
CNCF: Agent Auth — secure identity and authority delegation for AI agents

Editorial illustration: cloud-native architecture with a token flowing between agent and user identity, symbolizing delegation

CNCF explains why AI agents need their own cryptographic identity and an authority delegation mechanism. An On-Behalf-Of token carries both the agent's identity and the user's principal, along with a precisely defined scope — everything the classic user-only auth model is missing.


This article was generated using artificial intelligence from primary sources.

Why the classic auth model fails for agents

When an AI agent performs actions on behalf of a user, the classic approach — the agent inherits the user’s token — creates a security gap: systems cannot tell whether an action was triggered by a human or an autonomous agent, and audit trails become unusable. Lin Sun, CNCF Ambassador, published an analysis on June 23, 2026, describing how to solve this problem in production systems.

Five requirements every agent auth system must meet

The solution rests on five technical conditions. First, every agent must have its own strong identity — SPIFFE (Secure Production Identity Framework for Everyone, an open standard for cryptographic identities of cloud-native workloads) gives agents a provable certificate independent of the user. Second, the agent must propagate the principal identity — it must know and convey who authorized it. Third, the system must be able to issue and validate a delegation token. Fourth, policy enforcement must be explicit. Fifth, every delegated action must leave an audit trail.

What is an OBO token and how does it surpass a user token?

The key artifact is the On-Behalf-Of (OBO) token — unlike a classic token that passes full user access, an OBO contains four elements: the agent’s identity, the principal (user) identity, delegated permissions, and a scope. The result: the system knows exactly what the agent may do and on whose behalf — instead of the agent effectively becoming the user with no restrictions.
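The five requirements above and the four OBO elements can be exercised end to end in a small script. The following is an added example, not code from the CNCF post or from the tools it cites: it mints an On-Behalf-Of token that carries the agent's SPIFFE ID, the user principal, the delegated permissions and a scope, validates it, and then makes an explicit, audited policy decision. Everything below is an assumption for illustration: the token is an HMAC-signed compact string rather than a real JWT or X.509 SVID, the issuer URL and SPIFFE IDs are constructed, the `act` (actor) claim borrows its name from OAuth 2.0 token exchange (RFC 8693) but the overall claim layout is not the CNCF design, scope is modelled as a resource-path prefix, and the policy allow-lists one SPIFFE agent path.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the token issuer's signing key. A real deployment
# would sign with the issuer's private key and verifiers would use the matching
# public key (for example one rooted in the SPIFFE trust bundle).
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://auth.example.internal"  # hypothetical issuer URL

# Explicit policy (assumption): only agents under this SPIFFE path may act on
# behalf of users at all, whatever the token claims.
ALLOWED_AGENT_PREFIXES = ("spiffe://example.internal/agent/",)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> bytes:
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()


def issue_obo_token(agent_spiffe_id, principal, permissions, scope, ttl=300, now=None):
    """Mint an OBO token carrying the four elements the article names."""
    if now is None:
        now = int(time.time())
    claims = {
        "iss": ISSUER,
        "sub": principal,                          # principal (user) identity
        "act": {"sub": agent_spiffe_id},           # agent identity (actor claim)
        "permissions": sorted(set(permissions)),   # delegated permissions
        "scope": scope,                            # scope, modelled as a path prefix
        "iat": now,
        "exp": now + ttl,
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_b64(_sign(body))}"


def validate_obo_token(token, now=None):
    """Check signature, issuer and lifetime, then require every OBO element."""
    if now is None:
        now = int(time.time())
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    if not hmac.compare_digest(_unb64(sig), _sign(body)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    for key in ("sub", "act", "permissions", "scope"):
        if key not in claims:
            raise ValueError(f"missing OBO element: {key}")
    if "sub" not in claims["act"]:
        raise ValueError("actor claim carries no agent identity")
    return claims


def authorize(claims, action, resource, audit_log):
    """Explicit policy decision; every call is recorded with agent and principal."""
    agent = claims["act"]["sub"]
    principal = claims["sub"]
    trusted_agent = agent.startswith(ALLOWED_AGENT_PREFIXES)
    permitted = action in claims["permissions"]
    in_scope = resource.startswith(claims["scope"])
    allowed = trusted_agent and permitted and in_scope
    if allowed:
        reason = "ok"
    elif not trusted_agent:
        reason = "untrusted agent"
    elif not permitted:
        reason = "permission not delegated"
    else:
        reason = "outside scope"
    # The audit record names both parties, so a reviewer can see that the
    # agent, not the user, performed the action and under whose authority.
    audit_log.append({"agent": agent, "principal": principal, "action": action,
                      "resource": resource, "allowed": allowed, "reason": reason})
    return allowed


if __name__ == "__main__":
    log = []
    tok = issue_obo_token("spiffe://example.internal/agent/support-bot",
                          "alice@example.com", ["tickets:read"], "/tickets/alice/")
    c = validate_obo_token(tok)
    authorize(c, "tickets:read", "/tickets/alice/42", log)
    authorize(c, "tickets:write", "/tickets/alice/42", log)
    for entry in log:
        print(json.dumps(entry))
```

The two denied cases in the demo are exactly what a plain inherited user token cannot express: the user may well be allowed to write tickets, but the delegation to the agent was not, and the audit line records the agent's SPIFFE ID next to the principal rather than making the agent look like the user.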

The ecosystem that already enables this

The reference tools Lin Sun cites — cert-manager, Istio, and agentgateway — already exist within the CNCF ecosystem. This means teams do not need to build auth infrastructure from scratch; they simply need to compose proven components around OBO tokens and SPIFFE identities.

Frequently Asked Questions

What is SPIFFE and why do AI agents need it?

SPIFFE (Secure Production Identity Framework for Everyone) is a standard for cryptographically provable identities for workloads in cloud-native environments. AI agents need SPIFFE because without their own identity, systems cannot distinguish which agent is performing which actions.

How does an OBO token differ from full access delegation?

An On-Behalf-Of (OBO) token explicitly encodes both the agent's identity and the user's (principal) identity, and restricts operations to a precisely named scope — unlike a classic token that passes full user access without any trace of an intermediary.