TL;DR: We are building a new Agentic Access Gateway in Pomerium to safely let AI agents (like GPT-based deep researchers, scripts or assistants) access internal apps and resources on your behalf – with fine-grained, just-in-time authorization for every action. It's open source (GitHub link below) and we're looking for feedback and early access users.

What is Pomerium? For those unfamiliar, Pomerium is an open-source identity-aware proxy (a "zero trust" access gateway). It sits in front of your internal apps and APIs, continually verifying identity and context on every request.

The problem: AI agents are starting to act on our behalf in software – making requests, pulling data, and triggering actions autonomously. The rise of AI agents and protocols like Model Context Protocol (MCP) is really exciting. The potential for agents to interact with diverse tools (APIs, databases, SaaS) both internal and hosted to perform complex tasks is immense.

However, the current MCP spec focuses on tool interaction and discovery but leaves per-request authorization largely undefined. Relying solely on initial OAuth scopes, as suggested, falls short for dynamic agent workflows where context can change mid-task. Pushing complex, context-aware AuthZ logic into every single tool creates security sprawl, inconsistency, and operational overhead – antithetical to core Zero Trust principles.

Our solution: Agentic Access Gateway is a new feature in Pomerium designed for this AI-driven world. It extends Pomerium's core capabilities (continuous authn/authz) to non-human agents. In a nutshell, it treats AI agents as first-class identities that carry context and require policy checks at each step.

Key functionality includes:

  - Centralized Policy Enforcement: Pomerium acts as a gateway in front of your MCP tools (and potentially other APIs agents might use). One place to define and enforce access policy.
  - Context-aware policy enforcement: Every request from the AI agent is checked against policy – including who (or what) the agent is acting for, what data it's trying to access, and any anomaly in behavior. If an agent strays out of bounds, it's denied on the spot.
  - Leverages Existing Identity: Agents authenticate via standard flows (OAuth2.1/OIDC style), so you can tie an agent's actions back to a real user or service account. Example: an agent acting for user Alice can inherit Alice's permissions (but only the ones you allow, and only while performing the task).
  - Just-in-time credentials: Instead of static API keys, an agent can request access through Pomerium and get a short-lived token scoped to the specific task or tool. No more "one token to rule them all" lying around.
  - Audit & traceability: All agent actions pass through a single gateway, so you get centralized logs and visibility. It's easy to see "which AI did what, when" for compliance or debugging.
  - Works with existing tools: Because it's built into Pomerium, you don't need a whole new stack. You configure policies in one place, and your internal APIs don't have to be modified.

Demo: We made a 60s video showing Pomerium can protect access to both SaaS (Google Docs) and an internal apps (a internal db). See Claude pull data from a Google Doc, then pivot to an internal Postgres query – all in one run.

https://www.youtube.com/shorts/IwMmuI-DMhs

The Ask: We'd love the HN community's feedback on this approach. Are you dealing with AI agents in your systems yet?

Sound interesting? Looking leverage an internal datasource to your LLMs? Sign up for early access to the Agentic Access Gateway:

https://www.pomerium.com/secure-agentic-access

If you'd like to contribute or want to dig into the code:

https://github.com/pomerium/pomerium

Thanks for reading! We built this because we believe the age of AI agents calls for a new kind of access control. Let us know what you think!