Securing AI Agents: Innovating Without Regressing


Ahead of Platform Summit 2025, we check in with speaker Michał Trojanowski to discover what it takes to secure agents with API access.

Michał Trojanowski from Curity will present at Platform Summit 2025 in our MCP security track.

As the agentic AI space has blossomed, the security implications have grown with the same intensity. AI agents are gaining the autonomy to carry out multi-step actions, call external APIs, and mutate backend data. If authorization isn’t well thought out for this new power, the consequences could be disastrous.

Someone who knows the realities of API security in the AI era all too well is Michał Trojanowski, a product marketing engineer at Curity. At Platform Summit 2025, Trojanowski will be exploring how we should treat Model Context Protocol (MCP) in his talk, MCP Client — Just Another OAuth Client?.

According to Trojanowski, we shouldn’t be backsliding from well-established security standards in the rush to adopt agentic AI and trendy protocols like MCP. Read the full interview with him below, and definitely consider registering for Platform Summit 2025 and the API Security UnConference for more on these topics!

Interview with Michał Trojanowski

You’ve been following both the API security and AI spaces closely in recent years. What issues have emerged that made you stop and say “yikes”?

I had that reaction when we made steps backwards with some implementations of AI agents and MCP. For example, I’ve seen an agentic SDK that allowed you to post messages to Twitter using support from a large language model (LLM). All you had to do was provide the SDK with your Twitter username and password. OAuth was created well over a decade ago to fix exactly this issue — providing credentials of service A directly to service B. Apart from being insecure, this also limits how you secure your account these days — MFA or passkeys. We should be wary of not reversing the security we gained over the years, only because we want to innovate quickly.

When it comes to MCP, what are the latest developments around authorization? Is the picture looking more secure?

The good thing about MCP is that the community started to think about baking in authorization and security very early. The specification, also in the areas around authorization, is actively worked on. There are still some things missing, like the ability to ask an MCP client to step up permissions, but the community is working on adding these pieces, so you can see improvements in this space.

Without giving too much away from your upcoming talk, how do you view MCP — simply as another OAuth client, or does it require more planning around security and authorization?

As with any such question, the answer is not that straightforward. It depends on the capabilities the MCP server provides. In the talk, I will show how there are two security planes on which we operate, and how the specification addresses them.

What role does IAM play in securing AI agents’ access to APIs and underlying data? How can organizations protect sensitive data from exposure when working with autonomous agents?

Here, the answer is a bit more straightforward. You need pretty much the same security best practices as you implement for any API. For example, make sure to protect all endpoints, apply zero-trust principles, and least privilege. Use fine-grained authorization techniques to be able to properly apply authorization policies.

What best practices are emerging for sequestering and monitoring MCP traffic?

When you have traffic to the MCP server secured with OAuth and tokens, you can use claims that will identify MCP clients. These claims can later be used by API gateways and APIs to properly differentiate and monitor traffic from AI agents. Data about this traffic can later be used to monitor the behavior of AI agents.
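To make the point above concrete, here is an added example (not code from the interview, Curity, or the MCP specification) of the gateway-side logic: verify the access token first, then use its claims to tag and route agent traffic separately. It assumes an HS256 token with a constructed demo key and a hypothetical `client_type` claim; `client_id` and `sub` are standard JWT access token claims.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. A real gateway validates tokens against the
# authorization server's published keys, not a shared secret.
DEMO_KEY = b"constructed-demo-secret"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_demo_token(claims, key=DEMO_KEY):
    """Issue an HS256 JWT; exists only so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token, key=DEMO_KEY, now=None):
    """Check signature and expiry before trusting any claim; ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects 'none' and algorithm confusion
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def classify_request(token, key=DEMO_KEY, now=None):
    """Gateway side: tag the request so agent traffic is routed and logged separately.
    'client_type' is a hypothetical claim name; 'client_id' and 'sub' are standard."""
    claims = verify_token(token, key, now)
    is_agent = claims.get("client_type") == "mcp_client"
    return {
        "client_id": claims.get("client_id"),
        "subject": claims.get("sub"),
        "scope": claims.get("scope", ""),
        "traffic_class": "ai_agent" if is_agent else "standard",
        "route": "agent-pool" if is_agent else "default-pool",
    }
```

The returned record is what a gateway would emit to its access log or use for routing, which is the basis for monitoring agent behaviour separately from ordinary clients.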

You’ll also be at the API Security UnConference the day before the Platform Summit. What topics do you expect to surface there that deserve more attention?

There is a lot of activity right now around properly authorizing traffic in highly distributed systems, like when a lot of microservices are used to process one request. The IETF Workload Identity in Multi System Environments (WIMSE) working group is currently working on specifications that address these scenarios. I hope we will have interesting discussions that touch on these topics that join business-level authorization with infrastructure-level security.

What are you most looking forward to in Stockholm this year? Are there any themes, topics, or speakers you’re particularly excited to learn from at this year’s Summit?

I always enjoy talks that share real-life experiences, so I’m looking forward to Andrzej Jarzyna’s talk about API governance in a large (and very old) insurance company. I also hope to see talks from Arnaud Lauret and David Brossard, as they are excellent speakers.

Finally, what keeps you coming back to Stockholm?

October is a very good time to visit Stockholm and enjoy it in the mild autumn weather, while the days are still relatively long. I like that there is so much water in the city. I like it when, in just a few minutes, you can be at the waterside, have a nice walk, or even enjoy a meal or coffee. I always look forward to that when travelling to Stockholm.