WEBVTT

00:00:03.660 --> 00:00:06.240
Welcome to the Azure Security Podcast, where

00:00:06.240 --> 00:00:08.759
we discuss topics relating to security, privacy,

00:00:09.060 --> 00:00:11.480
reliability, and compliance on the Microsoft

00:00:11.480 --> 00:00:15.660
Cloud Platform. Hey everybody, welcome to episode

00:00:15.660 --> 00:00:19.140
123 and welcome to 2026. This week is myself,

00:00:19.320 --> 00:00:22.359
Michael, with Sarah and Mark, and our guest this

00:00:22.359 --> 00:00:24.960
week is Nick Reiter, and we're going to talk

00:00:24.960 --> 00:00:27.679
about agentic identity and probably a few other

00:00:27.679 --> 00:00:30.579
things too. But before we get stuck into talking

00:00:30.579 --> 00:00:32.539
to Nick, let's take a little lap around the news.

00:00:32.700 --> 00:00:35.259
Sarah, why don't you kick things off? Okay, so

00:00:35.259 --> 00:00:39.399
just a quick one from me. The AI tour is starting

00:00:39.399 --> 00:00:42.200
again in various different parts of the world.

00:00:42.240 --> 00:00:45.640
It took its Christmas New Year break. We'll

00:00:45.640 --> 00:00:47.979
put the link to the website in the show notes.

00:00:48.320 --> 00:00:50.960
The AI tour is going all around the world. So

00:00:50.960 --> 00:00:54.920
come and see us. And it's a one-day event. It's

00:00:54.920 --> 00:00:57.340
free. You have to apply to attend. Come and visit

00:00:57.340 --> 00:01:00.060
us if there's one near you. It'll be going on

00:01:00.060 --> 00:01:02.759
for the next few months. I mean, it's a yearly

00:01:02.759 --> 00:01:05.760
thing now. I'm at a few of the stops. Come and

00:01:05.760 --> 00:01:08.000
say hello if you're at one of the stops I'm at.

00:01:08.180 --> 00:01:12.019
And come see some cool AI stuff and mingle with

00:01:12.400 --> 00:01:15.560
good Microsoft people. So yeah, that's my piece

00:01:15.560 --> 00:01:18.959
of news. Sarah, on that AI tour, is there going

00:01:18.959 --> 00:01:21.989
to be AI security discussed as well? Yes, there

00:01:21.989 --> 00:01:27.010
is. So there are security sessions at the AI

00:01:27.010 --> 00:01:30.129
tour. So you've got obviously building AI, blah,

00:01:30.209 --> 00:01:31.870
blah, blah, but there are some security specific

00:01:31.870 --> 00:01:35.049
sessions as well. So although it's not a pure

00:01:35.049 --> 00:01:37.709
security event, there is stuff for security people.

00:01:37.909 --> 00:01:40.810
So yeah, definitely worth popping along if there

00:01:40.810 --> 00:01:44.439
is one nearby to you. And from my part of the

00:01:44.439 --> 00:01:46.319
world, the big thing I just want to make sure

00:01:46.319 --> 00:01:49.319
to draw people's attention to is the security

00:01:49.319 --> 00:01:51.060
roles and glossary standard that we published.

00:01:51.180 --> 00:01:53.620
I'll throw a link in the show notes there. But

00:01:53.620 --> 00:01:58.640
this really covers how to think about security

00:01:58.640 --> 00:02:00.200
accountabilities all the way from the fiduciary

00:02:00.200 --> 00:02:02.719
duty of board members into the accountabilities

00:02:02.719 --> 00:02:04.620
of business leaders and tech people and into

00:02:04.620 --> 00:02:07.439
the responsibilities of security specializations

00:02:07.439 --> 00:02:11.219
and professionals and managers and whatnot. So

00:02:11.219 --> 00:02:13.800
really kind of getting into those standards and

00:02:13.800 --> 00:02:16.080
why it's important for everybody to do their

00:02:16.080 --> 00:02:18.219
different security jobs. So very much looking

00:02:18.219 --> 00:02:21.560
for feedback on that. So we'll pop in. Okay,

00:02:21.900 --> 00:02:23.460
I've got a few product announcements. The first

00:02:23.460 --> 00:02:26.159
one is public preview. Azure Cosmos DB database

00:02:26.159 --> 00:02:28.599
mirroring is now available with private endpoint

00:02:28.599 --> 00:02:31.180
support. Said this a billion times, going to

00:02:31.180 --> 00:02:32.900
say it again. It's always good to see private

00:02:32.900 --> 00:02:34.620
endpoint support being added to products for

00:02:34.620 --> 00:02:37.500
various scenarios because that way it keeps data

00:02:37.500 --> 00:02:40.639
off the internet. Next, in public preview for

00:02:40.639 --> 00:02:44.139
Azure NetApp files, there is now advanced ransomware

00:02:44.139 --> 00:02:47.840
protection. Very cool to see this. Every file

00:02:47.840 --> 00:02:49.740
system should have that kind of capability built

00:02:49.740 --> 00:02:52.139
into it. So it's great to see this being added

00:02:52.139 --> 00:02:55.979
to Azure NetApps too. This next one kind of took

00:02:55.979 --> 00:02:59.340
me by surprise, actually. You may have heard

00:02:59.340 --> 00:03:02.460
that we were going to block implicit outbound

00:03:02.460 --> 00:03:05.340
connections from VMs in Azure. That was going

00:03:05.340 --> 00:03:07.400
to take effect, I believe, was originally the

00:03:07.400 --> 00:03:10.590
end of September or October in 2025. That has

00:03:10.590 --> 00:03:14.770
now been extended to March the 31st, 2026. So

00:03:14.770 --> 00:03:16.129
basically there's a whole bunch of stuff that

00:03:16.129 --> 00:03:17.889
you must do if you want outbound connections

00:03:17.889 --> 00:03:19.930
from a VM. And the whole point of it is to prevent

00:03:19.930 --> 00:03:24.550
egress of sensitive data. It's well worth reading

00:03:24.550 --> 00:03:28.780
that particular document in the show notes. Next

00:03:28.780 --> 00:03:32.560
one is in general availability is FIPS compliant

00:03:32.560 --> 00:03:36.360
mode for app gateway version two. And this is

00:03:36.360 --> 00:03:40.919
essentially the ability to enforce FIPS 140-2

00:03:40.919 --> 00:03:45.439
validated algorithms for TLS. Not everyone needs

00:03:45.439 --> 00:03:47.199
this, but it's really important, especially if

00:03:47.199 --> 00:03:51.159
you have FedRAMP requirements. Next is in general

00:03:51.159 --> 00:03:54.520
availability is Azure MCP server support for

00:03:54.520 --> 00:03:57.319
Azure Confidential Ledger. So now basically you

00:03:57.319 --> 00:04:01.620
can write immutable logging information or immutable

00:04:01.620 --> 00:04:05.139
data to confidential ledgers through an MCP server,

00:04:05.300 --> 00:04:09.250
which is great to see. And last, for me, in general

00:04:09.250 --> 00:04:11.349
availability, my old stomping ground of Azure

00:04:11.349 --> 00:04:15.310
Data, there is now a cred check extension in

00:04:15.310 --> 00:04:17.949
Azure Database for PostgreSQL Flexible Server.

00:04:18.250 --> 00:04:21.790
So this will allow you to enforce password and

00:04:21.790 --> 00:04:24.310
credential validation policies directly within

00:04:24.310 --> 00:04:27.930
PostgreSQL. Not that I'm a big fan of passwords,

00:04:28.009 --> 00:04:30.329
because I'm not, but at least there's something

00:04:30.329 --> 00:04:32.050
in there that's going to help you at least have

00:04:32.050 --> 00:04:34.759
a decent policy put in place and actually

00:04:34.759 --> 00:04:37.620
enforce that at the database level. All right,

00:04:37.639 --> 00:04:38.740
now we've got the news out of the way, let's

00:04:38.740 --> 00:04:41.959
switch our attention to our guest. As I mentioned,

00:04:42.040 --> 00:04:44.120
our guest is Nick Reiter, who's here to talk

00:04:44.120 --> 00:04:48.379
to us about agentic identity. So Nick, welcome

00:04:48.379 --> 00:04:51.300
back to the podcast. We'd like to take a quick

00:04:51.300 --> 00:04:53.420
moment and introduce yourself to our listeners.

00:04:54.079 --> 00:04:56.240
Thank you, Michael. Yeah, my name is Nick Reiter.

00:04:56.319 --> 00:04:58.620
I'm a principal product manager. I get to work

00:04:58.620 --> 00:05:01.399
with lots of customers learning how they're building

00:05:01.399 --> 00:05:05.519
agents. But my primary job today, I think from

00:05:05.519 --> 00:05:08.379
last time when I used to look after multi-cloud

00:05:08.379 --> 00:05:11.879
access governance, is focusing on how to secure

00:05:11.879 --> 00:05:15.399
access to AI agents. So first and foremost, so

00:05:15.399 --> 00:05:19.240
what is an agent? How would you go about describing

00:05:19.240 --> 00:05:21.899
what an agent is? Why have they all of a sudden

00:05:21.899 --> 00:05:25.100
literally appeared overnight? And give some examples

00:05:25.100 --> 00:05:27.500
of agents. Let's just start with the notion of

00:05:27.500 --> 00:05:30.040
an agent at runtime, right? I think a lot of

00:05:30.040 --> 00:05:33.680
people understand what an LLM is and what an

00:05:33.680 --> 00:05:39.379
LLM does. But an agent is basically an LLM that

00:05:39.379 --> 00:05:42.199
has short-term memory, long-term memory, and

00:05:42.199 --> 00:05:44.839
has some tools and some skills that it can basically

00:05:44.839 --> 00:05:48.610
use. And all that combined together at runtime

00:05:48.610 --> 00:05:51.769
with some orchestration functionality, things

00:05:51.769 --> 00:05:53.689
like their profile, their goals, instructions,

00:05:53.930 --> 00:05:57.569
and their model-based reasoning is what an agent

00:05:57.569 --> 00:06:00.709
actually consists of. And what can they do? Well,

00:06:00.790 --> 00:06:03.509
agents today can be used for lots and lots of

00:06:03.509 --> 00:06:06.550
different actions and tasks, right? So in our

00:06:06.550 --> 00:06:10.790
world in security or just online, agents can

00:06:10.790 --> 00:06:14.810
help do things like assist you with certain type

00:06:14.810 --> 00:06:18.540
of tasks, things like interactions. You can interact

00:06:18.540 --> 00:06:21.500
with the agent in a way that it can assist you

00:06:21.500 --> 00:06:25.199
to do certain types of actions and act on demand

00:06:25.199 --> 00:06:28.000
using delegated permissions. You know, it's ideal

00:06:28.000 --> 00:06:30.680
for tasks like summarizing emails or responding

00:06:30.680 --> 00:06:33.779
to queries without ever needing, you know, your

00:06:33.779 --> 00:06:36.800
own access. That's one type of an agent. And

00:06:36.800 --> 00:06:38.879
then there's the notion of an autonomous agent,

00:06:39.000 --> 00:06:42.120
which basically has its own roles and permissions.

00:06:42.519 --> 00:06:46.430
And the agent is enabled to then perform complex

00:06:46.430 --> 00:06:49.430
goal-oriented work independently. Things like

00:06:49.430 --> 00:06:52.189
monitoring logs, auditing activities, or acts

00:06:52.189 --> 00:06:54.949
on behalf of itself, or things like coordinating

00:06:54.949 --> 00:06:59.829
actions on behalf of the user and the user's

00:06:59.829 --> 00:07:02.709
schedule. That's an autonomous agent. But now,

00:07:02.790 --> 00:07:05.829
more and more, what we're seeing is this whole

00:07:05.829 --> 00:07:09.129
new type of agents who basically are working

00:07:09.129 --> 00:07:12.149
with others, right? And this is a fully provisioned

00:07:12.149 --> 00:07:14.920
agent with user-like credentials, right? They

00:07:14.920 --> 00:07:17.399
can join team meetings or Slack. They can create

00:07:17.399 --> 00:07:20.160
and edit documents, interact in conversations,

00:07:20.220 --> 00:07:23.600
and even collaborate with other agents through

00:07:23.600 --> 00:07:26.839
a registry. These agents combine human-like

00:07:26.839 --> 00:07:30.439
interactions with things like superhuman capabilities,

00:07:31.000 --> 00:07:33.800
things like API calls, language translation.

00:07:34.160 --> 00:07:37.019
Those are typical examples. They can collaborate

00:07:37.019 --> 00:07:40.319
with other agents and tools or people. And it

00:07:40.319 --> 00:07:42.920
provisions its own access and resources basically

00:07:42.920 --> 00:07:45.800
to help achieve goals on their own behalf and

00:07:45.800 --> 00:07:48.879
schedule. It's pretty cool technology that's

00:07:48.879 --> 00:07:52.620
out there today. Yeah, that's a great introduction

00:07:52.620 --> 00:07:55.540
to agents. The way that I sort of think about

00:07:55.540 --> 00:07:57.160
them, I'm interested in your thoughts on this,

00:07:57.279 --> 00:08:00.839
is I look at it as kind of breaking it down as

00:08:00.839 --> 00:08:03.550
component parts. Agents have an LLM involved,

00:08:03.870 --> 00:08:05.949
right? And so there's that dynamic code and whatnot

00:08:05.949 --> 00:08:09.029
that you get from a large language model for

00:08:09.029 --> 00:08:11.970
generative AI. But most of the time, it's not

00:08:11.970 --> 00:08:15.149
just a raw model. There's like some sort of deterministic

00:08:15.149 --> 00:08:18.189
code, kind of classic code to make it do certain

00:08:18.189 --> 00:08:20.189
things, make it not say certain things, make

00:08:20.189 --> 00:08:22.389
it cover certain topics or not touch other topics.

00:08:23.509 --> 00:08:27.050
And then just tell it what to call and whatnot

00:08:27.050 --> 00:08:31.259
to do things. The one that I always focus on

00:08:31.259 --> 00:08:35.120
is the access, right? So that agent has permission

00:08:35.120 --> 00:08:38.460
to do things. And, you know, the more I think

00:08:38.460 --> 00:08:40.940
about like agents is they're just like the software

00:08:40.940 --> 00:08:44.500
we already know, right? Which is they're things

00:08:44.500 --> 00:08:48.379
that run in my context as a user, right? And

00:08:48.379 --> 00:08:50.279
they're doing things on my behalf, you know,

00:08:50.299 --> 00:08:52.950
which introduces a security problem of: was it

00:08:52.950 --> 00:08:54.809
me that did it or was it the agent that did it

00:08:54.809 --> 00:08:56.610
on my behalf, right? So that's sort of the question

00:08:56.610 --> 00:08:58.230
you have to answer with logs and the controls

00:08:58.230 --> 00:08:59.929
that you have to put in place to separate, right?

00:09:00.649 --> 00:09:04.330
And then there's the software that runs all on

00:09:04.330 --> 00:09:07.159
its own. And whether that's in the context of

00:09:07.159 --> 00:09:09.460
a Teams meeting or whether it's doing some back-end

00:09:09.460 --> 00:09:11.779
maintenance tasks or whatever. But it's

00:09:11.779 --> 00:09:15.440
just autonomous code. We've had services. We've

00:09:15.440 --> 00:09:18.320
had OT technology. We've had IT technology. We've

00:09:18.320 --> 00:09:20.399
had all that for a long time. It's just we're

00:09:20.399 --> 00:09:24.720
now doing it with LLMs in the mix. And the interesting

00:09:24.720 --> 00:09:27.419
combination for me is when you have one of these

00:09:27.419 --> 00:09:29.220
things that's doing that, that's sort of separate

00:09:29.220 --> 00:09:31.200
from the user identity, it has to have its own

00:09:31.200 --> 00:09:32.620
identity and the lifecycle and the governance

00:09:32.620 --> 00:09:36.720
and all that kind of stuff. But the way I think

00:09:36.720 --> 00:09:40.500
about the agents, those sort of independent agents

00:09:40.500 --> 00:09:44.019
that kind of do their own things is, you know,

00:09:44.039 --> 00:09:45.940
you have to govern them. You have to monitor

00:09:45.940 --> 00:09:48.480
them. And one of the best things you can do is

00:09:48.480 --> 00:09:52.259
least privilege because AI is non-deterministic,

00:09:52.279 --> 00:09:54.700
right? It's going to do stuff within a range

00:09:54.700 --> 00:09:56.500
of similar tasks. It's not going to do the exact

00:09:56.500 --> 00:10:01.090
same code path every time. I really think about

00:10:01.090 --> 00:10:03.149
least privilege as being a very, very key thing.

00:10:03.250 --> 00:10:05.549
And of course, monitoring, et cetera. That's

00:10:05.549 --> 00:10:07.049
just how I look at it from a security perspective.

00:10:07.250 --> 00:10:09.990
I'm curious if that jives with what you're seeing,

00:10:10.070 --> 00:10:13.090
Nick. Yeah, Mark, I think that's 100% what we're

00:10:13.090 --> 00:10:15.669
seeing, right? Agents belong in the same identity

00:10:15.669 --> 00:10:18.889
conversation as users, applications, and devices,

00:10:19.070 --> 00:10:23.190
because obviously they take actions and they

00:10:23.190 --> 00:10:26.789
require access to resources, right? The difference

00:10:26.789 --> 00:10:30.330
is agents basically do not fit neatly into that

00:10:30.330 --> 00:10:32.629
old bucket of, oh, let's just give it a non-human

00:10:32.629 --> 00:10:35.870
identity. Because sometimes an agent acts on

00:10:35.870 --> 00:10:39.210
behalf of a user. Sometimes it behaves more like

00:10:39.210 --> 00:10:42.289
an application. And unlike traditional applications,

00:10:42.710 --> 00:10:45.629
agents are not static because they can acquire

00:10:45.629 --> 00:10:50.029
new skills like LLM capabilities. And as the

00:10:50.029 --> 00:10:54.899
LLM capabilities evolve, which changes what they

00:10:54.899 --> 00:10:58.259
can do over time. And that's the biggest change.

00:10:58.480 --> 00:11:00.840
And that is exactly why they need to be treated

00:11:00.840 --> 00:11:04.580
as a first-class identity within anybody's environment

00:11:04.580 --> 00:11:06.879
and bring all those security controls that we

00:11:06.879 --> 00:11:10.340
know for users to agents. To your point, Mark,

00:11:10.539 --> 00:11:13.279
was it the agent that did it or was it me who

00:11:13.279 --> 00:11:14.919
did it? So if I have an agent running on my behalf,

00:11:15.759 --> 00:11:17.559
was it me who did it or the agent? I mean, that's

00:11:17.559 --> 00:11:19.399
a classic example of the confused deputy problem,

00:11:19.580 --> 00:11:21.740
right? Who actually did it? Me or someone acting

00:11:21.740 --> 00:11:24.659
on my behalf? So yeah, it opens up all those

00:11:24.659 --> 00:11:28.460
kinds of issues we need to be aware of. Yeah,

00:11:28.460 --> 00:11:31.220
including everybody's favorite obscure security

00:11:31.220 --> 00:11:33.639
word in the threat model of repudiation, which

00:11:33.639 --> 00:11:36.860
I like to think of as the Shaggy "it wasn't me"

00:11:36.860 --> 00:11:42.220
problem. Exactly. So the next question is, I

00:11:42.220 --> 00:11:44.889
mean, so how do people build these things? Uh,

00:11:44.889 --> 00:11:47.009
I mean, is it a, I mean, I know about a Windows

00:11:47.009 --> 00:11:49.250
service, we know about, like, mobile apps and that

00:11:49.250 --> 00:11:51.149
sort of stuff. So what is it? I mean, how would

00:11:51.149 --> 00:11:54.509
I build and deploy one of these things? Yeah, building

00:11:54.509 --> 00:11:56.769
agents, I mean, there's lots of platforms out there.

00:11:56.769 --> 00:12:00.210
I think all the major cloud service providers

00:12:00.210 --> 00:12:03.789
all have their own agent-building factory. So,

00:12:03.789 --> 00:12:06.250
for example, within Microsoft we have platforms

00:12:06.250 --> 00:12:10.330
like Microsoft Foundry and Microsoft Copilot

00:12:10.330 --> 00:12:13.830
Studio as an example, right? And within, you know,

00:12:14.419 --> 00:12:17.740
Amazon, there's Bedrock, and Google has Vertex.

00:12:18.259 --> 00:12:20.500
They have lots of different ways you can go.

00:12:20.559 --> 00:12:23.080
And most of these cloud service providers

00:12:23.689 --> 00:12:26.809
basically help you provision these agents. And

00:12:26.809 --> 00:12:29.129
what I mean by provision is they give you the

00:12:29.129 --> 00:12:32.029
orchestration, they put all the memory, they

00:12:32.029 --> 00:12:34.789
add all the skills and tools for you. And all

00:12:34.789 --> 00:12:37.110
you have to do is basically choose an LLM that

00:12:37.110 --> 00:12:40.370
you'd like. And then boom, you're up and running

00:12:40.370 --> 00:12:42.110
with this agent and you can just keep adding

00:12:42.110 --> 00:12:45.230
skills to it. But building an agent really takes

00:12:45.230 --> 00:12:48.750
understanding how an agent, all the components

00:12:48.750 --> 00:12:52.440
of agents come together, right? And so, building

00:12:52.440 --> 00:12:55.580
one is not super hard. Obviously, you just need

00:12:55.580 --> 00:12:59.019
to start with your large language model, figure

00:12:59.019 --> 00:13:01.559
out what kind of tools and scaling and knowledge

00:13:01.559 --> 00:13:04.980
that you want for the agent, add some memory

00:13:04.980 --> 00:13:08.440
to it, long-term and short-term, and then basically

00:13:08.440 --> 00:13:10.539
have an orchestration layer where you can add

00:13:10.539 --> 00:13:14.179
instructions, specific goals to their profile,

00:13:14.340 --> 00:13:17.159
and then add some model-based reasoning to it,

00:13:17.200 --> 00:13:21.100
and boom, you got an agent. Hey, so does this

00:13:21.100 --> 00:13:23.720
thing run inside of Azure, for example? I mean,

00:13:23.740 --> 00:13:26.820
is it always some standalone code that I run

00:13:26.820 --> 00:13:28.899
somewhere else? And also when you say, you know,

00:13:28.899 --> 00:13:31.279
choose a model, what have you, is there programming

00:13:31.279 --> 00:13:35.220
involved as well? Or is it all declarative? There's

00:13:35.220 --> 00:13:38.080
definitely some code in there. And, you know,

00:13:38.080 --> 00:13:40.759
platforms, and maybe I'll speak to Microsoft's

00:13:40.759 --> 00:13:43.360
builders and factories, because that's what I'm

00:13:43.360 --> 00:13:45.320
very well versed with. And, you know, I play

00:13:45.320 --> 00:13:47.759
with, you know, other models and other agents.

00:13:48.279 --> 00:13:51.460
other factories. But, um, for example, within Copilot

00:13:51.460 --> 00:13:55.240
Studio as an example, it's a very pro no-code

00:13:55.240 --> 00:13:57.419
solution, meaning they don't want you to put any

00:13:57.419 --> 00:13:59.539
code running anywhere. They basically compile

00:13:59.539 --> 00:14:02.399
all the different components for you, and all

00:14:02.399 --> 00:14:06.539
you do is, you know, ask a few questions, they pre-provision

00:14:06.539 --> 00:14:08.460
that agent for you and you're up and

00:14:08.460 --> 00:14:12.139
running. But, for example, Microsoft Foundry, you

00:14:12.139 --> 00:14:14.860
create a resource within Azure and then you start

00:14:14.860 --> 00:14:16.899
adding the different components to them, right?

00:14:16.980 --> 00:14:19.539
So as I mentioned, all those components can be,

00:14:19.539 --> 00:14:22.720
you know, pro code. So you can write specific

00:14:22.720 --> 00:14:26.039
code to specific skills, specific memory items

00:14:26.039 --> 00:14:28.399
and specific instructions that you want for the

00:14:28.399 --> 00:14:33.519
agent, et cetera. So all up, yeah, you can basically

00:14:33.519 --> 00:14:36.580
write the pro code or no code or use less code

00:14:36.580 --> 00:14:39.769
to build your agent. And one of the things that

00:14:39.769 --> 00:14:42.750
I find that's really interesting about really

00:14:42.750 --> 00:14:45.830
anything generative AI is when you think about

00:14:45.830 --> 00:14:47.870
building software, we're so used to having to

00:14:47.870 --> 00:14:49.809
literally build it brick by brick. Either you

00:14:49.809 --> 00:14:52.570
write the code or you include a module or you

00:14:52.570 --> 00:14:55.210
call something else, and then you add your own

00:14:55.210 --> 00:14:57.269
piece to it. You're essentially building a brick

00:14:57.269 --> 00:14:59.549
wall or brick building, right? Whether you're

00:14:59.549 --> 00:15:02.169
using your own bricks or somebody else's. But

00:15:02.169 --> 00:15:06.450
when you think about the LLMs and generative

00:15:06.450 --> 00:15:09.299
AI, it comes with a whole bunch of capabilities,

00:15:09.580 --> 00:15:12.919
some of which you don't need, right? And so it's

00:15:12.919 --> 00:15:15.559
almost like having a really smart but inexperienced

00:15:15.559 --> 00:15:18.820
intern and you have to kind of tell it what not

00:15:18.820 --> 00:15:20.960
to do almost as much as you're telling it what

00:15:20.960 --> 00:15:22.840
to do. And so that's one of the things that I

00:15:22.840 --> 00:15:24.639
kind of find fascinating about it is it sort

00:15:24.639 --> 00:15:27.059
of inverts the problem of how do you make this

00:15:27.059 --> 00:15:28.679
thing do what it's supposed to do and only that.

00:15:29.259 --> 00:15:31.159
And we kind of forget the second half of it because

00:15:31.159 --> 00:15:33.110
we've had to build everything we do, is we're

00:15:33.110 --> 00:15:34.509
not going to build a bunch of code modules we're

00:15:34.509 --> 00:15:37.230
not going to use in classic software. But when

00:15:37.230 --> 00:15:40.350
an LLM comes along it can do a lot more, and it's

00:15:40.350 --> 00:15:42.710
a matter of making sure it does only the things

00:15:42.710 --> 00:15:46.669
you want it to do. Mark, you're spot on. You are

00:15:46.669 --> 00:15:50.730
spot on. It's so true, because I think traditional

00:15:50.730 --> 00:15:55.009
development does not understand, oh, you have all

00:15:55.009 --> 00:15:57.490
of this knowledge that an LLM has versus, like,

00:15:57.490 --> 00:16:00.470
traditional building an app, right? And so what

00:16:00.840 --> 00:16:03.259
when you're building an agent and you can actually

00:16:03.259 --> 00:16:06.519
add new skills to it and add memory to it, it

00:16:06.519 --> 00:16:12.480
becomes a very, very big monster to secure and

00:16:12.480 --> 00:16:16.000
make sure all those items are protected pretty

00:16:16.000 --> 00:16:17.659
well. A couple of things I want to get out of

00:16:17.659 --> 00:16:18.879
the way. So the first one, when we're talking

00:16:18.879 --> 00:16:20.259
about memory, we're not talking about RAM right

00:16:20.259 --> 00:16:22.419
here. We're talking about maintaining context

00:16:22.419 --> 00:16:24.259
across conversations and that sort of stuff.

00:16:24.759 --> 00:16:26.860
Correct. This is just the agent's memory, right?

00:16:27.000 --> 00:16:30.669
Yeah. Okay. Next thing is, so to your point,

00:16:30.730 --> 00:16:33.870
Mark, about the LLM can do, you expect to do

00:16:33.870 --> 00:16:36.730
A, B, and C, but it knows all about X, Y, Z,

00:16:36.929 --> 00:16:40.830
1, 2, 3, 4, 5, and 6. Could part of that be mitigated

00:16:40.830 --> 00:16:43.970
by using a small language model that's designed

00:16:43.970 --> 00:16:48.350
to take on a certain type of task? Yeah, if the

00:16:48.350 --> 00:16:51.080
small language model meets the need. And it only

00:16:51.080 --> 00:16:53.700
knows about bridge engineering or whatever the

00:16:53.700 --> 00:16:56.019
heck the topic is. And it doesn't know about

00:16:56.019 --> 00:16:58.620
how to play chess or how to build a bomb or what

00:16:58.620 --> 00:17:02.200
are the best tourist spots in Rome in 2024, right?

00:17:03.860 --> 00:17:06.200
That's one way of doing it, right? Now, of course,

00:17:06.220 --> 00:17:09.180
that SLM has to have sufficient language functionality

00:17:09.180 --> 00:17:11.359
and all the other things that you need to accomplish

00:17:11.359 --> 00:17:13.460
the app. But if you've got an SLM that's focused

00:17:13.460 --> 00:17:15.680
and does what you need, don't bring the overhead

00:17:15.680 --> 00:17:18.190
you don't need. But again, it really depends

00:17:18.190 --> 00:17:20.329
on which models are available. So there's a lot

00:17:20.329 --> 00:17:23.410
of model selection sort of challenges at play,

00:17:23.509 --> 00:17:25.670
at least in my experience. Yeah, it's like, you

00:17:25.670 --> 00:17:27.670
know, I like to use language models when I talk

00:17:27.670 --> 00:17:29.970
about Rust, right? It knows I'm not talking about

00:17:29.970 --> 00:17:32.809
ferric oxide, iron oxide. I'm not talking about

00:17:32.809 --> 00:17:34.190
the movie called Rust. I'm not talking about

00:17:34.190 --> 00:17:36.130
the video game Rust. I'm talking about the programming

00:17:36.130 --> 00:17:41.329
language Rust. So that's important to me. Next

00:17:41.329 --> 00:17:44.359
question. This is where I think we kind of touched

00:17:44.359 --> 00:17:47.099
on some of this stuff implicitly when we talk

00:17:47.099 --> 00:17:49.420
about least privilege. But where does identity

00:17:49.420 --> 00:17:51.920
come to play and how do we control it? How can

00:17:51.920 --> 00:17:56.420
we control what a potentially runaway agent could

00:17:56.420 --> 00:18:00.200
actually do? Yeah, right. So, I mean, as I was

00:18:00.200 --> 00:18:03.720
talking about why we need to treat agents' access

00:18:03.720 --> 00:18:08.660
to resources and look at the identity, if an

00:18:08.660 --> 00:18:11.220
agent is compromised, right, it can operate at

00:18:11.220 --> 00:18:13.710
speed and at scale. Treating it as an identity

00:18:13.710 --> 00:18:18.670
is how you get attribution, enforce protections

00:18:18.670 --> 00:18:21.470
consistently, and investigate quickly when something

00:18:21.470 --> 00:18:24.430
goes wrong. What does this really mean? If you

00:18:24.430 --> 00:18:26.589
look at an application today, how does an application

00:18:26.589 --> 00:18:29.210
get access to a resource? It's through its client

00:18:29.210 --> 00:18:33.269
credentials. For an agent, it's not necessarily

00:18:33.269 --> 00:18:38.630
that because it has access to tools and skills

00:18:38.630 --> 00:18:42.789
and knowledge that it just knows. And so, you

00:18:42.789 --> 00:18:45.509
know, agents need an identity so that access

00:18:45.509 --> 00:18:48.390
can be granted and reviewed consistently and

00:18:48.390 --> 00:18:50.710
activity can be tracked and traced back to a

00:18:50.710 --> 00:18:53.170
specific agent itself. So without that, without

00:18:53.170 --> 00:18:56.650
an identity, you cannot reliably answer who the

00:18:56.650 --> 00:18:59.890
agent is and what it can access or what it did.

00:18:59.990 --> 00:19:02.369
Right. And I think Mark covered it a little bit

00:19:02.369 --> 00:19:04.890
of that earlier. But Mark, what do you think

00:19:04.890 --> 00:19:08.190
about that? Yeah, I mean, I view it like

00:19:08.190 --> 00:19:11.470
any other, like any other identity. Like, you need

00:19:11.470 --> 00:19:14.130
the whole life cycle right from cradle to grave

00:19:14.130 --> 00:19:18.019
as it were. And you need to have all the security

00:19:18.019 --> 00:19:20.500
fun on it in terms of preventing bad things from

00:19:20.500 --> 00:19:23.380
happening and monitoring if you can't prevent

00:19:23.380 --> 00:19:26.180
that, or if you can, or if that control failed,

00:19:26.339 --> 00:19:29.539
if it went off the rails. And I just think of

00:19:29.539 --> 00:19:32.160
it as like an entire lifecycle. And you have

00:19:32.160 --> 00:19:34.960
to apply, you know, all the security things to

00:19:34.960 --> 00:19:37.819
each point in that agent lifecycle. And of course,

00:19:37.819 --> 00:19:39.980
absolutely make sure that the lifecycle closes

00:19:39.980 --> 00:19:43.289
so that if you no longer need that agent or

00:19:43.289 --> 00:19:45.490
it got deprecated or replaced or whatever, that

00:19:45.490 --> 00:19:48.589
the identity doesn't hang around like some domain

00:19:48.589 --> 00:19:50.609
admins that are no longer with the company or

00:19:50.609 --> 00:19:53.710
no longer of this earth. I recognize that this

00:19:53.710 --> 00:19:56.650
is probably very, very early and we're constantly

00:19:56.650 --> 00:19:58.910
evolving this stuff. So, you know, what do we

00:19:58.910 --> 00:20:01.329
do? How can we make sure that, you know, an agent

00:20:01.329 --> 00:20:03.309
runs at least privilege? What sort of tooling

00:20:03.309 --> 00:20:05.150
do we have? What sort of monitoring do we have?

00:20:05.230 --> 00:20:06.890
Anything we can do to actually identify that

00:20:06.890 --> 00:20:10.990
this was the agent. Yeah, I mean, lots of companies,

00:20:11.130 --> 00:20:13.529
lots of customers are building lots and lots

00:20:13.529 --> 00:20:15.990
of agents and they're building really fast, right?

00:20:16.069 --> 00:20:17.630
Because everybody just wants to be at the cutting

00:20:17.630 --> 00:20:20.910
edge of technology. Microsoft's approach is,

00:20:21.069 --> 00:20:23.769
well, you can build an agent either with a service

00:20:23.769 --> 00:20:26.250
principal or you can build an agent with what

00:20:26.250 --> 00:20:29.849
we like to call an agent identity. And if you

00:20:29.849 --> 00:20:32.269
go the service principal route, you're basically

00:20:32.269 --> 00:20:36.730
choosing that your agent will use tokens on behalf

00:20:36.730 --> 00:20:40.220
of a particular user, or use some kind of client

00:20:40.220 --> 00:20:43.819
credential that an agent actually can be given,

00:20:43.980 --> 00:20:48.720
right? And this is very much tied to what I talked

00:20:48.720 --> 00:20:52.599
about if the agent is an interactive agent or

00:20:52.599 --> 00:20:54.940
like an assistive type of agent or an autonomous

00:20:54.940 --> 00:20:57.400
agent, right? Those things are very, very good.

00:20:57.500 --> 00:20:59.940
You can go through the path of using service

00:20:59.940 --> 00:21:03.079
principals, but... This new notion of an agent

00:21:03.079 --> 00:21:06.299
identity basically gives you that first class

00:21:06.299 --> 00:21:08.920
citizen. And that's the approach that Microsoft

00:21:08.920 --> 00:21:12.539
is building for all of our factory, right? Our

00:21:12.539 --> 00:21:15.720
agent factory buildings. So for example, today,

00:21:15.819 --> 00:21:18.960
when you build an agent within Microsoft Foundry,

00:21:19.059 --> 00:21:21.740
it gets an agent identity. So why is Microsoft

00:21:21.740 --> 00:21:25.119
doing this? Or why are we doing this? We believe

00:21:25.119 --> 00:21:30.200
when an agent is given an agent identity, that's

00:21:30.200 --> 00:21:32.380
when you start that life cycle that Mark was

00:21:32.380 --> 00:21:34.160
talking about, right? You're going to be able

00:21:34.160 --> 00:21:36.740
to apply protections to it. You're going to be

00:21:36.740 --> 00:21:40.099
able to apply network security, governance, all

00:21:40.099 --> 00:21:42.880
the identity things like authentication and authorization.

00:21:43.259 --> 00:21:46.960
So we start with how can that agent be authenticated,

00:21:47.059 --> 00:21:50.980
one, and then two, how can you provide an authorization

00:21:50.980 --> 00:21:54.500
to that protected resource that the agent is

00:21:54.500 --> 00:21:58.259
trying to get to? And then we also help you discover

00:21:58.259 --> 00:22:01.319
and register that agent in a centralized place,

00:22:01.500 --> 00:22:04.079
in a centralized manner, so that you can start

00:22:04.079 --> 00:22:07.319
that lifecycle process. So that's the approach

00:22:07.319 --> 00:22:09.339
that Microsoft has taken, right? So we start

00:22:09.339 --> 00:22:12.319
with agent identity. We want you to be able to

00:22:12.319 --> 00:22:14.839
register and manage your AI agent, be able to

00:22:14.839 --> 00:22:18.119
govern it so that agent identities and life cycles,

00:22:18.259 --> 00:22:20.680
you're governing just the access, right? So when

00:22:20.680 --> 00:22:23.299
I talk about governance, sometimes some people

00:22:23.299 --> 00:22:24.920
think about the data governance. I'm speaking

00:22:24.920 --> 00:22:28.960
specifically about governance and who gets access

00:22:28.960 --> 00:22:32.200
to that agent, how you can involve sponsors and

00:22:32.200 --> 00:22:36.000
owners of agents and be able to request permissions

00:22:36.000 --> 00:22:37.819
for that agent, whether it's graph permissions,

00:22:38.019 --> 00:22:40.039
et cetera. And then lastly, to be able to protect

00:22:40.039 --> 00:22:42.779
that agent access to resource, being able to

00:22:42.779 --> 00:22:46.240
block the agent, disable the agent, get some

00:22:46.240 --> 00:22:48.480
signals, some risk signals. So if that agent

00:22:48.480 --> 00:22:51.599
becomes risky, you'll be able to do those things

00:22:51.599 --> 00:22:55.099
with agent identity today. So if you can run

00:22:55.099 --> 00:22:58.059
an agent as a service principal, is there something

00:22:58.059 --> 00:23:01.160
in the service principal that identifies it as

00:23:01.160 --> 00:23:03.740
an agent? It depends on the platform that you're

00:23:03.740 --> 00:23:07.640
using. So for Microsoft Copilot Studio platform,

00:23:08.190 --> 00:23:11.250
you can opt in to basically building agents with

00:23:11.250 --> 00:23:13.509
agent identities or building agents with service

00:23:13.509 --> 00:23:16.390
principals. When you go through that path, we

00:23:16.390 --> 00:23:18.490
still tag that service principal as an agent

00:23:18.490 --> 00:23:21.049
so that we can help you in your security teams.

00:23:21.849 --> 00:23:25.130
But again, the approach that we're sharing with

00:23:25.130 --> 00:23:27.750
customers today is to adopt the agent identity

00:23:27.750 --> 00:23:30.849
because it gives you that robust security based

00:23:30.849 --> 00:23:33.269
upon being able to register it, govern and protect

00:23:33.269 --> 00:23:36.220
AI agents all up. And then if it's got its unique

00:23:36.220 --> 00:23:38.960
identity, then I can obviously authorize access

00:23:38.960 --> 00:23:42.299
to certain objects and files and all this. Okay.

00:23:42.420 --> 00:23:44.359
You got it. Yep. So really, at the end of the

00:23:44.359 --> 00:23:46.460
day, there's really not a heck of a lot of difference

00:23:46.460 --> 00:23:49.859
between like a normal user or an app and an agent,

00:23:49.900 --> 00:23:52.359
right? It's just an identity that's just on the

00:23:52.359 --> 00:23:55.539
agent process. That's it. Well, remember what

00:23:55.539 --> 00:23:58.599
I mentioned earlier, agents have this thing called,

00:23:58.640 --> 00:24:02.400
you know, skills and they have these instructions

00:24:02.400 --> 00:24:05.000
and these profiles that's tied to their orchestration

00:24:05.000 --> 00:24:07.940
that kind of make them a little bit different

00:24:07.940 --> 00:24:10.720
than a human, right? So you, you'll have to,

00:24:10.740 --> 00:24:14.579
you as a human have to go research knowledge

00:24:14.579 --> 00:24:17.339
to become smarter. An agent does it, right? They're

00:24:17.339 --> 00:24:20.160
basically fed these things. And if they need

00:24:20.160 --> 00:24:23.079
access to a resource, a human basically has to

00:24:23.079 --> 00:24:25.799
be granted access from an authorization system.

00:24:26.539 --> 00:24:28.640
Just like when they authenticate, they have to

00:24:28.640 --> 00:24:31.299
actually authenticate to, you know, an identity

00:24:31.299 --> 00:24:35.220
provider somewhere. Well, agents usually, there's

00:24:35.220 --> 00:24:37.559
no concept of an identity provider for agents

00:24:37.559 --> 00:24:40.819
as an example, right? But we do want to make

00:24:40.819 --> 00:24:45.259
sure when that agent has been created, they actually,

00:24:45.279 --> 00:24:47.779
when they try to get access to a resource, we

00:24:47.779 --> 00:24:50.299
are able to actually say, okay, let's grant them

00:24:50.299 --> 00:24:52.880
access to their resource based upon maybe a token

00:24:52.880 --> 00:24:55.900
that's given to them through, you know, our token

00:24:55.900 --> 00:24:59.140
service with agent identity and Entra. Or if

00:24:59.140 --> 00:25:00.839
they're using the service principal, what kind

00:25:00.839 --> 00:25:03.640
of service, you know, client credential are they

00:25:03.640 --> 00:25:06.640
using? And will that protected resource actually

00:25:06.640 --> 00:25:10.069
take that client credential? That's the question

00:25:10.069 --> 00:25:12.730
that I think most customers should ask themselves

00:25:12.730 --> 00:25:14.470
when they're building these agents and trying

00:25:14.470 --> 00:25:17.390
to bring identity into it. Yeah, but at the end

00:25:17.390 --> 00:25:18.730
of the day though, right? I mean, if an agent

00:25:18.730 --> 00:25:20.509
decides to do something really, really funky,

00:25:20.710 --> 00:25:22.390
let's just say decides he's going to send an

00:25:22.390 --> 00:25:24.690
email, that's not going to happen unless the

00:25:24.690 --> 00:25:28.109
agent has got the right to do that, right? Yeah,

00:25:28.130 --> 00:25:30.190
that's tied to its role. So remember - Yeah,

00:25:30.190 --> 00:25:33.789
exactly. Yeah, and that has to be done to that

00:25:33.789 --> 00:25:36.430
type of agent, right? So an autonomous agent

00:25:36.430 --> 00:25:39.759
or an assistive agent, technically cannot do

00:25:39.759 --> 00:25:42.180
those kind of behaviors. They can't send an email

00:25:42.180 --> 00:25:44.900
as an example. We've said that identity is very

00:25:44.900 --> 00:25:47.900
similar. You know, agent identities are basically

00:25:47.900 --> 00:25:52.539
also very similar to a service principal or a human

00:25:52.539 --> 00:25:56.779
identity. But are there any specific risks or

00:25:56.779 --> 00:26:01.759
concerns that we want to think about when thinking

00:26:01.759 --> 00:26:06.599
about agent identity specifically? Risks. The

00:26:06.599 --> 00:26:08.759
sky's the limit when it comes to agent building

00:26:08.759 --> 00:26:12.220
and how things are evolving. So risks, obviously

00:26:12.220 --> 00:26:15.599
there's risk to almost any approach anyone takes

00:26:15.599 --> 00:26:18.259
when it comes into the world of building agents

00:26:18.259 --> 00:26:22.359
or agent identity. What I'll say today is adopting

00:26:22.359 --> 00:26:25.819
agent identity helps organizations, again, start

00:26:25.819 --> 00:26:29.390
that agent lifecycle. And it brings the same

00:26:29.390 --> 00:26:31.769
security controls that we have for humans and

00:26:31.769 --> 00:26:34.670
user objects to that agent and basically extend

00:26:34.670 --> 00:26:38.849
it. One of the things that I usually share with

00:26:38.849 --> 00:26:42.490
a lot of my customers is when you have an agent

00:26:42.490 --> 00:26:46.009
that was built somewhere, how does it get access

00:26:46.009 --> 00:26:50.569
to that particular protected resource? If you

00:26:50.569 --> 00:26:53.329
don't have a way for that agent to acquire a

00:26:53.329 --> 00:26:58.220
token or for that agent to be able to do some

00:26:58.220 --> 00:27:01.559
downstream calls to APIs, then your agent won't

00:27:01.559 --> 00:27:05.000
be able to actually continuously perform specific

00:27:05.000 --> 00:27:07.599
actions and tasks that it actually is capable

00:27:07.599 --> 00:27:12.319
of doing. And so risks, I would say the risk

00:27:12.319 --> 00:27:15.420
is pretty minimum because it's just adopting

00:27:15.420 --> 00:27:17.960
just a new mechanism that actually will make

00:27:17.960 --> 00:27:21.640
your security a little bit more robust. I think

00:27:21.640 --> 00:27:24.039
the biggest risk is if you don't use... least

00:27:24.039 --> 00:27:25.539
privilege, which is something that Mark touched

00:27:25.539 --> 00:27:27.660
on at the beginning. I mean, you can't just go

00:27:27.660 --> 00:27:33.019
running an agent with global admin abilities.

00:27:33.380 --> 00:27:37.160
I mean, that's just terrifying. So I would say

00:27:37.160 --> 00:27:38.480
least privilege. I mean, we've always known that

00:27:38.480 --> 00:27:40.480
least privilege was a big deal, but I would argue

00:27:40.480 --> 00:27:43.720
that in the case of an agent that is non-deterministic,

00:27:43.980 --> 00:27:46.539
least privilege is absolutely paramount now.

00:27:46.900 --> 00:27:49.619
I mean, 100%. I mean, what do we see today? I

00:27:49.619 --> 00:27:52.910
think the agent sprawl is actually growing

00:27:52.910 --> 00:27:56.130
at a substantial amount that it outnumbers user

00:27:56.130 --> 00:27:58.029
objects in a lot of customers' tenants today.

00:27:58.390 --> 00:28:00.849
So there is a risk to least privilege. Got to

00:28:00.849 --> 00:28:03.289
get a handle on that agent sprawl too. Yeah,

00:28:03.289 --> 00:28:04.529
because if the only thing this thing is supposed

00:28:04.529 --> 00:28:06.789
to do is read over a database and come up with

00:28:06.789 --> 00:28:09.730
a summary report, it shouldn't have write to

00:28:09.730 --> 00:28:11.150
that database. It shouldn't be able to touch

00:28:11.150 --> 00:28:12.630
other databases. It shouldn't be able to send

00:28:12.630 --> 00:28:15.390
email. So you just have to kind of bring that

00:28:15.390 --> 00:28:19.109
rigor. I almost think of some of the stuff that

00:28:19.109 --> 00:28:23.109
we let, get a little sloppy in the deterministic

00:28:23.109 --> 00:28:25.109
era, which is document your code. What is it

00:28:25.109 --> 00:28:29.529
actually supposed to do? And do least privilege.

00:28:29.730 --> 00:28:32.390
Those things kind of sometimes go by the wayside

00:28:32.390 --> 00:28:34.950
because the deterministic code does the exact

00:28:34.950 --> 00:28:37.049
same thing every time and everybody kind of wings

00:28:37.049 --> 00:28:38.970
it a little bit. So until an attacker takes it

00:28:38.970 --> 00:28:41.549
over, it kind of doesn't matter. It really matters

00:28:41.549 --> 00:28:45.259
when they do. I feel like because of the dynamic

00:28:45.259 --> 00:28:48.059
nature of these things, because they're not deterministic

00:28:48.059 --> 00:28:49.779
and they do something a little different each

00:28:49.779 --> 00:28:52.740
time, that's where your least privilege and you're

00:28:52.740 --> 00:28:54.660
documenting what it's supposed to do so that

00:28:54.660 --> 00:28:57.279
someone in six months, eight months, a year,

00:28:57.299 --> 00:28:59.619
two years, five years knows what this thing is

00:28:59.619 --> 00:29:02.019
even supposed to do or someone right away knows

00:29:02.019 --> 00:29:03.519
how to threat model it and what it is supposed

00:29:03.519 --> 00:29:06.099
to do, what it's not supposed to do or to build

00:29:06.099 --> 00:29:08.859
a SOC detection or whatever. That kind of rigor,

00:29:09.059 --> 00:29:12.779
ironically, gets more important because the easier

00:29:12.779 --> 00:29:14.619
it is to code, the more important it is to know what

00:29:14.619 --> 00:29:17.019
the heck you're actually trying to do. I don't

00:29:17.019 --> 00:29:18.339
think you need to document what it shouldn't

00:29:18.339 --> 00:29:21.480
do because that list is infinite. Oh yeah, yeah,

00:29:21.480 --> 00:29:24.480
I mean, implicit, but like essentially this is

00:29:24.480 --> 00:29:27.720
supposed to do this and nothing else, right? Yeah,

00:29:27.720 --> 00:29:30.160
exactly, like, you know, like you say, read a database

00:29:30.160 --> 00:29:32.299
and this database, and in fact only these tables

00:29:32.299 --> 00:29:34.799
in this database, that kind of stuff. Yeah. And

00:29:34.799 --> 00:29:37.460
if you say only good to go. Yeah. Yep. A hundred

00:29:37.460 --> 00:29:39.299
percent. I mean, I would like to add something

00:29:39.299 --> 00:29:41.700
even that I've seen in a lot of customers environment.

00:29:41.880 --> 00:29:44.259
So with the creation and build the building of

00:29:44.259 --> 00:29:46.380
agents out there, there's so many unpublished

00:29:46.380 --> 00:29:48.099
agents out there and some of them are published.

00:29:48.200 --> 00:29:50.359
How about the unpublished ones? Right. It goes

00:29:50.359 --> 00:29:53.900
back to the problem we had for, you know, some

00:29:53.900 --> 00:29:56.779
service accounts that people just use just, just

00:29:56.779 --> 00:29:59.309
for certain things. Right. It's the same notion.

00:29:59.630 --> 00:30:02.470
There's a huge risk there because a bad actor

00:30:02.470 --> 00:30:04.130
could basically come in there and say, oh, let

00:30:04.130 --> 00:30:05.869
me just only take a look at the unpublished ones

00:30:05.869 --> 00:30:07.950
because nobody's actually paying attention to

00:30:07.950 --> 00:30:09.190
those. They only care about the ones that are

00:30:09.190 --> 00:30:12.690
published. However, most of those code could

00:30:12.690 --> 00:30:16.710
just be exposed just as easily, right? Yeah,

00:30:16.730 --> 00:30:19.009
if you look at some of the work that we did as

00:30:19.009 --> 00:30:21.269
part of the Secure Future Initiative, a big part

00:30:21.269 --> 00:30:23.589
of that was removing apps that had essentially

00:30:23.589 --> 00:30:26.589
been abandoned because no one was maintaining

00:30:26.589 --> 00:30:29.019
them. And we basically said, if you haven't used

00:30:29.019 --> 00:30:32.099
an app within N months or whatever it was, we'll

00:30:32.099 --> 00:30:33.859
give you a warning. And then after that, it's

00:30:33.859 --> 00:30:37.259
deleted. I mean, it's gone. Because the attackers

00:30:37.259 --> 00:30:38.920
don't care, right? The attackers don't care if

00:30:38.920 --> 00:30:41.680
it's being actively managed or not. If it's there

00:30:41.680 --> 00:30:43.740
and it's got a bug in it, then they can possibly

00:30:43.740 --> 00:30:46.960
take it over. I like what you said before as

00:30:46.960 --> 00:30:49.990
well, Mark, about... the LLM does the same thing

00:30:49.990 --> 00:30:51.710
over and over and over again. And in my head

00:30:51.710 --> 00:30:56.069
I was thinking, yeah, until it doesn't. The deterministic

00:30:56.069 --> 00:30:57.950
code does the exact same thing every time. The

00:30:57.950 --> 00:31:00.950
LLM, not so much. Not so much, yeah. I think

00:31:00.950 --> 00:31:03.730
what strikes me that I've been talking with folks

00:31:03.730 --> 00:31:07.150
about is that essentially, and I've been having

00:31:07.150 --> 00:31:08.930
this conversation now for what, at least a year,

00:31:09.009 --> 00:31:13.170
18 months, is that people are worried about AI,

00:31:13.230 --> 00:31:17.700
of course, worried and think, oh, there's new security

00:31:17.700 --> 00:31:19.259
stuff. But then, you know, when we're looking at

00:31:19.259 --> 00:31:22.480
these agents, we're like, hey, exactly the same

00:31:22.480 --> 00:31:25.140
things are the problem as in an agent that's

00:31:25.140 --> 00:31:27.519
over-permissioned is going to do some weird stuff

00:31:27.519 --> 00:31:29.779
and we've been talking about over-permissioning

00:31:29.779 --> 00:31:32.119
and least privilege since the beginning of time

00:31:32.119 --> 00:31:36.220
so it's, I know, it just strikes me as amusing

00:31:36.220 --> 00:31:39.730
that actually the main problems are I say amusing,

00:31:39.809 --> 00:31:41.730
amusing, maybe not the right word. It just strikes

00:31:41.730 --> 00:31:44.529
me as interesting that we're actually same technology,

00:31:44.630 --> 00:31:48.009
different technology, same problem. Yeah. I mean,

00:31:48.009 --> 00:31:50.589
there are obviously AI specific security issues

00:31:50.589 --> 00:31:52.529
that are very concerning, like prompt injection

00:31:52.529 --> 00:31:55.450
and so on and so forth. But yeah, at the end

00:31:55.450 --> 00:31:57.130
of the day, a lot of it boils down to just the

00:31:57.130 --> 00:31:59.230
classics. I mean, least privilege, you know,

00:31:59.250 --> 00:32:01.069
was documented. It was known about for a long

00:32:01.069 --> 00:32:02.990
time, but, you know, kind of the major documentation

00:32:02.990 --> 00:32:06.049
that was Saltzer and Schroeder in the mid-70s.

00:32:06.069 --> 00:32:11.250
It's been around forever. Don't lose track of

00:32:11.250 --> 00:32:14.549
the basics. It's the same today as it was 50

00:32:14.549 --> 00:32:17.529
years ago. It's a hard problem, Michael. I think

00:32:17.529 --> 00:32:20.250
that's why a lot of organizations are trying

00:32:20.250 --> 00:32:22.589
to figure out, okay, what are some standards?

00:32:22.809 --> 00:32:26.349
I really do like the agent factory and the new

00:32:26.349 --> 00:32:29.079
world everyone's trying to build based upon

00:32:29.079 --> 00:32:32.160
like a standards-based approach and trying to

00:32:32.160 --> 00:32:34.660
get and work together. I mean, that's the approach

00:32:34.660 --> 00:32:36.039
that we're taking. We're trying to figure out,

00:32:36.140 --> 00:32:38.839
okay, what is everybody else doing when it comes

00:32:38.839 --> 00:32:40.579
to their agent building? And how can we actually

00:32:40.579 --> 00:32:44.119
get to the portion of least privilege for customers

00:32:44.119 --> 00:32:46.500
and do what's right to the customer, right? And

00:32:46.500 --> 00:32:48.900
so we're taking a lot of standards-based approaches,

00:32:49.119 --> 00:32:51.819
right? And that's a very intricate thing that

00:32:51.819 --> 00:32:54.130
our team is actually focused on. And one of the

00:32:54.130 --> 00:32:56.109
standards that I mentioned in the news when we

00:32:56.109 --> 00:32:59.190
started is the roles and glossary standard, because

00:32:59.190 --> 00:33:02.130
at the end of the day, the accountability for

00:33:02.130 --> 00:33:04.349
anything that goes wrong needs to be with a person

00:33:04.349 --> 00:33:06.069
that actually made the decision, whether it's

00:33:06.069 --> 00:33:08.130
the developer, the IT person, the business person

00:33:08.130 --> 00:33:10.450
that says, go push this out there and skip the

00:33:10.450 --> 00:33:13.269
security. You know, the outcome of it has to

00:33:13.269 --> 00:33:15.930
accrue to the person that actually makes the

00:33:15.930 --> 00:33:17.630
decision. And they need to feel that when they

00:33:17.630 --> 00:33:19.690
make the decision, not just, oh, I can blame

00:33:19.690 --> 00:33:21.839
security for this later. So that's why we put

00:33:21.839 --> 00:33:24.000
that in the standards. So got to plug that one.

00:33:24.200 --> 00:33:26.299
Yeah, I mean, that's such a powerful thing. One

00:33:26.299 --> 00:33:29.920
other plug is obviously when you adopt with agent

00:33:29.920 --> 00:33:32.240
identity, we have a concept of owner and sponsor.

00:33:32.460 --> 00:33:35.019
Why do we do that? It's exactly that. We want

00:33:35.019 --> 00:33:39.460
to make sure least privilege gets into the person

00:33:39.460 --> 00:33:41.640
that's creating the agent, the person that's

00:33:41.640 --> 00:33:44.140
using the agent, and the person that is going

00:33:44.140 --> 00:33:46.579
to now come in there and secure that agent, right?

00:33:46.680 --> 00:33:49.440
So making sure there's accountability for the

00:33:49.440 --> 00:33:52.640
owner and the sponsors of those agents. So basically

00:33:52.640 --> 00:33:55.920
you want to know who to yell at. We want to know

00:33:55.920 --> 00:33:58.220
who should make a good decision so we can educate

00:33:58.220 --> 00:34:01.019
them on the policy. That's the ideal state, but

00:34:01.019 --> 00:34:04.480
afterwards, yeah. All right, let's start to bring

00:34:04.480 --> 00:34:07.779
this episode to an end. So Nick, actually I think

00:34:07.779 --> 00:34:09.639
one thing, we didn't have this when we first

00:34:09.639 --> 00:34:12.239
had you on the podcast, but one question we like

00:34:12.239 --> 00:34:15.920
to ask our guests is what does a day in the life

00:34:15.920 --> 00:34:18.849
of Nick look like? What a great question. A day

00:34:18.849 --> 00:34:21.809
in the life of Nick looks like meeting with customers,

00:34:22.210 --> 00:34:26.469
researching what's going on in the world of AI

00:34:26.469 --> 00:34:29.449
so that I can keep up with all the million different

00:34:29.449 --> 00:34:32.429
signals that the world is going crazy with

00:34:32.429 --> 00:34:35.030
agents. And lastly, just talking and collaborating

00:34:35.030 --> 00:34:37.949
across Microsoft. Microsoft is a one Microsoft

00:34:37.949 --> 00:34:40.010
team, so I get to collaborate with a lot of different

00:34:40.010 --> 00:34:42.750
teams across Microsoft, whether it's internal

00:34:42.750 --> 00:34:46.630
Microsoft security teams, red teams, data scientists,

00:34:47.190 --> 00:34:50.610
researchers, and other product groups. That's

00:34:50.610 --> 00:34:54.030
what I get to do every day. So Nick, we always

00:34:54.030 --> 00:34:56.710
ask this and we warned you, so hopefully you've

00:34:56.710 --> 00:35:00.230
thought about it. We always ask, if you wanted

00:35:00.230 --> 00:35:01.949
to leave our listeners with a final thought,

00:35:02.329 --> 00:35:06.309
what would it be? I have a couple thoughts here.

00:35:07.590 --> 00:35:11.730
One, in order to get all your agents under control,

00:35:11.949 --> 00:35:16.199
it always begins with limiting who can create

00:35:16.199 --> 00:35:18.860
those agents to begin with. So that's my first

00:35:18.860 --> 00:35:22.480
thought for the listeners. And I'll say, please

00:35:22.480 --> 00:35:25.059
adopt agent identity because it gives you a way

00:35:25.059 --> 00:35:27.420
to register, govern and protect your AI agents

00:35:27.420 --> 00:35:30.199
and help you secure access to your AI agents

00:35:30.199 --> 00:35:33.000
so they can get access to protected resources

00:35:33.000 --> 00:35:35.840
for your organization. Well, Nick, thanks again

00:35:35.840 --> 00:35:37.980
for joining us this week. I know you're a really

00:35:37.980 --> 00:35:41.719
busy guy and you always learn something on these

00:35:41.719 --> 00:35:44.300
episodes and I certainly did as well. And to

00:35:44.300 --> 00:35:46.039
all our listeners out there, again, welcome to

00:35:46.039 --> 00:35:48.019
2026. We hope you found this episode useful.

00:35:48.500 --> 00:35:51.260
Stay safe, and we'll see you next time. Thanks

00:35:51.260 --> 00:35:53.199
for listening to the Azure Security Podcast.

00:35:53.639 --> 00:35:56.599
You can find show notes and other resources at

00:35:56.599 --> 00:36:01.199
our website, azsecuritypodcast.net. If you have

00:36:01.199 --> 00:36:04.380
any questions, please find us on Twitter at AzureSecPod.

00:36:05.380 --> 00:36:08.980
Background music is from ccmixter.com and licensed

00:36:08.980 --> 00:36:10.679
under the Creative Commons license.
