The a16z Show - Keycard: 2026 is the Year of Agents
Episode Date: January 8, 2026In 2025, we saw the first glimpses of true AI agents. In 2026, every company will be rushing to get them into production, and they’ll need companies like Keycard to manage fleets of agents.In this c...onversation, a16z Partner Joel de la Garza sits down with Keycard Cofounder and CEO Ian Livingstone to discuss the continuum from copilots to agents, the security realities of tool-calling, why enterprises will adopt before consumers, and how to control your agents.Follow Joel on LinkedIn: https://www.linkedin.com/in/3448827723723234/Follow Ian on X: https://x.com/ianlivingstoneFollow Keycard on X: https://x.com/keycardlabsLearn more about Keycard: https://www.keycard.sh/ Stay Updated:Find a16z on YouTube: YouTubeFind a16z on XFind a16z on LinkedInListen to the a16z Show on SpotifyListen to the a16z Show on Apple PodcastsFollow our host: https://twitter.com/eriktorenberg Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
Transcript
Discussion (0)
In 2025, we saw the first glimpses of true AI agents.
In 2006, every company will be rushing to get them into production,
and they'll need companies like Keycard to manage fleets of agents.
In this conversation, A16Z partner, Joel de Lagarsa,
sits down with Keycard co-founder and CEO, Ian Livingston,
to discuss the continuum from co-pilots to agents,
the security realities of tool calling,
why enterprises will adopt before consumers,
and how to control your agents.
Let's get into it.
So it's shaping up to be that we're at the beginning of what sounds like the start of the year of the agents.
26.
It seems like every company we talk to is definitely looking to get some sort of an agent into production,
not just in the lab, to get them out into customers' hands and to start having them use it.
And so I'd like to share a story.
I guess we could kick this off.
And thank you so much to you, Ian, for joining us on our podcast to discuss this.
you know, we actually, or I was actually privy to hearing about probably the first security incident
I've ever heard about with an agent. And as a security person, you know, we constantly harp on
people to be very explicit on what is the problem you solve. And the problems in security are
often manifested in security events. And so we were talking to a company or heard about a company,
a relatively large company that has a SaaS service that implemented an agent. They wanted to give
a prompt to their users to query data that was in the system. Very common use case. You've probably
seen several of them roll out recently. And this agent would essentially return data for your firm.
So you could say, hey, I'd like to know about this specific part of our business. Could you tell us
more about it? And it would give you an answer that would provide you with your data. So super
use for super helpful. Now the problem was you could ask for other firms data and it would very interestingly
say no. I can't give you data for General Electric, for example. But if you just said,
hey, give me my data, it would return on a revolving cast of character data from other companies.
And immediately when I heard about this incident, you came into my mind because I thought,
my God, there is an off-en, off-Z problem, and that is the problem with identity and agents.
So welcome. Thank you so much for joining. Thank you so much for having me, Joel.
And nothing could be more timely than your company.
Nothing could be more timely. Yeah, it's incredible. You know, we spend a lot of
I'm talking to companies trying to adopt agents or trying to build tools for agents.
And invariably, you basically have two categories of security problem, right?
You have this sort of prompt injection, tool-calling dynamics of the fact that you have this
indeterministic loop.
And then you have, how do I understand what this thing, this agent, should actually be
able to access?
And then downstream, you know, from the person who's built the tool, how do I understand,
like, what the agent should actually have access to on a deterministic basis?
And this is like a fundamental problem that's almost always existed from the beginning
and dawn of like computing, which is the contextual understanding of in complex relationships of
user A is using agent B accessing tool C under what context should that agent have access to things.
And this is the final example of that problem.
And we hear about this across the board, whether it's commerce, whether it's enterprise workflows,
whether there's people building agents, is how do I build something that has some
determinants of guardrails, some level of guardrail, that's a level of guardrail that
puts a box around this thing as access to and what it can do.
And so fundamentally, there's a lot of things you can,
you have problems you have to solve that are of the non-deterministic
or probabilistic category around the actual model itself and the data that model is access
to, now you remove certain interpret prompts.
But on the flip side, it's how do I write access policy and how do I deliver
guarantees to someone that owns a resource.
So in the case of I have a database, I own expose it for agents to use.
But I want to ensure only like the end user can control what agent has
access to. And I, as a database person, ensures that I never leak anything to the agent that
it shouldn't have access to at any point in time. And that's contextual based on all of the different
parties in that transaction, right? And so we're moving to a world with agents where it used to be
that in a point-and-click software world where I, as a user, go to a piece of software, I point-and-click,
and the software returned to me exactly what I was. And the identity problems were very static
and very simple.
It's like,
is the user
is a part of these groups.
It is a part of being these groups.
This is what you get access to,
and it didn't change.
But we're now moving to a world
where a user can pick up an agent.
The user's going to expose some tools.
Those tools represent downstream resources,
downstream data.
That tool access may be contextual based on what that person's actually trying to do.
So it may be acting,
you know,
maybe Jake from customer support,
working on using accessing customer B's data
through an agent that's then made
made available by MCP,
and you want to be able to scope exactly what that agent has access to
from that customer based on what Jake is actually explicitly trying to do.
So the agent never access to things that Jake wouldn't have access to,
and more importantly, the agent never has access to things
that Jake doesn't want the agent of access to.
And that security and the owners of all the different resources involved,
also ultimately at the end of the day,
need to have a voice in a way that they haven't before.
Yeah, and maybe let's,
and that's like a really wonderful overview where the conversation will go.
And I think it's great.
that maybe let's start from the beginning.
And not to like retread ground that's been like beaten to death.
Absolutely.
We don't have to go necessarily into a fundamental discussion of what is an agent.
But it might be helpful to start with maybe some brief up to the minute sort of update
as to what are agents now, right?
Because I think we saw the first wave of this technology, it was basically just some form
of model.
People were like, look, this is my agent.
And it's a large language model and you just throw stuff into it and get an output.
And now it seems like they've evolved.
And so maybe just really briefly touching on sort of like, you know, what are we considering agents like at the present?
Absolutely.
And I always think of this as a continuum.
Like it's sort of there's this continuum of agentic behavior.
And in truth, many of the times when I'm talking with customers, people in industry, I get into this long diatribe of like,
because we try to define agents.
And I think the way to think about this problem space is, you know, in the same way that we kind
of think about autonomous levels of driving, right?
You have like a level zero agent.
Well, that is probably software we are rebuilt.
It's rule.
It's, there's no little piece of indeterminism in the loop.
Yeah.
And it's not making decisions on its own.
It's someone else is making decisions.
And as you progress from like level zero to level one, which is, okay, there's now, you have,
it's still human driven, but there's AI assistance that's helping make some part of the
decisioning.
Like a copilot.
Like a copilot.
Exactly, right?
Like co-pilots are, you know, some people say that's an advanced auto-complete.
Well, that's true.
But in terms for it to be an advanced auto-complete, it has to make underlying assumptions decisions.
And part of making, that's going to be many tool calls and a lot of different things
over the hood to help automate part of that work.
And so we're well through co-pilots.
We're well through co-pilots, exactly.
And we're now getting the point where, okay, how do I, as a human, get to walk away, right?
So I say, hey, agent, please go do a task on my behalf.
I often love to use shopping because it's something we all do, which is, hey, agent, I'd love to hire you.
Can you go find me the best pair of jeans in my size?
Here's the detail that's about my jeans.
And can you make sure it's under $50 and then, you know, place a bid, right?
And what you want to do in that situation,
is the human wants to be able to walk away.
And when the agent's ready to purchase,
the agent has to either come back to the human for approval
because it's over some purchase limit,
or the agent can just do it.
It's like the old days where you would set a compile job
and walk away to get a pizza and come back out of it's done, right?
So that's stage three.
It's stage three.
And you can think of the transition is it goes from agents
are sort of like our best friends whispering at our ear,
telling us like, hey, you could do this to a world
where agents are now, they are now in the middle.
And increasingly, then over time,
is you get more autonomous to level five,
equivalent of like a Waymo. You know, these agents are off doing long-running tasks that are doing,
you know, operating within some decisioning model that we've given them. So they're human-controlled,
right? And they can operate around those bounds. But as a human, I don't have to look and be
aware of what they're doing. They can just go off and do those things. You know, every year follow my
taxes. Yeah. But make sure, you know, they've been approved by my account. So we're starting at the
stage of the waymo with the driver helping the car make sure it's the right. Exactly.
That's the next stage of agency. And in truth, many companies are actually struggling to make co-pilot
successful, right? Like, a lot of the next generation of, you know,
Kircher starts as like this beautiful little tab completion. And that was awesome. And the next
stage is, okay, now how do I involve like contacts and data, actionability when I,
for this agent where I'm still maybe semi in the loop, but more work is being done. And so
there is a continuum over time. But I would also say like anything that has a human is
abstracted from the core decision making that involves access to data. Yeah. Or involves any
action ability is a moment where you are entering the realm of now we're an agentic workforce.
Absolutely. Yeah. So these things can make decisions essentially on their own, although they are
micro decisions within the context of a larger process. Exactly. But they do have the ability to
insert their indeterminance into a lot of these processes, right? And so that's where, I guess,
the problem of identity and authorization and authentication come in. Exactly, exactly. Because you
basically come to this position. And so there's like all of these wonderful tool poisoning types
attacks where you can use, and Trillabit blog is a great website we can find, but they have,
they have things like pajamas, which is like really interesting. But you dig in and you basically
find, like, the minute that the model at the core of the agent is actually starting to do
more than one tool call before the, with a human nut in the loop, right under the hood,
is a point where you can have a lot of these attacks and these problems become, like,
actually an issue for gaining that use case adoption in the enterprise, right? Because you get to
this position where like an agent may go access like a production database, take that production
data and then makes a tool call with a web browser. Totally. And what happens in there's no like
right or update or delete that's occurred. They're very benign. But they use the web browser and take
some of that production data, which might have customer data and send it into the in the query
in the web browser because they're trying to like use the context that they have in production
from the prod data database to help them solve some problem the user gave them.
And this is where you start to come into like, okay, now we have an identity access problem,
which is, like, should that user be able to access,
should that agent actually be able to access that, like, production data, right?
The user, like the developer probably wants to be able to access to production data,
but do we want the agent to have access to that production data?
And do we then want the agent be able to use, you know, a web browser
or do something else with it after the fact.
You get into this complex world of identity and access, that's hypercontextual.
Absolutely.
And it reminds me, though, if you remember sort of early networking in cloud, right?
We had a lot of these same problems at the beginning of that journey.
Yeah.
which was sort of like, hey, we built this really cool service.
And it's a single factor login.
Or you just do it's open to anyone, right?
It's anonymous access.
And then you end up with kind of these issues where data gets over accessed.
You have these over.
But this time it feels very different, right?
Because you have the ability with these agents to synthesize a lot of understanding
across large sets of data that previously would require a human.
And so it seems like these edges are actually a lot sharper.
Yeah.
And you used to have to search for specific terms across a large data set, right?
And it was always what hackers would do, right?
Look for key pairs, look for this, look for something password, look for social security numbers.
But now you can just ask it a question, like, did the CEO cheat on their taxes, right?
And so this creates a lot of really interesting and interesting problems.
It creates tons of interesting problems.
I think the other thing that really changes the problem from just a pure data security standpoint
to like an identity and access problem that is that is deep and requires a completely
reinvention of this problem space, or rethink the problem space is that it's entirely contextual.
Yeah.
Right.
And so it's it used to be, you know, in the firewall world, it's like, okay, if you're
inside the perimeter, right, you can read, write, update, delete whatever you want.
Transit of trust, baby.
Right?
Right.
And then we moved to the cloud and we put in the VPC and we added, you know, adopted IAM.
Totally.
And we kind of reestablish a perimeter inside our little box.
And then what's occurred is, you know, we started unbundle it.
And so some of these problems became prevalent.
We had like, you know, 2012 Circle CI got popped.
And that gave a lot of people access to production data.
Like, that shouldn't have happened.
It was painful.
But these are all problems of like all similar issues.
What's new about agents is, one is in order for them to create a lot of value,
they need a lot of access to high value.
Absolutely.
Right.
And so the value creation of an agent, not on top of the model, the models create opportunity,
but it's the context at runtime and the things they have access to at runtime,
the actions they can afford runtime.
The naval agents actually create value versus them just being like a dumb thing that's,
you know, answering a question based on an old dataset.
And we've got like Samel, we've got Oath, we have all sorts of standards that are out there for a lot of this stuff.
And they don't seem to be working right.
And then like this seems like the classically like difficult problem to solve, right?
Because you have you have a blending in the enterprise of multiple different technologies.
You have this new use case that's radically different than anything we've seen before as we've established.
like, how are you thinking just from a product perspective?
Like, how do you actually solve this?
This is, like, incredibly hard.
Yeah, I mean, I think there's a, you made a couple of points on some key protocols
that have actually, you know, we're very successful in helping us solve user federation
and the adoption of SaaS and the, in the, then the enterprise SaaS and parts of the infrastructure
as a software market, right?
It was a reason we have a multi-trillion dollar cloud market in the first place.
The fundamental challenge is, you know, when we went and solved user federation,
we never had to solve what fundamentally under the hood problem this is,
which is now we have a piece of compute that we need to be able to federate across cloud
and across network and companies, right?
So we're basically saying, all right, not only we've already solved the user things,
we can understand who a user is, but how do we understand what an agent is
and how do we identify that agent?
Because in order for us to even start cracking open this product problem,
we have to first be able to establish the concept of an agent.
So we then can understand and control.
well, contextually, what should this agent be able to do?
And where do you land with that?
Is an agent just like a Joel V2 or is it sort of some other subset of that category?
I think broadly, you know, where we're seeing and what we're thinking about and our view
of what an agent is, is that an agent is going to be a thing used by multiple users.
Like most agents, there will be situations where I is the end, go build an agent,
just like I as you can go build a to-do app for my specific thing.
But when we're talking in, you know, in the enterprise context, we're talking in,
even a consumer context, let's say like chat GPT.
Like, I don't go build, it's not Ian's chat GPT.
It's chat GPT and increasing chat CPT is in gaining capabilities to be agentic and it
optimise my workflows.
And so in this context, chat GPT is an agent and Joel uses chat GPT.
Totally.
And many of the companies, I'm sure, Andrews is so does Bob and so does.
So agents are inherently multi-tenant, right?
And so we have all of the complexities of the multi-tenant world that we had in
SaaS.
Totally.
And then we have then the added complexity that,
these things now are taking increasing actionability and how do we understand and manage that
across world? And then how does that communicate between different compute boundaries as well?
So we're essentially going beyond the classic sort of access rights. It's no longer just read,
write and delete, right? Like it's, we're talking about step-up authentication. We're talking about
step-up authorization. Exactly. It's a crazy thing. By dynamically at runtime based on the task or intent of
the user, right? Like ultimately at the end of the day,
If we want to get to a point where we can, you know, really what is access control about?
Well, it's really about removing the worst-case scenarios and ensuring that the happy path is the right path, right?
So if you're taking an agent and you're thinking about the context window it has, the tools is available to it,
how do I ensure that that, you know, that context window, the data has and the tools actionableity can take is bounded by something that comes from an end user.
That's deterministic in nature.
And that's our view of where this is going.
is like we're going to need task-based intent-based policy that's enforced downstream.
Gotcha.
So like our rights model, your rights model essentially becomes a matrixe.
It is.
As opposed to sort of like this linear.
It's not, yeah, it's not linear and it's not static.
It's incredibly dynamic.
And I think the other component is because it's dynamic, it's actually hyper-emeral, right,
in the sense that no one task will probably look the same.
And in fact, that's like if we step back and think about,
what is the ultimate value that agents give to our organization?
And what is the fundamental delta here?
We're moving from a world where, like, if I wanted a piece of software to be able to do something that new,
a software developer I had to write it.
We're moving to a world where if I want a task to be done,
if I give the model, like you write context and right access to tools,
it can create a plan and execute on that plan and then complete that task.
dynamically based the data I give it at runtime.
So it's completely different in hyper-ephemeral world where you have this long-tail set of potential tasks.
And the net value of like adopting agent is the fact that it has this long-tail list of tasks
that are capable of being done dynamically.
Gotcha.
And we need to change our trust equation from one that's like based on static.
Hey, Joel is a partner at Andreessen.
And so that means these access to these companies' financials to world.
Well, Joel can say to an agent, hey, can you go analyze the financials of these two companies
and tell me the delta or the difference, right?
And that agent only gets access to the financials for those companies based on the task.
And you as an end user have some control over that.
And then as an enforcer on the downstream, you know, the company or the place you hold that data, can it also enforce that policy?
And across the board, both not only does Joel know, hey, I did in fact and have control over what this thing is doing on my behalf.
And I think that's a really important thing, right?
Is that we have to establish, like, who ultimately controls and takes accountability for this agent?
And this is increasingly important transactional payments.
And the other side is, on the other side is, how do I know Joel did, in fact,
tell this thing, it can do this action so that I can say, yeah, you can do it, I approve of it,
and how do we deal with that liability? Absolutely. Do you think eventually, I mean, it sounds like
you're almost devolving towards a model where there is going to be some sort of reasoning model
that's making these determinations. Is that kind of where you think the end of this journey lies?
I think, yeah, we do. And I think there's going to be this sort of pairing, because the only way
you'll get the scale is that is some formulation of a hybrid deterministic and non-determistic system.
My next question was, how do you scale that?
How do you scale it? Exactly.
How many tokens per second is that going to be?
Many tokens per seconds.
And I think you're going to have two sections, right?
On the user side, when you are using an agent, a part of writing a prompt or interacting
with an agent is going to be a level of access grant that's going to be bounded to the interaction.
And then you as a user are going to have some ability to understand and control that.
And I think that may be baked into the actual agent interface.
And then over time, the agent interface is going to decide, hey, this is different.
This is scary?
Like, is Joel okay with this?
Hey, Joel, are you sure you want this to happen?
And by the way, this is exactly what your agent's doing.
And here's the button that lets you, Joel, stop the action right now.
Revoke it, do whatever you want.
And I think depending on the sophistication of the action that the agent is going to do on your behalf,
you're going to say, not in every case, like the financial case,
maybe it's like this is a very common action, a very common pattern.
There's no point the prompt or tell Joel, whether they need to, like, give conditional consent.
But in the hood, what's happening is it's always conditional consent.
And that's being done on the agent UI phase.
because you're basically, as a user, saying,
I'm granting this agent the ability to do this thing on my behalf of runtime.
And the runtime part of that is really important from understanding a liability.
You can obviously integrate telemetry at that point where it's like,
hey, this agent looks like it's doing some kind of scammer thing, right?
Exactly.
And then on the downstream side, you know, the person that's enforcing the authorization policy,
which could be an MCP server, could be a credit card company,
it could be all of them because it gives the federated concern,
won't be able to say they're going to have their own adaptive policy about what they were
on top of your individual, like, grant, but what they allow agents to do. And if you look at
self-driving cars are like a really great analogy, it's actually like across the board, there's a
continuous adaptive system on both side that is like collecting and proving information. But in all
times, it's pretty, it's very clear, like, who has ultimate control? It's either in the case of
Waymo, we still have someone in ultimate control. They're not in the car, but they're still there.
And in the case of a Tesla, like I as a human, I'm still sitting in front of a wheel, even if I'm not the one
driving. Yeah. And you can take over.
And you can take over.
And that's the world we need.
And just in the world, it's going, but you also have two sides of that where at any point
that Tesla can, like, push a new version of self-driving or even come in and prevent, like,
revoke or say, hey, we can't do self-driving.
It's broken anymore.
And it can roll back into great gracefully.
Totally.
Yeah.
I mean, I think that's absolutely right.
Like, we're going to, I mean, I know people would love to believe that we're at a
level of sophistication where we don't need humans, right?
But like, for the foreseeable future, there's humans in the loop.
And when you task an agent to go out there and book your vacation.
to Hawaii, you're going to want to make sure it confirms with you before you actually buy the tickets, right?
And you're going to want an ability to roll up and understand, hey, what are agents doing on my behalf and where, right?
And I think the future of whether it's end user, enterprise end user perspective, it's going to be, you're going to have like a deterministic level of control and a real ability to understand what these things are doing.
In the same way that when I go to my bank, I can go on with all the transactions I've made.
Totally. I'm really curious, what do you think? First, I mean, there's a couple questions. I think.
that stem out of this. The first is like, do you think it's going to be consumers adopting agents
or enterprises adopting agents at scale first? You know, if you would have asked me this a year ago,
I would have said 100% consumers. It's going to take years for the enterprise. And I actually think
this wave is different for many different reasons. One is the net benefit and operating efficiency
of the internal workflow optimization of the enterprise is like absolutely massive. Like it's so clear
to at a board and executive level how this is like the next step in the company.
in terms of just like gaining the next level of earnings efficiency,
that and the tools are available today,
and we're at a point where, like,
their employees in their day-to-day life are actually using the tools,
and then they can figure out,
they can, like, transfer that knowledge of using, like,
making, using SORA or chat GPT or Claude,
and immediately take that to work and be like,
okay, here's how I can do this.
And we've never had that opportunity where before.
It was that the enterprise was very late an adopter of the cloud.
But now the enterprise is on the cloud.
Yeah.
And so we're in a, like, this wave is very fun.
different on that level.
And I think on the second level, so users are like pre-understanding the data is already there,
the axes already there, are already on the cloud.
And on the second level, we used to be in a position with the cloud adoption where security
could say, hold up a minute.
We have to, like, this cloud's not mature enough.
We don't have to control.
We need to build out all these things.
We don't have the scale.
We don't have the pieces to actually make our enterprise successful.
This is a different situation where they actually had the, because it wasn't a top-level
business driver that finally drove.
of something that was moving on the balance sheet,
it was more attached to like,
hey, how are we going to continue
and get developer efficiency?
It was a lot of the movement to the cloud.
Now it's a top level business objective,
which is like, if we can't get earnings efficient,
like our next year's growth is coming from this project.
And so we don't have the,
the security is not in the same position ahead,
was in the last generation where we could say,
hey, we should hold up.
It's now in, oh, we actually have to do something,
and that's going to drive adoption much faster.
And in fact, what we see in most organizations,
it's like shadow IT on steroids.
Yeah.
And the ability for security to say no isn't there because it's really like the CEO and
co.
They're saying, well, we have to, we have to adopt these.
The cloud made all the no-siso's roadkill on the information.
Exactly.
Exactly.
That was the end of the empire of no was cloud.
Yeah.
And now, I mean, every C-So you talk to is just like, how can I enable this safely
without like blowing up the firm, right?
And how do I enable?
And it's not just, you know, for the business, ignoring their independent roles
for the business.
It's not just about like, how do I gain earnings efficiency inside?
Like, we run the company.
It's how does my company become agentic?
How does my company become an agent?
Whether I'm like, how do I, you know, my interactions, interact with agents?
How do we be agents?
Totally.
It's a transformation top to bottom of like every business one way or the other.
And you can see business leaders getting a taste of this with the coding stuff, right?
Exactly.
It's like the first little hit of like, wow, okay, I can freeze head count and get more productivity out of people, right?
Exactly.
And so I just, I think that's exactly right.
Like there's just such a direct translation between adopting this stuff and driving better profitability
that it's insane.
And they can immediately see also like what,
where their company is going to fit into the new world
because like it's touched feel.
It's immediately actionable.
If you're not using an iPhone of chat,
TBT or Google, like you're not in business.
And so they immediately start thinking like,
well, how do we, what's our, what's our,
how do we maintain our remote?
So there's a business defensibility component,
which is like, how do we ensure that we don't get disintermediated
on a product level, right?
Like maybe we're a commerce platform.
You know, the future of shopping is probably through an agent.
How do we make sure agents can interact with us as a commerce platform?
or if you're building a SaaS software,
it's like, well, how do we actually become an agent
so that instead of someone displacing us,
we are the agent that they use.
And I mean, it's interesting.
So like I said, we're still pretty early on this journey.
Yes.
And like there's two sort of standards in the agent world
that have emerged.
MCP, obviously, which didn't really solve any of the problems
that set out to solve.
Probably the single source of late,
worries for most security professionals at the moment.
Absolutely. Absolutely.
And then A-to-A, which is sort of not really taken off yet?
Or it's sort of getting, I mean, kind of how are you thinking about this?
Absolutely.
You know, MCP, like, I think they both come from two different organizations looking at problems
differently.
And A-to-A just, you know, is the classic Google, oh, we got to get to scale.
Like, how do we scale and manage this thing?
And how do we scale and manage this thing across, like, networks a base.
Yeah, super elegant, really well thought out.
Super elegant.
It's like a PhD thesis.
Exactly.
And it's very focused on, like, well, what is an agent?
Totally.
Right?
And MCP's the other side, which is, well, it came out of the idea of, like, well, today,
Claude, like, really can't do much for you.
It doesn't have access to other stuff.
So how do we gain scale of access, right?
And how do we present that access and actionability, that set of tools to the model in a way
that it can, like, reasonable what I can do with these things?
It's sort of the, you know, the Google side is the ask for permission.
The other side is the beg for forgiveness, right?
Exactly. And from that perspective, you kind of have a framework for identifying an agent. You have a framework for something to call these tools. But there's no in between the core of what's missing on both sides is, okay, cool. I can understand what an agent says it should be able, says its task basis. And I can understand what these tools are. But how do I connect those two things? Identify those agents like cryptographically, enable users to like access those agents, control those agents to do. And then I as a tool provider, how do I actually like enable those tools to be provided?
it, but I get the ability to control, like, who can use it in what context and then have,
like, auditing.
And so, like, MCP is definitely here to say, A-to-A, let's find out.
I mean, it's solving some very interesting problems that we're all going to figure out,
which is, like, well, in a federated world of agents, like, how do I, like, know what this
agent can do and who uses it and how is it owned and what's its core identity?
Yeah. And then on the tool side, is, like, how can I use all that context to enforce this?
And so there's a missing bridge.
MCP definitely has the most adoption.
and it's definitely hitting that, like,
beginning to hit some of that trophages or losing
as people found, hey, it's not perfect, right?
They've got a lot of problems.
They realize that everybody's got a bunch of production credentials
on their local machines running MCP.
Exactly, running MCP, and they have no control over it,
and it took what they used to be, like,
you know, the secret sprawl problem of, like, the last four or five years,
and it's just secret sprawl on steroids.
And now you kind of have this problem where, like,
oh, actually, you know, we're giving Claude or Cursor,
production, admin access to our core thing through this MCP,
and I have no ability to control whether that's actually, you know, Ian or is it Ian's agent?
And that is a fundamental issue in any form of adoption.
And we consistently hear that from people we're working with is, you know,
my core challenge is I can't differentiate between these two things.
And this is unseen risk.
And so it's either like I continue to let that risk propagate.
And then we have really bad consequences like agents going and like dumping the database
or taking the data and dumping into a web browser.
Yeah, yeah, deleting that hard drive.
Yeah, yeah.
Or like, you know,
ransomware,
ransomware letting you worry someone else's stuff
because like multi-tenancy is really hard to reason about.
And then on the flip side of it is,
is like, how do I do it and how do I adopt it easily?
And fundamentally, you know,
this is very different from the last generation
of how we solve this problem
because you're dealing with, most importantly,
interactions, not between users and like some omnipresent service you bought.
It's between users,
agents that you've purchased, agents that you've built,
many of those agents interacting amongst themselves,
and then a tool-calling layer
that represent both your external things,
your SaaS products, your Salesforce, your CRMs,
and then your databases and your data lakes, snowflake,
but also your internal world.
Because ultimately what you want to do
in order to gain these operating efficiency
or for your product to be agetic
is to move a bunch of things
that used to be behind the firewall
up to the application layer,
so your agents can actually interact with it
and use it and gain utility from it.
Gotcha. Awesome. Yeah, so, so Ian, I mean, thanks so much for coming by.
Like, you know, we're super excited to be with you on the journey with KeyCard.
We think that this is a transformational company. This is going to be an important building block of the future of this, this agentic world.
That's going to dominate everything. And we'd love to maybe just in the few minutes we have left here a little bit about about KeyCard and what you guys are doing there.
Absolutely. I'm super excited to have Andreessen on the journey with us as well.
And, you know, this is something that we've been thinking about for the last 10 years and really saw this, you know,
machine agent revolution that we're going through,
like how do we actually take advantage of this incredible new technology
that deep learning and large language models have brought us?
And so the company today,
we're really focused on helping our customers get agents into production.
So how do we get them off the laptop?
How do we get them off the, like, you know, out of the lab
and get them into productions that are actually in utility for us.
And so what we're helping customers with today is,
hey, we're going to help you identify what agents you have.
We're going to help you identify what users are using
those agents, what users can use those agents, and what those agents are actually enabled to
access and allow you to put a bounding box around those things. And we're going to give you a set
of tools that you can use to build agents, like build tools for your agents, whether those tools
are agents that are internal, things you built for your internal workflow, or agents that are
operating with your product, or maybe a set of SDKs that allow you to build agents as well,
and then give you the enablement software so you can say, hey, organization, here's all of the
agents you can use, here's all the tools you could use.
who's, hey, here's how you can take those tools into different tools or different agents
and let those things have access to it.
And then as an energy security, you get the ability to govern it all, have complete audibility
and understand what the access profile of these things are and really start to get a bounding
box on what those things can do.
Awesome.
And just, you know, honestly, based on the amount of security incidents we're hearing popping
up in this space and the sore need for some sort of scalable way to manage identity
in this agentic world.
Exactly.
I think the world is going to be beating a path to your door any moment now.
And we're ready for it.
And one thing I'll add is we're completely standards and operable, right?
So we're not out implementing a bunch of like off-base things that are standalone,
key card only.
We're building things that interoperate with all existing standards.
We're working to drive those standards forward.
So we're really a federated solution.
And we're not tied to any specific vendor.
And that allows us to be a sort of a central pillar in your agent strategy moving forward.
All the great identity companies have been based on some sort of open standard.
Exactly.
And I'm glad to hear that that transition continues.
Thank you so much for coming by.
This has been incredibly awesome.
Thank you so much for having me.
Awesome.
Thanks for listening to the A16Z podcast.
If you enjoyed the episode, let us know by leaving a review at rate thispodcast.com
slash a 16Z.
We've got more great conversations coming your way.
See you next time.
As a reminder, the content here is for informational purposes only.
Should not be taken as legal business, tax, or investment advice,
or be used to evaluate any investment or security,
and is not directed at any investors or potential investors in any A16Z fund.
Please note that A16Z and its affiliates may also maintain investments in the companies discussed in this podcast.
For more details, including a link to our investments, please see A16Z.com forward slash disclosures.