By Alex Olivier Authorization, and specifically authorization for AI agents, emerged as the defining challenge of the year. That shift was visible at Identiverse 2026. One marker of how far the work has come is that the AuthZEN sessions ran as a full masterclass and a main-program talk rather than the side birds-of-a-feather slots such […]
The post AuthZEN at Identiverse 2026: authorization in the agent era first appeared on OpenID Foundation.
By Alex Olivier

Authorization, and specifically authorization for AI agents, emerged as the defining challenge of the year. That shift was visible at Identiverse 2026. One marker of how far the work has come is that the AuthZEN sessions ran as a full masterclass and a main-program talk rather than the side birds-of-a-feather slots such topics occupied a year or two ago.
I co-presented both sessions as AuthZEN co-chair and CPO at Cerbos, alongside my fellow AuthZEN Working Group co-chair, Atul Tulshibagwale (CrowdStrike) and joined by Mark Berg (Axiomatics). The rooms were full, and questions after both sessions concentrated on how to authorize AI agents safely.
The masterclass reinforced the scope discipline at the core of AuthZEN. The standard defines only the interface between a Policy Enforcement Point (PEP) and a Policy Decision Point (PDP); it is not a policy language, and it does not dictate how a PDP sources its information. Its information model is built around Subject, Action, Resource, and Context (SARC), and its contract is deliberately strict: a deny is never a 4xx, and a malformed request is never a decision: false. The material that drew the most engagement was agent authorization, via the AuthZEN profile for Model Context Protocol tool authorization (COAZ). It answers the question OAuth scopes cannot — whether this agent, acting for this user, may call this tool with these arguments — by having a gateway or MCP server consult the PDP before a tool runs.
The second session set AuthZEN in the wider landscape. Authentication is largely solved; authorization is not, and no single specification resolves it alone. The strength is in composition. Three standards fit together: Shared Signals (SSF/CAEP) to bring fresh security context to the decision point, AuthZEN for the fast local PEP/PDP decision, and Transaction Tokens (TraTs, an IETF OAuth Working Group draft) to propagate that decision across the services inside an application.
The room was engaged and practical, focused on how the standard applies to specific systems rather than on whether it matters. The questions that drew the most discussion were the hard, real-world ones: how to handle delegated authorization when an agent acts on a user's behalf, and how approval flows fit in when a decision needs a human-in-the-loop. Several attendees wanted to contribute directly, and a new organization signalled its intent to join the Working Group following the session (more will be shared on this once it finalises). Both of those edges are already on the agenda, with the AuthZEN Access Request and Approval Profile (ARAP) taking on the approval-flow case the room raised.
Agents change the shape of the access-control problem. A non-deterministic system acting on a user's behalf, with implicitly delegated access, is exactly the setup that produces confused-deputy failures, in which one component is tricked into misusing its authority — now at machine speed and scale. The community has spent years standardizing how a principal proves who they are; the agent era makes it urgent to standardize, with the same rigor and interoperability, what that principal is then allowed to do.
This is where the OpenID Foundation's authorization work sits. The AuthZEN Working Group is standardizing the PEP/PDP decision interface and, through the ARAP and COAZ profiles, extending it to approval flows and agent tool authorization. Its interop events and conformance certification program let independent implementations trust one another. That work composes with the Shared Signals Working Group and with Transaction Tokens in the IETF, advancing the Foundation's mission of open, interoperable standards that work across vendors and trust domains rather than being locked to any one of them.
Robust, interoperable authorization standards depend on broad industry collaboration. The conversations at Identiverse 2026 made clear how much that collaboration matters, and how much work remains to do together - across working groups, across vendors, and across the PEP/PDP interface itself. This is how the agent-era access-control problem gets solved.
This post is drawn from two sessions delivered at Identiverse 2026 (Las Vegas, June 15–19) by the OpenID AuthZEN Working Group co-chairs:: the masterclass "Mastering the OpenID Authorization Standard," and "Beyond Authentication: Updates from the Authorization Frontier."
About the author: Alex Olivier is co-chair of the OpenID AuthZEN Working Group, as well as the co-founder and Chief Product Officer at Cerbos, an Authorization Management Platform and implementer of the AuthZEN standard. He specializes in authorization systems, with a recent focus on workload identity and AI security. With over a decade of experience building and scaling authorization systems at Microsoft, Qubit, Zencargo, and multiple startups, Alex has published extensively on securing Model Context Protocol (MCP) servers and AI agents. A frequent speaker at events on authorization, AI, security, and identity, including ISC2 Congress, Identiverse, EIC, KubeCon, and Google Cloud NEXT, he combines standards development with practical implementation experience, focusing on the future of authorization for traditional applications, distributed workloads, and emerging AI systems.
The OpenID Foundation (OIDF) is a global open standards body committed to building trusted identity ecosystems. Our mission is to lead the global community in identity standards that are secure, interoperable, and privacy respecting. Founded in 2007, we are a community of technical experts. The Foundation's OpenID Connect standard is now used by billions of people across millions of applications. More recently, the FAPI security profile - built on OAuth 2.0 - has become the standard of choice for interoperable Open Banking and Open Data implementations, while OpenID for Verifiable Credentials specifications are underpinning a new generation of digital wallets. Today, the OpenID Foundation's standards are the connective tissue that enable people to assert their identity and access their data at scale, the scale of the internet, enabling "networks of networks" to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
| # | Наименование новости | Тональность | Информативность | Дата публикации |
|---|---|---|---|---|
| 1 | Call for Participation: Demonstrate MCP-based AI agent security with open identity standards | 0 | 5 | 14-07-2026 |
| 2 | How we got here: what six decades of identity history tell us about the agent age | 0 | 5 | 15-07-2026 |
| 3 | Cloud Exchange 2026: Ping Identity’s Kelvin Brewer on identity as foundation of secure AI adoption in government | 0 | 5 | 18-06-2026 |
| 4 | Google I/O 2026: Google Enters Its 'Agentic Gemini Era' | 8 | 9 | 19-05-2026 |
| 5 | Cequence Platform 9.0 Brings Agentic AI to API Security and Compliance Workflows | 5 | 7 | 30-06-2026 |
| 6 | AI-Powered Video Outcomes: Agentic AI | 0 | 5 | 30-03-2026 |
| 7 | AI Agents Are Creating a New Enterprise Security Gap | 0 | 5 | 03-07-2026 |
| 8 | Errata to OpenID Identity Assurance Specifications Approved | 0 | 5 | 08-07-2026 |
| 9 | How IAM providers are preparing for agentic AI | 0 | 5 | 29-06-2026 |
| 10 | Public Review Period for Proposed Implementer’s Drafts of Two OpenID Federation Extensions | 0 | 5 | 07-07-2026 |