Pieter Kasselman
March 26, 2025
From securing microservices to identifying AI agents, IETF 122 was packed with major developments in workload identity. New standards are emerging that will shape how software authenticates, authorizes, and integrates across clouds and domains. If you care about the future of zero trust, workload identity, or AI on the web — this one’s for you.
Standards form the backbone of the world’s identity infrastructure. Standards define the interfaces, data formats, usage patterns and protocols we need to ensure the right human, workload or machine has access to the right resources, at the right time, and for the right reason.
So how do we do that? It starts by ensuring every workload—whether a basic batch job or a complex AI agent—has an identity for authentication and authorization.
Using standards to do this gives us clear, interoperable interfaces so workloads—AI or otherwise—can securely authenticate, get authorized, and access data across diverse environments at scale. Standards capture industry expertise, letting everyone benefit from proven best practices for securing workload identities. Standards make everything better!
Last week, the Internet Engineering Task Force (IETF) met in Bangkok for IETF 122 to bring together engineers, researchers and technologists from around the world to debate, explore and develop the standards – including identity standards – that the internet is built on.
The Workload Identity in Multi-Service Environments (WIMSE) working group was specifically chartered a year ago to develop workload identity standards. In its first year it evaluated numerous proposals and adopted three working group drafts.
But wait, there's more! I'm excited about the new WIMSE Credential Exchange draft that outlines patterns and approaches for using a workload identity credential to obtain additional credentials to interact with resources and systems. This is a critical integration capability. It is the glue needed to connect modern workload identity infrastructure with existing identity systems.
The OAuth working group always has a packed agenda, and IETF 122 was no exception. OAuth is a broadly adopted authorization delegation protocol. It has an extended protocol specification family spanning well beyond the IETF, totalling more than 100 documents! Two new standards currently under development will have an important impact in securing workload identity, especially when it comes to interacting with OAuth systems:
In addition to the above, the following work in OAuth is on my watchlist:
Post-Quantum Cryptography (PQC) has been a theme over the last 4-5 years at the IETF. PQC adoption goes well beyond updating the standards. Deploying these new algorithms on the timescales published by the National Institute of Standards and Technology (NIST) will require massive change management programs. The work continues for this once-in-a-generation shift in cryptographic capabilities.
No gathering of technologists would be complete without AI as a topic of conversation. Two meetings with AI as a theme stood out at IETF 122.
One thing that stood out was how essential it is that AI workloads can be identified and authenticated. AIs will be interacting with systems that were designed for human end-users (web sites) and engineers (APIs), and they will do so in ways that are unexpected. To manage the risk from these unexpected usage patterns, three things are needed:
Authentication and fine-grained authorization are not new, but AI will make them indispensable, and it is encouraging to see the early engagement in the IETF.
IETF 122 is behind us. I can't wait for IETF 123 to see the progress being made on these critical standards for workload identity practitioners.
Pieter Kasselman
Workload Identity Enthusiasts, WIMSE Chair, Director of Product Engineering at SPIRL