https://github.com/kahalewai/agbac
AI agents broke one of the oldest assumptions in identity. For as long as I can remember, IAM has assumed a simple model: one action → one subject → one authorization decision. That worked when only humans were accessing things. But AI agents changed everything. So now we have an evolution of access control models (RBAC, PBAC, ABAC, now AGBAC).
When an AI agent acts on behalf of a human, there are two identities involved: The agent executing the request and the human whose authority triggered it. From a security standpoint, the correct rule becomes obvious: An action should only be allowed if both the agent and the human are authorized to perform it. Not agent or human. Agent and human.
The good news? This is now solved. And it works with your existing IAM solution protecting your enterprise today. Do you want to start enforcing (and logging) both agent and human authorization today? Or move one step closer to Zero Trust alignment within AI agent architectures? Check out AGBAC and drop a star if you think this is awesome!
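The agent-and-human rule described above, sketched as a small decision function with a per-subject audit record. This is an added illustration, not code from the AGBAC repository; the role table, subject names, `permitted` and `authorize` are hypothetical, and denying a request with no human bound to it is an assumption that follows from the "both must be authorized" rule.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role-to-permission table (assumption); a real deployment
# would query the existing IAM / policy engine instead.
ROLE_PERMS = {
    "finance-analyst": {"invoices:read", "invoices:approve"},
    "support-rep": {"tickets:read"},
    "billing-agent": {"invoices:read"},
    "ops-agent": {"invoices:read", "invoices:approve", "tickets:read"},
}

@dataclass(frozen=True)
class Subject:
    id: str
    roles: tuple = ()

def permitted(subject: Optional[Subject], action: str) -> bool:
    """A missing subject is never authorized (fail closed)."""
    if subject is None:
        return False
    return any(action in ROLE_PERMS.get(role, set()) for role in subject.roles)

def authorize(agent, human, action, audit_log) -> bool:
    """Allow only when BOTH subjects hold the permission; log both results."""
    agent_ok = permitted(agent, action)
    human_ok = permitted(human, action)
    allowed = agent_ok and human_ok
    audit_log.append({
        "action": action,
        "agent": agent.id if agent else None,
        "human": human.id if human else None,
        "agent_authorized": agent_ok,
        "human_authorized": human_ok,
        "decision": "allow" if allowed else "deny",
    })
    return allowed

def demo():
    log = []
    alice = Subject("alice", ("finance-analyst",))   # constructed identities
    bob = Subject("bob", ("support-rep",))
    billing = Subject("agent-billing", ("billing-agent",))
    ops = Subject("agent-ops", ("ops-agent",))
    results = [
        authorize(ops, alice, "invoices:approve", log),      # both hold it
        authorize(ops, bob, "invoices:approve", log),        # human lacks it
        authorize(billing, alice, "invoices:approve", log),  # agent lacks it
        authorize(ops, None, "invoices:approve", log),       # no human bound
    ]
    return results, log
```

The second case is the one a single-subject check misses: a broadly privileged agent invoked by a user who could not perform the action directly, which the audit record shows as `agent_authorized: True`, `human_authorized: False`.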