
Duo brings identity and authorization across AI agent gateways

Your AI agents run everywhere. Your authorization should too.

At RSAC 2026, we introduced Duo Agentic Identity—identity, authorization and audit purpose-built for AI agents operating at machine speed across enterprise environments. The launch laid out three capabilities that together close the agent governance gap:

  • Discovery, built on Cisco Identity Intelligence, to surface every agent in your environment, including the shadow ones you didn't know existed.

  • Identity lifecycle, built on Duo Directory, to make every agent a first-class non-human identity tied to an accountable human owner.

  • Least-privilege authorization, enforced at every tool call through a gateway that intercepts agent requests and evaluates them against Duo's fine-grained authorization policy engine.

The first two capabilities are infrastructure-agnostic by design. Today, we're closing the loop on the third: per-tool-call authorization now works across the different AI gateways you run.

The authorization gap in agentic AI

Since RSAC, the agent infrastructure landscape has only diversified. Enterprises aren't converging on a single gateway. Teams are choosing infrastructure based on their cloud provider, existing stack, and operational maturity. Some are deploying open-source gateways for new AI projects. Others are extending service mesh infrastructure they already run, or building on cloud-native platforms like AWS. And many are running Cisco Secure Access alongside the rest of their security fabric.

One question we kept hearing from customers: How do I get consistent identity and authorization controls when my agent infrastructure is diverse?

Without a consistent answer, organizations face a familiar set of risks amplified by machine speed: over-privileged agents accessing tools they shouldn't, no audit trail connecting agent actions to accountable humans, and inconsistent controls that vary gateway by gateway. The same compliance gap that plagued human access a decade ago is now emerging in the agent layer—except agents operate 24/7 and execute in milliseconds.

Gateways handle routing and enforcement well, but routing alone doesn't answer the critical question: who should be able to access which tools, and on whose behalf?

Duo: The universal identity engine for agentic AI

Duo Agentic Identity is expanding to serve as the authorization engine for any agent gateway. The architecture is simple: Duo decides; your gateway enforces. Regardless of which gateway sits between your agents and your tools, Duo provides the identity and authorization intelligence behind every decision. This means per-tool-call authorization: not just "can this agent connect to this server," but "can this user's agent invoke this specific tool on this specific server, right now." Authorization decisions are made in real time, based on Duo group membership and the fine-grained policies you define.

Further, every tool call produces an identity-correlated audit log: human → agent → tool → action. This complete chain of accountability maps every autonomous action back to a human identity. Built on OAuth 2.1 and OIDC, the integration is standards-based and works with the MCP clients your developers already use: VS Code, Cursor, Claude Code, and custom agents, alongside emerging protocols as the ecosystem evolves.
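
The decide/enforce split and the human → agent → tool → action audit chain described above, as an added sketch that is not Duo's API or code from Cisco. The agent registry, group names, server names and tool names are all constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed data; every name here is hypothetical.
AGENT_OWNERS = {"invoice-bot": "alice", "deploy-bot": "bob"}  # agent -> accountable human
USER_GROUPS = {"alice": {"finance"}, "bob": {"sre"}}          # human -> directory groups
POLICY = {                                                    # group -> allowed (server, tool)
    "finance": {("erp-mcp", "read_invoice")},
    "sre": {("k8s-mcp", "get_pods"), ("k8s-mcp", "restart_deployment")},
}

def decide(human, agent, server, tool):
    """Decision point: default deny, returns (allowed, reason)."""
    # An agent may only act for the human it is registered to.
    if AGENT_OWNERS.get(agent) != human:
        return False, "agent not registered to this human"
    # Allow only if one of the human's groups grants this exact tool on this server.
    for group in sorted(USER_GROUPS.get(human, ())):
        if (server, tool) in POLICY.get(group, ()):
            return True, f"granted by group {group}"
    return False, "no group policy grants this tool"

def enforce(human, agent, server, tool, audit_log):
    """Enforcement point: request a decision on every call and log the outcome."""
    allowed, reason = decide(human, agent, server, tool)
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "human": human, "agent": agent, "server": server, "tool": tool,
        "action": "allow" if allowed else "deny", "reason": reason,
    })
    return allowed

if __name__ == "__main__":
    log = []
    enforce("alice", "invoice-bot", "erp-mcp", "read_invoice", log)        # allowed
    enforce("alice", "invoice-bot", "k8s-mcp", "restart_deployment", log)  # wrong group
    enforce("alice", "deploy-bot", "k8s-mcp", "get_pods", log)             # not her agent
    for rec in log:
        print(rec["human"], "->", rec["agent"], "->", rec["tool"],
              "->", rec["action"], f"({rec['reason']})")
```

Denied calls are logged with the same fields as allowed ones, so the audit trail records attempted actions as well as executed ones.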

Duo is shipping an authorization connector that plugs directly into supported gateways. No proprietary lock-in required to get enterprise-grade authorization.

Meeting customers where they are

Not every organization is ready for a fully managed gateway, and they shouldn't have to be. Duo meets you where you are:

  • AgentGateway or Envoy: Deploying a new AI project from scratch? Install the Duo Authorization Connector and get per-tool-call access control in minutes.

  • AWS Bedrock AgentCore: Building on AWS? Duo integrates as the identity provider with gateway interceptors that enforce fine-grained policy on every tool call.

  • Arcade: A hosted MCP runtime with over 7,000 pre-built integrations. Duo SSO serves as Arcade's OAuth 2.1 provider, so agents authenticate users through Duo, and Duo-issued scopes determine which tools each user's agents can access. No self-managed gateway required.

  • Cisco Secure Access: Best for enterprise-grade security. Full managed gateway with network-level enforcement, deep traffic inspection, and enterprise resilience. The tightest integration and most complete experience in the Cisco portfolio.

One Duo Admin Panel manages policies across all of them. Same authorization logic, same audit logs, same group-based policies, regardless of the enforcement point.

Your policies travel with you. Start with whichever gateway fits today; your agents, identity mappings, and policies carry forward if your enforcement point changes tomorrow. For customers who want identity and network controls converged in a single managed plane, Duo paired with Cisco Secure Access delivers that integrated experience. For customers running other gateways, Duo brings the same authorization logic and audit fidelity to whatever enforcement point you've chosen.

Getting started: In the product today

You can start configuring least-privilege access for agents today. The Duo Admin Panel now includes a "Getting started with agentic AI" experience, a guided checklist that walks administrators through securing their agent infrastructure:

  1. Get Duo Premier. Start a 30-day free trial of Duo to unlock full agentic security capabilities.

  2. Connect a gateway. Choose between Cisco Secure Access, AgentGateway, AWS AgentCore or Envoy.

  3. Protect with Duo authentication. Configure OAuth 2.1 / OIDC for agent workflows.

  4. Add authorization. Create fine-grained, tool-level access policies for groups.

  5. Register agents. Control which agents can access which MCP tools and resources.

  6. Monitor activity. View agent activity with full identity correlation.

The Duo Admin Panel shows connected gateways, discovered MCP servers and their tools, active policies, and enforcement status, all in one place. Duo works with Cisco Secure Access, open-source AI/MCP gateways, and AWS Bedrock AgentCore Gateway today, with Cisco AI Defense integration coming soon.

Secure your AI agents, your way

Agentic AI governance shouldn't require ripping out your infrastructure or committing to a single vendor's gateway. Duo Agentic Identity provides the authorization layer with per-tool-call access control, identity-correlated audit, and unified policy management—on top of whatever gateway you're already running, and at the pace your organization is ready for.

For early access to Duo's gateway integrations and to help shape what comes next, reach out to your Cisco contact and work directly with our product and engineering team.

Learn more about Cisco's zero trust for agentic AI workforce at cisco.com/go/securing-agentic-ai