Every Tool Call is a Trust Boundary: Authorization for AI Agents
This session covers what changes when you treat every agent tool call as an authorization decision.
AI agents don't click buttons. They chain tool calls, hundreds per minute, into CRMs, databases, HR systems, and internal APIs. They act on behalf of a human but can easily exceed that human's intent. The blast radius of a single unchecked action is whatever the user's static role allows.
Zero Trust says never trust, always verify. That principle matters more when the actor is autonomous, fast, and tireless. But most authorization models were built for humans clicking through UIs, not agents chaining MCP tool calls at machine speed.
We'll walk through the 4 assumptions that break (speed, autonomy, delegation, scope), 3 enforcement points that matter (gate the action, authorize the tool, filter the data), and how Tailscale's identity layer, combined with policy-based authorization, gives you a practical control surface.
Using a live demo built on Aperture and Cerbos, we'll show how every tool call from an agent gets evaluated against declarative authorization policies informed by the user's role, delegation context, and Tailscale identity.
One thing we've learned working with early adopters is that teams want to observe what agents are actually doing, build an evidence base, then tighten controls via policy. That progression (observe, define, enforce) turns out to be the right adoption path regardless of where the infrastructure is.
We'll also cover why the confused deputy problem (an agent acting with permissions the user shouldn't have) is the security gap that keeps coming up, and how Tailscale's identity and capability grants along with Cerbos give you the context to actually solve it.
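As an added illustration of the three enforcement points and the confused deputy check described above (this is not code from the session, nor Aperture's or Cerbos's own policy format; the `POLICY` table, `User` and `Delegation` types and sample values are constructed for the example), the agent's effective rights are the intersection of what the user's role permits and what the user explicitly delegated, so the agent can never exceed the human it acts for:

```python
from dataclasses import dataclass

# Constructed stand-in for a declarative policy: tool -> action -> roles allowed.
POLICY = {
    "crm": {"read": {"sales", "admin"}, "write": {"admin"}},
    "hr":  {"read": {"hr", "admin"}},
}

@dataclass
class User:
    name: str
    role: str
    region: str

@dataclass
class Delegation:
    """What the human explicitly granted this agent (hypothetical delegation context)."""
    delegated_by: User
    allowed_tools: set
    actions: set

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def gate_action(user: User, tool: str, action: str) -> bool:
    """Enforcement point 1: would the human's own role permit this action?"""
    return user.role in POLICY.get(tool, {}).get(action, set())

def authorize_tool(delegation: Delegation, tool: str, action: str) -> Decision:
    """Enforcement point 2: evaluate one tool call against role AND delegation scope."""
    if not gate_action(delegation.delegated_by, tool, action):
        # Confused deputy check: a broad delegation never adds rights the user lacks.
        return Decision(False, "user role lacks permission")
    if tool not in delegation.allowed_tools or action not in delegation.actions:
        return Decision(False, "outside delegation scope")
    return Decision(True, "allowed")

def filter_data(user: User, rows: list) -> list:
    """Enforcement point 3: post-filter returned records to the user's own region."""
    return [r for r in rows if r.get("region") == user.region]

def evaluate_batch(delegation: Delegation, calls: list) -> list:
    """Evaluate a chain of (tool, action) calls; every call is its own decision."""
    return [(t, a, authorize_tool(delegation, t, a)) for t, a in calls]

if __name__ == "__main__":
    alice = User("alice", "sales", "emea")          # constructed sample user
    grant = Delegation(alice, {"crm", "hr"}, {"read", "write"})
    for tool, action, d in evaluate_batch(grant, [("crm", "read"), ("crm", "write"), ("hr", "read")]):
        print(f"{tool}.{action}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Every decision carries a reason string so that the observe-then-enforce progression has an audit record to build on before denials are switched on.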
You'll leave with a concrete reference architecture for securing AI agents at the infrastructure layer, real policy examples you can adapt, and a practical path from visibility to enforcement that starts with what's available today.
