<p>Episode 422 is the debut of Decoded by Identity at the Center, a new sub-series hosted by Jeff Steadman and Sean O&#39;Dell dedicated to unpacking the specifications and standards powering IAM. Joining them is Pieter Kasselman, VP of Open Standards at Defakto and chair of the WIMSE working group. The conversation covers why traditional non-human identity approaches break at agentic scale, how SPIFFE and SPIRE enable short-lived automated credential provisioning without long-lived secrets, and why treating agents as workloads unlocks a decade of existing standards. Pieter walks through critical OAuth specs including JWT authorization grant, token exchange, client ID metadata, and the emerging transaction tokens draft. Sean connects these to practical gateway architecture, continuous access evaluation, and policy-based authorization. The episode closes with real-world deployment examples and a clear takeaway: the tools to secure agentic identity are available today.</p>
<p><br></p>
<p>Episode Links:</p>
<p>Pieter Kasselman: https://www.linkedin.com/in/pieter-kasselman-0259862/</p>
<p>AI Agent Authentication and Authorization: https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/</p>
<p>Workload Identity in Multi-system environments (WIMSE): https://ietf-wg-wimse.github.io/</p>
<p>OAuth SPIFFE Client Authentication: https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/</p>
<p>Transaction Tokens: https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/08/</p>
<p>Agentic Identity Control Framework. You Already Have the Pieces. Now Build It. by Sean O&#39;Dell: https://www.linkedin.com/pulse/agentic-identity-control-framework-you-already-have-pieces-o-dell-61b5e/</p>
<p><br></p>
<p>Timestamps:</p>
<p>00:00 Introduction to Decoded by Identity at the Center</p>
<p>00:13 The mission of the Decoded sub-series</p>
<p>03:02 Guest intro: Pieter Kasselman, VP of Open Standards at Defakto</p>
<p>06:21 Why agentic identity is urgent: scale, multi-platform, and shifting threat landscape</p>
<p>10:42 The real cost of API keys and credential sprawl in agentic systems</p>
<p>13:23 Agentic identity identifiers and how SPIFFE assigns unique workload IDs</p>
<p>21:00 Credential types: X.509, JWTs, and workload identity tokens</p>
<p>31:00 Connecting SPIFFE to OAuth and dynamic registration with client ID metadata</p>
<p>38:18 SPIFFE SVIDs, multiple credentials per agent, and governance traceability</p>
<p>41:44 Authentication versus authorization: delegation versus impersonation</p>
<p>47:00 Transaction tokens: binding access to specific transactions to stop token theft</p>
<p>51:21 Identity chaining and cross-domain authorization</p>
<p>55:00 Shared Signals Framework and dynamic authorization</p>
<p>57:00 Gateways, CAEP, and mid-flight token revocation for rogue agents</p>
<p>59:31 What you can deploy today with SPIFFE, OAuth, and existing IDPs</p>
<p>01:02:58 Policy-based access control and why instance-level governance cannot scale</p>
<p>01:04:58 Workload identity federation: Anthropic and Google Agent ID updates</p>
<p>01:07:13 Cross-platform federation and the law of agentic utility</p>
<p>01:11:55 Elevator pitch: agents are workloads and 95% of the problem is solved now</p>
<p>01:17:03 What is coming next: a transaction tokens deep dive</p>
<p><br></p>
<p>Keywords:</p>
<p>agentic identity, SPIFFE, SPIRE, OAuth, transaction tokens, Shared Signals Framework, WIMSE, workload identity, non-human identity, authorization delegation, JWT, CAEP, API gateway, IAM standards, AIMS, Jeff Steadman, Sean O&#39;Dell, Pieter Kasselman, IDAC, Identity at the Center, Jim McDonald, Decoded by Identity at the Center</p>
<p><br></p>
<p>Decoded by Identity at the Center:</p>
<p>Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/</p>
<p>Sean O&#39;Dell: https://www.linkedin.com/in/seanodentity/</p>
<p>Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/</p>
<p><br></p>
<p>Visit the show on the web at https://idacdecoded.com/</p>

Identity at the Center

#422 - Decoded - Securing AI Agents with Standards You Already Have

MAY 15, 2026 · 78 MIN