|
| 1 | +# Notes |
| 2 | + |
| 3 | +* Reviewed last session’s meeting notes |
| 4 | +* Reviewed auditing requirements document |
| 5 | +* Privacy & Security |
| 6 | + * Compliance frameworks are interesting |
| 7 | +* We should focus on areas where no one is working |
| 8 | + * Identity & AuthZ |
| 9 | + * Biggest challenge at the conference was “acting on behalf-of” |
| 10 | + * Many are doing impersonation (hand your personal creds to the agent) |
| 11 | + * Delegation chains (agent inheriting two roles) |
| 12 | + * Example: order a new laptop |
| 13 | + * Finance agent needs to check budget and need to check the employee’s context |
| 14 | + * In the end, it’s still token exchange |
| 15 | + * Customer conversations? |
| 16 | + * Who is using MAS systems and can we ask about their use cases |
| 17 | + * Action Item: Julu + Chun set up conversation with users |
| 18 | + * Action Item: are there any customers worried about compliance with AI acts? |
| 19 | +* The rest of the meeting focused on a discussion of use cases and personas. Here's what the group came up with for personas: |
| 20 | + |
| 21 | +* Personas |
| 22 | + * Higher priority - Identity |
| 23 | + * Security Professionals |
| 24 | + * Cares about: |
| 25 | + * where did credentials come from, |
| 26 | + * what type of credentials are they (service account, impersonation, on behalf of), |
| 27 | + * which agent used it, |
| 28 | + * what access does it represent (resource, internal vs external), |
| 29 | + * what policies were enforced, and what was the verdict (both approved and rejected access) |
| 30 | + * who is responsible for the system(s) in question (agent, resource, credential, etc.) |
| 31 | + * audit logs are machine-readable, can be fed into agentic support systems |
| 32 | + * Support Teams (audit-logs-as-training-data) |
| 33 | + * Compliance Professionals |
| 34 | + * Cares about: |
| 35 | + * are the systems involved compliant with various frameworks |
| 36 | + * what are the boundaries between internal and external systems |
| 37 | + * how is data transferred and across what geographies / jurisdictions |
| 38 | + * how are privacy and security handled in the involved systems |
| 39 | + * data retention and destruction (log storage) |
| 40 | + * Lower priority (not a part of the identity working group) |
| 41 | + * Agent and Agentic Resource Developers |
| 42 | + |
| 43 | +# Action Items |
| 44 | + |
| 45 | +1. Continue nailing down persona / use cases |
| 46 | + 1. Ask Jim about the Support Team persona |
| 47 | + 2. Julu + Chun set up conversation with folks with Multi-Agent Systems |
| 48 | + 3. General call: are there any practitioners worried about compliance with AI acts? |
| 49 | +2. What are the data points that we need recorded |
| 50 | +3. Look at existing standards & frameworks, compare to 2. above |
| 51 | +4. Converge: pursue these tracks |
0 commit comments