Saltar al contenido

root / tags / audit-trail

#audit trail

2 fiches

Arquitectura y Construcción Traducción verificada automáticamente

Solving the Identity Crisis for AI Agents

Engineering article published on **Uber**'s blog by six engineers (Matt Mathew, Prasad Borole, Meng Huang, Sergey Burykin, Gaurav Goel, Bayard Walsh) on **May 21, 2026**, laying out the **AI agent identity and access-control doctrine** deployed in production at Uber for several thousand internal agents. **Pivotal thesis**: existing identity models (human + workload) do not describe **agency** — *« an agent is best defined as an entity that is authorized to act for or in the place of another »* — and lose **provenance** across the hops of an agentic workflow. **Two operational problems identified**: (1) ***« Current Identity Model Doesn't Describe Agency »*** — delegation is the default mode, workflows are compositional (agents calling agents calling tools), behavior is dynamic (plans evolve based on intermediate results); (2) ***« Original Provenance Isn't Effectively Carried Forward Across Agents to Systems »*** — *« Execution context (originating user, intermediate agents) is dropped across agent hops. »* **Proposed architecture** as an extension of Uber's Zero Trust Architecture: **Agent Registry** (source of truth for agent↔workload mappings) + **AI Agent Mesh** (inter-agent data plane) + **STS (Security Token Service)** (issuance of short scoped JWTs) + **MCP Gateway** (policy enforcement point for tool invocation) + **AI Gateway** (mediation of external LLM calls with guardrails) + **SPIRE** (workload credential provider). **Cryptographic mechanics**: workloads fetch cryptographically signed **SVIDs (SPIFFE Verifiable IDs)** from SPIRE → the SDK requests a JWT from the STS via the workload identity → the STS verifies the agent's authorization against the Agent Registry → a short token (TTL on the order of minutes) is issued for a **specific single-hop destination** (targeted `Audience` claim). **Pivotal doctrine**: ***« Single-hop, short-lived tokens. Every JWT minted by the STS is intended for a single hop, with a specific Audience claim and a short time-to-live in the order of minutes. »*** **Actor-chain preservation**: multi-hop example with on-call engineer `user1` → Oncall Agent (Workload-1) → Investigation Agent (Workload-2) → MCP Gateway; the final JWT carries a verifiable **actor chain `[user1, oncall-agent, investigation-agent]`**, enabling tool-level access decisions based on the **full request history**. **Standardization**: a **Standardized A2A (Agent-to-Agent) Client** that automates STS exchanges and actor-chain propagation — *« the secure path is also the easiest path for developers to implement A2A calls »* — phased migration of legacy agents. **Production metrics**: ***« P99 latency for the STS Token Exchange API is consistently below 40 milliseconds »***, thousands of internal agents onboarded, a real-time observability dashboard tracing multi-agent sessions. **Long-term vision — three-layer framework**: (1) Identity & Trust Foundation (verifiable agent identity + delegation chains), (2) Dynamic Access Control (context-based permissions + human-in-the-loop), (3) Unified Enforcement Plane (centralized, observable policy). **Standards alignment**: the IETF **WIMSE** working group + draft `draft-klrc-aiagent-auth-01` *AI Agent Authentication and Authorization*, conceptually grounded in **OAuth 2.0 Token Exchange (RFC 8693)** and **SPIFFE/SPIRE** (CNCF graduated). The first reference publication from a non-AI-lab hyperscaler (logistics/mobility) that industrializes agent security at the infrastructure level, bridging the doctrinal gap between skills/harness frameworks (Vincent, Lattice, PROJ-AI) and enterprise-grade identity questions.

#Uber Engineering#AI agent identity#agent identity crisis

**Matt Mathew** (Sr Staff Engineer) · **Prasad Borole** (Staff Software Engineer) · **Meng Huang** (Engineering Manager) · **Sergey Burykin** (Sr Software Engineer) · **Gaurav Goel** (Software Engineer II) · **Bayard Walsh** (Software Engineer I). Tous chez **Uber** · équipe Security/Identity infrastructure responsable du déploiement de l'architecture d'identité agentique en production. Composition d'équipe représentative : un Engineering Manager · un Staff senior cadre · un Staff IC architecte · deux SWE séniors/intermédiaires · un SWE I — pattern classique d'une équipe Uber qui livre une plateforme transverse mission-critical.

Agentes de codificación IA y Skills Traducción verificada automáticamente

the 2026 ai engineer roadmap

Manifesto-style X thread by Rohit (@rohit4verse) laying out the *2026 AI engineer roadmap*: a $150k gap between prompt engineer and systems architect, the end of *generic wrappers* "sherlocked by big tech", and 5 portfolio projects ranked by complexity level (offline mobile SLM, self-improving coding agent, multimodal *Cursor for video editors*, privacy-first personal life OS agent, autonomous enterprise workflow agent). Each project describes its *key architectural decisions* (lazy loading, sliding window, sandboxing, scene detection, personal knowledge graph, event-driven multi-agent, audit trail, RBAC, observability). Structuring slogan: *"the replaceable: building wrappers / the unfireable: shipping autonomous systems"*. Injunctive, viral tone typical of X in 2026.

#2026 AI engineer roadmap#Rohit#rohit4verse

Rohit (@rohit4verse) — créateur de contenu IA sur X · vulgarisateur d'architecture et roadmaps de carrière en ingénierie IA.