Agent Identity for MCP: Prefactor's Approach to Secure, Auditable AI Agents (Demo + Deep Dive)
Written by Om-Shree-0709 on .
- The Urgent Need for Agent Identity in MCP
- Prefactor's Approach: Securing, Authenticating, and Auditing AI Agents
- How It Works: Prefactor's Agent Identity Platform
- My Thoughts
- Acknowledgements
As organizations increasingly adopt AI agents, the fundamental question of "what is our agent strategy?" echoes through boardrooms globally. While the promise of productivity gains and innovation is immense, the rapid pace of development in the Model Context Protocol (MCP) ecosystem has outstripped the establishment of essential guardrails, creating a new and significant attack surface. Prefactor, an agent identity platform, directly addresses this critical gap. Drawing from extensive discussions with hundreds of companies, Prefactor recognizes the urgent mandate for speed in AI agent deployment, acknowledging that this intensity of innovation, while amazing, also introduces substantial security risks. The company's mission is to provide the missing security layer and governance capabilities to ensure that the transformative potential of MCP agents can be realized safely and effectively, preventing the "canary in the coal mine" scenario where an unsecured MCP deployment leads to a major security breach.
The Urgent Need for Agent Identity in MCP
The current state of MCP adoption, while incredibly rapid, presents significant security vulnerabilities. Enterprises are grappling with a "complete mess" when it comes to managing agents, often struggling even with basic practices like securing API keys off individual laptops. This highlights a critical disparity between the advanced capabilities of AI agents and the immature security controls available for them. Prefactor identifies two primary use cases for MCP where agent identity is paramount:
External/Customer MCP: This involves exposing MCP servers and APIs directly to customers, aiming to add value in B2B and B2C interactions. While initial assumptions focused on this area, the pace of UI innovation (e.g., in Claude or ChatGPT) for integrating MCPs has been slower than internal deployments, potentially limiting user experience and adoption.
Internal/Workforce MCP: Prefactor identifies this as the biggest immediate opportunity, particularly in highly regulated industries like banking, insurance, and real estate. These organizations are deploying numerous MCP servers for simple, yet impactful, use cases—for example, drastically reducing the time it takes to deliver data to frontline workers. However, "internal" does not equate to "safe"; these internal agents still require enterprise-grade control and governance to prevent them from spiraling out of control.
Both external and internal agents share fundamental requirements for trust and management. Organizations need to control who (or what) can access their APIs, ensure accountability, and prevent unauthorized actions. Without a dedicated identity layer, MCP deployments risk becoming unmanageable and susceptible to security breaches, undermining the very benefits they promise. Prefactor positions itself as the "agentic identity security layer", designed to secure, authenticate, and audit agents across both scenarios.
Prefactor's Approach: Securing, Authenticating, and Auditing AI Agents
Prefactor addresses the security and governance challenges in MCP through a specialized identity platform. Its core offerings include:
MCP Authentication: This is Prefactor's foundational product, providing robust authentication specifically tailored for MCP interactions.
Chat Interface with Embedded Security: More recently, Prefactor introduced a chat interface that embeds MCP security directly into the chatbot experience, eliminating the need for a separate authentication process. This allows for the end-to-end flow of agent provisioning, message assignment, and secure interaction.
Key Concepts and Differentiators:
Agent Identity as First-Class Citizens: Prefactor's underlying philosophy is to treat agents as "first-class citizens", distinct from both humans and machines. This means developing an identity system fundamentally based around the agent, granting them the appropriate level of control at the right moment, eventually evolving towards task-based access control.
Separate Human and Agent Identities: The platform explicitly separates human and agent identities, even when they interact or are linked. This granular distinction is crucial for robust auditing and authorization, allowing for specific policies to be applied to agents based on their assigned roles and permissions. For example, in a demo, a human user has one identity, while an assistant (an agent) paired with the human has its own unique identity within Prefactor.
Immutable Audit Log: Prefactor maintains an immutable log of all agent activities, providing a transparent and auditable trail of every request and action. This log includes signed payloads (JWTs) that contain both user and agent identities, ensuring accountability and traceability.
Seamless Authorization to MCP Servers: The system facilitates seamless authorization checks. When an agent (acting on behalf of a human or autonomously) uses a tool via an MCP server, Prefactor transmits both the human and agent identities to the MCP server. The MCP server can then evaluate these identities against predefined authorization strategies to determine if the action is permitted.
Configurable Rule Sets: Prefactor's backend provides highly configurable rule sets that govern authentication, how agents work together, and human identity integration. It can also wrap around existing Identity Providers (IDPs) for seamless integration into existing enterprise security infrastructures.
Demo Workflow:
Simon's demo showcases a chat interface where a user queries an account balance. The agent uses an exchange tool to convert Euros to Australian dollars. Behind the scenes, the request payload is signed as a JWT, containing the user's identity within Prefactor. An assistant agent, with its own unique identity, also performs actions, and its requests are similarly signed and logged, creating an immutable chain. The Prefactor backend tracks human and agent identities, devices, and sessions separately, but linked where appropriate. This granular tracking enables detailed audit trails and fine-grained authorization policies.
How It Works: Prefactor's Agent Identity Platform
Prefactor operates as a SaaS platform, with current cloud-based offerings and plans for on-premise or private cloud deployments. The platform's core is an underlying identity system that provides the "below the surface" security and authentication that is typically hard to demo.
Architectural Overview:
Centralized Identity System: Prefactor maintains a centralized identity system that distinctly tracks human and agent identities. This system manages devices, sessions, and the relationships between humans and their agents.
JWT-based Signing: Every request or action initiated by an agent or a human through the Prefactor platform is signed using JSON Web Tokens (JWTs). These JWTs encapsulate critical identity information (human user, agent ID) and are part of the immutable log.
MCP Server Integration: For MCP servers to leverage Prefactor's security, they interact with the Prefactor system to validate identities and enforce authorization. When an agent calls a tool on an MCP server, the agent's identity, along with the user's identity (if applicable), is passed to the server, allowing for real-time authorization decisions.
Configurable Policies: Prefactor's backend allows administrators to define highly configurable rule sets for authentication and authorization. This includes managing how agents interact with each other and with humans, and how existing IDPs can be integrated.
Audit Trails and Session Management: The platform provides comprehensive session management and audit trails, offering live activity observation of agents. This allows enterprises to monitor agent behavior, track resource access, and ensure compliance.
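The signed-payload and authorization flow described above (a JWT carrying both the human and agent identity, checked by the MCP server against a policy, with every decision appended to a tamper-evident log) as an added illustration; this is not Prefactor's code, and the claim names, the `POLICY` table and the shared HS256 key are constructed assumptions for the example:

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret"  # constructed demo key, not a real deployment value
# Assumed policy table (constructed): tools each agent identity may invoke.
POLICY = {"assistant-42": {"exchange_rate", "account_balance"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_request(user_id, agent_id, tool, args, key=SECRET):
    """Client side: sign one tool call as an HS256 JWT naming user AND agent."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"sub": user_id, "agent": agent_id, "tool": tool,
              "args": args, "iat": int(time.time())}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_request(token, key=SECRET):
    """Return the claims if the signature checks out, otherwise None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:  # malformed token (wrong number of segments)
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def _entry_hash(entry):
    fields = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def authorize(token, log, key=SECRET):
    """MCP-server side: verify, apply the per-agent policy, append to the chain."""
    claims = verify_request(token, key) or {}
    allowed = claims.get("tool") in POLICY.get(claims.get("agent"), set())
    entry = {"prev": log[-1]["hash"] if log else "0" * 64,
             "user": claims.get("sub"), "agent": claims.get("agent"),
             "tool": claims.get("tool"), "allowed": allowed}
    entry["hash"] = _entry_hash(entry)  # links this entry to its predecessor
    log.append(entry)
    return allowed

def chain_intact(log):
    """Detect an edited, dropped or reordered entry by re-deriving every link."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

A denied or unverifiable call is still logged (with `allowed` false and, for a bad signature, no identities), so the audit trail records attempts as well as successes.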
MCP Protocol Evolution:
Prefactor anticipates and contributes to the evolution of the MCP specification, particularly regarding authentication. The current MCP OAuth implementation is primarily geared towards external authorization (e.g., connecting a system like Claude). However, there is a recognized need for more enterprise-focused features, such as workload identity and mechanisms that reduce user friction in internal systems. This involves removing constant consent screens for internal agent connections and ensuring that a user's identity reliably propagates through multiple systems without modification. Critically, the concept of a dedicated "agent identity" within the MCP standard is currently missing but is actively being discussed in working groups, and Prefactor is working "a bit ahead of where maybe MCP auth is today" to address these emerging needs.
My Thoughts
Prefactor's platform represents a critical and timely innovation in the rapidly expanding landscape of AI agents and the Model Context Protocol. The core insight that agents require their own distinct identities, separate yet linkable to human users, is a foundational shift that addresses a major blind spot in current AI security paradigms. The traditional approach of relying solely on user authentication for agent actions is insufficient for enterprise-grade deployments, where auditability, granular access control, and robust governance are paramount.
The emphasis on an immutable audit log, with signed payloads containing both human and agent identities, is a powerful feature. It provides the necessary transparency and accountability for agent activities, which is essential for compliance in regulated industries and for debugging complex multi-agent systems. This proactive approach to security positions Prefactor as a leader in defining the guardrails for a secure agentic future.
Furthermore, the strategic focus on internal/workforce MCP deployments highlights a realistic understanding of where enterprises are seeing immediate value and, concurrently, immediate risk. By providing a secure foundation for these internal agents, Prefactor enables organizations to harness AI's productivity gains without compromising their security posture. The vision for agent-to-agent authentication and a cross-orchestration provisioning system is ambitious and aligns perfectly with the future trajectory of AI, where autonomous and semi-autonomous agents will increasingly collaborate. As the MCP standard evolves, Prefactor's contributions to shaping its security and identity aspects will be invaluable.
Acknowledgements
Sincere gratitude to Matt Doughty (CEO, Prefactor) and Prefactor's co-founder for their illuminating presentation and demo on Agent Identity for MCP: Prefactor's Approach to Secure, Auditable AI Agents. Their work is vital for the secure adoption of MCP, and we thank the broader MCP and AI community for their continuous efforts in advancing this field.
Written by Om-Shree-0709 (@Om-Shree-0709)