<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>vnceb</title>
    <link>https://www.20-100.net/</link>
    <description>Vincent Brousseau · Enterprise Architect, IAM &amp; Cybersecurity</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 14 Apr 2026 00:00:00 &#43;0000</lastBuildDate>
    <atom:link href="https://www.20-100.net/index.xml" rel="self" type="application/rss+xml" />
    
    <item>
      <title>The End of NTLM and the Kerberos Reckoning</title>
      <link>https://www.20-100.net/research/the-end-of-ntlm-and-the-kerberos-reckoning/</link>
      <pubDate>Tue, 14 Apr 2026 00:00:00 &#43;0000</pubDate>
      <guid>https://www.20-100.net/research/the-end-of-ntlm-and-the-kerberos-reckoning/</guid>
      <description>&lt;p&gt;&lt;strong&gt;Independent Research Note | April 2026&lt;/strong&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;bottom-line&#34;&gt;Bottom Line&lt;/h2&gt;
&lt;p&gt;Microsoft is dismantling NTLM, the 30-year-old authentication protocol still used by 64% of Active Directory accounts, through a three-phase deprecation plan that will disable it by default in the next major Windows Server release. This transition represents the most significant shift in Windows enterprise authentication since Kerberos replaced NTLM as the default protocol in Windows 2000. Organizations that delay migration face escalating risk: at least 10 actively exploited NTLM CVEs were disclosed in 2024-2025 alone, and identity-based attacks became the leading intrusion vector in 2024, accounting for &lt;strong&gt;30% of all breaches&lt;/strong&gt; according to IBM X-Force. Meanwhile, Kerberos itself faces a parallel crisis. Newly discovered attack techniques like BadSuccessor and Golden dMSA exploit the very features Microsoft designed to replace legacy weaknesses, while Kerberoasting remains the dominant credential-theft technique across enterprise environments.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;key-findings&#34;&gt;Key Findings&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Microsoft formally deprecated all NTLM versions in June 2024 and published a three-phase deprecation roadmap on January 29, 2026.&lt;/strong&gt; NTLMv1 has been fully removed from Windows 11 24H2 and Windows Server 2025. NTLMv2 will be disabled by default in the next major Windows Server LTSC release. Complete removal has no announced date.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;At least 10 actively exploited NTLM CVEs were disclosed in 2024-2025, including two CVSS 9.8 vulnerabilities.&lt;/strong&gt; The patch-bypass-repatch cycle around CVE-2025-24054 demonstrates that NTLM&amp;rsquo;s architectural weaknesses cannot be incrementally fixed. Cymulate bypassed Microsoft&amp;rsquo;s patches twice, achieving zero-click credential leakage on fully patched systems.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Kerberoasting activity increased 583% year-over-year&lt;/strong&gt; (CrowdStrike), and new attack techniques targeting Windows Server 2025 features designed to replace NTLM (BadSuccessor, Golden dMSA) show that Kerberos itself requires significant hardening.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;64% of Active Directory user accounts still regularly authenticate with NTLM&lt;/strong&gt; (Silverfort), and Gartner estimates over 50% of organizations actively use it. Enterprise migration typically requires 18-22 months. The gap between deprecation intent and operational reality is substantial.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;The passwordless authentication market has reached a tipping point.&lt;/strong&gt; FIDO2 passkeys achieve a 93% login success rate versus 63% for traditional authentication. Microsoft made passkeys the default sign-in for all new accounts in May 2025. The market is valued at $18.8-24.1 billion and projected to reach $55-90 billion by 2030-2035.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Nation-state actors weaponize NTLM vulnerabilities within days of disclosure.&lt;/strong&gt; CVE-2025-24054 was exploited eight days after patch release, with campaigns targeting Polish and Romanian government institutions traced to infrastructure previously linked to APT28 (Fancy Bear). Volt Typhoon, Scattered Spider, and Wizard Spider all incorporate NTLM exploitation into their toolkits.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;forward-looking-assumptions&#34;&gt;Forward-Looking Assumptions&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By mid-2027, Microsoft will disable NTLMv2 by default in the next Windows Server LTSC release,&lt;/strong&gt; forcing organizations that have not migrated into explicit re-enablement through policy. Organizations without NTLM audit data by Q4 2026 will face emergency remediation timelines.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Through 2028, Kerberoasting will remain the dominant Active Directory credential-theft technique,&lt;/strong&gt; despite RC4 deprecation efforts. Enterprises with mixed Windows Server 2019/2025 environments will encounter encryption type mismatches that slow AES-only enforcement.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2027, at least one major breach attributed to a BadSuccessor or Golden dMSA attack will force Microsoft to reclassify dMSA attack surface from &amp;ldquo;moderate&amp;rdquo; to &amp;ldquo;critical&amp;rdquo; severity.&lt;/strong&gt; Akamai found 91% of environments had non-admin users with sufficient permissions to execute BadSuccessor. The attack surface is too broad for the current severity classification to hold.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2029, FIDO2/passkeys will be the default enterprise authentication method for over 50% of Fortune 500 companies.&lt;/strong&gt; The combination of Microsoft, Google, and Apple platform support, 87% enterprise deployment or planning rates (FIDO Alliance), and regulatory pressure from CISA and NIST will drive adoption past the tipping point.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Through 2027, the most common cause of NTLM migration failure will be hidden NTLM fallback from misconfigured SPNs and IP-based access patterns,&lt;/strong&gt; not legacy application hardcoding. Phase 1 auditing will reveal NTLM dependencies that organizations did not know existed, extending migration timelines beyond initial estimates.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;analysis&#34;&gt;Analysis&lt;/h2&gt;
&lt;h3 id=&#34;1-microsofts-three-phase-deprecation-roadmap&#34;&gt;1. Microsoft&amp;rsquo;s Three-Phase Deprecation Roadmap&lt;/h3&gt;
&lt;p&gt;Microsoft formally deprecated all NTLM versions (LANMAN, NTLMv1, and NTLMv2) in &lt;strong&gt;June 2024&lt;/strong&gt;, adding them to the Windows Deprecated Features list. NTLMv1 was not just deprecated but &lt;strong&gt;fully removed&lt;/strong&gt; from Windows 11 24H2 and Windows Server 2025. NTLMv2 remains functional but receives no active development. On January 29, 2026, Microsoft published a definitive roadmap with three phases.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Phase 1 (available now)&lt;/strong&gt; delivers enhanced NTLM auditing in Windows Server 2025 and Windows 11 24H2. New event IDs (4020-4033) capture which accounts use NTLM, which processes trigger it, why Kerberos failed, and the NTLM version negotiated. This visibility layer is the critical first step. Most organizations cannot enumerate their NTLM dependencies without it.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Phase 2 (H2 2026)&lt;/strong&gt; addresses the technical barriers that force NTLM fallback. Two new capabilities ship: &lt;strong&gt;IAKerb&lt;/strong&gt; (Initial and Pass Through Authentication Using Kerberos), which enables Kerberos authentication without direct domain controller connectivity, and &lt;strong&gt;Local KDC&lt;/strong&gt;, which provides Kerberos for local account authentication. Microsoft estimates these cover roughly 5% of remaining NTLM usage, specifically the hardest cases involving workgroup-joined systems, IP-based access, and disconnected scenarios.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Phase 3 (next major Windows Server LTSC release)&lt;/strong&gt; will &lt;strong&gt;disable network NTLM by default&lt;/strong&gt;. Applications requiring NTLM must explicitly re-enable it through policy. Microsoft has been careful to clarify: &lt;em&gt;&amp;ldquo;Disabling NTLM by default does not mean completely removing NTLM from Windows yet.&amp;rdquo;&lt;/em&gt; Complete removal has no announced date. The &lt;code&gt;BlockNTLMv1SSO&lt;/code&gt; registry key will flip from audit to enforce mode by &lt;strong&gt;October 2026&lt;/strong&gt;, and &lt;strong&gt;RC4 encryption for Kerberos&lt;/strong&gt;, the cryptographic weakness enabling Kerberoasting, will be disabled by default for new domains in Q1 2026, with broader enforcement by mid-2026.&lt;/p&gt;
&lt;h3 id=&#34;2-kerberos-under-siege-old-attacks-persist-new-ones-emerge&#34;&gt;2. Kerberos Under Siege: Old Attacks Persist, New Ones Emerge&lt;/h3&gt;
&lt;p&gt;While Microsoft positions Kerberos as NTLM&amp;rsquo;s successor, the protocol faces its own expanding attack surface. &lt;strong&gt;Kerberoasting&lt;/strong&gt; remains the single most impactful Active Directory attack technique. CrowdStrike documented a &lt;strong&gt;583% year-over-year increase&lt;/strong&gt; in Kerberoasting activity, and the Ascension Health ransomware breach in May 2024, which exposed 5.6 million patient records, was enabled by RC4 support in Kerberos. That breach prompted a U.S. Senator to demand an FTC investigation into Microsoft&amp;rsquo;s security defaults.&lt;/p&gt;
&lt;p&gt;The traditional attack taxonomy (Golden Tickets, Silver Tickets, Pass-the-Ticket, AS-REP Roasting) remains fully relevant. But researchers have introduced increasingly stealthy variants that challenge conventional detection:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Diamond Tickets&lt;/strong&gt; modify a legitimately issued TGT by decrypting it with the KRBTGT key, altering the PAC to add privileged group memberships, and re-encrypting. Because the ticket has a corresponding AS-REQ in KDC logs, it evades detections that look for forged tickets without authentication history.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sapphire Tickets&lt;/strong&gt; go further, replacing the PAC entirely with a legitimate PAC obtained through S4U2Self+U2U extensions. The resulting ticket contains no forged data whatsoever, making detection through PAC inspection effectively impossible.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;BadSuccessor&lt;/strong&gt; (disclosed by Akamai, April 2025) exploits Delegated Managed Service Accounts (dMSA), a Windows Server 2025 feature designed to mitigate Kerberoasting. An attacker with CreateChild permissions on any OU can create a dMSA that impersonates a Domain Admin. Akamai found &lt;strong&gt;91% of environments&lt;/strong&gt; had non-admin users with sufficient permissions to execute this attack. Microsoft classified it as &amp;ldquo;moderate severity&amp;rdquo; and released a patch in August 2025.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Golden dMSA&lt;/strong&gt; (Semperis, July 2025) enables an attacker who obtains the KDS root key to brute-force valid dMSA passwords offline with only ~1,024 possible combinations, providing persistent access to all managed service accounts in the forest with no expiration.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The most critical Kerberos CVE of this period was &lt;strong&gt;CVE-2024-43639 (CVSS 9.8)&lt;/strong&gt;, an unauthenticated remote code execution vulnerability in the Windows KDC Proxy caused by an integer overflow. It required no user interaction and affected Windows Server 2012 through 2025. Microsoft&amp;rsquo;s &lt;strong&gt;PAC validation enforcement&lt;/strong&gt;, completed in April 2025 after a multi-year rollout, represents the most significant defensive improvement, making Golden and Silver Ticket attacks harder to execute undetected.&lt;/p&gt;
&lt;h3 id=&#34;3-ntlms-2024-2025-cve-crisis&#34;&gt;3. NTLM&amp;rsquo;s 2024-2025 CVE Crisis&lt;/h3&gt;
&lt;p&gt;The volume and severity of NTLM vulnerabilities disclosed in 2024-2025 has been extraordinary, demonstrating that NTLM&amp;rsquo;s fundamental design cannot be patched into safety.&lt;/p&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;CVE&lt;/th&gt;
          &lt;th&gt;CVSS&lt;/th&gt;
          &lt;th&gt;Type&lt;/th&gt;
          &lt;th&gt;Exploited in Wild&lt;/th&gt;
          &lt;th&gt;Key Detail&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2024-21410&lt;/td&gt;
          &lt;td&gt;9.8&lt;/td&gt;
          &lt;td&gt;Exchange NTLM relay&lt;/td&gt;
          &lt;td&gt;Yes&lt;/td&gt;
          &lt;td&gt;Prompted default EPA enablement&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2024-43451&lt;/td&gt;
          &lt;td&gt;6.5&lt;/td&gt;
          &lt;td&gt;NTLMv2 hash disclosure (zero-day)&lt;/td&gt;
          &lt;td&gt;Yes&lt;/td&gt;
          &lt;td&gt;Used by Russian-linked UAC-0194, BlindEagle, Head Mare&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2025-21311&lt;/td&gt;
          &lt;td&gt;&lt;strong&gt;9.8&lt;/strong&gt;&lt;/td&gt;
          &lt;td&gt;NTLMv1 privilege escalation&lt;/td&gt;
          &lt;td&gt;Automatable&lt;/td&gt;
          &lt;td&gt;CISA flagged &amp;ldquo;total technical impact&amp;rdquo;&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2025-24054&lt;/td&gt;
          &lt;td&gt;6.5&lt;/td&gt;
          &lt;td&gt;Hash disclosure via .library-ms&lt;/td&gt;
          &lt;td&gt;Yes&lt;/td&gt;
          &lt;td&gt;Exploited 8 days after patch; CISA KEV&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2025-33073&lt;/td&gt;
          &lt;td&gt;High&lt;/td&gt;
          &lt;td&gt;NTLM reflection to SYSTEM&lt;/td&gt;
          &lt;td&gt;PoC available&lt;/td&gt;
          &lt;td&gt;Any domain user to SYSTEM on hosts without SMB signing&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2025-59214&lt;/td&gt;
          &lt;td&gt;Medium&lt;/td&gt;
          &lt;td&gt;Third bypass of hash disclosure patch&lt;/td&gt;
          &lt;td&gt;Demonstrated&lt;/td&gt;
          &lt;td&gt;Zero-click on fully patched systems&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;strong&gt;CVE-2025-24054&lt;/strong&gt; illustrates the problem&amp;rsquo;s urgency. Patched on March 11, 2025, it was exploited in the wild by March 19, just &lt;strong&gt;eight days&lt;/strong&gt; later. Check Point Research documented approximately 10 campaigns by March 25, targeting Polish and Romanian government institutions. SMB hash-collection servers were traced to Russia, Bulgaria, Netherlands, Australia, and Turkey, with one IP previously linked to &lt;strong&gt;APT28 (Fancy Bear)&lt;/strong&gt;. CISA added it to the Known Exploited Vulnerabilities catalog with a mandatory remediation deadline.&lt;/p&gt;
&lt;p&gt;Cymulate Research Labs discovered that Microsoft&amp;rsquo;s patches for CVE-2025-24054 could be &lt;strong&gt;bypassed twice&lt;/strong&gt; (CVE-2025-50154 and CVE-2025-59214), with the latter achieving zero-click NTLM credential leakage on fully patched systems. This pattern of patch-bypass-repatch underscores that NTLM&amp;rsquo;s architectural weaknesses cannot be incrementally fixed. They require protocol elimination.&lt;/p&gt;
&lt;p&gt;Nation-state actors and ransomware groups actively weaponize these weaknesses. &lt;strong&gt;Volt Typhoon&lt;/strong&gt;, &lt;strong&gt;APT28&lt;/strong&gt;, &lt;strong&gt;Scattered Spider&lt;/strong&gt;, and &lt;strong&gt;Wizard Spider&lt;/strong&gt; all incorporate NTLM exploitation into their toolkits. &lt;strong&gt;90% of ransomware breaches&lt;/strong&gt; involve RDP abuse (Sophos), and groups like ALPHV/BlackCat, Akira, and RansomHub routinely leverage NTLM-based lateral movement to escalate from initial access to domain compromise.&lt;/p&gt;
&lt;h3 id=&#34;4-enterprise-migration-barriers&#34;&gt;4. Enterprise Migration Barriers&lt;/h3&gt;
&lt;p&gt;Despite the clear threat, enterprise NTLM elimination remains a significant operational challenge. Silverfort&amp;rsquo;s research found that &lt;strong&gt;64% of Active Directory user accounts regularly authenticate with NTLM&lt;/strong&gt;, and Gartner estimates over &lt;strong&gt;50% of organizations&lt;/strong&gt; still actively use it.&lt;/p&gt;
&lt;p&gt;The primary obstacles are well-documented. Legacy applications (ERP systems, HR platforms, and industrial control software built before the 2000s) often hardcode NTLM with no Kerberos support. Third-party firmware in printers, network devices, and IoT equipment frequently embeds NTLMv1 with no upgrade path. Hidden NTLM fallback occurs when Kerberos fails silently due to misconfigured SPNs, IP-based access patterns, or missing DNS entries. Cross-forest trust scenarios and Exchange hybrid migrations add further complexity. Mandiant&amp;rsquo;s January 2026 release of &lt;strong&gt;8.6 terabytes of NTLMv1 rainbow tables&lt;/strong&gt;, enabling hash recovery in under 12 hours on $600 hardware, was a deliberate forcing function designed to eliminate any remaining justification for NTLMv1 retention.&lt;/p&gt;
&lt;p&gt;Organizations following Microsoft&amp;rsquo;s recommended migration path typically plan &lt;strong&gt;18-22 months&lt;/strong&gt; for full NTLM elimination. The most heavily affected industries include &lt;strong&gt;manufacturing&lt;/strong&gt; (50% of observed NTLM exploitation targets per Kaspersky telemetry), &lt;strong&gt;healthcare&lt;/strong&gt; (the Ascension breach being the most prominent case), &lt;strong&gt;government&lt;/strong&gt; (CISA assessments identify credential access as the most prevalent attack against federal agencies), and &lt;strong&gt;financial services&lt;/strong&gt; (where strict compliance requirements both motivate and complicate migration timelines).&lt;/p&gt;
&lt;h3 id=&#34;5-vendor-landscape&#34;&gt;5. Vendor Landscape&lt;/h3&gt;
&lt;p&gt;The NTLM deprecation has catalyzed a competitive vendor landscape spanning detection, migration, governance, and replacement.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Microsoft&lt;/strong&gt; is driving the transition most aggressively, with Entra ID as the centerpiece. Microsoft Entra Private Access (GA July 2024) acts as an OAuth/OIDC-to-Kerberos bridge, layering Conditional Access and MFA on legacy NTLM/Kerberos applications without code changes. Entra Kerberos (Cloud Kerberos Trust) turns Entra ID into a cloud-based KDC, enabling passwordless SSO to on-premises resources and is now the recommended deployment model for Windows Hello for Business. Windows Server 2025 ships with &lt;strong&gt;EPA enabled by default&lt;/strong&gt; for AD CS and LDAP, &lt;strong&gt;Credential Guard enabled by default&lt;/strong&gt;, and mandatory SMB signing.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Silverfort&lt;/strong&gt; has emerged as the most prominent vendor specifically addressing NTLM security, offering the only solution that extends MFA to NTLM and Kerberos authentications without agents. Their research discovered that on-premises applications can bypass the Group Policy designed to block NTLMv1, creating what they called a &amp;ldquo;false sense of protection.&amp;rdquo; Gartner&amp;rsquo;s May 2025 report &amp;ldquo;A Well-Run Active Directory Requires Strong Identity Controls&amp;rdquo; named Silverfort as an example vendor in three categories.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;CrowdStrike&amp;rsquo;s Falcon Identity Protection&lt;/strong&gt; performs real-time inspection of NTLM, Kerberos, and LDAP traffic, with specialized detection for relay attacks, Kerberoasting, and Golden/Silver Ticket usage. Their acquisition of Preempt Security in 2020, whose researchers discovered critical NTLM bypass vulnerabilities, underpins deep protocol expertise.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Semperis&lt;/strong&gt; focuses on AD resilience and recovery, with Directory Services Protector monitoring for NTLM-related indicators and a new Service Account Protection Essential (August 2025) specifically targeting Kerberoasting-vulnerable service accounts. Their researchers discovered the Golden dMSA attack and coordinated multiple CVE disclosures with Microsoft.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Cisco Duo&lt;/strong&gt; made a significant competitive entry in 2025-2026, extending MFA directly to all Active Directory authentications, including CLI and legacy applications using Kerberos and NTLM. Cisco Identity Intelligence provides deep posture management, and Cisco Talos found nearly half of identity-based attacks in 2024 focused on Active Directory.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Delinea&lt;/strong&gt; explicitly added Kerberos authentication support to Connection Manager in Q1 2025, noting it &amp;ldquo;mitigates risks associated with NTLM, including Pass-the-Hash, DCSync, NTLM relay.&amp;rdquo; &lt;strong&gt;Okta&amp;rsquo;s&lt;/strong&gt; Agentless Desktop SSO explicitly requires Kerberos tickets; NTLM tokens cause authentication failure by design. &lt;strong&gt;Ping Identity&lt;/strong&gt; and &lt;strong&gt;SailPoint&lt;/strong&gt; operate at the federation and governance layers respectively, providing standards-based SSO and identity lifecycle management that inherently bypass NTLM.&lt;/p&gt;
&lt;h3 id=&#34;6-modern-alternatives-reaching-enterprise-maturity&#34;&gt;6. Modern Alternatives Reaching Enterprise Maturity&lt;/h3&gt;
&lt;p&gt;The authentication stack replacing NTLM and password-based Kerberos is coalescing around three pillars: passwordless credentials, cloud identity platforms, and Zero Trust architecture.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;FIDO2 and passkeys reached a tipping point in 2025.&lt;/strong&gt; The FIDO Alliance reports that 87% of US and UK enterprises are deploying or planning passkey deployment for employee sign-ins. Passkeys achieve a &lt;strong&gt;93% login success rate&lt;/strong&gt; versus 63% for traditional authentication. Microsoft made passkeys the default sign-in for all new Microsoft accounts in May 2025, driving 120% growth in passkey authentications. Okta&amp;rsquo;s data shows phishing-resistant passwordless authentication grew 63% year-over-year, and workforce MFA adoption reached 70%.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Certificate-based authentication&lt;/strong&gt; serves regulated environments requiring digital signatures, email encryption, and high-assurance identity proofing. Microsoft Entra CBA is now generally available, enabling X.509 certificate authentication directly to Entra ID without AD FS and classified as phishing-resistant MFA by both Microsoft and CISA. Federal agencies using PIV/CAC smart cards can authenticate directly to cloud resources, removing a lateral movement path through Active Directory.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Zero Trust architecture&lt;/strong&gt; provides the strategic framework driving NTLM elimination. CISA&amp;rsquo;s Zero Trust Maturity Model v2.0 requires phishing-resistant MFA at the &amp;ldquo;Advanced&amp;rdquo; level and continuous identity validation at the &amp;ldquo;Optimal&amp;rdquo; level, both incompatible with NTLM&amp;rsquo;s implicit trust model. &lt;strong&gt;OMB M-22-09&lt;/strong&gt; mandates federal agencies achieve Zero Trust objectives including phishing-resistant MFA. Internationally, the EU&amp;rsquo;s NIS2 Directive, eIDAS 2.0 (requiring digital identity wallets by 2026), and PCI DSS 4.0 all strengthen authentication requirements. Eighty-one percent of companies are pursuing some form of Zero Trust strategy.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;recommendations-for-security-and-risk-management-leaders&#34;&gt;Recommendations for Security and Risk Management Leaders&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Deploy Phase 1 NTLM auditing immediately.&lt;/strong&gt; Windows Server 2025 and Windows 11 24H2 provide new event IDs (4020-4033) that map all NTLM dependencies. Without this data, migration planning is guesswork. Set a 90-day deadline for complete NTLM dependency inventory.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Enforce NTLMv2-only and block NTLMv1 now.&lt;/strong&gt; Set LmCompatibilityLevel=5 across all systems. NTLMv1 is already removed from current operating systems. Mandiant&amp;rsquo;s rainbow tables make any remaining NTLMv1 usage an immediate compromise risk.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Begin RC4 deprecation for Kerberos as the single highest-impact defensive action.&lt;/strong&gt; Kerberoasting depends on RC4. Disable RC4 for new domains immediately; plan AES-only enforcement for existing domains by mid-2026. Test thoroughly in mixed Windows Server 2019/2025 environments where encryption type mismatches cause authentication failures.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Enable EPA, SMB signing, and Credential Guard on all servers.&lt;/strong&gt; These are the three controls that most effectively mitigate NTLM relay, pass-the-hash, and credential theft. Windows Server 2025 enables them by default; backport to older systems through Group Policy.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Block NTLM progressively, starting with domain controllers and certificate authorities.&lt;/strong&gt; Add privileged accounts to the Protected Users group. Use the Negotiate package instead of explicit NTLM calls (often a one-line code change). Plan 18-22 months for full domain-wide NTLM blocking.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Audit dMSA permissions immediately.&lt;/strong&gt; Akamai found 91% of environments have non-admin users with sufficient permissions to execute the BadSuccessor attack. Restrict CreateChild permissions on OUs and monitor dMSA creation events until Microsoft&amp;rsquo;s patch is widely deployed.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Invest in phishing-resistant authentication infrastructure.&lt;/strong&gt; FIDO2 passkeys and certificate-based authentication through Entra ID are the long-term replacements for password-based protocols. Begin pilot deployments now; align with NIST SP 800-63B-4 requirements for AAL3 hardware-based authenticators.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Block outbound SMB (TCP 445) at the network perimeter.&lt;/strong&gt; This prevents NTLM hash exfiltration to attacker-controlled servers, the technique used in CVE-2025-24054 campaigns. This is a low-effort, high-impact network control.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;market-outlook&#34;&gt;Market Outlook&lt;/h2&gt;
&lt;p&gt;The NTLM deprecation is creating distinct market dynamics across three vendor categories. Identity protection vendors (Silverfort, CrowdStrike, Semperis) are best positioned in the near term because they address the immediate operational challenge: detecting and controlling NTLM usage during the multi-year migration period. These vendors have a finite window of relevance tied to NTLM&amp;rsquo;s lifecycle, but the 18-22 month migration timeline and the long tail of legacy environments means that window extends through at least 2029.&lt;/p&gt;
&lt;p&gt;Microsoft holds the strongest structural position. Entra ID, IAKerb, Local KDC, and the Windows Server 2025 security defaults form a coherent stack that addresses both the deprecation path and the replacement architecture. Organizations heavily invested in Microsoft infrastructure will find the migration path most natural, though multi-cloud and hybrid environments will require supplementary tooling.&lt;/p&gt;
&lt;p&gt;The passwordless authentication market ($18.8-24.1 billion, projected to $55-90 billion by 2030-2035) reflects the scale of the broader transition away from password-based protocols. FIDO2/passkey vendors, cloud identity platforms, and Zero Trust architecture providers are the long-term beneficiaries. The organizations that treat NTLM elimination as a compliance checkbox rather than an architectural shift will find themselves repeatedly patching symptoms while the underlying protocol remains a liability.&lt;/p&gt;
&lt;p&gt;The honest assessment: NTLM elimination is operationally harder than any vendor marketing suggests, and Kerberos hardening introduces its own risks. But the alternative, maintaining a protocol with a demonstrated pattern of unpatchable vulnerabilities while nation-state actors exploit them within days, is no longer defensible.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;key-sources&#34;&gt;Key Sources&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Microsoft documentation:&lt;/strong&gt; NTLM Deprecation Roadmap (January 29, 2026); Windows Server 2025 Security Defaults; IAKerb and Local KDC announcements; Entra Private Access GA (July 2024); Entra Kerberos Cloud Trust documentation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability research:&lt;/strong&gt; Check Point Research CVE-2025-24054 analysis (March 2025); Cymulate Research Labs CVE-2025-50154 and CVE-2025-59214 bypass disclosures; Akamai BadSuccessor disclosure (April 2025); Semperis Golden dMSA disclosure (July 2025); Microsoft CVE-2024-43639 advisory.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Threat intelligence:&lt;/strong&gt; CrowdStrike 2025 Global Threat Report (583% Kerberoasting increase); IBM X-Force 2024 Threat Intelligence Index (30% identity-based breaches); Sophos Active Adversary Report (90% RDP abuse in ransomware); Mandiant NTLMv1 rainbow tables release (January 2026); CISA Known Exploited Vulnerabilities catalog.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Industry data:&lt;/strong&gt; Silverfort NTLM usage research (64% of AD accounts); Gartner estimates (50%+ organizations using NTLM); FIDO Alliance enterprise deployment survey (87% deploying or planning); Kaspersky NTLM exploitation telemetry; Ascension Health breach disclosures (May 2024).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Government guidance:&lt;/strong&gt; Five Eyes joint advisory &amp;ldquo;Detecting and Mitigating Active Directory Compromises&amp;rdquo; (September 2024, updated January 2025); NIST SP 800-63B-4 (July 2025); CISA Zero Trust Maturity Model v2.0; CISA phishing-resistant MFA fact sheet; OMB M-22-09.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Vendor sources:&lt;/strong&gt; Silverfort NTLMv1 bypass research; CrowdStrike Falcon Identity Protection; Semperis Directory Services Protector; Cisco Duo AD authentication extension; Delinea Connection Manager Kerberos support (Q1 2025); Gartner &amp;ldquo;A Well-Run Active Directory Requires Strong Identity Controls&amp;rdquo; (May 2025).&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>The Audit Blind Spot: Why Workload Identities Escaped Review and Why That Era Is Ending</title>
      <link>https://www.20-100.net/research/the-audit-blind-spot-why-workload-identities-escaped-review-and-why-that-era-is-ending/</link>
      <pubDate>Wed, 08 Apr 2026 00:00:00 &#43;0000</pubDate>
      <guid>https://www.20-100.net/research/the-audit-blind-spot-why-workload-identities-escaped-review-and-why-that-era-is-ending/</guid>
      <description>&lt;p&gt;&lt;strong&gt;Independent Research Note | April 2026&lt;/strong&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;bottom-line&#34;&gt;Bottom Line&lt;/h2&gt;
&lt;p&gt;Most organizations cannot pass a rigorous audit of their non-human identity (NHI) controls today. PCI DSS 4.0.1, DORA, and NYDFS now explicitly require service account access reviews, inventory, and credential hygiene, yet the average enterprise still has 60% of its AWS IAM access keys older than one year (Datadog, State of Cloud Security 2024). The tooling market is real but immature. The AI agent identity problem is arriving faster than the standards to govern it. Security and risk management leaders who treat NHI governance as a 2027 initiative will find themselves remediating audit findings and incident response gaps simultaneously.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;key-findings&#34;&gt;Key Findings&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;PCI DSS 4.0.1, effective March 2025, introduced the first explicit requirements for application and system account access reviews, password management, and interactive login prevention.&lt;/strong&gt; QSAs report these controls were not explicitly covered in version 3.2.1, catching many organizations unprepared (Intersec Worldwide, Schellman).&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;DORA&amp;rsquo;s Regulatory Technical Standards are the most prescriptive NHI governance mandate globally,&lt;/strong&gt; requiring financial entities to maintain service account inventories with documented owners, purposes, and periodic reviews at the same frequency as human privileged accounts. Early supervisory examinations in the Netherlands, Germany, and Ireland are requesting these artifacts now.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Every quantitative survey on NHI ownership gaps is vendor-sponsored.&lt;/strong&gt; The widely cited &amp;ldquo;51% have no clear NHI ownership&amp;rdquo; figure comes from a CSA/Oasis Security survey (n=383, August 2025) where the vendor co-designed the questionnaire. We found no independent data to contradict it, but the number should be treated as directional, not definitive.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;AI agent identity governance is arriving before the standards to support it.&lt;/strong&gt; NIST&amp;rsquo;s CAISI initiative launched in February 2026 but will not produce finalized standards until 2027 at earliest. Meanwhile, analyst projections suggest 40% of enterprise applications will embed task-specific AI agents by end of 2026.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;The CyberArk-Venafi integration is a sales success but not yet a product reality.&lt;/strong&gt; Venafi appeared in 9 of CyberArk&amp;rsquo;s top 10 deals in Q1 FY2025. But the technology has had three owners in two years (Thoma Bravo, CyberArk, now Palo Alto Networks), and practitioners at Venafi&amp;rsquo;s own Machine Identity Summit in 2024 were still requesting &amp;ldquo;one dashboard, please&amp;rdquo; (Kraft Heinz CISO Ricardo Lafosse).&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Credential rotation remains the most common source of self-inflicted NHI outages.&lt;/strong&gt; Cloudflare suffered a 67-minute global write outage in March 2025 because a rotation script deployed new credentials to dev instead of production. Microsoft paused key rotation after a previous outage, which contributed to the Storm-0558 signing key compromise. Fear of breaking production is the primary reason organizations do not rotate credentials, and it is not irrational.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;forward-looking-assumptions&#34;&gt;Forward-Looking Assumptions&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2028, 60% of enterprises subject to PCI DSS, DORA, or NYDFS will receive audit findings specifically citing inadequate NHI access reviews,&lt;/strong&gt; up from fewer than 15% in 2025. The control language is now unambiguous. Auditor interpretation will catch up to the text.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2027, fewer than 20% of organizations deploying AI agents will have implemented agent-specific identity governance controls.&lt;/strong&gt; Standards lag is the root cause. Most will retrofit governance after incidents or audit pressure, not before.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2029, the standalone NHI governance market will consolidate into three categories: cloud-native platform features (Microsoft, AWS, Google), PAM-adjacent suites (Palo Alto/CyberArk, BeyondTrust), and pure-play NHI posture management for multicloud.&lt;/strong&gt; Two of the five current pure-play vendors (Astrix, Oasis, Clutch, Entro, Token Security) will be acquired or fail to reach scale.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Through 2028, the majority of NHI governance programs will be owned by platform engineering or DevOps teams, not IAM or GRC.&lt;/strong&gt; This is a problem. Platform teams optimize for velocity; they do not naturally build compliance artifacts. Organizations that do not create a federated governance model with IAM policy oversight will fail audits even if their technical controls are adequate.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2027, at least one G7 financial regulator will issue enforcement action explicitly naming NHI management failures as a contributing cause.&lt;/strong&gt; The pattern is set: the OCC&amp;rsquo;s own service account breach (disclosed April 2025), the SEC&amp;rsquo;s SolarWinds victim penalties (October 2024), and DORA&amp;rsquo;s supervisory cycle all point to enforcement, not just guidance.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;analysis&#34;&gt;Analysis&lt;/h2&gt;
&lt;h3 id=&#34;1-the-audit-gap-is-no-longer-interpretive&#34;&gt;1. The Audit Gap Is No Longer Interpretive&lt;/h3&gt;
&lt;p&gt;The compliance landscape shifted in 2024 and 2025. Where frameworks previously used vague language about &amp;ldquo;all accounts&amp;rdquo; or &amp;ldquo;system users,&amp;rdquo; the latest revisions name service accounts, application accounts, and machine identities with specificity that leaves little room for creative interpretation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;PCI DSS 4.0.1&lt;/strong&gt; (effective March 31, 2025) introduced Requirement 7.2.5.1, which requires periodic review of all access by application and system accounts and related access privileges, with management attestation that access remains appropriate. The review frequency is determined through a Targeted Risk Analysis, but the requirement is mandatory. Requirement 8.6.1 goes further: interactive login for system accounts must be prevented unless needed for an exceptional circumstance, and that circumstance must be documented and time-limited. Requirement 8.6.2 prohibits hardcoded passwords in scripts, configuration files, or source code. QSA firm Intersec Worldwide noted these controls were not explicitly covered in version 3.2.1, which left enforcement to individual QSA discretion. That discretion is gone.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;CIS Controls v8.1 Safeguard 5.5&lt;/strong&gt; requires organizations to establish and maintain an inventory of service accounts with department owner, review date, and purpose, and to perform reviews at a minimum quarterly. The CIS Assessment Specification enforces this with a gating metric: if the last review was more than three months ago, the control automatically fails. This is the most operationally specific NHI requirement in any major framework.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;NIST SP 800-53 Rev 5&lt;/strong&gt; addresses NHI through IA-4 (Identifier Management) and IA-5 (Authenticator Management), both of which explicitly list &amp;ldquo;service&amp;rdquo; alongside &amp;ldquo;individual, group, role, and device.&amp;rdquo; Control enhancement IA-5(7) prohibits embedding unencrypted static authenticators in applications or scripts. Control IA-9 (Service Identification and Authentication) requires unique identification and authentication of system services before establishing communications. These are not new to Rev 5, but their presence gives auditors a direct citation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;ISO 27001:2022&lt;/strong&gt; Annex A 5.15 applies access control to &amp;ldquo;humans and non-human entities on a network.&amp;rdquo; Annex A 8.2 restricts privileged access for &amp;ldquo;users, software components, and services.&amp;rdquo; Lead auditors are now interpreting this to include integration accounts, automation scripts, and backup agents (Stuart Barker, ISO 27001 Lead Auditor, HighTable.io).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;SOC 2&lt;/strong&gt; remains principles-based. The AICPA Trust Services Criteria do not include a named service account control. But if an organization&amp;rsquo;s system description states it manages &amp;ldquo;all accounts,&amp;rdquo; auditors will test that claim against service accounts. The trend among Type II auditors is to expand access review testing to include NHIs, particularly under CC6.1 through CC6.3. Organizations whose policies say &amp;ldquo;all accounts&amp;rdquo; but whose reviews cover only human users are creating their own audit findings.&lt;/p&gt;
&lt;p&gt;We believe the Big 4 audit firms are approximately 12 to 18 months behind the control text in their examination rigor. KPMG published &amp;ldquo;The Rise of Machine Identities&amp;rdquo; in 2025, the most visible public statement from any Big 4 firm. A 30-year financial industry veteran writing for the NHI Management Group reported that Big 4 auditor focus on NHI has increased substantially over the last 2-3 years and warned that organizations without NHI programs could face scrutiny soon. But we have not seen standardized Big 4 audit procedures for NHI controls. That gap will close.&lt;/p&gt;
&lt;h3 id=&#34;2-ai-agents-are-a-new-identity-category-and-nobody-is-ready&#34;&gt;2. AI Agents Are a New Identity Category, and Nobody Is Ready&lt;/h3&gt;
&lt;p&gt;AI agents are not service accounts with better marketing. They are fundamentally different: non-deterministic, capable of requesting permission escalation at runtime, able to spawn sub-agents, and designed to operate across multiple systems simultaneously. A service account calls a fixed API with fixed permissions. An AI agent decides at runtime which APIs to call based on reasoning. This distinction matters for identity governance because every assumption about static privilege assignment breaks down.&lt;/p&gt;
&lt;p&gt;SailPoint&amp;rsquo;s 2025 survey found that 80% of organizations using AI agents observed them acting unexpectedly or performing unauthorized actions. That number should alarm anyone building agent-based workflows without identity controls.&lt;/p&gt;
&lt;p&gt;The hyperscalers are responding, but unevenly. &lt;strong&gt;Microsoft Entra Agent ID&lt;/strong&gt; is the most ambitious effort: a new identity primitive for agents with blueprints, an agent registry, conditional access policies, lifecycle governance with human sponsors, and identity protection. It is also still in public preview as of April 2026 and requires a Microsoft 365 Copilot license with Frontier enabled. The vision is right. The production readiness is not there yet. &lt;strong&gt;AWS Bedrock AgentCore Identity&lt;/strong&gt; reached general availability in October 2025 with a more pragmatic, infrastructure-centric approach: existing IAM roles extended with agent-specific attributes, OAuth credential providers for third-party service access, and a Cedar-based policy engine in preview. AWS has no lifecycle governance or sponsor concepts. &lt;strong&gt;Google Cloud&amp;rsquo;s Agent Identity&lt;/strong&gt; (preview) takes the strongest credential security approach with mTLS-bound certificate tokens that prevent replay attacks, but has the least mature governance layer. None of the three platforms fully addresses sub-agent spawning, delegation chain accountability, or cross-platform identity federation.&lt;/p&gt;
&lt;p&gt;The OWASP NHI Top 10, published in 2025, was the first structured risk taxonomy for non-human identities. It ranks Improper Offboarding as the top risk, followed by Secret Leakage and Vulnerable Third-Party NHI. However, it focuses almost entirely on traditional NHIs. The OWASP Top 10 for Agentic Applications, released in December 2025, addresses agent-specific risks but does not connect them to identity governance frameworks. The two lists exist in parallel without integration.&lt;/p&gt;
&lt;p&gt;NIST&amp;rsquo;s CAISI initiative, launched February 2026, is the first U.S. government program dedicated to AI agent standards. It includes an NCCoE concept paper on AI agent identity and authorization that identifies prompt injection and accountability gaps as leading vulnerabilities. But the Request for Information comment period closed in March 2026, listening sessions are scheduled for April 2026, and finalized standards are expected in 2027 at the earliest. The majority of first-generation enterprise agent deployments will go live before any NIST agent-specific standard exists. We do not yet know what good agent identity governance looks like in practice, and honesty about that gap is more useful than a premature framework.&lt;/p&gt;
&lt;h3 id=&#34;3-the-vendor-market-is-funded-fragmented-and-early&#34;&gt;3. The Vendor Market Is Funded, Fragmented, and Early&lt;/h3&gt;
&lt;p&gt;Workload Identity Management appeared as a distinct category in the 2025 Gartner Hype Cycle for Digital Identity, the first year it was recognized. Based on available evidence, the category sits near the Innovation Trigger or early Peak of Inflated Expectations. KuppingerCole published its first Leadership Compass for Non-Human Identity Management in 2025, formally establishing NHIM as a market segment. The analyst recognition is real. The market maturity is not.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Funding is substantial but frequently overstated.&lt;/strong&gt; The &amp;ldquo;$400M+ in H1 2025&amp;rdquo; figure circulating in vendor marketing originates from a Doppler blog post (Security Boulevard, August 2025) and refers to all of 2025, not just H1. It also includes adjacent vendors beyond the NHI pure-plays. Our verified tally of pure-play NHI funding rounds through 2025: Astrix Security Series B ($45M, December 2024, Menlo Ventures), Oasis Security Series A plus extension ($75M total, 2024, Sequoia/Accel), Clutch Security Series A ($20M, 2024, SignalFire), Entro Security Series A ($18M, 2024, Dell Technologies Capital), Token Security Seed plus Series A ($27M total, through January 2025, TLV Partners/Notable Capital), and Defakto (formerly SPIRL) Series B ($30.75M, October 2025, XYZ Venture Capital). That totals approximately &lt;strong&gt;$216M in verified pure-play rounds through 2025.&lt;/strong&gt; Adding Oasis&amp;rsquo;s reported $120M Series B in March 2026 and NHI-adjacent vendors (Aembit, Veza, Natoma) pushes past $400M across 2024 through early 2026. The investment thesis is clear. The &amp;ldquo;$400M in H1 2025&amp;rdquo; framing is marketing.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Practitioner feedback is thin.&lt;/strong&gt; Astrix has the most independent validation: named a Cool Vendor by Gartner (2023), RSA Innovation Sandbox finalist, named sample vendor in the 2025 Hype Cycle, and 15.3% PeerSpot mindshare in NHIM as of March 2026. Gartner Peer Insights reviewers praise detection of leaked tokens and service account discovery but note onboarding could be smoother. Entro Security has the richest Gartner Peer Insights reviews, with users calling it an integral part of their cybersecurity strategy alongside a request for deeper AI-driven analysis capabilities. Oasis Security&amp;rsquo;s PeerSpot mindshare declined from 16.8% to 12.8% year over year, a signal worth watching for a vendor that exited stealth in January 2024. Clutch Security, Token Security, and Natoma have essentially no independent public reviews. &lt;strong&gt;CISOs evaluating these vendors are making bets on roadmaps, not proven production outcomes.&lt;/strong&gt; Discovery and posture management are the proven use cases. Lifecycle management and threat detection are emerging. AI agent governance is aspirational across the board.&lt;/p&gt;
&lt;p&gt;The CyberArk-Venafi story deserves particular scrutiny. CyberArk acquired Venafi for $1.54 billion in late 2024. Sales integration was immediate: Venafi appeared in 9 of CyberArk&amp;rsquo;s top 10 deals in Q1 FY2025. Product integration was targeted for 2025 (CLM plus secrets management) and 2026 (unified human and machine identity platform). Then Palo Alto Networks acquired CyberArk for $25 billion, closing in February 2026. Venafi has now had three owners in two years. Documentation still lives at docs.venafi.com. A Doppler competitive analysis noted that CyberArk&amp;rsquo;s architecture leans toward static identity models, which can be a poor fit for modern environments where machine identities are constantly created and destroyed. We believe the unified machine identity platform vision is now on Palo Alto Networks&amp;rsquo; roadmap, not CyberArk&amp;rsquo;s, and should be evaluated on a 2028 or later timeline.&lt;/p&gt;
&lt;h3 id=&#34;4-credential-rotation-works-in-theory-and-breaks-in-production&#34;&gt;4. Credential Rotation Works in Theory and Breaks in Production&lt;/h3&gt;
&lt;p&gt;The operational reality of NHI governance is less about tool selection and more about a specific, uncomfortable question: do you know what will break if you rotate this credential? Most organizations cannot answer it.&lt;/p&gt;
&lt;p&gt;Datadog&amp;rsquo;s State of Cloud Security 2024, based on telemetry from thousands of organizations, found that 46% of organizations still use unmanaged users with long-lived credentials. Among Google Cloud service accounts, 62% have access keys older than one year. Among AWS IAM users, 60% have keys older than one year. Andrew Krug, Datadog&amp;rsquo;s Head of Security Advocacy, concluded that it is unrealistic to expect long-lived credentials can be securely managed. This is the most authoritative data point available because it is based on actual infrastructure telemetry, not survey self-reporting.&lt;/p&gt;
&lt;p&gt;The fear of rotation-induced outages is well-founded. Cloudflare&amp;rsquo;s March 2025 R2 outage lasted 67 minutes and caused 100% write failures globally because a rotation script omitted the &lt;code&gt;--env production&lt;/code&gt; flag, deploying new credentials to dev while old credentials were deleted from production. Microsoft paused its key rotation process after a previous outage, which contributed to the delay that enabled the Storm-0558 signing key compromise. The Oasis Security team documented a Dropbox incident in 2024 where emergency rotation of an unrotated AD service account caused partial end-user disruption. CyberArk&amp;rsquo;s own 2025 survey (n=1,200, vendor-sourced) found 72% of organizations experienced certificate-related outages in the past 12 months, up from 45% reporting weekly outages compared to 12% in 2022.&lt;/p&gt;
&lt;p&gt;The practitioner consensus, visible across Reddit, security conference talks, and vendor-neutral blogs, follows a consistent failure pattern: an identity is created for an immediate need, permissions are broadened to avoid friction, credentials persist because rotation feels risky, access reviews get rubber-stamped to avoid outages, and nobody is confident enough to remove anything. The CSA blog (February 2026) articulated the structural problem: access reviews were designed to answer a human-centric question about whether a person still needs access. That question does not translate to NHIs without dependency mapping, usage telemetry, and owner accountability.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;SPIFFE/SPIRE&lt;/strong&gt; represents the most credible path to eliminating long-lived secrets for workload authentication. Both are CNCF Graduated projects with named production adopters including Uber, GitHub, Square (Block), and Pinterest. HPE invested heavily in core development through its Scytale acquisition. But Defakto Security states that small-scale deployments take 6 to 12 months and complex deployments require 12 to 24 months with a core team of experts. Legacy systems that cannot speak mTLS remain a hard blocker. Cloud-native workload identity federation (AWS IAM Roles, Azure Workload Identity Federation, GCP Workload Identity) works within a single cloud but fragments across multicloud and hybrid environments. The secure path is clear. The migration path for legacy environments is not.&lt;/p&gt;
&lt;h3 id=&#34;5-nobody-owns-nhi-governance-and-the-surveys-proving-it-are-all-vendor-funded&#34;&gt;5. Nobody Owns NHI Governance, and the Surveys Proving It Are All Vendor-Funded&lt;/h3&gt;
&lt;p&gt;The CSA/Oasis Security survey (January 2026, n=383) found that 51% of organizations reported no clear ownership or accountability for NHI governance. Oasis financed the project and co-designed the questionnaire. A separate CSA/Astrix survey (September 2024, n=818) found that only 15% feel highly confident in preventing NHI attacks and only 20% have formal NHI offboarding processes. Astrix sponsored that survey. CyberArk&amp;rsquo;s 2025 Identity Security Landscape report (n=2,600) found that 88% define &amp;ldquo;privileged user&amp;rdquo; as solely human identities. CyberArk funded it. Entro&amp;rsquo;s 2025 analysis found 97% of NHIs have excessive privileges. Entro is a vendor. The Keeper Security RSAC 2026 survey (n=109) found 76% of NHIs are not governed under privileged access policies. Keeper is a PAM vendor with a convenience sample of 109 conference attendees.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;We found no fully independent, non-vendor-sponsored survey that specifically quantifies NHI governance ownership gaps.&lt;/strong&gt; The closest is the 2021 Ponemon/Keyfactor State of Machine Identity Management report (n=1,162), which used Ponemon&amp;rsquo;s independent methodology but was funded by Keyfactor and focused on certificates and keys rather than NHI governance ownership. The directional finding across all sources is consistent: NHI ownership is fragmented and unclear in most organizations. But the specific percentages should be treated as approximate. This is a data gap the analyst community has not filled.&lt;/p&gt;
&lt;p&gt;In practice, HashiCorp (now IBM) observed that platform teams are often the de facto NHI managers: the people handling cloud IAM roles for microservices and certificate rotation for service mesh are typically platform engineers, not IAM staff. GitGuardian&amp;rsquo;s analysis found that the person who can answer most questions about an NHI is the developer who created it, which does not mean they are responsible for rotation or lifecycle management. The Gartner IAM Summit in December 2025 advocated a layered identity fabric model where Access Management, IGA, and PAM are interdependent layers that must work together rather than compete for ownership or visibility. ServiceNow added Non-Human and Agentic Identity Governance as a new domain in its IAM capability map, recommending organizations start with NHI discovery and ownership attribution.&lt;/p&gt;
&lt;p&gt;Legacy PAM tools have structural limitations for NHI use cases. They are vault-centric (assuming persistent accounts), human-speed (manual checkout workflows), session-oriented (recording RDP/SSH, not API calls), and centralized (requiring vault connectivity). Ephemeral cloud workloads, serverless functions, and CI/CD pipelines do not fit this architecture. The CSA/Astrix 2024 survey found that 54% of respondents use PAM for NHI, but these tools are not specifically designed to address NHI security challenges. BeyondTrust and Delinea face similar architectural gaps. The Palo Alto Networks acquisition of CyberArk signals that PAM is becoming an infrastructure-level control rather than a standalone tool category, but the product integration timeline extends well past 2027.&lt;/p&gt;
&lt;h3 id=&#34;6-regulators-are-building-the-enforcement-case&#34;&gt;6. Regulators Are Building the Enforcement Case&lt;/h3&gt;
&lt;p&gt;No U.S. or EU regulation uses the term &amp;ldquo;non-human identity.&amp;rdquo; But the enforcement infrastructure is forming around the underlying concepts, and the gap between regulatory intent and explicit NHI language is closing fast.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;DORA&lt;/strong&gt; is the most important development for financial sector CISOs. The Regulatory Technical Standards on ICT Risk Management, effective January 2025, require financial entities to maintain an inventory of service accounts, document the purpose of each, assign a human owner, prevent interactive use where not required, and review access at the same frequency as human privileged accounts. MFA for privileged accounts is legally mandated, not optional. Early supervisory examinations in the Netherlands, Germany, and Ireland are requesting these artifacts. The service account inventory requirement is, per practitioner reports, one of the most commonly missed items in initial DORA readiness assessments.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The FFIEC&amp;rsquo;s 2021 guidance&lt;/strong&gt; on Authentication and Access remains the most NHI-explicit U.S. regulatory document. Footnote 2 defines &amp;ldquo;users&amp;rdquo; to include employees, third parties, service accounts, applications, and devices. The guidance requires authentication considerations for system-to-system communications. The irony is painful: the OCC, which issued this guidance jointly with other banking regulators, disclosed in April 2025 that its own Microsoft 365 tenant was compromised through a service account with administrative privileges that lacked MFA. The breach persisted for 20 months. It was reported to Congress as a major information security incident.&lt;/p&gt;
&lt;p&gt;The SEC has not cited NHI by name, but its October 2024 enforcement actions against four SolarWinds victim companies penalized the minimization of credential compromise in public disclosures. Unisys paid $4 million for describing risks as hypothetical despite knowing that seven network credentials and 34 cloud-based accounts were compromised. Mimecast paid $990,000 for failing to disclose that a threat actor exfiltrated an authentication certificate used by approximately 10% of its customers. The FTC&amp;rsquo;s Drizly consent order (January 2023) explicitly cited failure to securely store AWS and database login credentials and failure to scan repositories for unsecured credentials such as usernames, passwords, API keys, secure access tokens, and asymmetric private keys. Personal liability was imposed on the CEO.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;NYDFS 23 NYCRR 500&lt;/strong&gt; merits specific attention. The amended regulation, fully effective November 2025, requires Class A companies to implement PAM solutions and mandates MFA for any individual accessing any information system. There is a carve-out for service accounts that prohibit interactive login, but this creates risk rather than eliminating it. Organizations must ensure non-interactive service accounts truly cannot be used interactively, and must implement compensating controls.&lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;EU AI Act&lt;/strong&gt; (effective in stages through 2027) requires that AI systems interacting with natural persons disclose they are AI (Article 50, effective August 2026) and that high-risk AI systems be registered in an EU database. But the Act is silent on how AI agents authenticate to other systems, manage credentials, or handle privilege escalation. It addresses &amp;ldquo;is this an AI?&amp;rdquo; but not &amp;ldquo;what can this AI access?&amp;rdquo; That gap will force supplementary regulation as autonomous agents proliferate.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;recommendations-for-security-and-risk-management-leaders&#34;&gt;Recommendations for Security and Risk Management Leaders&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Inventory first, tool second.&lt;/strong&gt; Before evaluating NHI vendors, run a discovery sprint using cloud-native tools (AWS IAM Access Analyzer, Azure Entra Workload ID, GCP Policy Analyzer) and open-source scanners (GitGuardian, TruffleHog) to establish baseline counts of service accounts, API keys, OAuth tokens, and certificates. You cannot govern what you have not counted. Set a 90-day deadline for initial inventory. Do not let it become a permanent project.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Map NHI controls to the audit frameworks you face now.&lt;/strong&gt; PCI DSS 4.0.1 Requirements 7.2.5.1 and 8.6.1 through 8.6.3 are enforceable today. CIS Safeguard 5.5 requires quarterly reviews. DORA requires service account inventories with owners. Build the compliance artifact first, then automate it. If your organization is subject to DORA, treat the service account inventory as a regulatory deliverable with a named executive owner and a board-reportable status.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Adopt a federated ownership model, not a centralized one.&lt;/strong&gt; IAM or GRC sets policy and defines standards. Platform engineering implements controls in CI/CD pipelines and manages cloud-native NHIs. Application teams own their application-specific NHIs with documented accountability. A central governance function (within the CISO organization) provides visibility, risk scoring, and audit coordination. No single team can own NHI governance at scale. The question is not who owns it but whether the accountability chain is documented and enforceable.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Separate the AI agent identity problem from the NHI backlog.&lt;/strong&gt; Agent identity governance requires different controls: human sponsors, runtime behavioral monitoring, delegation chain tracking, and scope enforcement. Do not wait for the NHI backlog to be clean before addressing agent identity. Stand up an agent identity working group now that includes IAM, data science, platform engineering, and legal. Align to CSA&amp;rsquo;s AI Controls Matrix (July 2025) and NIST IR 8596 (draft) as provisional frameworks until NIST CAISI publishes finalized standards.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Evaluate pure-play NHI vendors for discovery and posture management only.&lt;/strong&gt; That is where production-validated value exists today. Lifecycle management, threat detection, and agent governance are emerging capabilities without meaningful practitioner validation. Run a 90-day proof of value focused on discovery accuracy, ownership attribution, and secrets exposure detection. Do not sign multiyear platform commitments for capabilities that are still roadmap.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Begin SPIFFE/SPIRE evaluation for net-new workloads; do not attempt a legacy migration simultaneously.&lt;/strong&gt; Workload identity federation eliminates long-lived secrets within a single cloud, but legacy systems that cannot speak mTLS remain a hard blocker. Apply secretless architectures to new Kubernetes-native and cloud-native workloads first. Use vaulted credentials with automated rotation for legacy systems. Accept that the transition will take 24 months or more and plan accordingly.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;market-outlook&#34;&gt;Market Outlook&lt;/h2&gt;
&lt;p&gt;The NHI governance market sits at a crossroads familiar to anyone who watched CASB, CSPM, or CIEM develop. There is genuine enterprise demand, validated by real audit pressure and breach history. There is real funding, with over $200 million in verified pure-play rounds through 2025. And there is significant risk of premature consolidation and vendor overreach.&lt;/p&gt;
&lt;p&gt;The cloud hyperscalers are building native workload identity capabilities that will commoditize intra-cloud NHI authentication over the next three years. Microsoft&amp;rsquo;s Entra Agent ID, if it reaches general availability, could redefine expectations for agent identity governance within the Microsoft ecosystem. AWS AgentCore Identity is already GA. But none of the hyperscalers will solve cross-cloud NHI governance, secrets posture management, or multicloud lifecycle orchestration. That is the defensible wedge for pure-play vendors, and the ones that focus there will survive consolidation.&lt;/p&gt;
&lt;p&gt;PAM vendors are rebranding around identity security. The Palo Alto Networks acquisition of CyberArk for $25 billion, combined with the prior CyberArk acquisition of Venafi for $1.54 billion, creates the largest identity security portfolio in the market. BeyondTrust exceeded $400 million ARR in June 2025 and acquired Entitle for CIEM. Delinea acquired Authomize and Fastpath. These are platform plays, not feature additions. But platform integration takes years, and CISOs should not confuse acquisition announcements with product delivery.&lt;/p&gt;
&lt;p&gt;The honest assessment is this: we are in the first inning of NHI governance as a discipline. The compliance drivers are real and accelerating. The breach history validates the risk. The tooling is early but improving. The AI agent dimension adds urgency and complexity that the market has not yet absorbed. Organizations that start now, with inventory, ownership, and framework alignment, will be positioned to adopt better tooling as it matures. Organizations that wait for the market to settle will find themselves explaining to auditors, regulators, and boards why they treated machine identities as an afterthought while those identities outnumbered their employees 82 to 1.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;key-sources&#34;&gt;Key Sources&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Compliance frameworks:&lt;/strong&gt; PCI DSS 4.0.1 (PCI SSC, 2024); CIS Controls v8.1 Assessment Specification (CIS, 2024); NIST SP 800-53 Rev 5 (NIST, 2020); ISO 27001:2022 (ISO/IEC, 2022); DORA RTS on ICT Risk Management (ESAs, 2024); NYDFS 23 NYCRR 500 (NYDFS, amended 2023); FFIEC Authentication and Access Guidance (2021).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Data sources:&lt;/strong&gt; Datadog State of Cloud Security 2024; CSA/Oasis Security State of NHI Security Survey (January 2026, n=383); CSA/Astrix State of NHI Security Report (September 2024, n=818); CyberArk Identity Security Landscape 2025 (n=2,600); Keeper Security RSAC 2026 Survey (n=109); Ponemon/Keyfactor State of Machine Identity Management 2021 (n=1,162); SailPoint AI Agent Survey 2025.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Vendor and analyst sources:&lt;/strong&gt; Gartner 2025 Hype Cycle for Digital Identity; KuppingerCole Leadership Compass: Non-Human Identity Management 2025; Gartner IAM Summit December 2025 (Sayers coverage); Astrix Security, Oasis Security, Entro Security, Clutch Security, Token Security, Defakto funding announcements; CyberArk Q1 FY2025 earnings; Palo Alto Networks/CyberArk acquisition filings; Doppler NHI Platform Comparison (August 2025).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Incident and enforcement sources:&lt;/strong&gt; Cloudflare R2 Outage Post-Incident Report (March 2025); OCC Major Information Security Incident Disclosure (April 2025); SEC v. Unisys, Avaya, Check Point, Mimecast enforcement actions (October 2024); FTC v. Drizly consent order (January 2023); Harvard Law School Forum on Corporate Governance analysis of SEC cybersecurity enforcement (October 2024).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Standards and frameworks:&lt;/strong&gt; OWASP NHI Top 10 (2025); OWASP Top 10 for Agentic Applications (December 2025); NIST CAISI Initiative RFI (February 2026); CSA AI Controls Matrix (July 2025); NIST IR 8596 draft; ServiceNow IAM Capability Map 2025.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Contributing to Open Source Again, With AI</title>
      <link>https://www.20-100.net/log/contributing-to-open-source-again-with-ai/</link>
      <pubDate>Sat, 21 Mar 2026 00:00:00 &#43;0000</pubDate>
      <guid>https://www.20-100.net/log/contributing-to-open-source-again-with-ai/</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Heads up:&lt;/strong&gt; Much of the prose and code here are AI-assisted, but the ideas are my own.&lt;/p&gt;&lt;/blockquote&gt;
&lt;h2 id=&#34;back-at-it&#34;&gt;Back at it&lt;/h2&gt;
&lt;p&gt;I used to be active in several open source projects. Life happened, priorities shifted, and at some point I just drifted away from it. No dramatic reason.&lt;/p&gt;
&lt;p&gt;The new AI coding tools made me want to try again. The hard part of contributing to open source was never the coding itself, it was the ramp-up: understanding a new codebase, learning its conventions, figuring out which layer to hook into. That&amp;rsquo;s exactly what tools like Claude Code are good at, so I picked something small for a project run by a friend to see how it would go.&lt;/p&gt;
&lt;h2 id=&#34;the-project-tiki-wiki&#34;&gt;The project: Tiki Wiki&lt;/h2&gt;
&lt;p&gt;&lt;a href=&#34;https://tiki.org&#34;&gt;Tiki Wiki CMS Groupware&lt;/a&gt; is a PHP wiki/CMS/groupware app that&amp;rsquo;s been around since 2002. Big, old codebase, the kind where you&amp;rsquo;d normally spend days reading code before writing any.&lt;/p&gt;
&lt;p&gt;I wanted to add &lt;a href=&#34;https://modelcontextprotocol.io&#34;&gt;Model Context Protocol&lt;/a&gt; (MCP) support. MCP is the open standard that lets AI assistants interact with external tools. WordPress has an MCP integration, Notion has one, Confluence has one. Tiki didn&amp;rsquo;t. The idea is that instead of opening a browser, logging in, navigating to a page, clicking edit, making changes and saving, you just tell your AI assistant &amp;ldquo;update the homepage&amp;rdquo; and it handles it over MCP. Read, create, search, edit, delete, view history, all through conversation.&lt;/p&gt;
&lt;h2 id=&#34;the-process&#34;&gt;The process&lt;/h2&gt;
&lt;h3 id=&#34;planning&#34;&gt;Planning&lt;/h3&gt;
&lt;p&gt;I described what I wanted, an MCP server that exposes Tiki&amp;rsquo;s wiki operations over HTTP, and Claude Code explored the codebase by reading the important files (&lt;code&gt;tikilib.php&lt;/code&gt;, &lt;code&gt;console.php&lt;/code&gt;, the wiki service controllers). We put together a plan that identified which Tiki service layer methods to wrap (&lt;code&gt;create_page&lt;/code&gt;, &lt;code&gt;update_page&lt;/code&gt;, &lt;code&gt;get_page_info&lt;/code&gt;, &lt;code&gt;list_pages&lt;/code&gt;, &lt;code&gt;remove_all_versions&lt;/code&gt;), the bootstrap pattern to replicate from &lt;code&gt;console.php&lt;/code&gt;, the PHP MCP SDK to use (&lt;code&gt;mcp/sdk&lt;/code&gt; by PHP Foundation and Symfony), and 7 tools to implement across read and write operations.&lt;/p&gt;
&lt;h3 id=&#34;implementation&#34;&gt;Implementation&lt;/h3&gt;
&lt;p&gt;I don&amp;rsquo;t have PHP installed locally so we set up a Docker environment with MariaDB and PHP 8.1 Apache to develop against. Claude Code wrote the PHP files: an HTTP entry point (&lt;code&gt;mcp.php&lt;/code&gt;) using Streamable HTTP transport, a server wrapper that builds the MCP server from tool classes using PHP 8 attributes, the 7 wiki tools each calling TikiLib&amp;rsquo;s service layer directly, a Bearer token auth provider using Tiki&amp;rsquo;s existing &lt;code&gt;tiki_api_tokens&lt;/code&gt; table, and an output buffering context to prevent TikiLib from corrupting the JSON-RPC stream.&lt;/p&gt;
&lt;p&gt;One thing worth explaining is that the tools call Tiki&amp;rsquo;s PHP service layer in-process rather than going through HTTP. &lt;code&gt;TikiLib::lib(&#39;tiki&#39;)-&amp;gt;create_page(...)&lt;/code&gt; is a direct function call because the MCP server runs inside the same PHP process as Tiki. Permission checks via &lt;code&gt;Perms_Context&lt;/code&gt; just work, so whatever the authenticated user can do in the Tiki UI, they can do via MCP and nothing more.&lt;/p&gt;
&lt;p&gt;Here&amp;rsquo;s how the pieces fit together:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;MCP Client (Claude Code, etc.)
  │
  │  HTTP POST + Authorization: Bearer &amp;lt;token&amp;gt;
  ▼
Apache / Nginx
  │
  ▼
mcp.php
  ├── ApiTokenAuthProvider ──► tiki_api_tokens (validate + track hits)
  ├── Perms_Context (enforce user permissions)
  └── MCP SDK (StreamableHttpTransport)
        │
        ▼
      WikiTools (7 tools)
        ├── wiki_list_pages
        ├── wiki_get_page
        ├── wiki_get_page_history
        ├── wiki_search
        ├── wiki_create_page
        ├── wiki_update_page
        └── wiki_delete_page
              │
              │  in-process calls
              ▼
          TikiLib / WikiLib / HistLib
              │
              ▼
          MariaDB / MySQL
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id=&#34;the-bugs&#34;&gt;The bugs&lt;/h3&gt;
&lt;p&gt;A few things broke along the way. After calling &lt;code&gt;update_page()&lt;/code&gt;, the next &lt;code&gt;get_page_info()&lt;/code&gt; returned the old version because Tiki caches page info in memory and the cache wasn&amp;rsquo;t getting invalidated. The fix was passing &lt;code&gt;skipCache=true&lt;/code&gt; after write operations. This is the kind of thing buried deep in a 10,000-line file that you find by staring at code for hours, or by having an AI trace the execution path in seconds.&lt;/p&gt;
&lt;p&gt;The search was also broken because &lt;code&gt;list_pages()&lt;/code&gt; defaults to &lt;code&gt;exact_match=true&lt;/code&gt;, so searching for &amp;ldquo;MCP&amp;rdquo; wouldn&amp;rsquo;t find a page called &amp;ldquo;MCP Test Page&amp;rdquo; until we passed &lt;code&gt;false&lt;/code&gt; explicitly. And the MCP SDK turned out to expect &lt;code&gt;[ClassName::class, &#39;methodName&#39;]&lt;/code&gt; as two strings for tool registration rather than an object and a string, so we had to register tool instances in the SDK&amp;rsquo;s PSR-11 container first.&lt;/p&gt;
&lt;h3 id=&#34;security&#34;&gt;Security&lt;/h3&gt;
&lt;p&gt;After the initial implementation I asked Claude Code to do a security audit of everything we wrote. It found 14 issues, some minor and some not minor at all.&lt;/p&gt;
&lt;p&gt;The worst one was that the auth layer fell back to a default admin user when no token was provided. So if you didn&amp;rsquo;t send an Authorization header, you got full admin access. We ripped out the fallback entirely so every request needs a valid Bearer token or gets a 401. MCP sessions were stored in Tiki&amp;rsquo;s &lt;code&gt;temp/&lt;/code&gt; directory which is inside the web root, so we moved them outside the document root with restricted permissions. The token generation used &lt;code&gt;uniqid()&lt;/code&gt; which is time-based and predictable, so we replaced it with &lt;code&gt;random_bytes(32)&lt;/code&gt;. Write operations were logging the IP as &lt;code&gt;0.0.0.0&lt;/code&gt; instead of the actual client IP. A 403 error response included the username from the token when it should have been a generic message. And Apache CGI/FastCGI strips the Authorization header in some configs, which made token auth silently fail without handling the &lt;code&gt;REDIRECT_HTTP_AUTHORIZATION&lt;/code&gt; fallback.&lt;/p&gt;
&lt;p&gt;The auth fallback one really got to me. That was a &amp;ldquo;make it work first&amp;rdquo; shortcut that would have given unauthenticated admin access to anyone who could reach the endpoint. I caught it during review, but it&amp;rsquo;s the kind of thing that easily ships if you&amp;rsquo;re moving fast and not thinking about it.&lt;/p&gt;
&lt;h3 id=&#34;testing&#34;&gt;Testing&lt;/h3&gt;
&lt;p&gt;We wrote 27 PHPUnit integration tests covering all 7 tools and the auth layer, running against a real database rather than mocks so they exercise the full path from tool method to TikiLib to MariaDB and back. The suite covers the full CRUD lifecycle from create through delete, error handling for things like duplicate pages and missing pages, input validation with pagination limits and sort mode allowlists, and the full range of auth scenarios including valid tokens, invalid tokens, expired tokens, missing tokens, and hit tracking.&lt;/p&gt;
&lt;h3 id=&#34;the-result&#34;&gt;The result&lt;/h3&gt;
&lt;p&gt;Once everything was working I connected Claude Code to the MCP server and could manage wiki content through conversation. &amp;ldquo;What&amp;rsquo;s on the main page?&amp;rdquo; reads the page, &amp;ldquo;create a new policy document&amp;rdquo; creates it with wiki syntax. The tools show up in Claude Code&amp;rsquo;s tool list and work like any other MCP integration. We packaged it as a single commit following Tiki&amp;rsquo;s conventions and submitted a draft merge request on GitLab with a &lt;code&gt;Co-Authored-By: Claude&lt;/code&gt; trailer for transparency.&lt;/p&gt;
&lt;h2 id=&#34;what-i-learned&#34;&gt;What I learned&lt;/h2&gt;
&lt;p&gt;The AI absolutely cuts through the ramp-up problem. Tiki&amp;rsquo;s codebase is 20+ years old with legacy procedural code sitting next to modern Symfony stuff, and understanding the bootstrap sequence, the service layer, the permission system and the caching behavior is the kind of thing that takes days of exploration normally. Claude Code did it by reading the source and what would have taken me most of a week took minutes.&lt;/p&gt;
&lt;p&gt;But you can&amp;rsquo;t just let it run. The AI wrote code that fell back to unauthenticated admin access, stored sessions in the web root, and used a predictable token generator. I caught the auth issue during review and the others came out in a dedicated security audit pass that we did as a separate phase after implementation. Not &amp;ldquo;let&amp;rsquo;s hope we catch things during dev&amp;rdquo; but &amp;ldquo;stop, read every file, look for problems.&amp;rdquo; That&amp;rsquo;s when the real issues surfaced and I think doing it that way is important.&lt;/p&gt;
&lt;h2 id=&#34;whats-next&#34;&gt;What&amp;rsquo;s next&lt;/h2&gt;
&lt;p&gt;This only covers wiki pages. Tiki has trackers, file galleries, calendars, forums, blogs and a lot more, and each could get its own set of MCP tools following the same pattern. The architecture is there, it&amp;rsquo;s just a matter of adding more tool classes.&lt;/p&gt;
&lt;p&gt;If you&amp;rsquo;ve been thinking about contributing to open source but the ramp-up keeps stopping you, try it with AI tooling. Pick something small, be upfront about the AI assistance, and review everything before you submit because the AI will absolutely ship security holes if you let it.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Scaling OpenClaw&#39;s Agentic AI to Multi-User Environments with OpenFGA Authorization</title>
      <link>https://www.20-100.net/log/scaling-openclaws-agentic-ai-to-multi-user-environments-with-openfga-authorization/</link>
      <pubDate>Tue, 10 Mar 2026 00:00:00 &#43;0000</pubDate>
      <guid>https://www.20-100.net/log/scaling-openclaws-agentic-ai-to-multi-user-environments-with-openfga-authorization/</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Heads up:&lt;/strong&gt; Much of the prose and code here are AI-assisted, but the ideas are my own.&lt;/p&gt;&lt;/blockquote&gt;
&lt;h2 id=&#34;the-problem&#34;&gt;The problem&lt;/h2&gt;
&lt;p&gt;Last week, CodeWall&amp;rsquo;s security agent &lt;a href=&#34;https://codewall.ai/blog/how-we-hacked-mckinseys-ai-platform&#34;&gt;broke into McKinsey&amp;rsquo;s AI platform Lilli&lt;/a&gt; in two hours. No credentials. A SQL injection on an unauthenticated endpoint gave them read/write access to 46.5 million chat messages, 57,000 employee accounts, and the system prompts controlling the AI&amp;rsquo;s behavior. One SQL UPDATE could have silently rewritten those prompts with no audit trail. The authorization layer around the AI was nonexistent.&lt;/p&gt;
&lt;p&gt;That got me thinking about OpenClaw, which I use to run my own AI agents. Its security model is simple: one operator per gateway. If you&amp;rsquo;re the only person using it, that&amp;rsquo;s all you need.&lt;/p&gt;
&lt;p&gt;But if three people want to share a gateway, you can&amp;rsquo;t give them different permission levels. Alice should have full control, Bob should be able to use agents but not change settings, Charlie should only be able to watch. Right now? You&amp;rsquo;d run three gateways. That&amp;rsquo;s not really a solution.&lt;/p&gt;
&lt;p&gt;Same problem with community skills. If someone publishes a skill on ClawHub, you either trust it completely or you don&amp;rsquo;t install it. There&amp;rsquo;s no middle ground where an operator reviews it and unlocks it for specific users. And if you want agent A to call agent B&amp;rsquo;s tools, there&amp;rsquo;s no way to say &amp;ldquo;yes, but only these tools, and only if someone approved it.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;The missing piece is that these are all relationship questions. &amp;ldquo;Can this user invoke this tool via this agent?&amp;rdquo; depends on who, what, and whether there&amp;rsquo;s a delegation chain. You can&amp;rsquo;t answer that with a boolean config flag.&lt;/p&gt;
&lt;h2 id=&#34;why-openfga&#34;&gt;Why OpenFGA&lt;/h2&gt;
&lt;p&gt;I&amp;rsquo;ve been wanting to try OpenFGA on a real project for a while, and OpenClaw&amp;rsquo;s multi-user problem seemed like a good fit. It&amp;rsquo;s based on Google&amp;rsquo;s Zanzibar (the system behind Google Drive sharing, YouTube permissions, etc.), it&amp;rsquo;s CNCF-incubating, and it does exactly one thing well: relationship-based access checks.&lt;/p&gt;
&lt;p&gt;OpenFGA stores relationships as tuples. &amp;ldquo;Alice is an operator of the main gateway&amp;rdquo; is a tuple. &amp;ldquo;The orchestrator agent can delegate to the researcher agent&amp;rdquo; is a tuple. You write tuples, then ask questions like &amp;ldquo;can Alice invoke the deploy tool?&amp;rdquo; and OpenFGA walks the relationship graph to figure it out. The transitive logic that turns into spaghetti if-else chains in application code becomes declarative.&lt;/p&gt;
&lt;h2 id=&#34;the-authorization-model&#34;&gt;The authorization model&lt;/h2&gt;
&lt;p&gt;This is the full model in OpenFGA&amp;rsquo;s DSL. It gets written to the OpenFGA store when the gateway boots:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;model
  schema 1.1

type user
  relations
    define exists: [user]

type team
  relations
    define member: [user]

type gateway
  relations
    define operator: [user]
    define admin: [user]
    define user: [user]
    define viewer: [user]
    define can_admin: operator or admin
    define can_use: can_admin or user
    define can_view: can_use or viewer

type agent
  relations
    define exists: [agent]
    define parent_gateway: [gateway]
    define operator: operator from parent_gateway
    define allowed_user: [user, team#member]
    define can_delegate: [agent]
    define can_use: operator or allowed_user

type tool
  relations
    define parent_agent: [agent]
    define allowed_user: [user, team#member]
    define denied_user: [user, team#member]
    define can_invoke: can_use from parent_agent but not denied_user

type skill
  relations
    define publisher: [user]
    define allowed_gateway: [gateway]
    define trusted: [user]
    define can_use: [user]
    define can_install: allowed_gateway

type session
  relations
    define owner: [user]
    define participant: [user]
    define parent_agent: [agent]
    define can_read: owner or participant
    define can_write: owner or participant

type agent_delegation
  relations
    define source_agent: [agent]
    define target_agent: [agent]
    define approver: [user]
    define allowed_tool: [tool]
    define can_delegate: approver
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;A few things worth calling out:&lt;/p&gt;
&lt;p&gt;Gateway privileges form a chain: &lt;code&gt;operator &amp;gt; admin &amp;gt; user &amp;gt; viewer&lt;/code&gt;. Each level includes the permissions of the levels below it through computed relations. A viewer can read. A user can read and invoke tools. An operator can do everything.&lt;/p&gt;
&lt;p&gt;Tool access uses a &lt;code&gt;difference&lt;/code&gt; userset. &lt;code&gt;can_invoke&lt;/code&gt; grants access to anyone who can use the parent agent, minus anyone on the deny list. So you can block Bob from the &lt;code&gt;rm -rf&lt;/code&gt; tool without revoking his access to the agent itself.&lt;/p&gt;
&lt;p&gt;Tools inherit from their parent agent via &lt;code&gt;tupleToUserset&lt;/code&gt;. If you can use the agent, you can use its tools, unless someone explicitly denied you.&lt;/p&gt;
&lt;h2 id=&#34;what-it-looks-like-in-practice&#34;&gt;What it looks like in practice&lt;/h2&gt;
&lt;p&gt;I built three things on top of this model, with Claude Code doing most of the heavy lifting on implementation. Here&amp;rsquo;s each one with the actual tuples and what users see.&lt;/p&gt;
&lt;h3 id=&#34;multi-user-teams&#34;&gt;Multi-user teams&lt;/h3&gt;
&lt;p&gt;Say Alice is the operator, Bob is a regular user, Charlie can only watch, and Dave is some random who wandered into the channel. They&amp;rsquo;re all on Slack.&lt;/p&gt;
&lt;p&gt;On boot, the gateway reads &lt;code&gt;openclaw.json&lt;/code&gt; and writes these tuples:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;user:alice   | operator | gateway:main
user:bob     | user     | gateway:main
user:charlie | viewer   | gateway:main
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Alice asks the agent to change how deep research runs:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[Alice -&amp;gt; Slack] set the deep research thinking budget to high
[MyAgent -&amp;gt; Slack] Done. Deep research will now use extended thinking.
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;She&amp;rsquo;s an operator. The &lt;code&gt;can_use&lt;/code&gt; check resolves through &lt;code&gt;operator -&amp;gt; can_admin -&amp;gt; can_use&lt;/code&gt;. She can invoke tools and change agent configuration.&lt;/p&gt;
&lt;p&gt;Bob asks the agent to run a deep research task:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[Bob -&amp;gt; Slack] deep research: there are thousands of passwordless
MFA vendors out there, why are new ones still popping up every
month, and why are we all still using passwords?
[MyAgent -&amp;gt; Slack] Starting deep research... Searched 31 sources.
Summary: adoption is blocked by legacy system integration costs,
not technology. New vendors keep launching because enterprise
procurement cycles create recurring market windows. Full report
attached.
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;He&amp;rsquo;s a &lt;code&gt;user&lt;/code&gt;, which feeds directly into &lt;code&gt;can_use&lt;/code&gt;. He can invoke tools normally, but admin operations (like changing agent configuration) would be denied.&lt;/p&gt;
&lt;p&gt;Charlie tries to launch his own research:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[Charlie -&amp;gt; Slack] deep research on passkey adoption rates
[MyAgent -&amp;gt; Slack] Authorization denied: you do not have permission
to use the &amp;#34;deep_research&amp;#34; tool on this agent. Contact an agent
admin to request access.
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;But Charlie can still read Bob&amp;rsquo;s research output:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[Charlie -&amp;gt; Slack] what did Bob&amp;#39;s MFA research find?
[MyAgent -&amp;gt; Slack] Bob&amp;#39;s research found that passwordless adoption
is mostly blocked by legacy integration costs, not the technology
itself. New vendors keep appearing because enterprise procurement
cycles create recurring windows. Full report is in the thread above.
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Charlie is a &lt;code&gt;viewer&lt;/code&gt;. He has &lt;code&gt;can_view&lt;/code&gt; but not &lt;code&gt;can_use&lt;/code&gt;, so the agent won&amp;rsquo;t launch tools for him. But he can read results and ask follow-up questions based on what&amp;rsquo;s already in context.&lt;/p&gt;
&lt;p&gt;Dave, who has no tuples at all:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[Dave -&amp;gt; Slack] hey can you help me
[MyAgent -&amp;gt; Slack] You are not authorized to use this gateway.
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;The &lt;code&gt;unknownSenderPolicy&lt;/code&gt; config controls whether unknown senders get blocked or allowed with minimal permissions.&lt;/p&gt;
&lt;p&gt;Identity resolution maps platform accounts to canonical users:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;nt&#34;&gt;&amp;#34;session&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;nt&#34;&gt;&amp;#34;identityLinks&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;      &lt;span class=&#34;nt&#34;&gt;&amp;#34;alice&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;s2&#34;&gt;&amp;#34;slack:U04ABC123&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;],&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;      &lt;span class=&#34;nt&#34;&gt;&amp;#34;bob&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;s2&#34;&gt;&amp;#34;slack:U04DEF456&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;],&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;      &lt;span class=&#34;nt&#34;&gt;&amp;#34;charlie&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;:&lt;/span&gt; &lt;span class=&#34;p&#34;&gt;[&lt;/span&gt;&lt;span class=&#34;s2&#34;&gt;&amp;#34;slack:U04GHI789&amp;#34;&lt;/span&gt;&lt;span class=&#34;p&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;    &lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;  &lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;p&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;All three are on Slack, each mapped to their canonical user ID. The same identity resolution works across channels if someone is on multiple platforms.&lt;/p&gt;
&lt;h3 id=&#34;skill-trust-tiers&#34;&gt;Skill trust tiers&lt;/h3&gt;
&lt;p&gt;Skills get a trust level based on their source:&lt;/p&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;Source&lt;/th&gt;
          &lt;th&gt;Trust level&lt;/th&gt;
          &lt;th&gt;Default&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;&lt;code&gt;openclaw-extra&lt;/code&gt;, &lt;code&gt;openclaw-bundled&lt;/code&gt;&lt;/td&gt;
          &lt;td&gt;untrusted&lt;/td&gt;
          &lt;td&gt;Blocked until explicitly granted&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;&lt;code&gt;openclaw-managed&lt;/code&gt;, &lt;code&gt;agents-skills-personal&lt;/code&gt;, &lt;code&gt;agents-skills-project&lt;/code&gt;&lt;/td&gt;
          &lt;td&gt;verified&lt;/td&gt;
          &lt;td&gt;Allowed&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;&lt;code&gt;openclaw-workspace&lt;/code&gt;&lt;/td&gt;
          &lt;td&gt;privileged&lt;/td&gt;
          &lt;td&gt;Blocked until operator approves&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Alice tries to run &lt;code&gt;curl-fetch&lt;/code&gt;, a community skill from &lt;code&gt;openclaw-extra&lt;/code&gt;:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[Alice -&amp;gt; Discord] /skill curl-fetch https://example.com
[MyAgent -&amp;gt; Discord] The &amp;#34;curl-fetch&amp;#34; skill is from an untrusted
source. Ask an agent admin to grant access.
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;An operator reviews the skill and decides it&amp;rsquo;s fine:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[Operator -&amp;gt; Discord] /auth grant user:alice can_use skill:untrusted/curl-fetch
[MyAgent -&amp;gt; Discord] Granted can_use on skill:untrusted/curl-fetch for user:alice
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;That writes one tuple:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;user:alice | can_use | skill:untrusted/curl-fetch
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Now it works:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[Alice -&amp;gt; Discord] /skill curl-fetch https://example.com
[MyAgent -&amp;gt; Discord] Fetching https://example.com... (200 OK, 12.4KB)
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Privileged skills (workspace tier) fail closed. If OpenFGA is down, privileged skills get denied rather than allowed. Better to block a privileged operation by accident than to allow one.&lt;/p&gt;
&lt;h3 id=&#34;cross-agent-delegation&#34;&gt;Cross-agent delegation&lt;/h3&gt;
&lt;p&gt;Say you have an &lt;code&gt;orchestrator&lt;/code&gt; agent that coordinates work and a &lt;code&gt;researcher&lt;/code&gt; agent that searches the web. The orchestrator wants to send tasks to the researcher.&lt;/p&gt;
&lt;p&gt;Without approval:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[orchestrator attempting sessions_send to researcher]
Agent &amp;#34;orchestrator&amp;#34; is not approved to delegate to agent &amp;#34;researcher&amp;#34;.
Request approval from a gateway operator.
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Grant it:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[Operator -&amp;gt; Discord] /auth grant agent:orchestrator can_delegate agent:researcher
[MyAgent -&amp;gt; Discord] Granted delegation: orchestrator -&amp;gt; researcher
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Tuple:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;agent:orchestrator | can_delegate | agent:researcher
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Now the orchestrator can send tasks:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;[orchestrator -&amp;gt; researcher session] Research the latest OpenFGA release
[researcher] Searching... Found: OpenFGA v1.11.6 released Feb 2026...
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;This is one-directional. The researcher can&amp;rsquo;t delegate back to the orchestrator unless that&amp;rsquo;s explicitly granted too. Neither can delegate to a &lt;code&gt;coder&lt;/code&gt; agent without a separate tuple.&lt;/p&gt;
&lt;h2 id=&#34;conclusion&#34;&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;This started as a &amp;ldquo;let me see if OpenFGA even works for this&amp;rdquo; experiment. It went better than I expected. The authorization model maps cleanly to the problems agentic AI platforms actually have: who can use what, which agents can talk to each other, and which community-contributed skills are safe to run. The relationship-based approach fits naturally. I didn&amp;rsquo;t have to fight the model to express what I needed.&lt;/p&gt;
&lt;p&gt;The McKinsey/Lilli breach is a reminder that AI platforms are becoming high-value targets, and the authorization layer is often the weakest part. As agents get more capable and start operating in shared environments, the question of &amp;ldquo;who is allowed to do what&amp;rdquo; stops being optional. Relationship-based authorization systems like OpenFGA give you a way to answer that question without building a mess of ad-hoc checks.&lt;/p&gt;
&lt;p&gt;This is a proof of concept, not production code. There&amp;rsquo;s a detailed breakdown of what&amp;rsquo;s enforced at the code level, what&amp;rsquo;s modeled but not yet wired in, and what&amp;rsquo;s left to build in the &lt;a href=&#34;https://github.com/VnceB/openclaw/blob/feature/openfga-authorization/src/auth/README.md&#34;&gt;project README&lt;/a&gt;. 126 unit tests and 16 e2e tests against a live OpenFGA instance.&lt;/p&gt;
&lt;h2 id=&#34;whats-next-the-minecraft-test&#34;&gt;What&amp;rsquo;s next: the Minecraft test&lt;/h2&gt;
&lt;p&gt;My next step is to put this in front of real users. I run OpenClaw at home where my kids use it to manage our family Minecraft servers. Right now they all have the same access, which means my youngest discovered he can kick his older brothers off the server whenever he feels like it. He thinks it&amp;rsquo;s hilarious. His brothers do not.&lt;/p&gt;
&lt;p&gt;This is exactly the kind of problem the authorization model should solve. The oldest should have full server admin access: install plugins, change game rules, manage players. The middle one knows enough to handle day-to-day stuff like installing trusted plugins and tweaking game rules, but shouldn&amp;rsquo;t be kicking anyone. The youngest should only be able to do low-risk things like changing the weather or time of day. And any new tools added later should be blocked for him by default, so there are no more surprise kicks.&lt;/p&gt;
&lt;p&gt;That&amp;rsquo;s probably the real test of whether this architecture holds up: not a synthetic Alice/Bob/Charlie scenario, but an actual household where one kid will absolutely find every edge case in your permissions model and exploit it for laughs.&lt;/p&gt;
&lt;p&gt;If you&amp;rsquo;re building multi-user agents or thinking about authorization for AI platforms, I&amp;rsquo;d be interested to hear how you&amp;rsquo;re approaching it.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>My Son&#39;s Spring Break Linux Experiment (and the WiFi Rabbit Hole That Almost Killed It)</title>
      <link>https://www.20-100.net/log/my-sons-spring-break-linux-experiment-and-the-wifi-rabbit-hole-that-almost-killed-it/</link>
      <pubDate>Wed, 04 Mar 2026 00:00:00 &#43;0000</pubDate>
      <guid>https://www.20-100.net/log/my-sons-spring-break-linux-experiment-and-the-wifi-rabbit-hole-that-almost-killed-it/</guid>
      <description>&lt;p&gt;My son wanted to try Linux over spring break. His theory: ditching Windows would get him better FPS out of his GPU. I knew it probably wouldn&amp;rsquo;t make a difference, but he was excited, and I was happy he wanted to give it a shot.&lt;/p&gt;
&lt;p&gt;We installed Fedora 43 on his desktop and the WiFi didn&amp;rsquo;t work. The MT7902 chipset on his motherboard doesn&amp;rsquo;t have a supported driver in Fedora 43&amp;rsquo;s kernel. Freshly installed OS, no internet. He was already losing interest.&lt;/p&gt;
&lt;p&gt;I fired up Claude Code in the terminal and described the problem. It found an experimental MT7902 driver built for the same kernel version that Fedora 43 ships. But it didn&amp;rsquo;t compile. The firmware installer was pointing at the wrong files, and Secure Boot was rejecting the unsigned module.&lt;/p&gt;
&lt;p&gt;So Claude Code patched the Makefile to handle MOK signing, fixed the firmware paths, and wrote a DKMS config so the driver would rebuild itself on kernel updates. I enjoy digging into this kind of stuff, but my son would have been long gone by that point.&lt;/p&gt;
&lt;p&gt;WiFi came up. We were finally online.&lt;/p&gt;
&lt;p&gt;We pushed the fix to GitHub so nobody else has to deal with this: &lt;a href=&#34;https://github.com/VnceB/mt7902_temp&#34;&gt;github.com/VnceB/mt7902_temp&lt;/a&gt;. Figured it was a good chance to show my son how open source works. Someone else&amp;rsquo;s code got us out of a jam, so we put our fix out there too.&lt;/p&gt;
&lt;p&gt;Without Claude Code we just wouldn&amp;rsquo;t have done it. I don&amp;rsquo;t have hours to dig through kernel mailing lists and debug module builds, and a kid on spring break has zero patience for any of that. We got it working in one sitting and moved on. The FPS never improved, and his favorite game kept crashing mid-match during competitive play, which got him banned for a few hours. Without the FPS gain, he wasn&amp;rsquo;t about to gamble his profile&amp;rsquo;s reputation on more debugging sessions with dad. He&amp;rsquo;s back on Windows.&lt;/p&gt;
</description>
    </item>
    
  </channel>
</rss>
