk operations before execution proceeds.
Chapter 1: Understanding the AI agent security gap
From chatbots to autonomous agents
AI agents have evolved from simple chatbots to autonomous systems that make decisions without human oversight. Today's agents go far beyond just responding to requests. Now, they can initiate actions based on their own assessment of context and priority:
A procurement agent detects low inventory and orders replacement stock
An infrastructure agent provisions additional servers when it detects capacity constraints
A customer service agent issues refunds or schedules technician visits based on complaint patterns
This autonomy creates both value and risk. The agent acts on behalf of the organization, but the org may not know what the agent is doing until after the action completes.
The point-in-time fallacy
Most enterprises approach AI agent security the same way they approach employee security: establish identity at the beginning, assign permissions, and assume those permissions remain appropriate over time.
This fails for AI agents because agents operate at machine speed, not human speed. Their scope also expands as developers add new tools and capabilities to them, and the humans who created them may leave while the agents keep running.
Ownership at creation does not equal accountability at runtime. An agent created by John in procurement continues to function with their authority, even after John leaves the company. The agent still has credentials, access to procurement systems, and the ability to place orders.
The real-world risks of this include:
Autonomous spending: Agents with access to procurement APIs can order equipment, purchase software licenses, or provision cloud infrastructure without approval. A misconfigured agent or hallucination can result in thousands of dollars in unauthorized spending before anyone notices.
Infrastructure changes: Agents with permissions to modify network configurations, deploy code, or scale resources can cause outages, create security vulnerabilities, or generate unexpected costs faster than human operators can detect and reverse them.
Data access: Agents that retrieve customer records, financial data, or intellectual property may access information beyond what's necessary for their function. Without runtime controls, there's no way to enforce least-privilege access or prevent data exfiltration.
The ghost agent problem
Ghost agents are AI agents that continue operating after the employee who created them leaves the organization. The employee's account gets deactivated, their email gets forwarded, and their laptop gets wiped. But the agent keeps running because it has its own credentials that were never tied to the employee's lifecycle.
According to research by Cloud Security Alliance, only 15% of organizations report that their agents have defined ownership between 76% and 100%. The most common ownership range is between 26–50% (34% of respondents).
Chapter 2: Why traditional identity management fails
What registration-time identity solves
Registration-time identity systems like Microsoft Entra Agent ID, Okta, and ServiceNow establish who created an agent, who owns it, and what lifecycle state it's in. They answer questions like:
Which department does this agent belong to?
Who should be contacted if something goes wrong?
When was this agent last updated?
This information is necessary for governance, but it doesn't control what the agent does.
Knowing that John deployed a new agent, for example, tells you nothing about whether that agent should be allowed to place a $50,000 order right now.
The hardwired credential problem
Most AI agents authenticate to external systems using API keys, service account credentials, or OAuth tokens configured when the agent was created. These credentials are hardwired into the agent's configuration or stored in a secrets manager the agent can access automatically.
Hardwired credentials create three problems:
Long-lived: An API key created six months ago still works today unless someone manually rotates it
Broadly scoped: The credential grants access to everything the service account can do, not just specific actions the agent needs
Not tied to human authorization: The agent can use the credential whenever it wants, regardless of whether a human has approved the action
This means an agent can execute any action within the scope of its credentials at any time, and there's no technical control to stop it.
Comparison: Registration vs. runtime
Registration-time identity establishes the agent's identity when it's created. It records who created the agent, what purpose it serves, who owns it, and enables governance processes like access reviews, lifecycle management, and compliance reporting. The limitation is that it doesn't control what the agent does after it's registered.
Runtime authorization verifies authority for each action at the moment the agent attempts to execute it. It checks whether the action is within policy, whether the human owner still has the necessary permissions, and whether the human has approved this specific action using time-bound, cryptographically signed credentials that expire after a single use or a short time window.
Registration tells you who the agent is, while runtime authorization tells you what the agent is allowed to do right now.
Why you need both
Registration-time identity and runtime authorization are complementary, not competing. You need registration to establish the agent's identity and track ownership, and runtime authorization to enforce control over what the agent actually does.
Think of registration as the DMV that records a vehicle exists and who owns it. Runtime authorization is the ignition interlock that prevents the vehicle from starting unless specific conditions are met at that moment.
Both are necessary; neither is sufficient alone.
—
Chapter 3: The runtime authorization solution
Runtime authorization verifies that an AI agent has authority to execute a specific action at the moment the agent attempts that action. It operates at the network or API layer, intercepting requests from the agent to external systems.
Before the request reaches its destination, the authorization system checks:
Whether the action is within policy
Whether the human owner has approved it
Whether the necessary conditions are met
If the check passes, the request proceeds. If not, the request is blocked.
This approach works regardless of how the agent was built, doesn't require changes to the agent's code, enforces policy consistently across all agents, and creates an audit trail of every authorization decision.
Verifiable credentials explained
Verifiable credentials are cryptographically signed tokens that prove an agent has been authorized to perform a specific action.
Unlike API keys, verifiable credentials are time-bound, scope-bound, and tied to a specific authorization event.
A verifiable credential contains four key properties:
Issuer: Who issued the credential (typically an authorization service)
Subject: The agent authorized to use the credential
Validity period: When the credential expires (often within minutes or hours)
Scope: What actions the credential authorizes (e.g., "place purchase orders under $500")
The credential is cryptographically signed so any system can verify it's authentic. Because credentials are short-lived and scope-limited, even if an attacker obtains one, it's only valid for a narrow set of actions and expires quickly.
The CIBA flow step-by-step
Client-Initiated Backchannel Authentication (CIBA) enables runtime authorization by pushing approval requests to humans when agents attempt high-risk actions.
How it works
The AI agent initiates an action (e.g., placing a purchase order)
The authorization layer intercepts the request and checks policy
If approval is required, it sends a push notification: "Your procurement agent wants to place a $1,200 order for laptop batteries. Approve or deny?"
The human reviews and provides biometric authentication to approve
The authorization layer issues a scoped verifiable credential to the agent
The agent presents the credential and completes the action
The flow takes seconds, enabling autonomous operation for low-risk actions while requiring human approval for high-risk ones.
Credential properties
Verifiable credentials are more secure than traditional API keys because they encode identity, intent, and constraints directly into the credential itself. Unlike static keys that grant broad, persistent access, these credentials carry machine-readable proof of exactly who authorized them, what they're permitted to do, and when they expire.
Four security characteristics enforce this at the credential level:
Time-bound: Expires within minutes or hours, limiting exposure if compromised.
Scope-bound: Authorizes specific actions only. A credential for placing a purchase order can't access customer records.
Cryptographically signed: Any system can verify the credential is authentic and unaltered.
Context-aware: Can include resource details, time of day, network location, or risk score for granular authorization decisions.
Policy enforcement at network layer
Runtime authorization policies are enforced at the network or API gateway layer, applying consistently regardless of how the agent is implemented.
When an agent makes a request, the authorization layer evaluates it against policy and either initiates human approval, issues a credential automatically, or blocks the request. This works with any agent framework, requires no code changes, and generates a complete audit trail.
Chapter 4: Key use cases
Preventing autonomous spending
Autonomous spending is one of the most common risks with AI agents. Without runtime authorization, agents can generate significant expenses without oversight. This is because runtime auth enforces spending thresholds at the policy level.
For example, policy might specify that purchase orders under a certain amount are auto-approved, mid-range purchases require owner approval, and high-value purchases require finance manager approval.
Then when an agent attempts an order, the authorization layer checks the amount against policy. If below the auto-approval threshold, it proceeds. Otherwise, it sends a notification for review. Low-value purchases stay automatic while high-value ones require judgment.
ROI scenario: Consider an enterprise with procurement agents placing hundreds of orders monthly. Even a small error rate where agents place inappropriate orders can result in significant wasted spending. Runtime authorization that prevents even a fraction of these errors can deliver substantial annual savings, not counting time saved investigating and reversing incorrect orders.
Infrastructure provisioning control
Infrastructure agents automate cloud resource provisioning and scaling, but incorrect provisioning can cause outages, security vulnerabilities, or unexpected costs.
Runtime authorization requires approval for high-risk actions. A policy might require approval for production resources while allowing development resources automatically, or enforce approval for provisioning actions above a defined scale threshold.
When an agent attempts a high-risk action, the authorization layer sends a notification: "Your infrastructure agent wants to provision 50 new servers. Approve or deny?"
The engineer then reviews and approves, receiving a scoped credential, which prevents mistakes while maintaining autonomy for routine tasks.
Sensitive data access
AI agents often need sensitive data access. Without runtime authorization, agents typically have broad access that violates least-privilege principles.
Runtime authorization enables just-in-time access. When a customer service agent needs a customer record, the authorization layer checks if that customer has an open support ticket. If yes, it issues a credential for that specific record. If no, it denies the request.
This minimizes exposure and creates an audit trail that directly supports GDPR and HIPAA compliance requirements.
The ghost agent “kill switch”
Ghost agents continue operating after their creator leaves the organization. They have no owner, no monitoring, and no revocation mechanism.
Runtime authorization ties credentials to the owner's employment status. When an employee leaves and their account deactivates, their agents are automatically denied access and flagged as orphaned. Security teams can then reassign or decommission them without manual credential hunting.
Chapter 5: Implementation considerations
Architecture: Where it fits in your stack
Runtime authorization sits between your AI agents and the external systems they interact with, operating as a policy enforcement layer that intercepts MCP requests and evaluates them against policy before any tool executes.
In practice, this means deploying an interception MCP server in front of your existing MCP infrastructure; when an agent attempts an action, the layer checks for a valid verifiable credential and either passes the request through, triggers a step-up authentication flow, or blocks execution entirely.
The agent cannot execute without a time-bound verifiable credential linked to a verified human. Because enforcement happens at the MCP layer rather than inside individual tools or workflows, no modifications to existing tools or APIs are required.
Integration points
Runtime authorization integrates with your existing infrastructure at three key points:
Identity provider: The authorization layer integrates with your identity provider to verify the human owner's identity and permissions before issuing a credential. The integration with Entra Agent ID is additive and complementary: Entra handles agent registration and inventory at creation; 1Kosmos governs every action at runtime, precisely where Entra stops.
Orchestration platform: The authorization layer integrates at the MCP layer, intercepting tool calls before they reach external systems. It is compatible with major agent frameworks including LangChain, Relevance AI, Microsoft Copilot Studio, Databricks, and ServiceNow.
Tool APIs and downstream systems: Because enforcement happens at the MCP interception layer, the tool itself never receives a request without a valid credential. This provides defense in depth regardless of which orchestration framework sits upstream.
Policy configuration: Three-dimensional model
Effective runtime authorization policies evaluate three dimensions simultaneously:
Prompt classification: What is the agent or user asking for? Informational queries carry lower risk; purchases, infrastructure changes, or access to sensitive data trigger step-up authentication or require explicit human approval.
Data source risk: Which system is the agent accessing? Financial systems, HR data, and infrastructure provisioning carry higher risk and require stronger controls than low-sensitivity or public data.
Action scope: What will the agent actually do? Read operations may pass through automatically. Write operations, money movement, and infrastructure changes require human approval before execution proceeds.
By evaluating all three dimensions together, policies balance security with operational efficiency. A procurement agent might auto-approve orders under $400 while halting for human sign-off on anything above that threshold. The policy is enforced at the network layer with no changes to the underlying tool or workflow required.
Compliance benefits
Runtime authorization addresses compliance requirements that are becoming increasingly important as AI governance regulations mature.
GDPR
Runtime authorization supports GDPR's data minimization and purpose limitation principles by ensuring agents only access personal data when explicitly authorized for a specific action. The cryptographic audit trail provides direct evidence of compliance at the point of execution.
SOC 2
Runtime authorization maps to SOC 2 control requirements for access controls, audit trails, and segregation of duties. Requiring human approval for high-risk actions provides auditable evidence that the organization has implemented appropriate controls over automated systems.
NIST AI Risk Management Framework
The NIST AI RMF emphasizes human oversight and control over AI systems as a core governance requirement. Runtime authorization provides the technical mechanism that enforces this oversight for high-risk decisions while allowing automation for lower-risk tasks.
Industry-specific regulations
Financial services, healthcare, and other regulated industries increasingly require documented human oversight of automated decision-making. Runtime authorization provides the enforcement layer and audit trail to satisfy these requirements without rebuilding existing workflows.
Chapter 6: Comparing solutions
Registration solutions
Registration-time identity solutions like Microsoft Entra Agent ID and ServiceNow establish the agent's identity when it's created and track its lifecycle.
These solutions answer questions like:
Who created this agent?
What department does it belong to?
Who owns it?
When was it last updated?
Microsoft Entra Agent ID extends Microsoft's identity platform to include AI agents as first-class identities. Agents are registered in Entra, assigned to owners, and tracked through their lifecycle. Entra provides governance features like access reviews, lifecycle management, and compliance reporting.
ServiceNow offers similar capabilities through its IT Service Management platform. Agents can be registered as configuration items, assigned to owners, and tracked through change management processes.
These solutions are valuable for governance and compliance, but they don't control what agents do at runtime. They establish identity but don't enforce authorization.
Governance solutions
Governance solutions like Okta and CyberArk provide identity and access management capabilities that can be extended to AI agents. These solutions focus on managing credentials, enforcing access policies, and providing audit trails.
Okta provides identity management and single sign-on capabilities that can be used to manage agent identities. Agents can authenticate through Okta, and access policies can be enforced based on the agent's identity and attributes.
CyberArk specializes in privileged access management, which is relevant for agents that need access to sensitive systems or data. CyberArk can manage the credentials agents use and enforce policies around credential usage.
These solutions add meaningful credential management and access policy controls on top of registration, but their authorization decisions are still primarily defined at configuration time rather than evaluated dynamically at the moment of execution.
Runtime authorization solutions
Runtime authorization solutions like 1Kosmos provide dynamic, context-aware authorization at the moment an agent attempts an action.
These solutions use verifiable credentials, CIBA flows, and policy-based decision-making to enforce control over what agents do.
1Kosmos provides runtime authorization specifically designed for AI agents that can integrate with existing identity providers to verify human ownership, uses CIBA to obtain human approval for high-risk actions, issues time-bound and scope-bound verifiable credentials, and enforces policies at the network layer.
The key difference is that runtime authorization solutions make authorization decisions at execution time based on current context, not just at registration time based on static policies.
Evaluation framework
When evaluating solutions for AI agent security, consider these factors:
Identity establishment: Does the solution establish and track agent identities? Can you identify who created each agent and who owns it?
Lifecycle management: Does the solution support the full agent lifecycle from creation through decommissioning? Can you track changes to agents over time?
Runtime control: Does the solution control what agents do at execution time? Can you enforce policies based on current context?
Human oversight: Does the solution enable human approval for high-risk actions? Can you require verification before critical actions execute?
Credential management: Does the solution use time-bound, scope-bound credentials? Or does it rely on long-lived API keys?
Audit trail: Does the solution provide a complete audit trail of agent actions and authorization decisions?
Integration: Does the solution integrate with your existing identity provider, orchestration platform, and tool APIs?
Registration solutions excel at identity establishment and lifecycle management, while governance solutions build on that foundation by adding credential management and audit trails.
Runtime authorization solutions complete the picture with execution-time control and human oversight that static policies can't provide, which is why a complete agent security strategy requires all three layers working together.
Conclusion
Agent runtime authorization fills the security gap most enterprises overlook. Registration-time identity shows who created an agent; runtime authorization controls what it can do now.
Without runtime auth, agents run on static credentials that never expire, grant broad access, and persist after owners leave, which can lead to a cascade of financial, operational, security, and compliance risks. With it, organizations can verify each action at execution time using verifiable credentials, CIBA approval flows, and policy enforcement.
Runtime authorization by 1Kosmos
See how runtime authorization works in practice.
Contact us to learn how 1Kosmos can help you secure your AI agents with verifiable credentials, human-in-the-loop authorization, and policy-based control.
—
FAQs
What is the difference between agent registration and runtime authorization?
Agent registration establishes who created an agent and who owns it when the agent is first deployed. Runtime authorization controls what the agent can do at the moment it attempts each action. Registration is a one-time identity check, while runtime authorization verifies permission for every high-risk operation the agent tries to execute.
How do verifiable credentials differ from API keys?
API keys are long-lived credentials that grant broad access to all actions within a service account's permissions and never expire unless manually rotated. Verifiable credentials are time-bound tokens that expire within minutes or hours, authorize only specific actions, and are cryptographically signed to prevent tampering. This makes them significantly more secure for autonomous agents.
What happens to an agent when its owner leaves the company?
Without runtime authorization, the agent continues operating with the same credentials it had when the owner was employed, creating a ghost agent with no oversight. With runtime authorization, the agent's credentials are automatically revoked when the owner's account is deactivated, immediately blocking all actions until the agent is reassigned to a new owner.
Can runtime authorization work with existing agent frameworks?
Yes. Runtime authorization operates at the network or API gateway layer, intercepting requests before they reach external systems. This means it works with any agent framework including LangChain, AutoGPT, Microsoft Copilot Studio, and custom-built agents without requiring changes to the agent's code or configuration.
Does requiring human approval slow down agent operations?
Only for high-risk actions. Runtime authorization policies can auto-approve low-risk operations like reading public data or generating reports, allowing them to proceed instantly. Human approval is only required for actions that exceed risk thresholds, such as spending money, provisioning infrastructure, or accessing sensitive customer data.
What types of agent actions typically require human approval?
Common high-risk actions include financial transactions above a spending threshold, infrastructure provisioning in production environments, modifications to security configurations, access to personally identifiable information or financial records, and any write operations that could impact business-critical systems. Policies can be customized based on your organization's risk tolerance.
About the author
Huzefa Olia
Co-Founder & Chief Operating Officer
Huzefa is the COO and a co-founder of 1Kosmos with 18+ years in identity and access management and cybersecurity, focused on scaling operations, go-to-market strategy, and enterprise partnerships across global markets.
