Promptfoo as Agent IAM
Promptfoo is moving from finding AI bugs to deciding what AI agents are allowed to touch. The MCP Proxy sits in the path between an agent and the tools it can call, so it can block unapproved servers, log every tool request, and flag policy violations before an agent reaches a database, API, or internal system. That is the same job IAM platforms do for people and service accounts, just one layer closer to agent runtime behavior.
The practical similarity to IAM is least privilege. SailPoint, Microsoft Entra, and AWS-style systems decide which identity can access which resource. Promptfoo applies that same logic to MCP servers and tool calls, which matters because an overprivileged agent can exfiltrate data or trigger actions even if its text output looks harmless.
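The least-privilege check described above, as an added sketch that is not Promptfoo's code or configuration: a deny-by-default decision over MCP JSON-RPC requests (`tools/call` is the MCP method for invoking a tool), with every request audited whether it is allowed or blocked. The policy layout, the agent, server and tool names, and the function names are all assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Hypothetical policy (all names constructed): agent -> approved server -> tools.
POLICY = {
    "support-bot": {"crm-mcp": {"lookup_customer", "list_tickets"}},
    "report-bot": {"warehouse-mcp": {"run_readonly_query"}},
}
# Handshake/discovery methods allowed once the server itself is approved.
PASSTHROUGH_METHODS = ("initialize", "tools/list")
AUDIT_LOG = []  # stand-in for an append-only audit sink

def tool_name(message):
    """Tool named by a tools/call message, or None if absent or malformed."""
    params = message.get("params")
    name = params.get("name") if isinstance(params, dict) else None
    return name if isinstance(name, str) else None

def decide(agent, server, message, policy=POLICY):
    """Deny-by-default verdict (allowed, reason) for one JSON-RPC message."""
    if agent not in policy:
        return False, "unknown_agent"
    if server not in policy[agent]:
        return False, "unapproved_server"
    method = message.get("method")
    if method in PASSTHROUGH_METHODS:
        return True, "passthrough"
    if method != "tools/call":
        return False, "method_not_allowed"
    tool = tool_name(message)
    if tool is None:
        return False, "malformed_tool_call"
    if tool not in policy[agent][server]:
        return False, "tool_not_granted"
    return True, "granted"

def handle(agent, server, raw):
    """Parse one request, decide, and audit it whether or not it is allowed."""
    try:
        message = json.loads(raw)
    except ValueError:
        message = None
    if isinstance(message, dict):
        allowed, reason = decide(agent, server, message)
    else:
        message, allowed, reason = {}, False, "invalid_request"
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "agent": agent, "server": server, "method": message.get("method"),
                      "tool": tool_name(message), "allowed": allowed, "reason": reason})
    return allowed
```

The audit entry records the tool name but not its arguments, so sensitive values passed to a tool do not end up in the log by default.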
The product wedge is different from pure identity vendors. Promptfoo starts in developer security workflows, testing agents for excessive permissions and unsafe tool use, then extends into enforcement with a proxy. Keycard and Defakto start closer to credential issuance and non-human identity management, where the core job is minting short-lived identities and governing access across systems.
Incumbents are already moving toward agent identity. SailPoint now governs agent identities inside its broader identity cloud, and Microsoft Entra has created agent identities, blueprints, and authorization controls. That means Promptfoo is entering a category with real enterprise demand, but also one where large identity platforms can bundle adjacent controls into existing contracts.
The next step is a full control plane for agent access. As MCP spreads, enterprise buyers will want one system that inventories every MCP server, maps which agents can reach it, approves those connections, and keeps an audit trail. If Promptfoo keeps expanding from testing into always-on policy enforcement, it can capture budget that used to belong only to IAM and security operations tools.