At the RSA Conference (RSAC) in March 2026, Cisco did something the agent ecosystem sorely needed. It made Cisco Duo a first-class authorization authority for AI agents. Duo maps each agent to a human owner, checks policy on every tool call, and decides in real time against the groups and rules you already run. It is a future-facing, clarifying move, and it’s proof of what we build every day at Arcade.dev. Authorization for agents belongs at runtime.

We agreed with this approach so wholeheartedly that we built on top of it. We put together a repo with an end-to-end implementation of a Cisco Duo decision becoming an action an agent takes on a user’s behalf, including the case that matters most: a real-time Duo Push triggered by what the agent is trying to do. Cisco Duo decides. Arcade acts.
Picture a sales rep’s assistant that can already read the customer relationship management (CRM) system. The rep asks it to pull up their customers, and it does, in seconds. Then they ask for the defence-sector accounts, the most sensitive records in the building. An agent that is merely logged in would hand them over. With Arcade, that request pauses, and a Duo Push notification lands on the right person’s phone showing them exactly what the agent is trying to do, and the records move only after someone approves. Deny it, and the agent is stopped.
Cisco owns the decision, Arcade enforces it
At the risk of sounding like we’re beating a dead horse, agent authorization is a runtime question. Can this agent, on behalf of this user, take this exact action, right now? Cisco’s launch answers that question at the policy layer, and putting it in Duo is the right move because identities, groups, scopes, and multi-factor authentication (MFA) already live there. Arcade developers contributed to the Model Context Protocol (MCP) authorization spec alongside Anthropic, Microsoft, Okta, Auth0, and others, and this integration is that thinking made concrete on top of Cisco Duo.
What Arcade adds comes one step later, at the tool call itself. Before the action runs, Arcade enforces the Duo decision on that call: it brokers the Duo login, injects the scoped token so it never reaches the model, and runs a pre-execution check that can require a fresh Duo approval when the request is sensitive. Cisco provides the authority, you can’t be in the bar after 2AM. Arcade is the runtime that enforces it, the bouncer that kicks people out.
Two layers, with Cisco Duo as the authority
The demo connects an agent to Arcade, and Arcade enforces Duo in two layers that sit at different points in the tool-calling lifecycle. The first runs up front, when the agent signs in and discovers the tools it is allowed to use. The second runs at each tool call and only escalates when the request is sensitive. They are related but rarely the same call, especially when you authorize a batch of tools at once.
The first layer is login and scope. Duo Single Sign-On acts as an OpenID Connect (OIDC) provider, so the first call runs the authorization code flow, including MFA at sign-in. Arcade brokers the token, and each tool requires a specific Duo-managed scope. You grant those scopes per user and group on Duo’s Access Policy tab, so an agent acts only within what Duo allows. Revoke a scope in Duo and the matching tool stops on the next call. The token never reaches the model or the client.
Right after that login, and still at discovery time, Arcade’s access hook decides which tools this client can even see. It runs your own logic against the caller’s Duo identity and groups, so a tool only shows up in the agent’s catalog when that user is allowed to use it. This is a separate decision from the step-up that happens later: it gates tool availability up front, before any tool call is made, rather than at pre-execution or post-execution.

The second layer adds real-time, content-aware step-up at the moment a tool actually runs. An Arcade pre-execution hook inspects each tool call, and when the request looks sensitive (or via custom parameters) it calls the Duo Auth API and sends a Duo Push before the tool runs. The push carries context, so the approver sees the tool and the query on their phone rather than a blank prompt. Approve and the tool runs. Deny or let it time out, and Arcade blocks the call and the agent reports why. The repo runs this end to end and includes the live Duo Mobile screenshots.

Bring the Duo you already run
Nothing in this article asks you to build a new trust model for agents. The Duo identities, groups, scopes, and MFA your team already runs are the same controls that now govern what an agent does on your behalf, from the first login to a step-up on the most sensitive request. It is the first working example of a Duo decision becoming an agent action for a specific user, content-aware step-up included.
Cisco made the case at RSAC that agent authorization is a runtime problem and put Duo at the center of it. We couldn’t agree more, and we’re excited to build on Duo. Read the Cisco Duo provider guide, and clone the demo, to run the whole flow yourself.


