Access Reviews Are Broken: How to Fix Them
Access reviews weren’t meant to be painful, tedious, or something people dread seeing in their inbox. The idea was simple: periodically check who has access to what, and confirm whether they still need it. Remove what’s no longer necessary. Reduce risk. Keep auditors happy. But somewhere along the way, a good security practice became an overloaded checkbox. The result? A compliance checkbox, not governance. Reviews get bulk-approved. Entitlements pile up. And nobody really trusts the system. ...
UTCP, MCP, and the Missing Identity Layer
Tool calling is easy. Trust isn’t. Every new wave of infrastructure brings its own version of the “simpler protocol.” With AI agents, that moment arrived fast — the Universal Tool Calling Protocol (UTCP) has started making noise as the next big thing. Its promise sounds familiar: no wrapper servers, no middleware, no proxy hops. Agents can “just call” APIs, CLIs, or services directly using a JSON manual. Elegant. Minimal. Free of the heavy machinery that came with the Model Context Protocol (MCP). ...
Making Sense of Identity’s Alphabet Soup: ISPM, IVIP, and ITDR
The identity security landscape is evolving fast. For years, we focused on finding and fixing vulnerabilities like leaked credentials, misconfigurations, and exposures. But the next phase of identity maturity is not just about fixing what is broken; it is about seeing clearly. Visibility has become the new foundation for control. Today, three layers are redefining how modern enterprises secure identity: ISPM, IVIP, and ITDR. Together, they provide posture, visibility, and response — the three pillars of a complete identity defense strategy. ...
Beyond IAM: Architecting Identity for Workloads and AI Agents
If you missed my last post on what makes something an identity, start there — it sets the groundwork. This piece goes deeper: how to architect identity as the control plane for enterprises running cloud workloads and autonomous agents. This isn’t theory. It’s about production identity architectures that handle millions of authentications, thousands of microservices, and the new security challenges of AI agents. Whether you’re securing traditional enterprise apps, cloud-native services, or agent-driven workflows, the patterns here offer a roadmap — from where most organizations are today to where identity is heading. ...
Identity Security for AI (MCP) Agents: A Four-Layer Continuous Authorization Model
I think therefore IAM. OAuth validates requests. Agents create sequences. The gap between the two is where risk lives. Most teams building with the Model Context Protocol treat it like a normal API: put OAuth in front, validate a token, move on. That won’t work. OAuth can confirm that a caller is authenticated and has some permissions. What it can’t do is prevent an autonomous agent from chaining multiple legitimate tools in a way that produces an unauthorized outcome. Each individual call might be allowed, but the combined action — the emergent behavior — is outside what the system was designed to allow. ...