Skip to content

Auth-for-AI Four Pillars

Auth0's framework for what identity/authorization must do in an agentic world. Galan's claim: interactive chatbots and code editors aren't the future — task runners, autonomous agents, and agent-to-agent traffic are. Identity must cover all modalities.

The four pillars

  1. AI needs to know who I am. If the agent doesn't know the user, it can't apply any security or restriction — every actor is anonymous. Authentication is the floor; everything else stacks on it.

  2. AI can call APIs on my behalf. Agents will need to consume upstream services (Slack, Google, Salesforce, internal APIs). This requires delegated authorization — not passing the user's token, but establishing a three-way trust relationship (user ↔ agent ↔ upstream service). See token-vault.

  3. AI can request my confirmation. Agents will try risky operations. For those, they need a channel to reach out-of-band, show the user structured transaction detail, and wait for explicit approval before proceeding. See async-auth-ciba.

  4. AI access should be fine-grained. The user must control exactly which resources the agent can touch — specific documents/collections, not "everything I have access to." See Auth0's FGA (separate talk).

Why this framing matters

Most agent security today collapses into "run the LLM with whatever permissions the session has." That fails at both ends: agents inherit too much (prompt-injection → full account compromise, cf. ai-generated-code-is-untrusted) and too little (no way to persist long-term upstream access across sessions).

The four-pillar model maps cleanly onto existing OAuth primitives (OIDC for pillar 1; delegated grants for pillar 2; CIBA for pillar 3; scopes + FGA for pillar 4), which is why Auth0 can implement it without inventing new cryptography.

Enterprise dimension (Okta overlay)

When the user is an employee, they're not only acting on their own behalf — they're representing the company. That adds an enterprise policy layer: Okta controls which agents an employee can use and what those agents can do, independent of the four user-side pillars. Auth0 + Okta together span user-agent + employee-agent trust.

Cross-references