Your next privileged user is an agent, one the customer authorizes to act on their behalf. Consumer apps are rapidly adding agentic copilots that can navigate accounts and complete tasks like refunds, address changes, plan upgrades, or money movement. That’s a UX win, and a fraud magnet; prompt injection, malicious browser extensions, and token replay can turn delegated convenience into account takeover and unauthorized transactions across web, mobile, and OBO channels.
This session presents a governance model for customer-authorized agents built on zero standing privilege (ZSP). Agents hold no persistent account access; they receive intent-scoped, short-lived permissions bound to the runtime (sender-constrained / proof-of-possession) and to explicit customer consent. We’ll cover patterns for agent registration and attestation, delegated authorization (OAuth/OIDC), step-up and transaction confirmation for high-risk actions, optional wallet/VC signals for higher assurance, continuous risk evaluation using behavioral telemetry, and rapid revocation with audit-ready evidence of who authorized what.
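As an added illustration (not the session's own code), here is a minimal deny-by-default gate in Python that enforces those properties for one agent request: a revocable, short-lived grant scoped to a single intent, bound to a registered runtime key and to a consent record, with replay detection and a step-up requirement for high-risk intents. The field names, the 5-minute lifetime cap, the risk classes, and the HMAC standing in for an asymmetric DPoP-style proof are assumptions.

```python
import hashlib, hmac, time
from dataclasses import dataclass

HIGH_RISK = {"money_movement", "address_change"}  # assumed risk classes
MAX_TTL = 300  # assumed cap on grant lifetime, seconds (no standing access)

@dataclass
class Grant:                 # intent-scoped, short-lived delegation
    agent_id: str
    intent: str              # the single action the customer authorized
    consent_id: str          # reference to the recorded consent
    cnf: str                 # thumbprint of the registered runtime key
    issued_at: float
    expires_at: float
    revoked: bool = False

def thumbprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()
def make_proof(key: bytes, intent: str, nonce: str) -> str:
    # Runtime proves key possession with a MAC over the request; a real
    # DPoP-style proof would be an asymmetric signature over the same fields.
    return hmac.new(key, f"{intent}|{nonce}".encode(), "sha256").hexdigest()

class Gate:
    def __init__(self, registry, consents):
        self.registry = registry  # thumbprint -> runtime key, from registration/attestation
        self.consents = consents  # consent_id -> {"agent_id", "intent"}
        self.seen = set()         # nonce replay cache for proofs

    def authorize(self, grant, intent, proof, nonce, confirmed, now=None):
        # Deny by default; the reason string doubles as audit evidence.
        now = time.time() if now is None else now
        if grant.revoked:
            return False, "grant revoked"
        if not grant.issued_at <= now < grant.expires_at:
            return False, "grant expired or not yet valid"
        if grant.expires_at - grant.issued_at > MAX_TTL:
            return False, "grant lifetime exceeds ZSP cap"
        if grant.intent != intent:
            return False, "intent not covered by grant"
        key = self.registry.get(grant.cnf)
        if key is None or not hmac.compare_digest(proof, make_proof(key, intent, nonce)):
            return False, "proof-of-possession failed"
        if nonce in self.seen:
            return False, "replayed proof"
        self.seen.add(nonce)
        consent = self.consents.get(grant.consent_id)
        if not consent or (consent["agent_id"], consent["intent"]) != (grant.agent_id, intent):
            return False, "no matching customer consent"
        if intent in HIGH_RISK and not confirmed:
            return False, "transaction confirmation (step-up) required"
        return True, "ok"
```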
Attendees will leave with CIAM control objectives, policy patterns, and an implementation checklist to enable secure in-app agents and “bring your own agent” experiences without sacrificing conversion or support outcomes.