Six Uber engineers (Matt Mathew et al.) published an article on the Uber Engineering blog on May 21, 2026, laying out the AI agent identity and access-control architecture deployed in production at Uber for thousands of internal agents. Pivotal thesis: « an agent is best defined as an entity that is authorized to act for or in the place of another », which renders the classic human+workload identity model obsolete.

Two named problems: (1) « Current Identity Model Doesn't Describe Agency » — delegation is the default mode, workflows are compositional, behavior is dynamic; (2) « Original Provenance Isn't Effectively Carried Forward Across Agents to Systems »« Execution context is dropped across agent hops » — creating audit gaps and preventing consistent enforcement of fine-grained access policies.

Single-hop, short-lived tokens. Every JWT minted by the STS is intended for a single hop, with a specific Audience claim and a short time-to-live in the order of minutes.

**Matt Mathew** , uber.com

Architecture as an extension of Uber's Zero Trust Architecture: Agent Registry (agent↔workload source of truth) + AI Agent Mesh (inter-agent data plane) + STS (Security Token Service) (issuance of short scoped JWTs) + MCP Gateway (policy enforcement for tools) + AI Gateway (LLM mediation + redaction via AI Guard) + SPIRE (workload credential provider).

Mechanics: workloads fetch cryptographically signed SPIFFE Verifiable IDs (SVIDs) from SPIRE → the SDK requests a JWT from the STS → the STS verifies authorization against the Agent Registry → a short token (TTL on the order of minutes) is issued for a specific single-hop destination (Audience claim). Canonical doctrine: « Single-hop, short-lived tokens. Every JWT minted by the STS is intended for a single hop, with a specific Audience claim and a short time-to-live in the order of minutes. »

Multi-hop walkthrough: an on-call engineer user1 → Oncall Agent → Investigation Agent → MCP Gateway. The final JWT carries a verifiable actor chain [user1, oncall-agent, investigation-agent] — tool-level access decisions based on the full history of the request.

Standardization: a Standardized A2A (Agent-to-Agent) Client SDK automates STS exchanges and actor-chain propagation — « the secure path is also the easiest path for developers to implement A2A calls ». Phased migration of legacy agents.

Production metrics: « P99 latency for the STS Token Exchange API is consistently below 40 milliseconds », thousands of internal agents onboarded, real-time observability.

Long-term vision — three-layer framework: (1) Identity & Trust Foundation, (2) Dynamic Access Control, (3) Unified Enforcement Plane.

External standards: SPIFFE/SPIRE (CNCF graduated), OAuth 2.0 Token Exchange (RFC 8693), IETF WIMSE working group, draft draft-klrc-aiagent-auth-01, A2A protocol.

Significance: the first reference publication from a non-AI-lab hyperscaler that industrializes agent security at the infrastructure level, bridging the doctrinal gap between skills/harness frameworks (productivity) and enterprise-grade identity questions (governability). Becomes a canonical reference for platform architects, security engineers, and CISOs facing internal agent deployment.