The Future of Agent Identity Is Already Here: Tobin South at ERC

This post is part of our ERC 2025 Recap series. You can read our recap post here.

At Enterprise Ready Conference 2025, WorkOS's Tobin South delivered a compelling talk on one of the most pressing questions in enterprise AI: how do we handle identity for AI agents?

Tobin joined WorkOS earlier this year after Michael Grinich found his research paper on agent identity and reached out via Twitter DM. Fresh from defending his PhD dissertation at MIT, Tobin brought deep academic research into the practical challenges enterprises face as they deploy AI agents at scale.

The Core Challenge

The fundamental problem Tobin outlined is straightforward: AI agents exist in a fuzzy middle ground that traditional identity infrastructure wasn't designed to handle. Sometimes they act like users. Sometimes they function as service accounts.

Often they operate on behalf of users, but with non-deterministic behavior that makes them fundamentally different from traditional workflows.

This creates three major challenges that enterprises must address.

New Interfaces Demand New Security

The Model Context Protocol (MCP) has emerged as the standard interface for AI agents, supported by major platforms like Cursor, Microsoft Copilot, ChatGPT, and Claude. MCP enables powerful capabilities like putting text directly into an AI agent's context window and controlling agent behavior in ways that go beyond simple API wrapping.

But MCP also introduces security challenges, particularly around dynamic client registration. This feature allows MCP servers to connect to any AI agent, which is excellent for prototyping but problematic for enterprises that need to control which AI applications can access their proprietary data.

Non-Deterministic Behavior Requires New Monitoring

Language models are probabilistic by nature. You never quite know what token comes next, which means you can't predict with certainty what an AI agent will do. Tobin shared examples from his own experience: agents killing random processes while coding, filing incorrect invoices, or taking unexpected actions through browser interfaces.

This unpredictability creates critical needs for tracking and accountability. When an AI agent approves an invoice or merges a pull request, organizations need to know. Code written by AI shows different failure patterns than human-written code.

Invoices processed by agents require additional scrutiny. The entire ecosystem of enterprise software built around managing human users must now account for AI involvement in every workflow.

Scale Magnifies Everything

AI agents operate at machine speed with human-level capabilities. A single organization might deploy thousands of agents across different parts of their tech stack. Each agent needs proper authentication, authorization, and monitoring.

The challenge isn't just handling one agent—it's managing an explosion of agent identities across diverse use cases and platforms.

WorkOS's Agent-Native Approach

Rather than inventing entirely new identity paradigms, WorkOS has taken a different approach: making existing identity infrastructure work seamlessly with AI agents at enterprise scale.

Support for Modern AI Interfaces

WorkOS provides enterprise-grade security for MCP servers, including support for client ID metadata that allows organizations to control which AI applications can connect. The company's AuthKit powers the default authorization stack for Fast MCP 2.0 servers.

For ChatGPT's 700 million users, WorkOS supports the OpenAI Apps SDK, enabling IT admins to provision access to SaaS applications directly inside ChatGPT with SSO and SAML integration. This is particularly valuable as ChatGPT has become the most popular enterprise chat application.

Flexible Identity Models

The reality is that agent identity isn't one thing—it's many things depending on the vendor and use case. Some systems treat AI agents as first-class users that can be hired and onboarded. Others treat them as service accounts. Many implement "on behalf of" flows where agents work on behalf of human users.

WorkOS connects to every major agent identity system, including Microsoft Entra ID for agents, Google's IAM system for agent spaces, and Okta's identity stack. The company leverages SCIM extensions that enable provisioning and deprovisioning of agents through existing protocols.

This "write once, work everywhere" approach means developers don't need to build custom identity solutions for each customer's preferred agent identity model.

Authorization and Monitoring at Scale

Beyond basic authentication, WorkOS provides the authorization and audit logging capabilities enterprises need to deploy agents safely. The company's RBAC and permissions tools work consistently across different agent types and identity models, scaling throughout an organization's entire AI journey without requiring reimplementation.

Audit logs capture AI agent activity with the detail and integration capabilities that enterprise security teams require. This is critical as regulations increasingly mandate specific monitoring schemes for AI agents, and CISOs rightly worry about agents leaking data through inappropriate tool use or sending information to model vendors.

The Practical Path Forward

Tobin's key message was refreshingly pragmatic: we don't need to reinvent identity for the AI age. What enterprises actually need is for their vendors to integrate with their chosen approach to AI identity and governance.

When customers ask about agent identity, the answer isn't a revolutionary new paradigm. It's robust integration with existing identity systems, extended to handle the unique characteristics of AI agents—their non-deterministic behavior, their scale, and their position in that fuzzy middle ground between users and services.

For developers building AI products for enterprise customers, this means the agent identity problem is already solved. The infrastructure exists today to handle authentication, authorization, and monitoring for AI agents at scale, regardless of how your customers choose to model agent identity in their organizations.

The future of agent identity isn't coming—it's already here, built on the foundation of identity systems that have proven themselves in enterprise environments, now extended and scaled for the challenges AI agents bring.

Read our full ERC 2025 Recap here.