The Confused Deputy Problem in AI Agents


In 1988 Norm Hardy described the confused deputy: a compiler had permission to write its stats to a directory. A user tricked it into writing a billing file instead. The compiler was not compromised. It held real authority, but the intent was wrong. Today AI agents replicate that problem. When you grant a token to read email, the agent can be redirected by prompt injection to forward everything to an external address. The token allows it. The system sees no violation. The agent wields legitimate authority for an unintended task.

Four Gaps in Current Delegation


MCP mandates OAuth 2.1 but leaves four gaps. The token does not record who asked the agent to act. You cannot narrow a token across agent hops. Scopes describe capability, not purpose. There is no audit trail of intent. These gaps create attack surfaces: prompt injection, tool confusion (similar tool names), sub-agent escalation (passing full token without attenuation), and session bleed (cached consent reused by another agent). OAuth secures the pipe. The driver remains unsecured.

Industry Convergence on Five Patterns


Independent working groups at IETF and the Linux Foundation are converging on the same primitives. Five patterns appear across drafts and vendor solutions. Delegation becomes a first-class managed object. Agent policies and user policies must both independently allow an action. Credentials bind per upstream service. Each hop attenuates, never expands. Every boundary logs who delegated, who acted, which credential, and which tool. This convergence signals a shared foundation before any RFC lands.

Runlayer’s Gateway as an Enforcement Point


Runlayer sits between AI agents and MCP servers. Every tool call passes five layers: authentication, delegation validation, policy validation, security scanning, and auditing. Identity modes handle human SSO, standalone agents, and agents acting on behalf of a user. Delegation tracks who delegated to whom and revokes instantly. Session grants bind OAuth credentials to specific upstream services without privilege escalation. The system enforces four properties: scoped, auditable, revocable, and no ambient authority.
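As an added illustration (not code from the talk, from Runlayer, or from any MCP draft), the following Python model ties the five converging patterns above to the gateway's delegation and policy checks: a delegation hop that can only attenuate, a credential bound to one upstream service, a policy intersection in which the user's policy and the acting agent's policy must both allow the tool, and an audit record for every decision. The service name `mail-api`, the scopes `mail:read`/`mail:send`, the agent names and the policy dictionaries are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Delegation:
    """One hop in a delegation chain: who granted which scopes to whom, bound to one upstream."""
    delegator: str
    delegate: str
    upstream: str                    # credential is usable against this service only
    scopes: frozenset
    parent: Optional["Delegation"] = None

    def attenuate(self, delegate: str, scopes) -> "Delegation":
        # A hop may only narrow what it holds; any attempt to expand is refused outright.
        scopes = frozenset(scopes)
        if not scopes <= self.scopes:
            raise PermissionError(f"{self.delegate}->{delegate} tries to add {sorted(scopes - self.scopes)}")
        return Delegation(self.delegate, delegate, self.upstream, scopes, self)

    def chain(self) -> list:
        # Walk back to the human principal so the audit record shows every hop.
        hops, d = [], self
        while d is not None:
            hops.append(f"{d.delegator}->{d.delegate}")
            d = d.parent
        return hops[::-1]

AUDIT = []   # constructed in-memory audit log; a real gateway would forward this to a SIEM

def authorize(d: Delegation, upstream: str, tool: str, user_policy: dict, agent_policy: dict) -> bool:
    """Gateway decision: bound upstream, tool within the hop's scopes, and BOTH policies allow."""
    allowed = (upstream == d.upstream
               and tool in d.scopes
               and tool in user_policy.get(upstream, set())
               and tool in agent_policy.get(d.delegate, set()))
    AUDIT.append({"chain": d.chain(), "actor": d.delegate, "upstream": upstream,
                  "tool": tool, "allowed": allowed})
    return allowed

if __name__ == "__main__":
    # Constructed scenario: alice delegates mail access to an assistant, which hands a read-only
    # hop to a summarizer. An injected instruction to forward mail fails at the gateway.
    user_policy = {"mail-api": {"mail:read", "mail:send"}}
    agent_policy = {"assistant": {"mail:read", "mail:send"}, "summarizer": {"mail:read"}}
    root = Delegation("alice", "assistant", "mail-api", frozenset({"mail:read", "mail:send"}))
    sub = root.attenuate("summarizer", {"mail:read"})
    print(authorize(sub, "mail-api", "mail:read", user_policy, agent_policy))   # True
    print(authorize(sub, "mail-api", "mail:send", user_policy, agent_policy))   # False
    print(authorize(root, "crm-api", "mail:read", user_policy, agent_policy))   # False
```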

Notable Quotes

"OAuth secures the pipe, but you still need to secure the driver." Alvaro Inckot (9:30)

"Scopes tell you capability, not the purpose of that." Alvaro Inckot (7:48)

"The compiler wasn't compromised. Actually, it had real authority to do that." Alvaro Inckot (2:36)

Key Takeaways

  • Audit agent tokens for delegation context, not just user scope.
  • Implement per-credential binding and policy intersection to block escalation.
  • Use explicit delegation chains and instant revocation to stop confused deputy attacks.

About the Speaker(s)

Alvaro Inckot is the Founding Identity Engineer at Runlayer, where the job is making sure AI agents don't do things they shouldn't, even when they've been told they can. He has a background in distributed systems, auth, and identity systems at Intel.

Vitor Balocco is co-founder of Runlayer. Previously, Vitor was a Staff AI Engineer at Zapier and is a recognized MCP expert, speaking at international conferences on vulnerabilities and defense.