[{"content":"Walking the vendor floor at RSAC this year, the count was roughly 40% prompt injection detection products, maybe 5% anything resembling agentic identity. That ratio is inverted from where the risk actually sits — and the gap is widening as agents move from demos into systems that do things on people’s behalf.\nLet me try to explain why I think most of the industry is optimizing the wrong control.\nThe obvious part first\nPrompt injection is real. It is not going away. Detection has its place — as a sensor, alongside other sensors, feeding a decision layer. I am not arguing against building detectors. I am arguing against the implicit claim, encoded in how budgets are being spent, that detection is the decisive control for agentic systems.\nIt is not. It cannot be. And the reason has nothing to do with how good any particular classifier gets.\nReframe: injection only matters because of what comes next\nA prompt injection is a string. By itself it does nothing. It matters only because some agent, after reading it, can do something — call a tool, move money, send an email, write to a database, escalate to another agent. The injection is the trigger. The blast radius is the vulnerability.\nIf the agent has no standing privilege, no long-lived credentials, no inherited scope from the user, and every tool call requires fresh authorization bound to a declared intent — the injection has nowhere to land. The attacker can convince the model of anything they like. The model still cannot do anything it was not authorized to do at that moment, for that task, on behalf of that principal.\nThis is not theoretical. It is the same shift we made twenty years ago when we stopped trying to filter SQL injection at the input layer and started using parameterized queries. The fix was not better detection. 
The fix was a principal model that made the dangerous thing structurally impossible.\nWhat each control actually answers\nControl | The question it answers\nPrompt injection detection | “Is this input adversarial?”\nAgentic identity | “What is this principal allowed to do, on whose behalf, right now?”\nThe first is probabilistic and bypassable — any sufficiently determined attacker, given access to the model’s outputs, will find a phrasing the classifier misses. The second is enforceable and auditable. They are not substitutes. Treating them as such — building elaborate detection pipelines on top of a broken principal model — is treating a symptom while the disease compounds.\nOWASP’s Agentic AI Top 10 lists Privilege Compromise (ASI03) right near the top for a reason. It is the category that swallows the others. Compromised tool use, rogue actions, cascading failures — they all reduce to: the agent had more power than the situation justified.\nYou cannot filter your way out of an authorization problem\nThe framing I keep coming back to: you don’t hand a temp worker your keycard and then install cameras to watch them. You give them a scoped badge that expires at 5pm. Detection is the cameras. Identity scoping is the badge.\nThe deeper point is about coverage. Detection is per-vector — a prompt injection detector catches prompt injections, with some false negative rate. It does nothing for model jailbreaks, supply chain compromise of a tool, a rogue agent in a multi-agent system, or the model simply being wrong in a way that produces a harmful action. Identity scoping is per-principal — it constrains what the agent can do regardless of how the compromise happened. 
One control, many threats.\nIf you only have budget for one of these — and most organizations effectively do, given attention is the scarce resource — the identity work has strictly broader coverage.\nWhat “agentic identity” means here, briefly\nI am using it the way the OWASP Agentic AI Detection \u0026 Sensors (AADS) project uses it: an ephemeral, delegation-aware identity assigned to an autonomous AI agent, distinct from the user who initiated the task, with explicit scope bound to the task and short-lived credentials issued per invocation. The plumbing exists — token exchange, workload identity federation, OBO flows. What is missing is the will to treat the agent as a first-class principal rather than a function call running with the user’s full privileges.\nIf you want the depth, the AADS work is where to look. This post is not about what agentic identity is. It is about why it matters more than the thing the vendor floor is selling you.\nThe punch\nDetection is downstream of decision. Identity is the decision.\nYou can buy a better sensor every quarter and the underlying risk does not move, because the agent still has the standing privilege to act on whatever instruction the sensor missed. Or you can do the harder, less marketable work of fixing the principal model — and the sensors become what they were always supposed to be: useful telemetry on a system that is safe by construction.\nI know which one I’d rather be defending in front of a board after the first real incident.\n","permalink":"https://hupfauer.one/posts/identity-is-the-control-plane/","summary":"\u003cp\u003eWalking the vendor floor at RSAC this year, the count was roughly 40% prompt injection detection products, maybe 5% anything resembling agentic identity. 
That ratio is inverted from where the risk actually sits — and the gap is widening as agents move from demos into systems that do things on people\u0026rsquo;s behalf.\u003c/p\u003e\n\u003cp\u003eLet me try to explain why I think most of the industry is optimizing the wrong control.\u003c/p\u003e\n\u003ch2 id=\"the-obvious-part-first\"\u003eThe obvious part first\u003c/h2\u003e\n\u003cp\u003ePrompt injection is real. It is not going away. Detection has its place — as a sensor, alongside other sensors, feeding a decision layer. I am not arguing against building detectors. I am arguing against the implicit claim, encoded in how budgets are being spent, that detection is the \u003cem\u003edecisive\u003c/em\u003e control for agentic systems.\u003c/p\u003e","title":"Identity is the control plane. Detection is a sensor."},{"content":"Information pursuant to § 5 TMG\nMarkus Hupfauer Am Plattenberg 2 86551 Aichach Germany\nContact\nEmail: markus@hupfauer.one\n","permalink":"https://hupfauer.one/imprint/","summary":"\u003ch2 id=\"angaben-gemäß--5-tmg\"\u003eInformation pursuant to § 5 TMG\u003c/h2\u003e\n\u003cp\u003eMarkus Hupfauer\nAm Plattenberg 2\n86551 Aichach\nGermany\u003c/p\u003e\n\u003ch2 id=\"kontakt\"\u003eContact\u003c/h2\u003e\n\u003cp\u003eEmail: \u003ca href=\"mailto:markus@hupfauer.one\"\u003emarkus@hupfauer.one\u003c/a\u003e\u003c/p\u003e","title":"Imprint"}]