Teleport adds LLM Proxy and Delegated Identity to secure AI agent actions and access
Teleport has announced the debut of two foundational capabilities of its Agentic Identity Framework in the public beta of Beams: LLM Proxy and Delegated Identity. These capabilities address a critical gap in how organizations deploy AI agents: the lack of identity, access control, and auditability at the two most consequential points in an agentic workflow—what the agent is instructed to do and what it is permitted to access.
Much of AI innovation to date has centered on LLM gateways, tools that sit in front of model providers to route traffic, manage cost, and log or screen prompts. Controlling agent behavior when it is accessing production infrastructure, however, is largely outside their scope.
Teleport’s LLM Proxy, in contrast, brings an enforcement layer that is wired into the same identity and zero trust plane that governs privileges and infrastructure resources, such as production databases, cloud APIs, and internal services.
The LLM Proxy sits between an agent and its inference endpoint, giving teams visibility and enforcement at the point where agent behavior originates. Every request and response is inspected and written to Teleport’s audit log. This combines with a per-Beam allow list of resources to enforce controls that govern which agents can reach which inference endpoints and under what conditions. The result is enforcement before instructions are ever executed along with a precise, tamper-resistant record of what every agent was told to do.
Delegated Identity allows a human operator or an agent to define and assign the permissions an agent will carry, defining exactly what infrastructure it is authorized to reach. Rather than inheriting broad credentials or running with standing access, each agent receives a delegated identity with scoped privileges to accomplish a specific task delegated by human or another agent. All activity is recorded, analyzed by peer agents and tied to the identity and task.
This makes least-privilege access a runtime property of every agent. If an agent is compromised or behaves unexpectedly, the blast radius is bounded. Delegated Identity implements zero trust and JIT for agents.