Keycard x Insecure Agents: Building a Big Tent for Agentic Security

Keycard x Insecure Agents: Building a Big Tent for Agentic Security
Ian Livingstone
Ian Livingstone Announcements
3m read

Today, we’re excited to announce that Keycard is sponsoring the growth of Insecure Agents, and that its host, Allie Howe, is joining Keycard to continue growing the podcast, the live events, and the community she’s built.

Agents are reshaping the way we build and operate software, and they’re breaking the security models we’ve trusted for decades in the process. No single company can figure that out alone, and we’re committed to growing Insecure Agents into a community where the people building agents and the people securing them are learning together.

From Podcast to Community

I’ve been a fan of Insecure Agents since the early episodes, and what Allie started as a podcast about AI security has grown into a genuine community where developers building agents and the security practitioners governing them are working through the same problems together.

The guest list speaks for itself: Dick Hardt, the author of OAuth, talking through what authentication looks like when the caller is an agent, not a human. Peter Steinberger, the creator of OpenClaw, on the security implications of agents that can discover and invoke arbitrary tools. Alex Stamos, CPO at Corridor and former CISO at Facebook, on what enterprise security teams are actually seeing as agents hit production. These conversations go deep, and they’re happening in the open where everyone in the ecosystem can learn from them.

The community has grown beyond the podcast too. Building Internal AI brought together leaders from Sentry, Browserbase, Cloudflare, and Keycard in front of 100+ attendees to work through the operational and security challenges of deploying agents inside organizations. The energy in that room was something I haven’t seen since the early days of DevSecOps.

Why This Matters Now

The security models we’ve relied on for thirty years were built around two assumptions: you can trust the actor, and you have time to find and fix what goes wrong. Identity fires once at login or deploy time, whether it’s a human authenticating into a session or a workload running with a service account. When vulnerabilities, misconfigurations, or policy violations surface, a scanner picks them up on its next daily run and security teams remediate them via a prioritized backlog. The whole system depends on predictable actors and review cycles that can afford to run after the fact.

Why traditional security models break down for non-deterministic agents acting at runtime

Agents break all of that because they’re not intelligent actors you can trust to do the right thing, they’re incredibly powerful non-deterministic reasoning engines that invoke tools dynamically, delegate to sub-agents, and act differently at runtime based on the task they’re working on. They can find, exploit, and act on vulnerabilities without any malicious intent, faster than any scan cycle can catch, which means things like context poisoning, intent drift, unverified tools, and data leakage all have to be caught in real time with in-band controls, not discovered in the next audit.

The challenge goes beyond governance, because every developer building an agent is deciding what tools to expose, what data to pass into the context, and what scope to grant, and those choices determine the security posture before any security team ever sees it. At the same time, companies are restructuring around agents, changing how teams operate and how work moves through the organization. We’ve seen this firsthand with our customers and in the work we’ve been doing with the Agentic AI Foundation and others. The scope of what needs to be built correctly and governed continuously at runtime keeps expanding.

Keycard is rooted in identity and access for agents, and that’s our piece of the puzzle, but the puzzle is enormous and the way the industry gets through it is by getting builders and security people in the same room. That’s what Insecure Agents has been doing, and it’s the thing I’m most excited about in welcoming Allie to the Keycard team and sponsoring the continued growth of the community.

Get Involved

If you’re in San Francisco for the AI Engineer World’s Fair, join us at AAuth Night: Moving Beyond OAuth. Dick Hardt, Keycard CTO Jared Hanson, and others will be doing lightning talks and live demos on the future of agent auth, with a panel Q&A moderated by Allie.

Beyond events, there are a lot of ways to be part of this community:

Building and securing agents is bigger than any one company, and Insecure Agents is where that community is growing. We’re excited to help it get there.

Last updated June 3, 2026

Have questions about agent security?

Ask our agent — it's a live Keycard-on-Keycard demo.