MASTERCLASS SERIES
When agent behavior can't be predicted, identity becomes the foundational control. Here's what that means for how you build.
What You'll Learn
Why non-deterministic AI breaks the infrastructure security patterns you've relied on — and what a new design foundation looks like
How cryptographic identity and ephemeral privileges solve the challenge of scoping and containing AI agents that behave differently on every run
How to apply consistent identity controls across Kubernetes for both humans and AI workloads
Why MCP has enterprise security gaps out of the box — and what closing them actually requires
4 minutes, 34 seconds
Featuring Teleport Engineering Leaders
Read Full Transcript
The world's infrastructure is not ready because we are so used to writing pieces of deterministic code where say a CI/CD pipeline is going to take input A and we know that we want to get it to output B. But now we're starting to live in a world where we are giving a non-deterministic agent or LLM or what have you the ability to make decisions on our behalf and that is destructive potentially.
One of the problems if you don't provide limited access is that agentic AI is sort of like a toddler. It will probe all of your systems. It might rm-rf delete your root directory. It might dump your database. If you give the permissions, the LLM will use this permissions that you've given it.
Certificate-based authentication is very very powerful. I can create cryptographic footprint and let's call it passport of who you are in that moment. And in that piece of cryptographic identity, I can define who you are, how long I believe you should exist and be able to function and accomplish your work. So the ephemeral nature of how certificate-based authentication works makes it prime for the effective use in AI workloads. Your AI is non-deterministic. Being able to dynamically scope its work on every single task that it does is crucial. Being able to define what it should do even though it may change every time it runs is paramount.
It has been about a year since Anthropic released MCP to the world and through its ability to provide context to LLMs and to workloads, it has seen large adoption in the community. The issue is with any young protocol, it does not provide all the enterprise features that are necessary to deploy it at scale. Out of the box, the protocol did not have an answer for any of the OWASP top 10 AI and agentic threats. Teleport released secure MCP about 6 months after the protocol's initial release. And through our existing foundation and bedrock of how we solve the identity problem and the access problem as an extension, we're able to cover five to six of the top 10 threats that AI is facing according to all of us.
Sam Altman was on the KubeCon stage I believe about six years ago and he declared that Kubernetes is going to be the AI platform and he's not wrong. OpenAI has been very vocal about how they run ChatGPT on Kubernetes, how everything that they do is Kubernetes first. Kubernetes has become the backbone of most modern infrastructure and most modern applications that we touch in our daily lives and being able to define the access not only to Kubernetes itself but utilize the same tools to define the access of the AI that is going to be running on that platform becomes invaluable. Giving you the easy button to Kubernetes access, to giving you the easy button to defining roles, to defining the who, the what, the why, the how of Kubernetes for humans and utilizing the exact same technologies, the exact same knobs for the AI workloads that will run on Kubernetes.

Traditional CI/CD: input A → output B. Predictable. AI agents make decisions on your behalf. The path changes every run. Infrastructure built for deterministic code isn't ready for agentic AI.
If you give the permissions, the agent will use them. Without short-lived, task-based privileges, an AI agent will probe every system it can reach. It might rm -rf your root directory. It might dump your database.
Static credentials and standing privileges don't hold when behavior changes on every run. Certificates establish who an AI agent is and for how long. Short-lived privileges define what it can do, scoped dynamically to each task.
Rapid adoption outpaced security design — deploying MCP at enterprise scale requires an identity and authorization layer the protocol doesn't ship with.
Sam Altman called it six years ago: Kubernetes is the AI platform. OpenAI runs ChatGPT on it. The same access controls that work for humans work for AI agents. One control plane for both.

00:60
Why AI agents don't need static tokens — and how eliminating standing privileges reduces the attack surface.

00:45
Why cryptographic identity and short-lived privileges should govern machines the same way they govern humans.

00:50
Why certificate-based authentication enables every identity — human or machine — to do exactly what it needs for that specific task, and nothing more.

00:43
Why 2026 is the year AI graduates from labs to production at scale—and what that means for infrastructure identity.
Start the discussion on infrastructure identity:
1. Are our AI agents using static tokens? What's the blast radius if they are compromised, and how long would they remain valid?
2. How are we scoping privileges for AI agents? Can we define them per-task, or is it all-or-nothing?
3. If we're using MCP, have we addressed the OWASP top 10 AI threats? Which ones are still gaps?
4. Can we define the who, what, why, and how of Kubernetes access consistently for both humans and AI workloads — or are we maintaining two separate models?
Read White Paper
Access, authorization, and audit for enterprise AI
Read Technical Guide
OWASP threats, architecture patterns, implementation steps
Watch Webinar
How to bring cryptographic identity to AI workflows