Uber Tackles AI Agent Identity

Uber is building an internal platform for AI agents, but ensuring security and accountability for these autonomous systems presents a significant challenge. The company detailed its approach to solving the "identity crisis" for AI agents in a recent blog post, outlining updates to its identity and access technology stack. This effort is crucial as AI agents increasingly perform tasks on behalf of users and interact with production systems.

The core problem lies in traditional identity models, designed for humans and static workloads, which fail to capture the dynamic nature of AI agents. These agents often act as intermediaries, delegating tasks and executing actions in a multi-step process. Without clear attribution, tracing who initiated an action, why, and when becomes difficult, impacting auditing, compliance, and trust.

The Agency Gap

Uber observed a pattern where multi-step agent workflows resulted in downstream systems seeing only generic service identities. The origin of the action—a specific agent acting on behalf of a specific user—was lost. This lack of original provenance across agent hops complicates audits and limits the enforcement of fine-grained access policies.

For instance, an on-call engineer using an agent to fix a system alert might see a pull request generated by a monitoring agent, but the engineer’s identity as the initiator would be obscured. This is problematic because agentic workflows are characterized by delegation as the default, compositional workflows, and dynamic behavior.

A Zero Trust Foundation for AI Agents

To address these issues, Uber extended its existing Zero Trust Architecture. The solution focuses on establishing verifiable cryptographic identity for AI agents and enforcing authorization for downstream system access. Key components include an Agent Registry, an AI Agent Mesh for agent communication, and a Security Token Service (STS) for issuing dynamic, short-lived tokens.

The STS acts as a trust broker, issuing JWT tokens for each hop in an agent's workflow. These tokens are scoped for specific destinations and have a short time-to-live, preventing replay attacks. Crucially, the STS embeds the full attested actor chain into each token, providing end-to-end traceability from the originating user through intermediate agents.

This architecture also integrates with the MCP® (Model Context Protocol) Gateway, which acts as a policy enforcement point for tool invocations. The MCP Gateway verifies agent identities and authorizes tool calls, leveraging AI Guard for security guardrails like prompt injection detection and PII redaction. This allows for policies that evaluate both human and agent identities.

Agent Identity in Action

When an on-call engineer initiates a session with an Oncall Agent, the request is anchored by the user’s identity. The Oncall Agent then requests a new JWT from the STS, presenting its own workload identity and the user’s context. This JWT is specifically scoped for the next agent, say, an Investigation Agent.

The Investigation Agent, upon receiving the JWT, verifies it and then performs its own token exchange with the STS to call the MCP Gateway. The resulting JWT for this next hop carries a verifiable history: [user1, oncall-agent, investigation-agent].

This multi-hop JWT propagation ensures that the MCP Gateway and downstream systems have the complete context of the request lineage. Policies can then be enforced based on the verified intent of the entire chain, not just the immediate caller. Uber is tracking emerging standards, including IETF WIMSE working group drafts, to align with industry direction.

To ensure consistent implementation, Uber developed a Standardized A2A (Agent-to-Agent) Client that automates STS JWT exchanges and actor chain propagation, creating a secure-by-default developer experience.