At the RSA Conference (RSAC) in March 2026, Cisco did something the agent ecosystem sorely needed. It made Cisco Duo a first-class authorization authority for AI agents. Duo maps each agent to a human owner, checks policy on every tool call, and decides in real time against the groups and rules you already run. It is a future-facing, clarifying move, and it’s proof of what we build every day at Arcade.dev. Authorization for agents belongs at runtime.

Cisco Duo x Arcade sales-rep agent authorization flow: a sales rep asks an AI assistant, which makes a tool call to Arcade. Arcade adds a Duo token and calls the Duo-protected CRM API, where standard accounts return immediately and defense accounts require approval. Layer 1 handles login and per-tool scopes through Duo SSO/OIDC; Layer 2 adds contextual step-up MFA through the Duo Auth API and a Duo Push for the sensitive query "show defense-sector accounts". Approve runs the tool; deny or timeout blocks it. Cisco owns the decision, Arcade acts at runtime.

We agreed with this approach so wholeheartedly that we built on top of it. We put together a repo with an end-to-end implementation of a Cisco Duo decision becoming an action an agent takes on a user’s behalf, including the case that matters most: a real-time Duo Push triggered by what the agent is trying to do. Cisco Duo decides. Arcade acts.

Picture a sales rep’s assistant that can already read the customer relationship management (CRM) system. The rep asks it to pull up their customers, and it does, in seconds. Then they ask for the defence-sector accounts, the most sensitive records in the building. An agent that is merely logged in would hand them over. With Arcade, that request pauses, and a Duo Push notification lands on the right person’s phone showing them exactly what the agent is trying to do, and the records move only after someone approves. Deny it, and the agent is stopped.

Cisco owns the decision, Arcade enforces it

At the risk of sounding like we’re beating a dead horse, agent authorization is a runtime question. Can this agent, on behalf of this user, take this exact action, right now? Cisco’s launch answers that question at the policy layer, and putting it in Duo is the right move because identities, groups, scopes, and multi-factor authentication (MFA) already live there. Arcade developers contributed to the Model Context Protocol (MCP) authorization spec alongside Anthropic, Microsoft, Okta, Auth0, and others, and this integration is that thinking made concrete on top of Cisco Duo.

What Arcade adds comes one step later, at the tool call itself. Before the action runs, Arcade enforces the Duo decision on that call: it brokers the Duo login, injects the scoped token so it never reaches the model, and runs a pre-execution check that can require a fresh Duo approval when the request is sensitive. Cisco provides the authority, you can’t be in the bar after 2AM. Arcade is the runtime that enforces it, the bouncer that kicks people out.

Two layers, with Cisco Duo as the authority

The demo connects an agent to Arcade, and Arcade enforces Duo in two layers that sit at different points in the tool-calling lifecycle. The first runs up front, when the agent signs in and discovers the tools it is allowed to use. The second runs at each tool call and only escalates when the request is sensitive. They are related but rarely the same call, especially when you authorize a batch of tools at once.

The first layer is login and scope. Duo Single Sign-On acts as an OpenID Connect (OIDC) provider, so the first call runs the authorization code flow, including MFA at sign-in. Arcade brokers the token, and each tool requires a specific Duo-managed scope. You grant those scopes per user and group on Duo’s Access Policy tab, so an agent acts only within what Duo allows. Revoke a scope in Duo and the matching tool stops on the next call. The token never reaches the model or the client.

Right after that login, and still at discovery time, Arcade’s access hook decides which tools this client can even see. It runs your own logic against the caller’s Duo identity and groups, so a tool only shows up in the agent’s catalog when that user is allowed to use it. This is a separate decision from the step-up that happens later: it gates tool availability up front, before any tool call is made, rather than at pre-execution or post-execution.

Layer 1, login, scopes, and tool discovery: an AI agent (MCP client) signs in through Duo SSO/OIDC, which runs the authorization code flow with MFA and issues per-tool Duo-managed scopes. Arcade brokers the scoped token so it never reaches the model, then its access hook evaluates the caller's identity and groups at discovery time to decide which tools are exposed to this client, for example crm.read is allowed while crm.write requires a higher scope.

The second layer adds real-time, content-aware step-up at the moment a tool actually runs. An Arcade pre-execution hook inspects each tool call, and when the request looks sensitive (or via custom parameters) it calls the Duo Auth API and sends a Duo Push before the tool runs. The push carries context, so the approver sees the tool and the query on their phone rather than a blank prompt. Approve and the tool runs. Deny or let it time out, and Arcade blocks the call and the agent reports why. The repo runs this end to end and includes the live Duo Mobile screenshots.

Layer 2, real-time, content-aware step-up: at the tool call, an Arcade pre-execution hook inspects the request. Non-sensitive calls go straight to the Duo-protected crm_api, which validates the token and scope. When the request is sensitive, Arcade calls the Duo Auth API and sends a Duo Push that carries the tool and query as context to the approver's phone; approve and the tool runs, deny or time out and Arcade blocks the call.

Bring the Duo you already run

Nothing in this article asks you to build a new trust model for agents. The Duo identities, groups, scopes, and MFA your team already runs are the same controls that now govern what an agent does on your behalf, from the first login to a step-up on the most sensitive request. It is the first working example of a Duo decision becoming an agent action for a specific user, content-aware step-up included.

Cisco made the case at RSAC that agent authorization is a runtime problem and put Duo at the center of it. We couldn’t agree more, and we’re excited to build on Duo. Read the Cisco Duo provider guide, and clone the demo, to run the whole flow yourself.