Agent Identity

The missing primitive in agent infrastructure.

This page is the detailed case for agent identity as the foundational missing layer in agent infrastructure. For the broader argument about why agents need fundamentally different primitives from humans, see the vision page.

The problem

As AI agents move from chat interfaces into production systems — running asynchronously, using tools, acting on behalf of users — a new class of infrastructure problem emerges. It is not a capability problem. The models are capable enough. It is an authority problem.

When an agent calls an API, writes to a database, sends a message, or triggers a workflow, the systems receiving those actions need to know:

Who is this agent?
Whose authority is it acting under?
What is it allowed to do?
Where did that permission come from?
Can it be revoked?

Today, most agent systems cannot answer these questions reliably. Tokens get passed around. Credentials get embedded in prompts. Permissions are granted at setup time and never revisited. There is no audit trail that captures the full chain of delegation.

Credentials vs. identity

There is a critical distinction that most tooling conflates: credentials are how access is exercised; identity is how authority is modeled.

An OAuth token proves that access was granted. It does not tell you which agent is acting, what task it was delegated to complete, whether that task is still in scope, or whether the user who originally granted access intended it to cover this specific action.

Tokens without identity context are powerful and unaccountable — exactly the wrong combination for autonomous systems acting in the world.

What operational identity means for agents

Operational identity is not about naming agents or giving them personalities. It is the data layer that answers, at runtime:

Who — a stable, non-human actor identifier that persists across sessions and tasks
On whose behalf — the user, team, or system that delegated authority
With what authority — the specific permissions and scopes that apply to this execution
Under what constraints — rate limits, data boundaries, escalation thresholds
Until when — expiration and revocation conditions
With what audit trail — a record of every action taken, against what system, under what claimed authority

Why everything else depends on it

Agent identity is not one primitive among many. It is the substrate the others run on.

Scheduling requires durable identity context. "Run this at 9am tomorrow" is only meaningful if the system knows: as whom, with what credentials, against which accounts.
Observability requires identity in the audit trail. Logs that capture tool calls but not the identity context of who made them — and under what delegation — are incomplete for any serious governance or debugging use case.
Tool use requires runtime authorization. When an agent calls a tool, the tool needs to evaluate not just whether access was ever granted, but whether this agent, for this task, has authority to take this specific action right now.
Orchestration requires identity propagation. In multi-agent systems — orchestrators spawning subagents, agents calling other agents — user identity, task scope, and permission boundaries must flow through every link in the delegation chain. Without this, permission escalation happens by default.

The missing abstraction

Production agent systems require a complete, legible chain:

user → agent → runtime → tool → action

Each arrow in that chain represents a delegation — an authority transfer that needs to be modeled, constrained, auditable, and revocable. Most tooling today models fragments of this chain. Auth providers handle the first link. Secret managers handle credentials. MCP gateways handle tool access. But no layer currently owns the full chain: who is this agent, what was it delegated to do, and does this action fall within that scope?

That abstraction is missing. It is the gap that makes agent systems harder to trust, audit, and safely deploy at scale.

The reframe

The agent primitive stack, reframed with identity at the base:

Memory stores context.
Tooling exposes capability.
Observability records behavior.
Schedulers carry intent across time.
Identity stores authority.

You can build agents without solving identity. Developers do it every day. But those agents cannot be safely deployed in production, cannot be audited after the fact, cannot have their authority reliably revoked, and cannot participate in multi-agent systems without assuming permissions they were never explicitly granted.

Identity is not a feature to add later. It is the layer everything else is built on.

The scope of the problem

The identity gap is not a niche concern. It sits at the intersection of rapid adoption and unresolved infrastructure.

Gartner projected that by 2028, 33% of enterprise software applications will include agentic AI, up from less than 1% in 2024. That growth curve means millions of agent deployments operating across enterprise systems — each one making authorization decisions, accumulating credentials, and taking actions that need to be auditable. The identity layer is not optional at that scale; it is the precondition for safe deployment.

The OWASP Top 10 for LLM Applications lists Excessive Agency (LLM08) as a top risk: agents performing actions with broader permissions than the task required. This is not a model alignment failure — it is an identity and authorization failure. The agent was never given a mechanism to know what it was actually authorized to do for this specific task.

The framework landscape confirms the gap. As of 2026, none of the major open-source agent frameworks — LangChain, CrewAI, AutoGPT, Semantic Kernel — ship a first-class agent identity primitive. Credentials are passed through environment variables at agent startup. CrewAI's agent definition includes role, goal, and backstory fields — personality identity, not operational identity. There is no task-scoped delegation model in any of them.

The Model Context Protocol (MCP) authorization specification defines an OAuth 2.1-based flow for MCP clients to authenticate with MCP servers. This authenticates the MCP client application — not the specific agent making the request, and not the task it is performing. The spec explicitly defers agent-level identity to the host application. The protocol that is becoming the standard for agent tool access has no task-scoped delegation primitive.

The non-human identity problem predates agents. CyberArk's 2024 Identity Security Threat Landscape Report found that non-human identities — service accounts, API keys, bots — already outnumber human identities in enterprise environments by a ratio of 45:1. Agents are the next order-of-magnitude expansion of non-human identities, with the added complexity that they act autonomously and across system boundaries.

IBM's Cost of a Data Breach 2024 report found that compromised credentials remain the most common initial attack vector, accounting for 16% of breaches. As agents multiply the number of active credentials in enterprise environments — and as those credentials are embedded in prompts, passed through orchestrators, and inherited across delegation chains — this attack surface grows proportionally.

Concrete failure modes

The absence of agent identity is not a theoretical risk. It produces specific, reproducible failure patterns in production systems today.

Credential embedding in prompts. Developers embed API keys and tokens directly in system prompts or tool definitions to get agents working quickly. Those credentials are visible to the model, logged by any observability system that captures prompt content, and cannot be rotated without editing the prompt. There is no isolation between what the model sees and what the agent uses.
Persistent overpermissioning. Agents are granted permissions at setup time covering the maximum anticipated scope of operations. Because there is no runtime identity layer to express task-scoped authority, permissions do not narrow as tasks change. An agent configured to manage a calendar retains those permissions when summarizing emails — and every other task it is given.
Silent permission escalation in orchestration. When an orchestrator agent spawns a subagent, the subagent typically inherits the orchestrator's credentials in full. There is no protocol for expressing "this subagent is delegated only read access." The delegation chain widens permissions by default rather than narrowing them.
Irrevocable delegations. When a user wants to stop an agent's access to a specific resource, they must revoke the entire OAuth grant — which terminates the agent's access to everything that grant covered. Fine-grained revocation of a single delegated task is not supported by any current agent framework.
Audit trails without attribution. Observability tools capture what tools were called, what inputs were given, and what outputs were returned. They rarely capture which specific agent identity made the call, under what delegation from which user, in the context of which task, against what authorization policy. The log is a record of behavior, not of authority.
Multi-tenant credential confusion. Platforms running agents on behalf of multiple users must scope credentials per user. Without a first-class identity layer, this scoping happens in application code — a brittle pattern that has caused data leaks in multi-tenant SaaS systems. The agent has no mechanism to self-enforce its tenant boundary.

How analogous problems were solved

The agent identity problem is not novel. It is a new instance of a class of problems that the infrastructure industry has solved before — for services, for workloads, and for delegated human access. The prior art is directly applicable.

SPIFFE / SPIRE: workload identity for microservices. Between 2015 and 2018, distributed systems faced an identical problem: how does service A prove to service B what it is, what it is authorized to do, and that it has not been compromised — without embedding static credentials? The answer was workload identity: each service receives a cryptographically attested, short-lived identity certificate at runtime, issued by a trusted identity provider. SPIFFE (Secure Production Identity Framework for Everyone) is the CNCF standard. SPIRE is the reference implementation. Agents need the equivalent — identity issued per task execution, not per agent deployment.
PKI and mTLS: replacing static credentials with dynamic trust. Before service mesh, the web solved server authentication with PKI — a chain of certificates with explicit issuance, expiration, and revocation. Mutual TLS (mTLS) extended this to two-way verification. The core insight: static long-lived credentials were replaced by dynamic, short-lived certificates bound to explicit chains of trust. Agent identity should follow the same model: short-lived, cryptographically attested tokens, bound to a specific task scope, with explicit expiration and revocability.
RFC 8693: OAuth 2.0 Token Exchange: scoped delegation across service boundaries. The IETF's token exchange standard defines how a service can exchange one security token for another with equal or narrower scope — preserving delegation semantics as authority passes across system boundaries. This is directly applicable to the orchestrator-to-subagent delegation problem: each hop in the delegation chain should produce a token with equal or narrower permissions than the parent, cryptographically linked to the original grant.
W3C Decentralized Identifiers (DIDs): portable identity across platforms. For scenarios where agent identity needs to be portable across organizations or platforms — multi-agent systems that span deployment boundaries — W3C DIDs offer a model: globally resolvable, cryptographically verifiable identifiers that are not dependent on any single authority. This becomes relevant as agent ecosystems move from single-vendor deployments to cross-platform agent networks.

The standards landscape

The standards work relevant to agent identity is nascent but real. No single specification addresses the full problem. Several address important pieces.

The closest existing token format is defined by RFC 9068: JSON Web Token Profile for OAuth 2.0 Access Tokens. It standardizes JWT claims for access tokens, including sub (subject), azp (authorized party), and the act (actor) claim defined in OpenID Connect for representing impersonation and delegation chains. These claims are the raw material for agent identity tokens — but no framework currently populates them with agent-specific semantics.

RFC 8693 (OAuth 2.0 Token Exchange) is the most directly applicable standard for the delegation narrowing problem. It defines how a client can exchange one token for a narrower-scoped token, with the exchange recorded in the token's act claim chain. Applied to agents: each time an orchestrator delegates to a subagent, it exchanges its token for a narrower one. The subagent can only act within the scope of that exchange. This is the mechanism the ecosystem needs — it exists as a standard, but no agent framework implements it.

The MCP authorization specification (March 2025 revision) defines an OAuth 2.1-based flow for MCP clients to authenticate with MCP servers. This is a meaningful step: it gives MCP deployments a standard authentication handshake. But it authenticates the MCP client application, not the agent running within it, and not the specific task being performed. The spec explicitly defers authorization policy to the host. Task-scoped agent identity is out of scope for the current MCP auth model.

The SPIFFE Workload API demonstrates how cryptographically attested workload identity can be delivered to processes without static secrets — each workload proves its identity through its execution context, not through a credential it stores. Extending this model to agents running as ephemeral tasks rather than persistent services is the next engineering problem.

Large cloud providers have moved toward dynamic workload identity for compute resources. Google's Workload Identity Federation and Microsoft's Entra Managed Identity both eliminate long-lived credentials for compute workloads by issuing short-lived tokens at runtime. These are the right model — but they target persistent compute resources, not the ephemeral, user-delegated, potentially nested execution model of agents.

What a solution looks like

A complete agent identity layer has three required properties. These are not design preferences — they are the minimum required to close the failure modes above.

Cryptographically attested, task-scoped identity at runtime. An agent's identity token should be issued dynamically for each task execution — not configured once at agent setup. The token must carry: the agent's stable identifier, the user or system on whose behalf it is acting, the specific scopes authorized for this task, an expiration time, and a chain showing how authority flowed from user to agent. Static API keys and environment-variable credentials cannot satisfy this requirement.
Delegation that narrows, never widens. When authority passes from orchestrator to subagent, the subagent's token must have equal or narrower scope than the parent — implemented as a token exchange (RFC 8693 semantics) where each hop is recorded and cryptographically linked. A subagent cannot inherit permissions the orchestrator was never granted. An orchestrator cannot escalate a subagent's scope beyond its own.
Revocation granularity matching delegation granularity. A user should be able to revoke a specific agent task without revoking all other delegations. An organization should be able to revoke all agents acting on behalf of a user in one operation. The granularity of revocation must match the granularity of delegation — not be coarser. This requires the delegation chain to be stored and queryable, not just embedded in tokens.

These properties are not novel. They are what PKI, OAuth, and service mesh already provide for other actor types. The missing work is applying them specifically to agents: ephemeral, delegated, potentially nested, operating across tool boundaries on behalf of users who expect to remain in control.

Reading

References spanning the core argument, relevant standards, security research, framework gaps, and analogous solved problems:

Agent Identity: Core Agent Primitive — Manoj Bajaj, April 2026. The market is solving auth, credential management, and MCP access in isolation. The missing piece is a unified identity model that spans the full user-to-action delegation chain.
The Infrastructure for an Agent-to-Agent Economy — TrueFoundry, February 2026. The agent economy is not blocked by intelligence — it is blocked by infrastructure. Identity and authorization are central to that gap.
The Agentic AI Infrastructure Landscape in 2025–2026 — Sri Srujan Mandava, February 2026. Trust, evaluation, and governance infrastructure are the durable bets in the agent infrastructure stack.
SPIFFE: Secure Production Identity Framework for Everyone — CNCF. The workload identity standard that solved the service-to-service authentication problem in microservices. The closest prior art for agent identity.
SPIRE: SPIFFE Runtime Environment — CNCF. The reference implementation of SPIFFE. Demonstrates how workload identity can be cryptographically attested without static credentials.
RFC 8693: OAuth 2.0 Token Exchange — IETF, 2020. Defines how a service can exchange one security token for another with equal or narrower scope. Directly applicable to the orchestrator-to-subagent delegation problem.
RFC 9068: JSON Web Token Profile for OAuth 2.0 Access Tokens — IETF, 2021. Defines structured JWT claims for access tokens, including act and may_act claims relevant to agent delegation chains.
W3C Decentralized Identifiers (DIDs) v1.0 — W3C, 2022. A cryptographically verifiable, decentralized identifier model. Relevant for cross-platform and cross-organization agent identity scenarios.
OpenID Connect Core 1.0 — OpenID Foundation, 2014. The identity layer on top of OAuth 2.0. The sub, azp, and act claims are directly relevant to agent identity token modeling.
MCP Authorization Specification — Anthropic/MCP, March 2025. Defines OAuth 2.1-based authentication for MCP clients. Authenticates the client application, not the agent or task. Task-scoped identity is explicitly deferred to the host.
OWASP Top 10 for LLM Applications 2025 — OWASP. Lists Excessive Agency (LLM08) as a top risk. Both this and Sensitive Information Disclosure stem directly from absent identity and authorization primitives.
Identity Security Threat Landscape Report 2024 — CyberArk. Non-human identities outnumber human identities 45:1 in enterprise environments. Agents are the next expansion of this attack surface.
Cost of a Data Breach 2024 — IBM Security. Compromised credentials are the leading initial attack vector. Agent proliferation multiplies active credential count proportionally.
Building Effective Agents — Anthropic, December 2024. Includes a section on trust hierarchies in multi-agent systems: why subagents should not inherit full orchestrator permissions, and how to think about trust levels across agent boundaries.
Workload Identity Federation — Google Cloud. How Google solved dynamic identity for workloads without long-lived credentials. The model agents need, applied to compute processes.
Managed Identity for Azure Resources — Microsoft Entra. Azure's approach to workload identity: automatically managed credentials, no static secrets. Points toward what agent-managed identity could look like.
LangChain Tools — Concepts — LangChain. The framework's tool-calling abstraction: credentials passed via environment variables, no task-scoped delegation model.
CrewAI Agent Concepts — CrewAI. Agent definition includes role, goal, backstory. Personality identity, not operational identity. No delegation chain modeled.
The Missing Infrastructure Layer for AI Agents — Limits, January 2026. The argument for a deterministic execution control layer between reasoning and tool execution. Frames the same infrastructure gap from an execution perspective.
Why Agent Infrastructure Matters — LangChain, July 2025. The case for treating agent infrastructure as a distinct discipline from model capability.
SPIFFE Overview — CNCF. How SPIFFE workload identity works: cryptographic attestation of workload identity at runtime, without static secrets or manual credential distribution.
For Agents: Vision — for-agents.com. Why agents need fundamentally different primitives from humans — and why the entire web was built for the wrong actor type.