The short version: On July 15, 2026, a startup called Oak came out of stealth with a $60M seed round — co-led by Accel, CRV, and Greylock — to build what it calls an AI-native identity operating system: one control plane that governs every identity in an organization, human, machine, and AI agent. TechCrunch's framing was blunt — it's there to fix "the identity mess that AI agents are making worse." The same week, MCP's 2026-07-28 spec made scoped agent authorization mandatory. When a $60M seed and a protocol standard point at the same problem in the same seven days, that's not two press releases. That's a signal: agent identity is moving from afterthought to table stakes, and the question it forces is uncomfortable — what, exactly, are your agents allowed to do?
An agent is only as safe as the smallest thing it's allowed to touch. Most agents ship allowed to touch everything.
Why a seed round is the tell#
Fundraises are noise until you read the pedigree. Oak is led by Shai Morag, whose previous cloud-identity company, Ermetic, was acquired by Tenable for $265M in 2023. Serial identity operators plus three top-tier funds don't converge on a "feature." They converge when they believe a category is forming — and they're betting the category is identity and access for agents, sitting alongside the identity stack you already run for people and machines. Oak also says the product is already generally available with enterprise customers, which means this isn't a research bet; it's a market that's paying.
You don't have to buy Oak to take the point. The point is the diagnosis.
The problem both the money and the standard are answering#
Most agents ship with borrowed authority. You wire an agent to your inbox, your files, and a couple of internal APIs, and — because it was the fast way to build — it runs on your credentials or a broad service token. So it can do anything you can do. That's fine right up until the agent reads something it shouldn't trust.
That's the prompt-injection problem, and it's why scope is the whole game: instructions hidden in a web page, an email, or a document the agent processes can redirect it, and an over-scoped agent turns that redirect into real actions with your full access behind them. Narrow the scope and the same injection hits a wall. This is the containment layer the market is now pricing — and it's exactly the permission problem this publication has been circling for months.
This is not only an enterprise concern#
The consumer version of the same idea is already in your hands. Claude Cowork's main security boundary is the folder you explicitly share — its effective reach is the union of those folders, its connected integrations, and any logged-in browser session it can use. Same question, smaller blast radius: what's it allowed to touch, and can that be abused? Whether you're a team of one handing tasks to a hosted agent or a platform team shipping your own, the design question is identical.
What to actually do — with primitives that already exist#
You don't need to wait for an identity platform to catch up. Three moves, all available today:
- Give each agent its own identity. Not your login, not a shared service account — a distinct identity you can scope, rotate, and revoke. (How to authenticate an agent identity; for workloads, SPIFFE/SPIRE.)
- Scope tokens to the resource, not the org. Mint a token for the one thing the task needs, not a blanket key that opens everything. This is fine-grained authorization, and it's the difference between a contained incident and a breach report.
- Put a hard boundary on reach. Directory scoping, allow-lists, or a proxy that enforces least privilege in front of every tool call — the enforcement point that a prompt injection can't argue its way past.
If you build on MCP, the 2026-07-28 spec turns move #2 into required behavior: servers MUST implement OAuth 2.0 Protected Resource Metadata (RFC 9728) so clients can discover the right authorization server, and clients MUST send Resource Indicators (RFC 8707) so a token minted for one server can't be replayed against another. Aligning to it now isn't just good hygiene — it's getting ahead of the migration that lands July 28.
The read#
Two data points don't make a trend — but a funded category and a mandatory standard, in the same week, pointing at the same gap, is more than coincidence. Agent identity and authorization are graduating from "we'll add it later" to "you ship it or you don't ship." The teams scoping their agents this quarter won't be the ones writing the incident post-mortem next quarter. The cheapest time to answer what is this agent allowed to do? is before something else answers it for you.



