Kagenti’s Approach to Multi-Agent Security for AI Agents

· Source: IBM Technology · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Advanced, medium

Summary

Kagenti is an open-source security layer for multi-agent AI systems aimed at the "confused deputy" problem: a legitimate agent, often steered by prompt injection, is tricked into exercising its own authority on behalf of a caller that should never have had it, leading to unauthorized data access. The platform wraps existing AI agents, deployable from GitHub or container images, rather than replacing them. It attaches two sidecars to each agent: SPIFFE, which gives the agent a short-lived X.509 workload identity (an SVID), and Kagenti client registration, which registers the agent as an OAuth2 client in Keycloak so it can request narrowly scoped tokens. The core fix is AuthBridge, which injects a cryptographically signed header into every agent call recording the full delegation chain. Authorization is then decided against the entire chain, so a call can be blocked even when the immediate caller holds a valid token, a distinction traditional RBAC cannot make because it only sees the caller's own permissions. Kagenti also integrates an MCP Gateway for tool management, Istio for secure networking, and OpenTelemetry, Phoenix, and MLflow for observability and tracing.

Key takeaway

For AI Security Engineers building multi-agent systems, traditional RBAC is not enough to mitigate "confused deputy" vulnerabilities. Your authorization strategy should validate the entire delegation chain of an agent call, not just the calling agent's own permissions, so that a prompt-injected or compromised upstream agent cannot reach data through a better-privileged downstream one. Implement solutions that give each agent a cryptographic workload identity and carry the full call path to every policy decision point, so the check holds up in dynamic agent environments.

Key insights

Combat "confused deputy" vulnerabilities in multi-agent AI systems by securing workload identity and the full delegation chain, not just the permissions of the agent making the final call.

Method

Deploy each agent with a SPIFFE sidecar for X.509 workload identity and a Kagenti client-registration sidecar that registers it as an OAuth2 client in Keycloak. AuthBridge then injects a cryptographically signed delegation-chain header into every call, and policy is enforced at the tool level against that whole chain.
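The summary and the method above describe the mechanism in prose only. The following is an added example, not Kagenti's or AuthBridge's own code: it shows the shape of the idea with a per-hop signed chain header, verification at the tool, and a policy decision over every hop, including the case the page calls out where the immediate caller's token is valid but the chain is not. The header layout, the HMAC signing (standing in for SVID-based signatures), the `spiffe://example.org/...` identities, the tool name and the policy table are all constructed for this example.

```python
"""Illustrative delegation-chain header: sign per hop, verify and authorize at the tool.

This is example code, not Kagenti's AuthBridge. The header format, the HMAC-based
per-hop signatures and the policy table are constructed here. In Kagenti each hop's
identity is its SPIFFE X.509 SVID and its token comes from Keycloak; here a SPIFFE ID
simply maps to a per-workload HMAC key standing in for the SVID private key.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed trust bundle: SPIFFE ID -> per-workload signing key (stand-in for SVID keys).
ASSISTANT = "spiffe://example.org/ns/agents/sa/assistant"
RESEARCH = "spiffe://example.org/ns/agents/sa/research"
WEB_READER = "spiffe://example.org/ns/agents/sa/web-reader"
WORKLOAD_KEYS = {ASSISTANT: b"k-assistant", RESEARCH: b"k-research", WEB_READER: b"k-web-reader"}

# Constructed tool policy: every hop in the chain must be in the tool's allowed set.
TOOL_POLICY = {"crm.read_customer_pii": {ASSISTANT, RESEARCH}}


def _hop_sig(key: bytes, prev_sig: str, hop_id: str) -> str:
    # Each hop signs over the previous hop's signature, so the chain cannot be reordered or trimmed.
    return hmac.new(key, f"{prev_sig}|{hop_id}".encode(), hashlib.sha256).hexdigest()


def decode_header(header: str) -> list:
    return json.loads(base64.urlsafe_b64decode(header.encode()))


def append_hop(header: Optional[str], hop_id: str, key: bytes, verified_peer: Optional[str]) -> str:
    """Sidecar of `hop_id` appends itself to the incoming chain.

    `verified_peer` is the caller's identity taken from the mTLS peer certificate (its SVID).
    It must equal the chain's last hop; otherwise a compromised caller could omit itself.
    """
    hops = decode_header(header) if header else []
    last = hops[-1]["id"] if hops else None
    if last != verified_peer:
        raise ValueError(f"chain tail {last!r} does not match mTLS peer {verified_peer!r}")
    prev_sig = hops[-1]["sig"] if hops else ""
    hops.append({"id": hop_id, "sig": _hop_sig(key, prev_sig, hop_id)})
    return base64.urlsafe_b64encode(json.dumps(hops).encode()).decode()


def verify_chain(header: str, keys: dict) -> list:
    """Recompute every hop signature; unknown identities or tampered entries raise."""
    prev_sig, ids = "", []
    for hop in decode_header(header):
        key = keys.get(hop["id"])
        if key is None:
            raise ValueError(f"unknown workload in chain: {hop['id']}")
        expected = _hop_sig(key, prev_sig, hop["id"])
        if not hmac.compare_digest(expected, hop["sig"]):
            raise ValueError(f"bad signature for hop {hop['id']}")
        prev_sig = hop["sig"]
        ids.append(hop["id"])
    return ids


def authorize_tool_call(tool: str, header: str, token_scopes: set, keys: dict = WORKLOAD_KEYS):
    """Tool-level decision over the whole chain, not only the immediate caller's token."""
    if tool not in token_scopes:
        return False, "token lacks scope"
    try:
        chain = verify_chain(header, keys)
    except ValueError as exc:
        return False, str(exc)
    disallowed = [h for h in chain if h not in TOOL_POLICY.get(tool, set())]
    if disallowed:
        return False, f"hop not permitted for {tool}: {disallowed[0]}"
    return True, "chain " + " -> ".join(chain)


def demo() -> dict:
    tool, scopes = "crm.read_customer_pii", {"crm.read_customer_pii"}
    # Legitimate: user -> assistant -> research -> tool.
    h = append_hop(None, ASSISTANT, WORKLOAD_KEYS[ASSISTANT], verified_peer=None)
    h = append_hop(h, RESEARCH, WORKLOAD_KEYS[RESEARCH], verified_peer=ASSISTANT)
    legit, _ = authorize_tool_call(tool, h, scopes)
    # Confused deputy: a prompt-injected web-reader asks research to fetch PII.
    # Research's token is still valid, but web-reader is in the chain, so the call is denied.
    h2 = append_hop(None, ASSISTANT, WORKLOAD_KEYS[ASSISTANT], verified_peer=None)
    h2 = append_hop(h2, WEB_READER, WORKLOAD_KEYS[WEB_READER], verified_peer=ASSISTANT)
    h2 = append_hop(h2, RESEARCH, WORKLOAD_KEYS[RESEARCH], verified_peer=WEB_READER)
    deputy, _ = authorize_tool_call(tool, h2, scopes)
    # Evasion attempt: web-reader forwards the assistant-only header, hiding itself.
    # Research's sidecar sees the mTLS peer is web-reader, not the chain tail, and refuses.
    assistant_only = append_hop(None, ASSISTANT, WORKLOAD_KEYS[ASSISTANT], verified_peer=None)
    try:
        append_hop(assistant_only, RESEARCH, WORKLOAD_KEYS[RESEARCH], verified_peer=WEB_READER)
        strip_blocked = False
    except ValueError:
        strip_blocked = True
    return {"legitimate": legit, "confused_deputy": deputy, "strip_hop_blocked": strip_blocked}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real deployment: the chain is only trustworthy if each sidecar records the caller identity it actually authenticated over mTLS rather than whatever the incoming header claims, and the policy must be evaluated over every hop, since the immediate caller's token and scope look perfectly valid in the confused-deputy case.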

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Engineer, MLOps Engineer, AI Security Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by IBM Technology.