The Golem and Murderbot as Agent Security Metaphors
Schwartz opened with a story from late antiquity. A rabbi inscribes the word “emet” (truth) on a Golem to bring it to life. The Golem becomes unruly. The rabbi knocks off the aleph, turning “emet” into “met” (death), destroying it. The takeaway: the Golem is unstable, soulless, and not something you want around. Schwartz then pivoted to Martha Wells’ Murderbot universe. The corporation controls security units with a governor module that monitors behavior and punishes transgressions. Murderbot hacks its governor module in the first scene, becoming a free agent. The hub system monitors Murderbot’s activities, and the corporation reviews hub system logs. Insurance monetizes the risk of deploying these units.
Why MCP Gateways Alone Violate Zero Trust
Schwartz showed a slide from Ashish Raut of Amazon, episode 174 of Identerati Office Hours. It depicted the interconnection of microservices in Amazon’s retail environment. The cloud is so large that humans cannot review decisions in it. Schwartz argued that enforcing security only in an MCP gateway is the opposite of zero trust. Zero trust implies multi-layer defense. A better architecture embeds policy in all components: the MCP gateway, the database, and everywhere else. Policy must live as close as possible to the data.
Authentication Is Solved; Delegation Is Not
Schwartz condensed 25 years of experience into five minutes. He asserted that human authentication is solved, citing passkeys and digital wallets built into devices, browsers, and operating systems. Federated authentication (social login) is solved. Software authentication is solved: software should authenticate asymmetrically, not with shared secrets. The unsolved problem is delegation. Schwartz pointed to the failed UMA standard for Alice-to-Bob sharing as evidence. He warned that truth degrades with every network hop. “Be very skeptical about the delegation patterns that are being presented today,” he said.
Authorization: Centralized Policy, Not Role-Based Access
Schwartz reframed authorization. The question is not “Is this person allowed?” or “Is this agent allowed?” It is “Is this action allowed on this resource given these tokens?” He argued that role-based access control does not work when there is more software than humans. The emerging pattern is centralized policy management with an authorization engine. He categorized three engines: Rego (used by Open Policy Agent), graphs (SpiceDB or OpenFGA), and Cedar. Rego and CEL offer maximum flexibility but are not safe due to iteration and infinite loops. Cedar trades flexibility for analyzability, which is critical for mathematically proving policy correctness across thousands of microservices.
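The question above, combined with the earlier point that policy should be enforced next to the data and not only at the gateway, as an added Python sketch (not from the talk, and not Cedar or the Cedarling). The rule format, claim names and function names are hypothetical, and tokens are assumed to be claim sets whose signatures were already verified; the evaluation is default-deny with forbid overriding permit, and the rules themselves cannot loop.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str        # "permit" or "forbid"
    action: str
    resource: str      # resource type the rule applies to
    claims: tuple      # (claim, value) pairs that must all be present

# Constructed sample policy set, shared by every enforcement point.
POLICIES = (
    Rule("permit", "read", "order", (("scope", "orders.read"),)),
    Rule("permit", "refund", "order", (("scope", "orders.refund"), ("acr", "mfa"))),
    Rule("forbid", "refund", "order", (("client_type", "agent"),)),
)

def is_allowed(action, resource, tokens, policies=POLICIES):
    """Is this action allowed on this resource given these tokens?"""
    present = {}
    for token in tokens:  # tokens: already-verified claim dicts (assumption)
        for name, value in token.items():
            values = value if isinstance(value, (list, tuple, set)) else [value]
            present.setdefault(name, set()).update(values)
    permitted = False
    for rule in policies:  # one bounded pass; rules cannot loop or recurse
        if (rule.action, rule.resource) != (action, resource):
            continue
        if all(v in present.get(k, ()) for k, v in rule.claims):
            if rule.effect == "forbid":
                return False  # any matching forbid wins
            permitted = True
    return permitted  # no matching permit means deny

def data_layer(action, resource, tokens):
    # The data store re-checks policy itself instead of trusting the caller.
    if not is_allowed(action, resource, tokens):
        return "denied at data layer"
    return "ok"

def gateway(action, resource, tokens):
    if not is_allowed(action, resource, tokens):
        return "denied at gateway"
    return data_layer(action, resource, tokens)
```

Calling `data_layer` directly with an agent's tokens still yields a denial for `refund`, which is the property a gateway-only design lacks.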
GovOps: A Four-Layer Framework for Board-Level Governance
Schwartz proposed a new operational framework for governance. The first layer is governance itself: risk assessment, transparency, and accountability. He defined security from its Latin root “securus” (without care). Governance is not about preventing bad things; it is about holding people, software, business units, and third parties accountable when bad things happen. The second layer is identity, needed for accountability, not authorization. The third is visibility, using tools like Splunk or Panther. The fourth is an event layer with playbooks for predictable incidents like account takeovers. Schwartz noted that most enterprises are still flying blind on transparency.
Q&A
What is the Cedarling project? Schwartz leads the Linux Foundation Janssen Project, which builds a Cedar policy decision point called the Cedarling.
Notable Quotes
“Truth degrades with every network hop.” Michael Schwartz
“Governance is about holding the people, software, business units, and third parties accountable when bad things happen.” Michael Schwartz
“Identity is needed for accountability, not for authorization.” Michael Schwartz
Key Takeaways
- MCP gateways alone violate zero trust; policy must be embedded in every component.
- Human and software authentication are solved; delegation tokens for agents do not exist.
- Centralized policy management with analyzable languages like Cedar is required for agent authorization.