33 min 2026-01

Keycard: 2026 is the Year of Agents

Overview

The podcast Keycard: 2026 is the Year of Agents, featuring A16Z partner Joel de la Garza in conversation with KeyCard co-founder and CEO Ian Livingston, presents a compelling and urgent thesis: 2026 will mark the inflection point for enterprise adoption of AI agents—autonomous systems capable of performing tasks on behalf of users with minimal human intervention. While 2025 offered only “the first glimpses of true AI agents,” the coming year will see organizations rush to deploy them into production environments, moving beyond experimental labs and into customer-facing and internal operational workflows. However, this rapid deployment introduces profound security, identity, and access control challenges that existing infrastructure is ill-equipped to handle. Central to the discussion is the recognition that agents fundamentally disrupt traditional models of authorization and authentication, shifting from static, role-based permissions to dynamic, context-aware, task-specific policies that must account for multi-tenancy, tool calling, and ephemeral execution contexts.

The conversation identifies two primary categories of security risk inherent in agentic systems: (1) prompt injection and indeterministic behavior stemming from the probabilistic nature of large language models, and (2) the far more critical issue of identity and access management—specifically, how to ensure that an agent acting on a user’s behalf only accesses data and performs actions explicitly permitted by that user within a specific task context. A real-world incident is cited where a SaaS company’s agent inadvertently exposed other customers’ data due to flawed authorization logic, illustrating the acute vulnerability of current implementations. The speakers argue that enterprises—not consumers—will lead agent adoption due to clear ROI in operational efficiency, executive-level urgency around earnings growth, and the pre-existing cloud infrastructure that enables rapid integration. Critically, the podcast positions KeyCard as a foundational solution designed to manage “fleets of agents” by providing cryptographic identity for agents, granular access policy enforcement, auditability, and interoperability with emerging standards like MCP and A2A, all while operating as a vendor-agnostic, federated layer essential for safe and scalable agent deployment.

The Emergence of 2026 as the “Year of Agents”

The podcast opens with a definitive declaration that 2026 will be universally recognized as the year AI agents transition from theoretical prototypes to production-grade tools deployed across industries. This prediction is grounded in observable market momentum: “every company we talk to is definitely looking to get some sort of an agent into production, not just in the lab, to get them out into customers' hands.” This shift represents a maturation beyond the initial wave of copilot-style assistants—tools that augment human decision-making but remain firmly under direct user control—toward systems capable of autonomous task execution. The distinction is crucial: while copilots function as “advanced autocomplete” that may involve multiple tool calls under the hood, true agents enable users to delegate end-to-end tasks and “walk away,” trusting the system to plan, execute, and only seek human approval at critical junctures (e.g., exceeding a purchase limit). This evolution mirrors the progression in autonomous driving, from Level 1 driver assistance to Level 3 conditional automation, where the human remains accountable but is not continuously engaged. As Livingston articulates, the value of agents lies not in the underlying model alone but in their runtime context and actionable access: “the models create opportunity, but it's the context at runtime and the things they have access to at runtime... that enable agents actually create value.”

This anticipated surge in agent deployment creates an immediate and pressing need for specialized infrastructure to manage what the speakers term “fleets of agents.” Companies like KeyCard are positioned as essential enablers, providing the governance, security, and operational frameworks necessary to move agents from individual developer laptops into secure, auditable, enterprise-scale environments. The urgency is underscored by the fact that many organizations are already struggling to operationalize even basic copilot functionality, indicating that the leap to full agency will require entirely new paradigms for control and oversight. The podcast thus frames 2026 not merely as a year of technological advancement but as a pivotal moment of infrastructural necessity, where the ability to safely manage agent fleets will become a core competitive differentiator.

"In 2025, we saw the first glimpses of true AI agents. In 2026, every company will be rushing to get them into production, and they'll need companies like KeyCard to manage fleets of agents."

The Critical Security Challenge: Identity, Authorization, and the First Agent Breach

Perhaps the most striking element of the discussion is the recounting of what is described as “probably the first security incident I’ve ever heard about with an agent,” a case study that crystallizes the novel risks introduced by agentic systems. The incident involved a relatively large SaaS company that implemented an agent allowing users to query their own business data through natural language prompts—a common and seemingly benign use case. The agent was correctly configured to reject explicit requests for other firms’ data, responding with “I can't give you data for General Electric.” However, when users issued the generic command “Hey, give me my data,” the system failed to properly scope the request to the authenticated user’s tenant, instead returning data from a “revolving cast of characters”—i.e., other companies. This flaw reveals a fundamental breakdown in authorization logic, where the agent’s understanding of “my data” was not securely bound to the user’s identity and tenant context.
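The failure pattern in that incident, as an added illustration that is not code from the podcast or from KeyCard: a tool that lets the model-extracted company name decide the scope of a query, so an explicit request for another firm is refused but a bare "give me my data" runs unscoped, beside a version where the tenant filter always comes from the authenticated session. The tenant names, rows and the model stub are all constructed for this example.

```python
"""Tenant scoping for an agent tool call: the flawed pattern beside the fix.

Constructed example. The 'model' is a stub that pulls a company name out of
the prompt the way an LLM-backed tool router might; the rows are an
in-memory table with made-up tenants, not real data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample rows, one tenant id per row.
ROWS: List[Dict] = [
    {"tenant": "acme", "metric": "revenue", "value": 120},
    {"tenant": "acme", "metric": "churn", "value": 3},
    {"tenant": "globex", "metric": "revenue", "value": 950},
    {"tenant": "initech", "metric": "revenue", "value": 40},
]
KNOWN_TENANTS = {"acme", "globex", "initech"}


@dataclass(frozen=True)
class Session:
    user: str
    tenant: str  # established at login; never derived from prompt text


def model_extract_company(prompt: str) -> Optional[str]:
    """Stub for the model's argument extraction: a tenant named in the
    prompt, or None for 'my data' style requests."""
    for name in KNOWN_TENANTS:
        if re.search(rf"\b{name}\b", prompt, re.IGNORECASE):
            return name
    return None


def vulnerable_tool(session: Session, prompt: str) -> List[Dict]:
    """Flawed pattern: the model-supplied company is the only scoping.
    Naming another tenant is refused, but 'give me my data' yields no
    company at all and the query runs across every tenant."""
    company = model_extract_company(prompt)
    if company is not None and company != session.tenant:
        raise PermissionError(f"I can't give you data for {company}")
    if company is None:
        return list(ROWS)  # unscoped: other customers' rows come back
    return [r for r in ROWS if r["tenant"] == company]


def hardened_tool(session: Session, prompt: str) -> List[Dict]:
    """Fixed pattern: the filter is bound to the session's tenant. The
    model's extracted company is only checked against that binding; it is
    never used as the source of the filter."""
    company = model_extract_company(prompt)
    if company is not None and company != session.tenant:
        raise PermissionError(f"I can't give you data for {company}")
    return [r for r in ROWS if r["tenant"] == session.tenant]


def leaks_other_tenants(rows: List[Dict], tenant: str) -> bool:
    """True if any returned row belongs to a tenant other than the caller's."""
    return any(r["tenant"] != tenant for r in rows)
```

The point of the hardened version is that "my" is resolved by the identity layer, not by the model: the session's tenant is the filter on every path, including the one where the prompt names no company. A regression check for this class of bug is exactly the generic prompt, not the explicit cross-tenant one.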

This example serves as a powerful illustration of the core security problem: agents introduce a new layer of indirection between the user and the data or action being performed, and traditional identity and access management (IAM) systems are not designed to govern this intermediary. As de la Garza immediately recognized upon hearing the story, “There is an AuthN AuthZ problem, and that is the problem with identity and agents.” The issue transcends simple data leakage; it represents a systemic failure in contextual access control. In a world where agents can chain multiple tool calls—accessing a production database, extracting sensitive customer information, and then using a web browser to send that data to an external service—the attack surface expands dramatically. Unlike traditional breaches that often rely on searching for specific keywords (e.g., “password,” “SSN”), agents can synthesize insights across vast datasets by asking high-level questions like “Did the CEO cheat on their taxes?”, making data exfiltration both easier and more insidious.

The speakers emphasize that this is not merely a data security issue but a deep, contextual identity problem that requires a complete reinvention of access control. The old perimeter-based model of “if you’re inside the firewall, you can read/write/delete” is obsolete in an agentic world. Instead, access must be granted dynamically based on the specific task intent, the user’s explicit consent for that task, and the downstream resource owner’s policies. This creates a complex, multi-party trust equation involving the end user, the agent, the tool provider, and the data custodian—all of whom need a “voice” in the access decision in a way they never did before. The stakes are high, with potential consequences ranging from accidental data exposure to deliberate malicious actions like database dumping, ransomware deployment, or hard drive deletion, all executed autonomously by an agent operating with excessive privileges.

"...example, but if you just said hey, give me my data, it would return on a revolving cast of characters, data from other companies... There is an AuthN AuthZ problem, and that is the problem with identity and agents."

The Agentic Continuum: From Copilots to Autonomous Executors

To frame the discussion, Livingston introduces a nuanced “continuum of agentic behavior,” drawing an analogy to the levels of autonomous driving to clarify the spectrum of AI assistance. At Level 0, we have traditional deterministic software—rule-based systems with no indeterminism, where all decisions are made by humans. Level 1 corresponds to today’s copilots: human-driven workflows augmented by AI that makes underlying assumptions and performs tool calls to automate parts of a task (e.g., GitHub Copilot or Cursor). While often dismissed as “advanced autocomplete,” these systems already embed significant decision-making logic beneath the surface. The critical transition occurs as we move toward Level 3 and beyond, where the human can delegate a complete task and disengage—issuing a command like “find me the best pair of jeans in my size under fifty dollars” and allowing the agent to research, compare, and potentially purchase without further input. This stage, likened to setting a compile job and walking away for pizza, represents the threshold of true agency.

The value proposition of agents at this higher level is transformative: they enable a shift from a world where new software capabilities require developer intervention to one where “if I want a task to be done... it can create a plan and execute on that plan... dynamically based on the data I give it at runtime.” This unlocks a “long tail set of potential tasks” that can be performed on-demand, creating immense operational flexibility. However, this very dynamism introduces the security challenges discussed earlier. Because each task is unique and ephemeral (“hyper ephemeral,” in the speakers’ words), access control cannot rely on static roles or group memberships. Instead, it must be task-based and intent-based, granting the agent only the precise permissions needed to fulfill the specific request at hand. For instance, if a user asks an agent to “analyze the financials of these two companies,” the agent should gain temporary, scoped access only to those specific datasets—not to the entire financial database. This requires a complete overhaul of the “trust equation,” moving from static assertions like “Joel is a partner at Andreessen Horowitz, so he has access to company financials” to dynamic, contextual grants tied to a particular action.

"We're moving from a world where like if I wanted a piece of software to be able to do something that new, a software developer had to write it... We're moving to a world where if I want a task to be done... it can create a plan and execute on that plan... So it's completely different in hyper ephemeral world where you have this long tail set of potential tasks."

Why Enterprises Will Lead Agent Adoption Over Consumers

Contrary to initial expectations that consumer applications would drive agent adoption, the speakers argue that enterprises will be the primary early adopters at scale, for several interconnected reasons. First, the business case for internal workflow optimization is exceptionally clear and quantifiable at the executive level. Agents promise direct improvements in “earnings efficiency” by automating complex, knowledge-intensive tasks, effectively allowing companies to “freeze headcount and get more productivity out of people.” This tangible link to profitability makes agent adoption a top-level business objective rather than a peripheral IT experiment. Second, the enterprise workforce is already primed for this transition. Employees routinely use consumer AI tools like ChatGPT, Sora, or Claude in their personal lives and can immediately transfer that familiarity to work contexts, accelerating adoption. This stands in stark contrast to the cloud era, where enterprises were late adopters; today, they are already “on the cloud,” with data and infrastructure in place to support agentic workflows.

Third, and perhaps most critically, the security and compliance functions are no longer in a position to block innovation. During the cloud migration, CISOs could legitimately raise concerns about immaturity and lack of controls, slowing adoption. In the agent era, however, the business imperative is too strong. As de la Garza notes, “the CEO and co. They're saying, well, we have to, we have to adopt,” leaving security teams with the mandate not to prevent but to “enable this safely without like blowing up the firm.” This has created a phenomenon of “shadow IT on steroids,” where employees deploy agents with production credentials on their local machines, bypassing governance entirely. The result is an urgent need for solutions that allow secure adoption rather than outright prohibition. Finally, there is a strategic defensibility component: businesses recognize that the future of interaction—whether in commerce (“the future of shopping is probably through an agent”) or SaaS—will be mediated by agents. Companies must therefore either ensure their platforms are agent-friendly or risk being disintermediated, or better yet, transform their own products into agents to maintain their competitive moat. This top-to-bottom transformational pressure ensures that enterprise adoption will be both rapid and comprehensive.

"This wave is different for many different reasons. One is the net benefit and operating efficiency of the internal workflow optimization, the enterprise is like absolutely massive. Like it's so clear to at a board and executive level how this is like... the next step in the company, in terms of just like gaining the next level of earnings efficiency."

The Standards Landscape: MCP, A2A, and the Missing Bridge

The podcast delves into the nascent but critical landscape of agent interoperability standards, focusing on two emerging frameworks: MCP (Model Context Protocol) and A2A (Agent-to-Agent). MCP, which has seen the most adoption to date, originated from the practical need to grant models access to external tools and data, addressing the limitation that models like Claude “can’t do much for you” in isolation. It provides a mechanism for presenting a set of tools to an agent, enabling actionability. However, MCP is criticized for embodying a “beg for forgiveness” approach—it facilitates access but offers little in the way of security, governance, or identity. This has led to widespread “secret sprawl on steroids,” where developers run MCP servers locally with production credentials, creating massive, uncontrolled attack surfaces. As Livingston observes, organizations “have no ability to control whether that's actually... Ian or is it Ian's agent,” highlighting the fundamental identity gap.

In contrast, A2A, associated with Google’s approach, is described as a more elegant, “PhD piece” that focuses on the theoretical question of “what is an agent?” and how agents can discover and interact with each other in a federated network. It represents an “ask for permission” philosophy, prioritizing scale and manageability across boundaries. However, A2A has not yet gained significant traction in the market. The core insight from the discussion is that both standards are incomplete on their own. MCP solves the problem of tool access but ignores identity and policy enforcement, while A2A addresses agent discovery and federation but lacks practical mechanisms for runtime access control. What is missing is a “bridge” that connects these worlds: a system that can cryptographically identify agents, enable users to grant fine-grained, task-scoped permissions, allow tool providers to enforce contextual policies, and provide comprehensive auditing. This gap is precisely where KeyCard aims to operate, positioning itself not as a competing standard but as a federated layer that interoperates with and enhances both MCP and A2A, ensuring that the promise of agent interoperability does not come at the cost of security and control.
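What the "missing bridge" described here and the task-scoped grants from the agentic-continuum section would look like at the smallest scale, as an added example rather than KeyCard's product or either standard's mechanism: an authorization step mints a short-lived grant bound to one user, one agent identity, one task and an explicit resource/action list; the tool provider verifies it on every call and records the decision. The signing uses HMAC with a constructed shared secret so the example runs offline; the field names, the agent identifiers and the resource paths are assumptions.

```python
"""Task-scoped, short-lived grants for an agent, with policy check and audit.

Constructed example. HMAC with a placeholder secret stands in for a real
signature scheme; a deployment would use asymmetric keys so that tool
providers can verify grants without being able to mint them.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

SECRET = b"constructed-demo-secret"  # placeholder, not a real key
AUDIT: List[Dict] = []                # every access decision lands here


def _canonical(body: Dict) -> bytes:
    """Deterministic serialization so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mint_grant(user: str, agent_id: str, task: str, resources: List[str],
               actions: List[str], ttl_s: int,
               now: Optional[float] = None) -> Dict:
    """Authorization service: a grant for exactly the datasets and actions
    one task needs, tied to the user who delegated it and the agent
    identity that will act, and expiring with the task."""
    now = time.time() if now is None else now
    body = {"user": user, "agent": agent_id, "task": task,
            "resources": sorted(resources), "actions": sorted(actions),
            "iat": now, "exp": now + ttl_s}
    sig = hmac.new(SECRET, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_grant(grant: Dict, now: Optional[float] = None) -> Optional[str]:
    """None if the grant is authentic and unexpired, otherwise the reason."""
    expected = hmac.new(SECRET, _canonical(grant["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, grant["sig"]):
        return "bad signature"
    now = time.time() if now is None else now
    if now >= grant["body"]["exp"]:
        return "expired"
    return None


def tool_access(grant: Dict, agent_id: str, resource: str, action: str,
                now: Optional[float] = None) -> bool:
    """Tool provider: enforce the grant at call time and audit the decision.
    The agent presenting the grant must be the agent it was issued to, and
    the resource and action must be inside the task's bounding box."""
    reason = verify_grant(grant, now)
    body = grant["body"]
    if reason is None and agent_id != body["agent"]:
        reason = "agent identity mismatch"
    if reason is None and resource not in body["resources"]:
        reason = "resource outside task scope"
    if reason is None and action not in body["actions"]:
        reason = "action outside task scope"
    AUDIT.append({"user": body["user"], "agent": agent_id, "task": body["task"],
                  "resource": resource, "action": action,
                  "allowed": reason is None, "reason": reason})
    return reason is None
```

Three properties carry the argument from the text: the grant names specific datasets rather than a role, so "analyze the financials of these two companies" does not open the whole financial database; it names the agent, so the tool provider can distinguish the user from the user's agent; and it expires, so nothing outlives the task. The audit list records denials as well as allows, which is what a security team needs to see that an agent tried to step outside its box.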

"MCP is definitely here to stay. A to A, let's find out... And so there's a missing, missing bridge. MCP definitely has the most adoption, and it's definitely hitting that... trough of disillusionment as people found, hey, it's not perfect... They realize that everybody's got a bunch of production credentials on their local machines running... MCP, and they have no control over it."

KeyCard’s Vision: Governing Fleets of Agents in Production

In the closing segment, Livingston outlines KeyCard’s mission and product strategy in direct response to the challenges articulated throughout the conversation. The company’s primary focus is to help customers move agents “off the laptop” and “out of the lab” into secure, governed production environments where they can deliver real utility. KeyCard’s platform is designed to address the core identity and access problem by providing a comprehensive suite of capabilities centered on three pillars: discovery, control, and auditability.

First, KeyCard helps organizations identify and inventory their agent fleet: “what agents you have, what users are using those agents, what users can use those agents, and what those agents are actually enabled to access.” This visibility is the foundational step in managing risk. Second, the platform provides the tools to build and govern agent capabilities. This includes SDKs for developing internal workflow agents or product-integrated agents, along with an enablement layer that allows organizations to define a catalog of approved agents and tools. Crucially, KeyCard enables the creation of “deterministic guide rails” that “put a bounding box around this thing as access to and what it can do,” ensuring that agents operate only within explicitly permitted boundaries. Third, the system delivers complete auditability and governance, allowing security teams and end users alike to understand the access profile of every agent and monitor its activities in real time.

A key differentiator emphasized by Livingston is KeyCard’s commitment to open standards and interoperability. Rather than creating a proprietary silo, the company is “building things that interoperate with all existing standards” and actively working to “drive those standards forward.” This federated, vendor-agnostic approach ensures that KeyCard can serve as a “central pillar in your agent strategy,” integrating seamlessly with existing cloud infrastructure, SaaS applications (like Salesforce and Snowflake), and emerging agent protocols. By anchoring its solution in open standards—a tradition that has defined successful identity companies—KeyCard positions itself not just as a point product but as essential infrastructure for the agentic era, ready to meet the “sore need for some sort of scalable way to manage identity in this agentic world.”

"We're going to help you identify what agents you have... and allow you to put a bounding box around those things... And we're going to give you a set of tools that you can use to build... agents... and then as an end user secured you get the ability to govern it all, have complete auditability... We're completely standards and operable... interoperate with all existing standards."