**Bringing Strong Authentication and Granular Authorization to GenAI**
As we continue to push the boundaries of artificial intelligence, one crucial aspect that requires attention is security – specifically, strong authentication and granular authorization. This is a critical discussion in the context of Agents and Model Context Protocols (MCPs), but what's even more intriguing is where this authn/z story should unfold, how it gets implemented, and who bears the responsibility.
Dan Moore recently shared valuable insights on this topic, drawing parallels from securing APIs that can be applied to the world of MCPs. His observation highlights a critical point: many entities interacting with APIs are still relying on outdated authentication and authorization methods – a trend we should avoid replicating in GenAI.
**Lessons from Securing APIs**
Moore's experience in securing APIs has provided valuable lessons that can be applied to MCPs. One key takeaway is the importance of granular authorization, which ensures that only authorized entities have access to specific resources or actions. This approach helps prevent over-authorization and under-authorization issues that can lead to security breaches.
Another important aspect is implementing authentication mechanisms at multiple points in the system, similar to how API gateways provide an additional layer of security before requests reach the backend. By doing so, we can significantly reduce the attack surface and improve overall security posture.
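The two points above (per-resource authorization and authenticating at more than one layer) can be shown together in a short sketch. This is an added example, not code from the episode or from any MCP implementation; the token format, the demo key, and the tool and scope names are assumptions made up for illustration.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: shared secret, demo only
# Hypothetical tool names and scope strings (not taken from the MCP spec).
TOOL_SCOPES = {"read_ticket": "tickets:read", "refund_order": "orders:refund"}

def _sign(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()

def mint_token(sub, scopes, ttl=300, now=None):
    now = time.time() if now is None else now
    claims = {"sub": sub, "scopes": sorted(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body).decode()

def verify_token(token, now=None):
    """Authenticate: check the signature first, then expiry. Returns claims."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(_sign(body.encode()), sig.encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims

def tool_server(token, tool, now=None):
    """Backend layer: re-authenticates, then enforces the per-tool scope."""
    claims = verify_token(token, now)
    required = TOOL_SCOPES.get(tool)  # unknown tool: deny by default
    if required is None or required not in claims["scopes"]:
        raise PermissionError(f"{claims['sub']} may not call {tool}")
    return f"{tool} ok for {claims['sub']}"

def gateway(token, tool, now=None):
    """Edge layer: drops unauthenticated calls before they reach the backend."""
    verify_token(token, now)
    return tool_server(token, tool, now)

def outcome(token, tool, now=None):
    try:
        return gateway(token, tool, now)
    except PermissionError as exc:
        return f"denied: {exc}"

if __name__ == "__main__":
    agent = mint_token("support-agent", ["tickets:read"], now=1000)  # constructed
    print(outcome(agent, "read_ticket", now=1001))   # scope granted
    print(outcome(agent, "refund_order", now=1001))  # scope not granted
    print(outcome(agent, "read_ticket", now=2000))   # past expiry
```

Because `tool_server` verifies the token itself, a caller that bypasses the gateway still faces the same signature, expiry and scope checks.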
**Parallels for a More Secure GenAI**
The parallels drawn by Moore are particularly relevant given the increasing reliance on APIs in MCPs. By applying these lessons to the world of GenAI, we can create more secure systems that prevent unauthorized access and ensure only authenticated entities interact with sensitive data or resources.
Visit our website at https://www.securityweekly.com/asw for all the latest episodes and show notes.
**Recommended Reading**
* Is That Allowed? Authentication and Authorization in Model Context Protocol
* Authorization Models
**Show Notes**
* Visit our website at https://securityweekly.com/asw-369 for all the latest episodes and show notes.