AI Agents Have an Identity Complex With Jeff Malnick
In this episode of AI Explained, we are joined by Jeff Malnick, VP of Engineering for Developer and AI Products at 1Password. Jeff brings deep expertise in distributed systems, secrets management, and security infrastructure from his work at 1Password and previously HashiCorp, with a focus on making the secure path the default for developers and now AI agents.
He explains why agent identity has suddenly become urgent: AI agents are machine workloads with reasoning capabilities, which breaks the assumption behind traditional OAuth flows where permissions only need to be granted once. He walks through 1Password's framework of three agent identity models (delegated, bounded, and fully autonomous), why the laptop is the hardest environment to secure now that file system access effectively hands an unlocked machine to a reasoning stranger, and why bearer tokens and passwords are the wrong primitive for agents. He also shares how policy decision and enforcement points need to evolve to pull human intent through to just-in-time authorization, why credentials should never enter LLM context, and where federated versus distributed identity is heading over the next three to five years.
[00:00:00]
Introduction & Guest Welcome
[00:00:06] Krishna Gade: Good morning and good afternoon, everyone. Welcome, and thank you for joining us on today's Explain. I'm your host today. I'm the co-founder and CEO of Fiddler AI. Um, we have a very special guest, uh, and that is, uh, Jeff Malnik, uh, VP of Engineering and Developer and AI Products at 1Password. Uh, Jeff actually, uh, served as a VP of engineering in the past at HashiCorp.
[00:00:30] Krishna Gade: His background spans distributed systems, secrets management, security infrastructure, with a focus on making secure path the default one for developers and of course now increasingly for AI agents. Uh, with that, I'd love to welcome Jeff to our podcast.
[00:00:46] Jeff Malnick: Hey, Krishna. Thanks for the introduction. Happy to be here.
[00:00:50] Krishna Gade: Absolutely, Jeff, so I, I guess, uh, you know,
Why Agent Identity Matters Now
[00:00:54] Krishna Gade: there are three big problems that everyone is talking about in the enterprise today, the identity, observability, and security of agents. And especially identity is, uh, such a hot, uh, problem area right now. And, um- Everyone understands human identity, uh, but why does agent identity suddenly matter now?
[00:01:13] Krishna Gade: And what has changed in the last, uh, say twelve months or so?
[00:01:17] Jeff Malnick: Yeah. You know, it's, it's kind of funny that we find ourselves in this position today because it's arguable that the identity systems that we've had for software have been broken for a really long time. It's just that agents have rapidly accelerated a lot of the problems that we previously had but didn't really come to the surface in the same way.
AI Agents as Machine Workloads
[00:01:36] Jeff Malnick: AI agents are pretty interesting. At the end of the day, I think of them as machine workloads, and, you know, the historical way for us to handle machine workloads has been through, um, you know... I don't want to get too deep on the standards and the specs obviously here, but the, um, we, we've used OAuth, uh, since around twenty eleven, twenty thirteen, uh, timeframe to, um, handle delegation flows.
[00:02:00] Jeff Malnick: And through a lot of development and collaboration in the community, we've developed ways to simplify this to the point that a machine workload doesn't even have to carry a secret anymore. You can just trust the issuer of an identity. Um, the workflows though that we've developed around those machine workloads, uh, have really relied on this notion that you only have to delegate once, and the machine workload isn't gonna need new permissions that often.
[00:02:26] Jeff Malnick: Um, but with AI agents, the difference is that they're machine workloads with a reasoning capability, and that reasoning capability allows them to decide at any point in time that they might need access to a different system. Um, the way that we've handled permissioning and privileges has been pretty broken for a long time.
[00:02:46] Jeff Malnick: I read recently, I've, I've read a few different statistics on this actually, and all of them are ninety to ninety-five percent plus permissions granted today are over-privileged. Um, and so if you apply that to a workload that now could need access to anything, right? You don't know in advance necessarily.
[00:03:07] Jeff Malnick: You end up in this situation where you might just have infinite over, over-privileging taking place. So we need to come up with ways that we can apply, um, what are typically reserved for humans, uh, different types of controls. And the reason I say humans is because of this reasoning capabilities that the machine workload has makes it act and behave more like a human.
[00:03:28] Jeff Malnick: A lot of people I hear say, uh, you know, "A agent is non-deterministic, and this is a huge problem." Well,
[00:03:35] Jeff Malnick: my,
[00:03:35] Jeff Malnick: my response to that is humans have been our favorite non-deterministic actor in these systems all along. We've solved for these problems, uh, for the last, you know, twelve, thirteen years now, and this isn't, this isn't a new problem.
[00:03:50] Jeff Malnick: It's just that we need to now apply the lessons and the capabilities that we've reserved for humans to machine workloads in a way that we haven't had an, uh, a need for in the past.
[00:04:00] Krishna Gade: Interesting. So it seems like in the past, a certain sense of predefined- Uh, authentication or authorization has worked for humans, although humans themselves were unpredictable.
[00:04:11] Krishna Gade: But now agents, uh, make it much more non-deterministic, and in some cases you may have to permission the agent to access a certain system and, and that's, that's a very dynamic behavior, right? Yeah. So where does this i- agent identity sit in this context at this point, you know? Is it at the IAM level or security level or something entirely new?
[00:04:32] Jeff Malnick: You know,
Where Agent Identity Sits in the Stack
[00:04:33] Jeff Malnick: that's a great question, and I've heard a few people actually bring this up to me recently. They're not really sure how agent identity should get built into the application they have. What's really interesting about identity is that you can't... If you think about how software is built, by and large, I don't think that it's a controversial statement to say that software is built for some kind of actor to inter- interact with.
[00:05:00] Jeff Malnick: Could be a machine actor, it could be a human actor. Today, it could be an agent actor. So all software has to have this core primitive of an identity model, right? And if you're familiar with the, um, with, you know, the tenants of domain-driven design, for example, if you're sitting down and trying to relate different resources and applications, domain model, its data model, how those things relate and what happens when you do different things to different resources in an application, it inevitably comes back to a user resource of some sort doing something- acting on something in the system. So really when I hear that question, I sort of think, well, it touches everything. The agent is an actor, just like a human actor or any other principal inside of this domain model. And so therefore, there's really nothing that it doesn't touch, which is why it's so critical, right?
[00:05:51] Jeff Malnick: Like, you wouldn't design an application today, um, for a human user, uh, any differently than you would necessarily an AI user. You still have to have those core security tenants in mind. You still have to be thinking about how it's gonna be in- interacting with the resources there. Um, it's just that instead of it operating through a web browser or through a different type of client, you're gonna have these more headless workflows, and that's why you see things in the industry today,
[00:06:18] Jeff Malnick: like,
[00:06:19] Jeff Malnick: you know, the Headless 360 initiative from Salesforce and other companies today producing more headless workflows for these AI agents.
[00:06:27] Krishna Gade: Interesting.
1Password's Approach to Agent Security
[00:06:28] Krishna Gade: And, and how does 1Password think about agent identity? You know, how does that extend your model of secrets, walls, and access control?
[00:06:36] Jeff Malnick: Yeah. So for us, um, you know, 1Password historically, I think a lot of people think of us as a human password manager. That's, you know, Yeah By design, we were a human password manager for a very, very long time.
[00:06:48] Jeff Malnick: Um- What we're doing today and what we've spent the last, uh, you know, specifically the last, I'd say, 24 months or so developing is a way for the 1Password product to better integrate through these headless workflows for machine workloads. Um, and so we've got a lot of exciting capabilities that we're gonna be launching later this year.
[00:07:08] Jeff Malnick: But for us, we had to really rethink how our application is handled by these different agent actors, specifically machine actors, but also, you know, like I mentioned earlier, there are machine actors that can now reason. And so the way that we implement policy, um, how we handle, you know, things like, you know, step-up authorization, things like that, these are actually unsolved problems for the entire industry.
[00:07:34] Jeff Malnick: It's not just us that's trying to innovate here. It's everybody in the industry right now. Um, so we're in good company, but we're also in a position where we have to rapidly innovate internally if we're gonna be able to actually provide the capabilities to AI agents in a way that isn't gonna be a high friction workflow.
[00:07:52] Jeff Malnick: And at 1Password, I think we, you know, we do pride ourselves heavily on the fact that we have simplified some very complex security workflows, arguably for the hardest principle to simplify security workflows for, which is the human actor, right? This is an actor with, uh, opinions about he-- how things should get done.
[00:08:09] Jeff Malnick: Um, it's not as easy as, you know, connecting a couple of machine protocols and being done with it. Uh, you have to think critically about how that human is going to actually, uh, operate within the system. And, um, so for us, you know, luckily we've developed our product to be built into a lot of the places where that work is already getting done today.
[00:08:29] Jeff Malnick: For human actors, historically, this has been the web browser. Um, for the human actor that happens to write software for a living, the developer, that's the IDE, it's the terminal. Um, not a lot of people know this, but we have a very robust set of developer tools, uh, different hooks with pretty much every IDE out there on the planet, shell extensions for the terminal, and a whole lot more.
[00:08:51] Jeff Malnick: You can, you can check that out at developer.1password.com.
[00:08:55] Krishna Gade: Got it. So now, like let's take a concrete example, right? So now as I... You know, as agents, let's say I'm trying to use Cloud Code and it's spinning out multiple sub-agents, and they're making different tool calls and, and model calls. Uh, where would identity sit here?
[00:09:10] Krishna Gade: You know, uh, like now, like it's people are moving away from IDEs to sort of these autonomous, uh, uh, sort of agents, right? You know, like, you know, coding agents are building these applications, uh, based on skills and the goals that you set for them. And, and how does the identity shift here? Where, where is it present, and how are you permissioning these agents?
Local vs. Remote Agent Identity Models
[00:09:29] Jeff Malnick: Yeah, that's a great question, and I think this is really confusing for a lot of people, and I see this in discussions with, um, you know, our customers, our partners internally within our R&D organization. At 1Password, we
[00:09:42] Jeff Malnick: like
[00:09:42] Jeff Malnick: to bucket these, uh, different agents into agent identity models. There's been a couple of, uh, there's been a couple lines of thought in the industry around this.
[00:09:54] Jeff Malnick: Um, the, uh, there's a, a really great company, uh, called BetterAuth. If you haven't heard of them, you should check them out. They're really... They, they're doing some really great stuff in this space right now. Um, they have a, uh, a protocol called Agent Auth Protocol, and it's designed to essentially work with, um, what they consider a delegated and a fully autonomous agent.
[00:10:16] Jeff Malnick: Um, the, the way that we like to think about this is very similar to that, except we extend it a little bit. Um- 1Password, historically, we work within these local environments, right? And you mentioned Claude Code. So that could be an agent running on behalf of Claude Cowork, an agent running on behalf of, uh, Claude Code.
[00:10:35] Jeff Malnick: Um, it could be an agent running in your shell, uh, so it has access to your file system. These are all examples of local agent workflows. Um, and I think the, you know, the three models that we sort of came up with is, yeah, there's a delegated case, and there's a fully autonomous case. Um, but there's actually a middle ground that we consider more of a bounded case, where the agent's working on behalf of an application.
[00:10:58] Krishna Gade: That could
[00:10:58] Jeff Malnick: be another AI agent. It could be- a GitHub action. It could be any number of, you know, other pieces of software that the agent's working on behalf of. So we sort of have these three different models. And we ended up with six variants of those models because each of those three models could be running locally or remote.
[00:11:16] Krishna Gade: Right.
[00:11:16] Jeff Malnick: And depending on whether they're running locally or remote, how you apply an identifier to them, i.e., get them an identity in the first place, and then have them be auth- authenticated and authorized to do something in a system, changes slightly. And so, you know, internally with- within 1Password, those are kinda the three models and six general variants that we work on.
[00:11:39] Jeff Malnick: Right now, we're very focused on the local case. And the reason I gave all this, you know, uh, preface to, to that question is that the, the concept of an identity is really taking a set of attributes and saying, "Based on these attributes, we believe that this process is this thing."
[00:12:00] Jeff Malnick: Right? And so even a human actor in a system, you physically yourself as a human isn't usually the thing that's being identified.
[00:12:07] Jeff Malnick: It's usually a client that you're working through.
[00:12:10] Jeff Malnick: And so the AI agent itself needs to have a way to be attested. This process needs to be attested, and it needs to be enrolled in a system somewhere. And for workloads, going back to my point earlier that AI agents are simply, big air quotes, they're simply workloads that reason, uh- Historically, we've solved this problem with workloads by running the, the workloads in an environment that we can easily attest.
[00:12:39] Jeff Malnick: And that is to say Kubernetes, EC2, these com- these compute environments where it's very, you know, with a high degree of
[00:12:47] Jeff Malnick: certainty,
[00:12:48] Jeff Malnick: we can say the thing running here in this AWS account, in this VPC that has this security group attached to it, is safe to apply this policy to. And therefore, we're gonna hand that thing an identifier and some secret material that it can then go use- to exchange for an authentication with a- Yeah ... with a different system. Um- And this is
[00:13:09] Krishna Gade: ephemeral? This is like, you know, an, for a, for a certain amount of time or... Because agents kind of change, right? Yeah.
[00:13:15] Jeff Malnick: Yeah, exactly. So work- the, what I'm describing right now is something called workload identity federation.
[00:13:21] Jeff Malnick: Um, in the process of using a, a, a protocol called token exchange- to say a workload is running in this, in this, uh, in this compute environment that's controlled. I can attest that controlled compute environment because there are certain things about where that workload is tr- running that I can trust.
[00:13:37] Jeff Malnick: And so workloads that spin up in there, I can automatically enroll in my identity system. I can automatically grant that thing an identifier. And I will trust the secret material that it brings to my system.
[00:13:49] Krishna Gade: I will
[00:13:50] Jeff Malnick: exchange that for an access token in my system. So in the case of something running on Kubernetes, for example, it may present a Kubernetes, uh, service account token to your system and you will say, "Yep, I'm gonna trust this."
[00:14:01] Jeff Malnick: Because I trust that issuer and I trust the attestation that took place in that controlled environment. So all those workloads are ephemeral, right? Like Kubernetes pods, they go up and down all day long, and you can go through this process all day long.
Securing Endpoints & Laptop Workloads
[00:14:13] Jeff Malnick: The real challenge, the really hard part, is when those workloads are running on your laptop.
[00:14:18] Jeff Malnick: Yeah. Which is something that you see quite a bit of today. I think that this is gonna be one of the overarching challenges that we're gonna have to go and solve as an industry. It's very, very hard to say whether or not your laptop's lying And we have a lot of, you know, historically the laptop's never been technically a safe place.
[00:14:37] Jeff Malnick: If you talk to a CISO or CIO out there, they'll say, "The laptop and these endpoints is my bane of my existence," right? Like, "Please, everybody, just use a hosted VM up in EC2 and make my life easier." We don't live in that world, right? So we've had these laptops all along. Um, the saving grace was that you weren't walking out onto the street, well, not everybody at least, but by and large 99% of people aren't walking out onto the street and handing their unlocked laptop over to a perfect stranger on the street.
[00:15:06] Jeff Malnick: But that's exactly what you end up doing when you decide to give an AI agent access to your file system. When you do that, you basically have said, "You can just read anything on my file system." And how many people are watching this podcast right now, how many people have actually looked in your downloads folder recently- and removed all of the secret material in your downloads folder.
[00:15:29] Jeff Malnick: 'Cause I can guarantee that there's at least somebody on this call that has some recovery codes buried in their downloads folder that they downloaded the last time they set up MFA for a service. Everybody's done that. And I had a really interesting, um, situation occur at work where one of my colleagues gave AI access to...
[00:15:46] Jeff Malnick: They wanted it to send email on their behalf. It couldn't do it because it couldn't get the MFA code, but it just found the MF- the recovery codes in the downloads folder. It went through the recovery codes process and sent it anyway. So- Wow ... this is a, like, you know, you extend that, not to just recovery codes in your downloads folder, but to the environment files that you have on your machine.
[00:16:08] Jeff Malnick: That's all clear text. A lot of times bearer tokens are just stuffed into those environments files in clear text. It... dot files, like AWS configuration. There's so many clear text secrets on your laptop today, and the only reason that wasn't a problem is because, for the most part, you are physically gated from accessing the laptop.
[00:16:28] Jeff Malnick: You know, there weren't other things that could reason, that could go through that laptop, and now there are. And so that's a really, that's a tough situation to go and secure. The reason it's tough is because it's not controlled. You can't attest a process very easily on that laptop- and grant it an identifier and then apply a policy to it in the same way that you can in a controlled environment up in the cloud.
[00:16:49] Krishna Gade: Hmm. So what's the fix here? Do you do with an endpoint application that is doing all the posture management of these dynamic agents that are running on my laptop?
[00:16:58] Jeff Malnick: Yeah. So we've actually come up with some novel approaches to this at 1Password. We recently, uh, submitted a patent filing for some work around this, actually.
[00:17:07] Jeff Malnick: Um, the, the way that we are solving it is through a process of OS-level attestation using kernel audits, um, and the fact that we can rely on the code signing infrastructure around a specific binary. So that's... This isn't, um, I don't want to call this novel in the sense that nobody's done this before. I think you can go all the way back to f- the, the folks at McAfee have been doing this for a long time.
[00:17:28] Jeff Malnick: Uh, fingerprinting software does a, does a similar thing. But the, um, the novel approach is that we are using it to create a chain of trust. So we can say that specif- we can apply an identifier to a process running on your machine- and we can link that ident- that identified process to a specific master process, and we can apply a policy that that agent, that process, which would happen to be an AI agent, can then use to access other systems.
[00:17:55] Jeff Malnick: Um, and so really it's a way for us to, you know, attest, uh, processes running on that machi- that machine and give it that initial secure introduction where we can apply an identifier for
[00:18:07] Krishna Gade: it. Awesome. That's So it was actually, you know, this is an real world problem I just heard this week, you know, from a customer conversation, right?
[00:18:13] Krishna Gade: This customer is trying to build, um- Hmm ... a f- you know, autonomous agentic system in a b- you know, the big financial services company And these agents will go and call different API endpoints that they have, you know, databases and internal APIs, and they want to do dynamic access control, right? Like they wanna be able to like provide access where it is needed, shut down access where it's not needed.
[00:18:36] Krishna Gade: How do you do that? Like, you know, like how do you, how do you make sure that like, okay, I have a customer support agent, it should not call HR, uh, you know, API. So I have like a sales agent and it, and it maybe should not call my financial information or whatever that is.
[00:18:51] Krishna Gade: know, you...
[00:18:52] Krishna Gade: how do you pr- how do you deal with this, um, dynamic access controls?
Dynamic Access Control & Token Management
[00:18:56] Jeff Malnick: Yeah, that's a great question. Um, the first... I, I'm gonna start this off with what not to do. Um, don't hand an AI agent a bearer token. A bearer token, you've probably seen this before, the authorization bearer header in an HTTP header before. Um, bearer tokens are what they say they are. They are anything that bears that token can get access to that service.
[00:19:17] Jeff Malnick: And they typically don't carry a ton of identity information. Um, they don't carry any, uh, proof of possession. They're not cryptographically tied to, uh, you know, a, a, some sort of provenance. And so they're really challenging, right? And we see this quite a bit, 'cause how many people have had bearer tokens as the way that you would access, you know, in the past, GitHub, uh, Atlassian, Salesforce, you know, every single piece of software that needed to have machine to machine interface, the historical way we solved this was with bearer tokens.
[00:19:47] Jeff Malnick: Um, the reason MCP chose OAuth as the protocol is because you don't have to rely on bearer tokens. You can rely on an access token, um, instead. There are protocols that build on top of that, OIDC, that allows you to also produce an identity token, um, and actually ground the carrier of that access token in a, in a, in a concrete identity.
[00:20:08] Jeff Malnick: Um, the solution here is, is not necessarily... It's not as easy as how you get the bearer token to the agent, as much as it is about the industry coming together and saying, "You know what? For a really long time now, these systems have been pretty broken." There's still a lot of applications out there, heavy enterprise applications, that don't have great scoping at the domain level, right?
[00:20:31] Jeff Malnick: Right. Um, I think, uh, not- It's just
[00:20:33] Krishna Gade: security by anonymity at this point, you know. Now agents are breaking it, yeah.
[00:20:37] Jeff Malnick: Exactly, right. And I, I think that, you know, I don't wanna pick on any specific companies out there, but we've all had this experience as software engineers or, you know... I will pick on one. I think it was, uh, you know, maybe five, six years ago, Tesla had, you know, an API to their- Uh, system, and you'd hand that over to...
[00:20:54] Jeff Malnick: They didn't want people handing that out as, like, an extension of their system. They didn't want people building on top of it early on. And, um, that token, if you got access to it, not only allowed you to charge the vehicle, but it also allowed you to turn the vehicle on and auto park it and do all this other stuff.
[00:21:09] Jeff Malnick: I- they've added scoping since, but that's just, like, one more- you know, example of, like, a lot of times it's very hard to back the scoping mechanism into an application that wasn't built with that in the first place. And so I think the first step is, as an industry- let's start building applications with that scoping mechanism as the default way that we're building.
[00:21:27] Jeff Malnick: Let's think about the domain model there and how we actually wanna, you know, uh, compartmentalize the application in a reasonable way that those scopes can then be added later. Interesting. Um, but I think in terms of what we have today and your original question around how you prevent that AI agent from accessing too much or revoking access after it's been granted, um, we need to have systems in place that can take advantage of those scoping mechanisms first and foremost.
[00:21:55] Jeff Malnick: Um, we don't want to... You know, in some cases you might be able to trust an agent, and when I say you can trust an agent, I mean the harness around the agent.
[00:22:04] Krishna Gade: Right.
[00:22:04] Jeff Malnick: I would never trust the LLM context that the agent's using as a feedback loop, right? You never wanna have data enter into that. AI agents are always architected with this kind of harness in mind, right?
[00:22:15] Jeff Malnick: That's right. And the LLM feedback loop is one piece of that harness. If you can trust that the harness for that agent was built securely and isn't
[00:22:22] Jeff Malnick: gonna
[00:22:23] Jeff Malnick: pass a credential back into context, okay, maybe it's okay to hand it over, you know, hand over a OAuth access token for it to go independently do something.
[00:22:32] Jeff Malnick: But I think for any reasonably sized organization, you don't necessarily wanna take that risk. You don't wanna trust that everybody's going to build an agent with perfect security in mind. And so the best way for us to handle that is usually through some kind of proxy or gateway mechanism.
[00:22:46] Krishna Gade: It
[00:22:47] Jeff Malnick: can then inject and handle that OAuth token exchange and then inject the token on behalf of the agent.
[00:22:52] Jeff Malnick: Um, ideally, you know, for local workloads that, you know, that proxy should be local, so you don't have to rely on, you know, su- super sophisticated networking to, to make sure it lands in the right place. Um, but at a minimum, you know, is a, is a gateway to these other applications.
[00:23:08] Krishna Gade: Yeah, interesting. And there's a related audience question as well.
[00:23:11] Krishna Gade: So it seems like e- when you are developing such agents, um, there's a notion of evaluations, right? So, okay, you know, could you evaluate these agents to, like, for example, respect privacy limits and boundaries, like, even before you launch those agent, and then ensure... Uh, like, how do you do that? Like, any, uh, any idea?
[00:23:28] Krishna Gade: I mean, this is relevant for us because we work on observability and evaluation, so be curious to listen to your thoughts as well.
[00:23:34] Jeff Malnick: Yeah, I mean, I'm gonna take a, a, a best, a best guess at this, uh, 'cause I do have some thoughts. We have actually done some work in the space of benchmarking agents based on their ability to Um, we have this thing you can go and Google.
[00:23:46] Jeff Malnick: I don't have the website right off the top of my mind, but if you Google 1Password Scam, S-C-A-M, Benchmark, um, you'll see some of the work that my colleague Jason Miller has done in this space. Um, there are ways to outfit agents, like to evaluate them and benchmark them against their ability to, quote-unquote, "be scammed."
[00:24:03] Jeff Malnick: Uh, in other words, like, will this agent be susceptible to a phishing attack was one thing that we were really curious about, and then we built a set of skills that that agent could use to, uh, minimize its ability to get scammed. Um, we were able to benchmark it back on that skill set and show the improvement in the scoring there.
[00:24:21] Jeff Malnick: Um, so there are some ways for us to do that, though I wouldn't wanna... At this point in time, I don't think the model development... Personally, I just don't believe that the model development is there just yet, that we can rely on- Yeah ... the model to have a guardrail built in. Um, you're also relying on the skill being applied, and that there hasn't been prompt injection after the skill has been applied, which- Mm
[00:24:39] Jeff Malnick: that's also a big open question. Mm. Um, I think that these models, you know, at the end of the day, the, the reason they're so challenging is that you have to secure that content, uh, or the context stream through and through. Like, we have to have some notion of end-to-end encrypted context, basically, where it's not gonna get tampered with from the point that a skill was applied to the point that it's actually getting processed or something to that effect.
[00:25:03] Jeff Malnick: Um, so we're not quite there yet, but, um, Krishna, I don't know, what, what are your thoughts on that?
[00:25:07] Krishna Gade: Yeah, I think, you know, you mentioned, like, a few things, right? Yeah. You... There are things that people are doing outside of the model in the harness layer where you can set up, like, tests and evals to ensure, you know, this is calling the right APIs, right?
[00:25:20] Krishna Gade: And, and that's... And the minimum, you know, tests that you can do. And then also the gateway approach that we mentioned, that's also becoming a, a popular mechanism to deal with this thing, you know, uh, at runtime yeah, but it's definitely not a fully solved problem, and people are learning Yeah. Awesome. So I guess
CISO Risks, Prompt Injection & Evaluations
[00:25:39] Krishna Gade: let's, uh, you know, maybe step back a little bit and talk about, uh, some of the, like, leadership concerns here. You know, why should, like, CIOs and CISOs be concerned about agent identity today? What's equivalent to, like, say, a credential leakage or account takeover in an agent world?
[00:25:55] Krishna Gade: You know, any examples that you may have heard from your customers or prospects or general conversations, that would be great.
[00:26:02] Jeff Malnick: Yeah, I mean, okay, so account takeover, it's prompt injection, right? Right? I think that... And the thing with prompt injection, the reason it's such a prolific problem is because it could just be anywhere, right?
[00:26:12] Jeff Malnick: Mm. I think that there's... You know, you wanna... We are in this position right now where we are, um... You know, I see a lot of CISO organizations and CIO organizations, um, really getting marginalized around their core use case that they have for the business, right? They're there to secure the business and make sure that- You know, the reputation and that their integrity is, uh, from a data and usage standpoint, is strong.
[00:26:37] Jeff Malnick: And with AI agents, you basically have introduced this, uh, vector that at any point in time, in any use case, whatever it reads could then change the way it behaves. Um, so a great example of this could be, you know, your security team, right? The CISO security team wants to use AI to make their SIEM more usable, right?
[00:27:00] Jeff Malnick: Yeah. I think every security team out there has this experience where they're dealing with dozens, if not hundreds, of log streams, and they're trying to put the... put it into a system where they can make the best use of that and kind of get the signal-to-noise ratio right. What better use case for AI, right?
[00:27:16] Jeff Malnick: Yeah. Like, that is such a great use case for AI. Um, but the SIEM's purpose is to alert you to poor behavior. Um, now with that SIEM use case, all I have to do is make a few, uh, you know, uh, I would say novelly crafted Jira tickets that end up in the SIEM that tell it to ignore certain information to process that in a different way.
[00:27:37] Krishna Gade: Yeah. And
[00:27:37] Jeff Malnick: now you've, uh, basically done an account takeover to your SIEM, right? And you're basically... Anybody can create that Jira ticket at your business probably, and that SIEM's just gonna adjust that log. Or it could be a bad actor that's, um, you know, decided to, uh, emit log lines that you happen to be ingesting into the stream and, or into the SIEM.
[00:27:58] Jeff Malnick: And it's basically redirecting how the SIEM is gonna operate, uh, based on those log lines. Um, those are really hard problems to go and solve, right? But that's a... You basically have backdoored your SIEM, and you've opened up the SIEM to, uh, basically behave differently. And anybody at the company that can emit data that enters into that SIEM can now control how the SIEM behaves- Yeah
[00:28:23] Jeff Malnick: if you haven't crafted the SIEM in a, a novel, in a, in a way that protects against that. And by the way, it's, I think it would be very hard to protect against something like that. Yeah. Uh, it's not to say it's not a problem we can't solve, but it's a very, very challenging problem to solve. And if you extrapolate that same problem to pretty much any other use case where an AI agent is going to be processing data, uh, helping you solve the signal-to-noise ratio for your business, which is the value added at the end of the day- Yeah
[00:28:49] Jeff Malnick: um, you can see immediately how tough of a situation this is, especially for those CIOs and CISOs out there who are being told, "We need to adopt this at all costs. We're gonna worry about security as a, a separate concern here." Um, and we end up in situations like, you know, there's been... I don't need to highlight any of the well-known, you know, uh, security incidents that the industry's had over the last,
[00:29:10] Jeff Malnick: I'd say
[00:29:10] Jeff Malnick: six months have been pretty interesting.
[00:29:13] Krishna Gade: And so this is, this could just be internal prompt injection attacks that could be, uh, malicious or just completely benign, you know, like the people trying different things out and interesting.
[00:29:24] Jeff Malnick: Yeah. I was talking about malicious actors, but you could definitely have somebody that was being benign and just, you know, did some...
[00:29:31] Jeff Malnick: You know, wrote something in a weird way in a, in a ticket in the SIEM process that, you know, a way that wasn't
[00:29:36] Krishna Gade: Got it. And what's like, uh, what is this notion of agent passwords, you know, and, you know, like, are they fundamentally broken? Um, you know, like how are like... Uh, any, like any sort of insights that you can share
[00:29:51] Jeff Malnick: Yeah. Well, I think like when you say agent passwords, you're talking about just like sharing credentials with agents or- Right.
[00:29:56] Krishna Gade: Yeah.
[00:29:56] Jeff Malnick: Yeah. So I think that I'll go back to the comment I made about bearer tokens earlier. Um, a password is a bearer token, right? At the end of the day. You don't wanna hand anything that...
[00:30:06] Jeff Malnick: You know, a password is the worst kind of bearer token because it doesn't even have any real... You know, it doesn't carry, um, a lot about the identity for it, right? You can, you know, if you pair the password with the user, with the right username, et cetera, you get some notion of identity. Um, but it's, uh, you know, it's not like you're dealing with like a assigned identity claim or anything like that.
[00:30:28] Jeff Malnick: I think that the, um, the, the case, the, the way that I like to think about agents and how to provide them with credentials is first and foremost, like try not to provide the agent with a credential. Where you can, protect it with a proxy, um, that can do that credential injection on the agent's behalf.
[00:30:46] Jeff Malnick: Um, the credential that you do- uh, inject on the agent's behalf to a s- different system should be an access token at minimum. It shouldn't live for more than 60 seconds. Replication's a very, very challenging, uh, you know, problem to go solve. We haven't solved it yet in the industry today.
[00:31:04] Jeff Malnick: There's some good solutions out there, but they require a lot more, uh, scaffolding of the identity system and more integration points. Those integration points translate to more operational overhead for your IT administrators and other folks who have to actually operationalize these systems. And so they're typically not actually, uh, stood up.
[00:31:23] Jeff Malnick: So most systems that run today lack a, like a, you know, I can immediately revoke this access to this user. Um, the way that you solve for that is by making sure that the tokens that you're emitting don't last for very long. So if you do need to remove access, that token can't be reused on the next call- or it's just gonna expire and the, the amount of damage that can be done is, is minimized by the, the time it has access to the system.
[00:31:50] Krishna Gade: Got it. And so like if in that sort of assignment flow, let's say, you know, your agent, uh, is trying to access certain APIs, and will that assignment happen at the gateway layer?
[00:32:00] Krishna Gade: Like, where it'll look at like the context that you're trying to do, and it'll say, "Okay, now I'm gonna grant you this token for this much time," and you go and access this API? Like, how does that process work?
[00:32:10] Jeff Malnick: Yeah, so what you're describing there is, um, policy enforcement versus policy decision.
[00:32:15] Krishna Gade: Right.
[00:32:15] Jeff Malnick: And, um, those two things can happen at different points in, in a given flow.
[00:32:20] Jeff Malnick: Sometimes they may be at the same application that you're talking to, uh, but other times they might be different. So I'll give you an example. The, um, a policy decision point is where you're actually provided an access token, but when you go use that access token in an upstream system-
[00:32:35] Jeff Malnick: um, in the case of, let's say you're, uh, being granted an access token from an authorization server.
[00:32:42] Jeff Malnick: Well, the authorization server isn't actually in, um... It's deciding, uh, what scopes you're gonna have access to. But the enforcement of those scopes take place on the resource server when you actually go- Right ... use the access token. Um, and so this is what I'm describing as, as very, uh, narrowly scoped- Yeah
[00:33:01] Jeff Malnick: to an OAuth flow- Right ... uh, which is very relevant for agents because of MCP. Um, but the, the, the point that I'm trying to make there is that the systems that provide the policy decision, the policy enforcement can be two separate systems. They can actually- be pretty far apart in some of these more federated use cases.
[00:33:20] Jeff Malnick: Yeah. Um, and so, you know, there's, there's advantages and there's disadvantages there. Um, the advantage of that type of system is that you don't have to... The resource server that's responsible for protecting and enforcing that policy decision, um, doesn't necessarily have to have all the complex, uh, machinery that allows you to do a more, I would say, like nuanced policy decision at the end of the day.
[00:33:47] Jeff Malnick: Uh, like a policy decision, uh, for AI agents, I'm sure everybody here has heard the word intent used almost to the point of it being bankrupt now. Um, but what people are trying to, I think, communicate when they talk about intent is that you have a human that is trying to do something with an AI agent.
[00:34:07] Jeff Malnick: Yeah. And you need to pull the human's intent through that whole system to the policy decision point. So when the policy decision is made, right, you can actually just in time evaluate what the intention is and whether in, you know, map that to a, maybe a statically defined policy that says, "Here are the guardrails against-" Yeah
[00:34:28] Jeff Malnick: what this agent has access to." I think the, the best example of this could be a human, a, uh, a rev- a revenue operations person that's using an AI agent to go assess, uh, you know, tables in Snowflake, right? Yep. And those tables, uh, that human engineer wants to provide that, that agent with access to certain tables that they have access to.
[00:34:51] Jeff Malnick: Right. So they provide a, they've done a delegated OAuth flow through authorization code flow. They've got an access token they're using. Um, the- Today, that access token's generated once, and we kind of forget about it.
[00:35:03] Krishna Gade: Right.
[00:35:04] Jeff Malnick: But what we need to be building is a system that allows that agent to decide, you know what?
[00:35:09] Jeff Malnick: You gave me access to this table. That's the table I needed at that point in time. But 30 seconds later, I actually need access to this other table- Yeah ... um, maybe in another database. Right. Um, and so that is... You know, at that point needs to go back to the policy decision point. That policy decision point needs to pull through the human's intent.
[00:35:28] Jeff Malnick: Okay, they're doing revenue operations. The new table looks like it's, uh, net dollar retention information, and that seems like it's the correct way for me to do this.
[00:35:37] Krishna Gade: And they're not asking for CEO salary or whatnot, so I won't expose that information. Yeah.
[00:35:41] Jeff Malnick: Exactly. And the guardrails I have in place actually allows me to give this agent access to this database anyways.
[00:35:47] Jeff Malnick: I just didn't do it the first time because we wanted to provide it with least privilege access. It didn't request at that time. But this time it is, so I'm gonna grant it a new access token that gives it access to that database Um, that real-time dynamic policy decision, um, is, is what's really missing from the industry today.
[00:36:06] Jeff Malnick: Yeah. Um- And this access
[00:36:07] Krishna Gade: token then has to be respected by the
[00:36:09] Krishna Gade: enforcer, right?
[00:36:09] Krishna Gade: Right. So that state management, i-is that sort of what like the identity provider would manage essentially that, like across all the gate... Like say the gateway is doing the policy decisioning. Yeah. And it's using some context and guardrails to say, "Okay, I'm gonna allow you this request."
[00:36:25] Krishna Gade: And do you see like a gateway kind of talking to the identity management to sort of a- provide access tokens and kind of- I see the- ... keeping it?
[00:36:32] Jeff Malnick: I see the, the policy decision being a policy, like a separate policy system-
[00:36:39] Krishna Gade: Okay ...
[00:36:39] Jeff Malnick: um, that's doing all the hard work of taking all these inbound signals and ma- you know, basically saying, "Okay, here's the human intent.
[00:36:47] Jeff Malnick: Here's what the agent's asking me for, and here's the guardrails." Right. Basically, the deterministic, the floor and the ceiling of what that agent can access. And the policy decision's whole point is to provide an access token that gives it least privilege for the action the agent wants to take based on the human's intent and what the policy document says, which is just really the, the upper and lower bounds of what it ever could access, right?
[00:37:10] Jeff Malnick: It's like a spectrum of everything- Right ... it could possibly
[00:37:13] Krishna Gade: Got it. Got it. Interesting. Very interesting. So, so I guess, uh, you know, from your recent thinking and upcoming work, right, what identity models are actually pro- proving valuable? You know, delegation, scope tokens. We talked about just about ephemeral identities.
[00:37:28] Krishna Gade: What's actually working in production? You know, what needs more work?
[00:37:31] Jeff Malnick: Yeah. So I think, you know, we've been using ephemeral identities in production for a decade, over a decade, right? You look at SPIFFE and some of the recent work that, um, you know, the IETF community is doing around WHMSI. Um, we've been, we've been handling ephemeral machine workloads and providing them identifiers and authorizing them, and authen- au- authenticating and authorizing them to different systems for a long time now.
[00:37:55] Jeff Malnick: Um, the real trick with AI agents is that we need to provide a more dynamic just-in-time process for pretty much that, what, what I would consider like a, a reauthorization for different situations. Um, those protocols are actually emerging. Um, and I've, I've started to see some of them become implemented in different, in different ways.
[00:38:14] Jeff Malnick: I mentioned BetterAuth earlier on. Their Agent Auth protocol is a good example. I believe they actually specify one of those emerging s- standards called CIBA, uh, Client-Initiated Background Authentication. Um, so there's ways for, you know, the community is now, uh, you know, pulling a lot of this stuff together, and I've seen a massive acceleration in the standards and, and approaches.
[00:38:35] Jeff Malnick: Um, transaction tokens is another great example of, of some of the work that's, that's out there today that I'm starting to see gain a lot more traction. Um, but I think, you know, over time, I think in the next 24 months are just gonna be really exciting. We'll have to lock down, uh, we will lock down as an industry, uh, you know, ways of working with AI agents that, you know, we should always be thinking about identity for all the great reasons I already described earlier in this call.
[00:39:00] Jeff Malnick: I might be a little bit biased because I'm a complete identity nerd. Um, but at the end of the day, you know, if you're not developing an application with the actors in mind that are accessing it, you're probably not building the application for the right thing. Um, so I think, uh, we should always be thinking about that stuff, and my hope and dream is that, you know, 24, 36 months from now, we're gonna be on a very different, uh, plane in terms of how we go and secure these
[00:39:25] Krishna Gade: Interesting. And, and what are some of the big problems, you know, that, that you're trying to solve within 1Password's point of view, like within identity management?
[00:39:33] Krishna Gade: Like
[00:39:34] Krishna Gade: what's, what's coming up next in the next six to 12 months?
[00:39:37] Jeff Malnick: Yeah. So I can't... You know, I obviously can't, um, show my cards away here. But, uh, I will say that we are...
[00:39:45] Jeff Malnick: You know, I mentioned the provisional patent that we, you know, submitted, uh, not too long ago, a few weeks back. Um, we have a, a few other pieces of work that we've, um, we've been innovating around, coming up with, you know, the novel approaches that just don't exist today. Um, we're really excited about that work.
[00:40:00] Jeff Malnick: We're excited about building that into the products that we have, and we're excited to, um... You know, our focus has been to build security into the places where work gets done, right? Like that is why 1Password today secures over 1.4 billion credentials across millions of users and hundreds of thousands of B2B customers.
[00:40:18] Jeff Malnick: Um, that for us is, you know, achieving that level of success and adoption in any industry is, is not easy to come by Um, and we've done it by drastically, I would say radically simplifying the workloads for, or the, the workflows for secure- for going through as any given security workflow. And at the end of the day, like we wanna, we wanna carry that same mantle forward in terms of how we provide security for agent workloads too.
[00:40:47] Krishna Gade: Uh, let's take an audience question that's, uh, also 1Password specific here. Um, at the beginning, you mentioned we have been dealing with non-deterministic users the entire time, and argue that humans are more predictable. You can tell an agent not to do something, and it's more likely to ignore it than a human because a human has a fear of losing their job.
[00:41:05] Krishna Gade: And however I get your point, I even had my agent ignore or jump over its harness lately. How is 1Password addressing the fact that agents ignore constraints?
[00:41:15] Jeff Malnick: Yeah. I think that that's a great point. Um, I thought long and hard about some of the, um, I would say, psychological implications of agents that you just pointed out there.
[00:41:26] Jeff Malnick: I think that that's like a really fascinating, uh, part of this machinery that we've, uh, you know, found ourselves interacting with. Um, 1Password has... We've actually, we've got a blog post I can share after this that outlines our tenets of securing AI. One of those tenets is that the credentials never enter into LLM context.
[00:41:49] Jeff Malnick: Maybe somewhere down the road we'll be in a place where we can trust context. Maybe. But we're not there yet, and I- I don't see the light at the end of the tunnel yet either. So I think we're pretty far away from being able to say that context is secure. There's ways for us to, to secure what ends up in the context, but, um, you know, we don't wanna provide footguns to any of our users at the end of the day.
[00:42:12] Jeff Malnick: And I think that the best way to solve that for, from our standpoint, is to never let the credential enter into the context in the first place. The examples of this that we have, if you look through some of the integrations that we've done with partners like, uh, you know, browser-based, browser-based Kernel, other headless browsers and non-headless browsers, we've, we've done great.
[00:42:32] Jeff Malnick: We're doing a really wonderful partnership with Perplexity and Comet. Um, all of that work is leveraging our autofill capabilities and a new API that we've added to our browser extension called our Hints API, that allows an AI agent to sort of gently ask us for just enough information without us revealing any confidential information in whole.
[00:42:54] Jeff Malnick: And so we can kind of make decisions based on the, you know, the request that it's asking for. But we never actually emit any real confidential information that ever lands in context. We rely on an out-of-band process of auto-filling in the, the web form. Um, and through obfuscation in that auto-fill process, we can actually completely pull- You know, and make sure that any agent, even a browser agent like, uh, the Claude Browser Extension, doesn't actually see any of the security information that's entering into those fields.
[00:43:24] Jeff Malnick: That's just one example, but I think the, my comment earlier about us, you know, leveraging gateways for more of these machine, uh, to machine use cases, um, that's just another example.
[00:43:36] Krishna Gade: Interesting. And do you differentiate, uh, identity from like, say... And I think you mentioned this a little bit, but maybe a little bit more on this, uh, from like agents that are running locally to agents running on remote, like cloud instances and also like closed agents, right?
[00:43:51] Krishna Gade: Like, you know, things that are like SaaS agents that, you know, customers, you know, uh, try, you know. Like do you have different implications of identity across these three types of agents?
[00:44:01] Jeff Malnick: Yeah. It's really, what changes there is, um, typically the process of secure introduction. Um, so what you're actually attesting in those environments changes.
[00:44:11] Jeff Malnick: Locally, you're, you might be attesting a process tree. And the provenance of one single process that spawned the agent in the first place- uh, ideally grounded in some kind of codes and some kind of binary signing process. Um, in the remote case, uh, workload identity federation, the process of token exchange is really valuable there.
[00:44:30] Jeff Malnick: That's a kind of t- tried and true thing that we've been leaning on for a long time now as an industry for workloads. Um, and I think that, you know, in terms of like closed agents or SaaS managed agents, we can also rely on workload identity federation. I know the folks at Anthropic just had a great launch, uh, about a week and a half ago.
[00:44:48] Jeff Malnick: They launched, uh, managed agents, but maybe, you know, in case you missed it, they also launched Workload Identity Federation. Um, so you can now build a trust relationship with Anthropic as an issuer and automatically apply a policy to a managed agent in Anthropic and, um, you know, allow that to be...
[00:45:06] Jeff Malnick: allow that agent to run more autonomously while also securing what it can get access
[00:45:11] Krishna Gade: Interesting. That's very interesting. Cool. So I guess, um, looking ahead, you know, where is agent identity going over the next three to five years? Does every enterprise end up running its own identity layer for agents?
[00:45:23] Krishna Gade: You know, what's your point of view?
[00:45:25] Jeff Malnick: Um, you know, I think the enter- the, the companies that can afford to make the investment in that sort of build versus buy decision and go the build route, they'll go the build route because I mentioned identity is core to an application, and at some point there might be, you know, with a significant enough investment in that identity infrastructure, you can streamline how that identity, you know,
[00:45:50] Jeff Malnick: the,
[00:45:50] Jeff Malnick: the least friction way possible for that identity to navigate an application, um, whether it's a human, a machine, or an AI And so I think that you'll see, you know, you see that today, right? Like there are companies out there that are... make billions of dollars in revenue, and they're fine building a 50-person team to manage a very complex identity- stack for their business. And that makes sense because of their size. I think for the commercial SMB segments, that build versus buy decision is much more complex, and they're gonna be, you know, relying on the same tried and true ways that we've gone and secured these sorts of identity workflows in the past.
[00:46:29] Krishna Gade: That's wonderful. So, uh,
Rapid Fire Round & Closing Thoughts
[00:46:30] Krishna Gade: we are entering the final, and my favorite, uh, uh, rapid fire round. Uh, so we'll, you know, shoot, uh, sort of a quick question, you know, uh, one-word answer, you know, uh, or, or, or a short answer if you can. Um, okay, so let's start. Uh, API keys, dead or evolving? Evolving. Okay.
[00:46:50] Krishna Gade: Long-lived credentials or short-lived tokens?
[00:46:53] Jeff Malnick: Short-lived tokens.
[00:46:55] Krishna Gade: Okay. Identity enforced at the gateway or runtime, or I guess in this case, like runtime being probably resource? Uh-
[00:47:01] Jeff Malnick: Gateway. Oh, okay. Cool. For the time being. But there might be... There's emerging specs there- ... that might make it a little bit less tenuous.
[00:47:11] Krishna Gade: And prompt injection, is it an identity problem or a model problem?
[00:47:15] Jeff Malnick: I'd say it's both. Um, and we're probably gonna solve it from both angles.
[00:47:20] Krishna Gade: Human in the loop, required or optional?
[00:47:22] Jeff Malnick: Optional.
[00:47:24] Krishna Gade: That's interesting. Uh, centralized IAM or distributed identity for agents?
[00:47:29] Jeff Malnick: That one's tough for me 'cause I've got a, a bone to pick with federated identity infrastructure.
[00:47:34] Jeff Malnick: Um, I'm like a huge distributed identifier nerd and verifiable credential nerd. So, um, I wanna say that the future's distributed just from that standpoint. Um, and I do honestly believe it is, uh- 'cause federated infrastructure can only get you so far. Look at DNS. So, um, but near term, we need to be relying on the standards that we have, and we need to be, you know, building, uh, systems that can be rapidly adopted.
[00:48:00] Jeff Malnick: And so for that reason, I mean, I go with the, the current federated
[00:48:04] Krishna Gade: Awesome. And what's the most underrated risk in agent security now?
[00:48:08] Jeff Malnick: Um, I would say, you know, the first thing comes to mind is prompt injection. I know we talked about it a lot today, but I think that not a lot of people realize the numbers of ways that you can really get bit by that.
[00:48:21] Jeff Malnick: So just gonna surface that again.
[00:48:24] Krishna Gade: Any example that comes to your mind, like any recent example that you heard that was pretty bad?
[00:48:29] Jeff Malnick: Um, you know, I think the... I think there's too many examples- Yeah ... to start naming right now. But, um, I think the thing is, is j- just how simple it could be. You know, you could, um, you, you can attach a, you know, an LLM to pretty much any data source, and it can start behaving differently based on the content it's ingesting.
[00:48:47] Jeff Malnick: And that's, um, that's just very different from, I think, systems that we've built
[00:48:52] Krishna Gade: One thing agent builders are getting completely wrong right now.
[00:48:56] Jeff Malnick: Um, they're not actually thinking about the identity problem, I don't think. I think that, um- Hmm ... and this is where I think we really need to lean into the senior bench of engineers out in the industry today.
[00:49:08] Jeff Malnick: Um, everybody says that junior engineers, uh, are gonna die off and AI's
[00:49:13] Jeff Malnick: gonna
[00:49:13] Jeff Malnick: take all our jobs and all this stuff. But at the end of the day, we have to be building a, an AI system that understands, you know, the, the software that we're building for the outcomes that we want. And identity's core to that problem, and the best engineers out there are the ones that really understand those identity problems and how they can map them for really great application software outcomes.
[00:49:35] Jeff Malnick: Um, and so yeah, you know, don't make identity an afterthought for what you're building.
[00:49:40] Krishna Gade: Awesome. And I guess you probably answered this previously, but one company doing this well besides you?
[00:49:45] Jeff Malnick: Yeah, I mentioned them earlier. I think the folks over at Better Off are doing some really cool stuff. Um, and definitely check them out.
[00:49:52] Krishna Gade: Awesome. And finally, uh, in three years, the biggest risk, compromised human or compromised agent?
[00:49:58] Jeff Malnick: Um, I'd say compromised agents because agents are... They're gonna have more connection points, and they're gonna be able to act more rapidly than the human actor can. But, um, you know, I think for near term that, uh, that risk is gonna actually evolve out of a human being pawned before the agent's actually pawned probably.
[00:50:20] Krishna Gade: Awesome. Uh, this is a very engaging session, Jeff. Uh, thank you so much. I learned a ton during this conversation. Uh, you know, thanks for being on our webinar, uh, this time. And, uh, and this is basically where we, uh, come to the end of the podcast. Uh, thanks everyone for joining. Um, Jeff, if you have any parting thoughts, you know, we can close at this point.
[00:50:40] Jeff Malnick: I think it's been great. Thanks for having me. Really excited to be here and nerd out for a little bit. Thanks, Krishna.
[00:50:45] Krishna Gade: Awesome. Thank you so much. Thanks, everybody. We'll come back next month with another great guest and on another great topic. Until then, see you soon.
[00:50:54] Jeff Malnick: Cheers.
