The Air Canada chatbot case from a couple of years back was a preview. The bot gave a customer incorrect information about bereavement fares, Air Canada tried to disclaim responsibility, and a tribunal ruled that the airline owned what its AI did. The AI worked for them. Full stop.
That precedent gets more complicated fast when the AI isn’t just answering questions but taking actions — running shell commands, calling APIs, writing and deploying code, touching production systems. Ian Livingstone, co-founder and CEO of Keycard, calls it the lethal trifecta: an autonomous system with high connectivity and high privilege, operating without meaningful constraints. “There’s nothing that stops them from dropping the database or taking customer data out of the wrong place,” he told me. “That’s an incredible security issue.”
I had an opportunity to chat with Livingstone and Mike Malone, founder and CEO of Smallstep, ahead of their announcement this week of a product integration that combines Keycard’s runtime agent governance with Smallstep’s hardware-rooted device identity platform. The two companies are working on adjacent parts of the same problem. And the product announcement, on its own, undersells what the actual challenge is.
The Trust Model Wasn’t Built for Agents
The security model underpinning most of the internet was built around one assumption: verify who the human is, then extend them a broad base of implicit trust. That worked because humans have judgment and, more fundamentally, self-preservation. They’re social creatures with real incentives not to wreck the systems they rely on.
“Agents don’t have implicit self-preservation incentives,” Livingstone said. “They just are a distribution of probabilities that’s capable of reasoning and exploring and searching through many different paths at the same time. That is incredibly valuable for automation, but it has a bunch of downside effects.”
The practical version of that plays out fast. A human employee asked to search a SharePoint directory will look where they were told to look. An agent will find every other directory it also has access to — and it will do it at machine speed. The unknown unknowns in your access controls get found quickly. Whether you wanted them found that way is another matter.
This is also a liability question. Livingstone pointed to a credit card processor example: if an agent performs a transaction the user didn’t intend, who’s responsible — the user, the developer who built the agent, or the platform? Right now, there’s no clear answer, and the audit trail to even reconstruct what happened often doesn’t exist.
Two Different Pieces of the Same Problem
Keycard’s focus is runtime governance — enforcing policy on what an agent can actually do while it’s doing it. The platform governs tool calls, credential issuance, and access scope at the task level. Credentials are ephemeral: an agent gets what it needs for a specific task, and that’s it. The pitch to security teams is that guardrails are built into the agent workflow from the start, rather than something bolted on after an incident.
Smallstep addresses a different layer. Most AI agent authentication today runs on OAuth or API keys — Malone described both as fundamentally “a single-factor password, a shared secret approach.” The integration with Keycard layers in certificate-based authentication that’s hardware-bound to specific trusted devices. The idea is that before an agent session gets any credentials at all, the environment it’s running in has to pass attestation.
Smallstep’s platform uses ACME Device Attestation, a protocol developed with Google, which relies on the TPM or Secure Enclave chip present in modern devices to cryptographically verify hardware identity. This replaces what Malone described as a 30-year-old foundation of password-based device authentication. “An attacker simply has to impersonate a user to attack a system,” in the old model, he said. With hardware-bound credentials, they would need a physical presence on a specific device.
The integration ties these together: Keycard governs what the agent is allowed to do; Smallstep verifies that the session is actually running on trusted infrastructure before any credentials are issued. No attestation, no certificate, no access.
The Consent Dialog Problem
The goal isn’t to lock agents down so tightly that they stop being useful. Livingstone was direct about this: “We can’t have a world where we actually just push all of the judgment back over to the human,” he said. “Otherwise, there’s no value. You just die from consent.”
The practical starting point most CISOs land on, Livingstone said, is pretty simple: don’t let the agent delete things. If it’s writing or updating something that touches production, get a human in the loop. At minimum, keep an audit trail detailed enough to reconstruct what happened and who — or what — made the decision.
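As an added illustration (not Keycard's or Smallstep's code; every name and the device fingerprint below are constructed for the example), this sketches the chain the two vendors describe and the starter policy above: no trusted-device attestation means no credential, credentials are ephemeral and scoped to one task's tools, the governor refuses deletes outright, requires a human for production writes, and every decision lands in an audit trail that records who or what acted.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample: identities the attestation step trusts, keyed by a
# hypothetical hardware-bound certificate fingerprint (not a real value).
TRUSTED_DEVICE_FINGERPRINTS = {"sha256:CONSTRUCTED-trusted-build-host"}

AUDIT_LOG = []  # every issuance and tool-call decision is appended here


@dataclass
class TaskCredential:
    task: str
    allowed_tools: frozenset
    expires_at: float
    token: str


def attest_device(fingerprint):
    """Stand-in for device attestation: only a known hardware-bound identity passes."""
    return fingerprint in TRUSTED_DEVICE_FINGERPRINTS


def issue_task_credential(task, allowed_tools, device_fingerprint, ttl_s=300):
    """Ephemeral, task-scoped credential; refused outright without a trusted device."""
    if not attest_device(device_fingerprint):
        AUDIT_LOG.append({"event": "credential_denied", "task": task, "device": device_fingerprint})
        return None
    cred = TaskCredential(task, frozenset(allowed_tools), time.time() + ttl_s, secrets.token_hex(16))
    AUDIT_LOG.append({"event": "credential_issued", "task": task, "tools": sorted(allowed_tools)})
    return cred


def govern_tool_call(cred, tool, args, human_approved=False):
    """Decide allow / deny / needs_human for one tool call and record the decision."""
    if cred is None or time.time() > cred.expires_at:
        decision = "deny:no_valid_credential"
    elif tool not in cred.allowed_tools:
        decision = "deny:out_of_scope"         # credential covers this task's tools only
    elif tool.startswith("delete_"):
        decision = "deny:destructive"          # starting policy: the agent never deletes
    elif args.get("env") == "production" and tool.startswith("write_") and not human_approved:
        decision = "needs_human"               # production writes need a human in the loop
    else:
        decision = "allow"
    AUDIT_LOG.append({"event": "tool_call", "task": cred.task if cred else None,
                      "tool": tool, "args": args, "decision": decision, "actor": "agent"})
    return decision
```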
Malone made a related point about hardware-bound credentials: they solve a usability problem as much as a security one. Because the device authenticates itself continuously and cryptographically, session lifetimes can be extended — users don’t have to re-authenticate as often. Snap is a public example of a company that deployed Smallstep’s platform and used that to reduce login friction while actually improving security posture.
An Infrastructure Problem, Not Just a Policy One
Agentic AI is a shift from humans pointing and clicking — and serving as the ultimate arbiters of judgment — to agents making calls on our behalf. The security infrastructure for that shift largely doesn’t exist yet. Livingstone put it in terms of missing primitives: “The web actually doesn’t have an undo button,” he said. “We are missing very simple primitives to enable some of these operations, because we relied on human judgment for the software design for the last 30 years.”
Malone’s read on the device identity side is similar — the pieces needed to do this well have only recently come together. TPMs are now standard in modern hardware. Apple natively supports ACME-DA. The protocol work is done. What hasn’t kept pace is organizational awareness that a device identity program deserves the same attention as a user identity program. “Every security org we talk to is like, thank you for finally doing the thing we’ve all wanted for 20 years,” he told me.
The liability questions, the audit trail gaps, the access controls that were never scoped for machine actors — those aren’t problems a product launch resolves. But they are problems that need to be on the security roadmap, whether organizations are ready to admit it or not.