Prevent agentic identity theft

by The Stack Overflow Podcast

25 min, March 27, 2026

Overview

Ryan Donovan interviews Nancy Wang, CTO of 1Password, about the security risks and mitigation strategies created by local AI agents (the “agents” people run on their own devices). They discuss why local agents aren’t automatically safer than cloud models, how credentials and identity must evolve for ephemeral agents, and practical patterns (sandboxing, brokering, short-lived credentials, device telemetry, confidential compute) to reduce the blast radius when agents are given access to files, terminals, browsers, and secrets.

Key topics discussed

  • Why local agents are not inherently secure
    • Local agents can access files, repos, terminals, browsers and other tools on a device — creating a large blast radius.
    • Viral open-source agents have accelerated real-world usage and threat analysis; users often run them without enterprise-level guardrails.
  • Identity and authentication for ephemeral agents
    • Agents are frequently spun up and down, creating challenges for issuing, verifying and reusing identity.
    • Proposed approaches include verifiable credentials / decentralized identifiers (DIDs) and richer identity attributes (intent, chain of custody, who spawned the agent).
  • Credential exposure and how to manage agent access
    • Long-lived credentials (API keys, SSH keys) are high-risk when accessible to disposable agents.
    • Prefer brokering access and short-lived tokens over “giving” long-term keys.
  • Isolation, sandboxing and runtime controls
    • VM or container sandboxing, file-path restrictions, and per-agent access controls reduce risk.
    • Demo referenced: orchestrating a swarm (~500) of agents with limited, per-agent file/context access for DevOps tasks.
  • Threats from open “skills” and registries
    • Agents can call third-party skills; some skills may hide malware or exfiltrate data.
    • Predicting which skill an agent will call is difficult; guarding skill registries and vetting skills is important.
  • 1Password’s approach and technical defenses
    • Device signals (runtime telemetry, installed software, user behavior) can help determine whether an access request is legitimate.
    • Zero-knowledge architecture + confidential compute used to process secrets without exposing contents to the provider.
    • Use of passkeys/biometrics and token leasing to limit access in time and scope.
  • UX and product implications
    • Nancy predicts rapid change in UI/UX: agents acting as thin clients, skills-based interaction, dynamic front-ends, and the increasing value of “data moats.”
  • Future considerations
    • Post-quantum readiness, chain of custody, and tighter associations tying agent identity to humans or accountable entities.

Main takeaways / recommendations

  • Don’t assume local equals safe: treat local agents like another high-privilege service with access to sensitive local resources.
  • Minimize credential exposure
    • Avoid long-lived credentials in agent workflows.
    • Broker access with short-lived tokens scoped to a single action/goal and time-limited.
  • Use isolation and least privilege
    • Sandbox agents (VM/container, restricted file paths, limited runtime permissions).
    • Limit what any single agent can access (principle of least privilege).
  • Apply device and runtime telemetry
    • Leverage device trust signals (installed packages, runtime behavior, biometrics/passkeys) to validate requests.
  • Vet skills and registries
    • Treat skills (third-party plugins) as potential attack vectors; require vetting and governance.
  • Plan for identity and accountability
    • Build systems that can prove chain of custody, map agents back to humans or owning entities, and record intent.
  • Use credential managers with strong architecture
    • Zero-knowledge encryption and confidential compute can reduce risk when agents interact with secret stores.
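The brokered, short-lived access pattern recommended above (one action on one resource, valid for a few minutes, and tied to the human who spawned the agent) sketched as an added Python example; this is not code from the episode or from 1Password. The `LeaseBroker` class, its HMAC-signed lease format, the single-use rule and the agent, resource and person names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed broker secret. In a real deployment this would live in the
# credential manager or an HSM, never on the disk an agent can read.
BROKER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class LeaseBroker:
    """Hands agents a short-lived, single-purpose lease instead of a long-lived key.

    Every lease records chain-of-custody attributes (which agent, who spawned it,
    stated intent) so a redeemed lease can be traced back to an accountable human.
    """

    def __init__(self, key: bytes, max_ttl: int = 300):
        self.key = key
        self.max_ttl = max_ttl          # hard ceiling on lease lifetime, in seconds
        self.used = set()               # lease ids already redeemed (single use)

    def issue(self, agent_id, spawned_by, intent, resource, action, ttl=300, now=None):
        """Mint a lease scoped to exactly one (resource, action) pair."""
        now = time.time() if now is None else now
        body = {
            "lease_id": secrets.token_hex(8),
            "agent": agent_id,
            "spawned_by": spawned_by,   # the human or owning entity behind the agent
            "intent": intent,           # what the agent says it is trying to do
            "resource": resource,
            "action": action,
            "iat": int(now),
            "exp": int(now) + min(ttl, self.max_ttl),
        }
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)

    def redeem(self, lease, resource, action, now=None):
        """Return the lease body if it authorises `action` on `resource` right now.

        Raises PermissionError for tampered, expired, out-of-scope or replayed leases.
        """
        now = time.time() if now is None else now
        try:
            p64, s64 = lease.split(".")
            payload, sig = _unb64(p64), _unb64(s64)
        except Exception:
            raise PermissionError("malformed lease")
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        body = json.loads(payload)
        if now >= body["exp"]:
            raise PermissionError("lease expired")
        if body["resource"] != resource or body["action"] != action:
            raise PermissionError("lease not scoped to this action")
        if body["lease_id"] in self.used:
            raise PermissionError("lease already used")
        self.used.add(body["lease_id"])
        return body


if __name__ == "__main__":
    broker = LeaseBroker(BROKER_KEY)
    lease = broker.issue("agent-42", "alice@example.com",
                         "rotate staging db password", "vault:staging/db", "read")
    print(broker.redeem(lease, "vault:staging/db", "read"))
```

The redeem path checks the signature before it parses anything, so a tampered lease never reaches the scope or expiry logic, and the single-use set means a lease copied out of an agent's memory cannot be replayed later. A real broker would persist `used` and the audit trail of redeemed bodies rather than keep them in process memory.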

Notable quotes and insights

  • “Please don't run it on your work laptop.” — Nancy Wang (emphasizing practical risk).
  • “Instead of giving the master key to the house… give a badge that accesses one room for five minutes while you as a human are even in the loop and monitoring.” — Nancy Wang (captures the brokering/short-lived access idea).
  • Agents increase the number and variety of attributes that form identity: intent, who spawned the agent, runtime context, telemetry — not just a username/password.

Practical action checklist (for engineers and security teams)

  • For individuals
    • Avoid running unvetted local agents on devices that contain sensitive data or corporate access.
    • Use sandboxed test machines (separate VMs or devices) for experiments.
    • Store secrets in a vetted manager (zero-knowledge, short-lived leasing) rather than plain files.
  • For teams / orgs
    • Enforce least privilege for agent-accessed credentials; broker and lease tokens for agent use.
    • Build or adopt runtime isolation (VMs, containers, per-agent file-path permissions).
    • Integrate device runtime telemetry into access decisions (device posture, installed packages, biometric checks).
    • Vet third-party skills/plugins and control registries, or maintain an allowlist of approved skills.
    • Start designing for agent identity: auditable chain of custody, DIDs / verifiable credentials where appropriate.
    • Prepare for accelerated UX changes and consider how applications expose agent capabilities safely.
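The per-agent file-path restriction the checklist asks for, as an added Python example that is not from the episode or from 1Password: an allowlist guard that canonicalises every requested path before comparing it with the agent's permitted roots, so `..` segments, symlinks planted inside the allowed tree, and sibling directories that merely share a name prefix are all refused. The `PathSandbox` class, the `demo()` function and the constructed directory layout it builds are assumptions made for illustration.

```python
import os
import tempfile


class PathSandbox:
    """Allowlist of directories one agent may touch; requests are resolved before comparison."""

    def __init__(self, allowed_roots):
        # realpath makes the roots canonical too (no symlinks, no '..'), so the
        # comparison below is between two fully resolved paths.
        self.roots = [os.path.realpath(r) for r in allowed_roots]

    def resolve(self, requested: str) -> str:
        """Return the real path if it lies under an allowed root, else raise PermissionError."""
        real = os.path.realpath(requested)
        for root in self.roots:
            # commonpath is component-based, so '/data/work2' is not inside '/data/work'
            if os.path.commonpath([root, real]) == root:
                return real
        raise PermissionError(f"{requested} resolves outside the agent's allowed paths")


def demo() -> dict:
    """Build a constructed layout in a temp dir and record what the sandbox decides."""
    base = tempfile.mkdtemp(prefix="agent-sandbox-")
    work = os.path.join(base, "work")        # the only tree this agent may use
    outside = os.path.join(base, "outside")  # stands in for the rest of the machine
    os.makedirs(work)
    os.makedirs(outside)
    with open(os.path.join(outside, "id_ed25519"), "w") as f:
        f.write("constructed private key; must stay unreachable\n")
    # A symlink dropped inside the allowed tree that points back outside it.
    os.symlink(outside, os.path.join(work, "link"))

    sandbox = PathSandbox([work])
    requests = {
        "plain": os.path.join(work, "notes.txt"),
        "traversal": os.path.join(work, "..", "outside", "id_ed25519"),
        "symlink": os.path.join(work, "link", "id_ed25519"),
        "sibling_prefix": work + "2/secret",
    }
    results = {}
    for label, path in requests.items():
        try:
            sandbox.resolve(path)
            results[label] = "allowed"
        except PermissionError:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:15} {verdict}")
```

A guard like this belongs in the tool layer that executes an agent's file operations; it narrows what a single agent can reach but does not replace the VM or container boundary the episode recommends, which is what contains the agent if the tool layer itself is bypassed.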

Technical concepts and tools mentioned

  • Sandboxing / VM isolation
  • File-system access controls (restrict file paths)
  • Short-lived tokens and token brokering (reverse proxy / OAuth-like flows)
  • Zero-knowledge encryption (1Password’s architecture)
  • Confidential computing enclaves (processing secrets without provider visibility)
  • Passkeys and biometrics for local authentication
  • Decentralized Identifiers (DIDs) and verifiable credentials for agent identity
  • Device runtime signals and telemetry
  • Skills/registry vetting and malware risk

Further reading / resources referenced

  • 1Password blog posts and security white papers (Jason Mellor and team’s analyses were referenced during the episode).
  • 1Password confidential compute and zero-knowledge architecture materials (whitepapers and product docs).
  • Nancy Wang (CTO, 1Password) — contact: nancy.wang@1password.com (as given on the episode).

If you need a one-paragraph TL;DR: Local AI agents can greatly increase attack surface because they access local files, terminals and secrets. Treat them like services: isolate runtimes, avoid handing out long-lived credentials, broker short-lived scoped access, use device telemetry and confidential compute, and build identity/chain-of-custody mechanisms so agents can be tied back to accountable humans or entities.