The Agent Identity Gap

In the week of March 17-24, 2026, every major identity vendor announced agent authentication. Okta, Yubico+Delinea, Microsoft, Astrix, and Geordie AI all shipped solutions for the same narrow question: can this agent prove it is allowed to be here right now?

Authentication Is Not Identity

The distinction matters because it determines what is provable after the fact. Authentication answers a narrow question: was this entity permitted to access this resource at this moment? The answer is binary and ephemeral. A valid token grants access. An expired token denies it. After the session ends, the authentication event is a log entry in the identity provider's database.

Identity answers a different question: who is this entity, independent of any particular system's directory? A cryptographic identity, an Ed25519 key pair generated at agent instantiation, is not derived from a human's credentials, not stored in a vendor's directory, and not dependent on a session remaining active. The agent's public key is its identity. Its authority derives from a signed delegation chain, not from an inherited token. Its operational history is attributable to its specific key, not to the human whose OAuth token it borrowed.

This distinction has a concrete operational consequence. When an agent authenticated via OAuth takes an action, the audit trail records: “an entity holding token X accessed resource Y.” If three agents share the same service account token, the audit trail cannot distinguish which agent acted. The token identifies the authorization context, not the actor.

When an agent with its own Ed25519 key pair takes an action and the action produces a signed receipt, the audit trail records something far more specific: “agent with public key Z, operating under delegation artifact D signed by authority A with scope S and TTL T, performed action Y at time T, and the receipt is cryptographically attributable to key Z alone.” No other agent can produce that signature. The receipt is evidence, not a log entry.

How Current Systems Handle Agent Identity

The products announced in March 2026 represent several approaches to agent identity.^[1][2][3] Each solves real problems at the human-to-agent boundary. Each leaves the agent-to-agent delegation boundary unaddressed.

Only AGA satisfies all six requirements for portable, verifiable agent identity.

Okta for AI Agents^[1] extends directory-based identity to non-human entities. For organizations running fewer than ten agents with continuous human oversight, this is a reasonable approach. The limitation is structural: Okta's identity model is bound to the organizational directory. Agents that operate across organizational boundaries, or that need to prove their identity to parties outside the Okta tenant, cannot do so with a directory entry alone.

Yubico and Delinea's Runtime Delegation Token^[2] anchors agent authorization to hardware-attested human approval. This is the right model for deployment gates, where a human must approve before an agent acts. It is not designed for continuous autonomous operation, where agents must act within delegated scope without per-action human intervention.

RSAC 2026 brought additional announcements. Microsoft previewed Entra Agent ID for managing non-human identities in Azure.^[5] Astrix Security launched discovery tooling for shadow agent accounts.^[6] Geordie won the Innovation Sandbox for AI-powered security operations.^[7] Each addresses a real segment of the agent lifecycle. None produces portable cryptographic identity that an agent can carry across systems, organizations, and air-gapped environments.

What Agent Identity Requires

Portable, verifiable agent identity requires four independent properties. Each is necessary. None is sufficient alone.

Identity from Key Pairs, Not Inherited Credentials

The agent's Ed25519 public key is its identity. The key pair is generated at agent instantiation, not derived from a human's credentials and not issued by a directory service. The public key can be shared, verified, and attributed without revealing anything about the human or organization that authorized the agent. Patent coverage: Section M of the AGA specification.

Authority from Signed Delegation, Not Role Inheritance

A Delegation Artifact encodes the child agent's scope as a strict subset of the parent's authority. Every delegation is cryptographically signed by the delegating entity, creating a verifiable chain back to the original authority. A child agent cannot grant itself permissions that its parent did not possess. Patent coverage: constrained delegation claims.

Temporal Bounds from TTL, Not Session Cookies

Authority expires on a schedule encoded in the sealed artifact. The Portal enforces expiration. The agent cannot extend its own TTL, request a renewal, or bypass the temporal boundary. When the TTL elapses, authority ceases. Patent coverage: Claim 6.

Revocation from Key Invalidation, Not Token Expiration

Revoking an agent means invalidating its key. When a key is invalidated, every Delegation Artifact in the chain that depends on that key becomes unverifiable. Revocation cascades automatically through the delegation hierarchy without requiring individual token revocation for each downstream agent. Patent coverage: Claim 10.

The Delegation Chain Failure

Consider a concrete scenario. An enterprise deploys Agent A as a research orchestrator. Agent A delegates to Agent B for data retrieval. Agent B delegates to Agent C for formatting and delivery. Three agents, operating as a coordinated pipeline, each with access to enterprise resources.

At 3:47 PM, the security team revokes Agent A's authorization.

Without cryptographic delegation chains: Agent B and Agent C continue operating with cached credentials. The audit trail shows the human's service account credentials, not individual agent identities. When the incident review begins, the security team cannot answer a basic question: which agent accessed the customer database after the revocation order was issued? The credentials are shared. The log entries are indistinguishable.

With AGA: Agent A's key is invalidated. Agent B's Delegation Artifact references Agent A's key as the delegating authority. The Portal detects the broken chain and enforces quarantine on Agent B. Agent C's delegation depends on Agent B, which depends on Agent A. Cascading enforcement terminates the entire pipeline. Every action taken before revocation has a signed receipt attributable to the specific agent that performed it. Every action attempted after revocation is blocked and recorded.

Identity, Evidence, and Zero Trust

This is the fifth article in a series on provable AI governance. The previous articles established that logs are not proof, that enforcement must be cryptographic, and that evidence must be portable. This article addresses the prerequisite that makes all of those properties meaningful: identity.

A signed receipt is only as meaningful as the identity that signed it. If the signing key belongs to a shared OAuth token, the receipt proves that “an entity holding this token” acted. If the signing key is an agent-specific Ed25519 key pair bound to a delegation chain, the receipt proves that “this specific agent, authorized through this specific delegation path, with this specific scope and TTL” acted. The cryptographic strength of the receipt is identical in both cases. The attributability is not.

Cryptographic agent identity makes governance receipts attributable. Evidence without identity is unattributable. Identity without evidence is unverifiable. The two capabilities are complementary, and neither is complete alone.

NIST's NCCoE AI Agent Identity initiative^[4] recognizes the need for standardized agent identity in multi-agent systems. SP 800-207, the Zero Trust Architecture, establishes the principle that trust is never granted implicitly and must be continuously verified. AGA extends zero trust to the agent layer: every agent action requires a valid key, a valid delegation chain, and a valid TTL. Trust is not inherited from the human who deployed the agent. Trust is earned per-action and proven per-receipt.

Tradeoffs

This architecture is not free. Every agent needs its own key pair. Every delegation requires a signed artifact. Every action produces a receipt that must be stored and made available for verification. The overhead is real, and for simple deployments it may be unnecessary.

For a single agent operating under continuous human oversight within a single organization, Okta's directory-based identity or Yubico's hardware-attested delegation is appropriate and sufficient. These products solve the problem they were designed to solve, and they solve it well.

For multi-agent orchestration that crosses organizational boundaries, operates in air-gapped environments, or requires post-hoc forensic attribution, directory-based identity is structurally insufficient. The identity is bound to the directory. The directory is bound to the organization. The organization is one party in a multi-party interaction. A portable cryptographic identity, anchored to a key pair rather than a directory entry, is the only mechanism that remains verifiable when the directory is unreachable.

The Agent Identity Gap is not theoretical. It is the measurable distance between what shipped this month and what governance requires.

The architecture described in this article is implemented, tested, and independently verifiable.

Explore the technical architecture, try the online verifier, review the evaluation framework, or read our NIST NCCoE public comment on AI agent identity.

References

1. Okta. “Every Agent Needs an Identity: Introducing Okta for AI Agents.” March 2026.
2. Yubico and Delinea. “Yubico and Delinea Close the Agentic AI Accountability Gap.” March 19, 2026.
3. Luiz Neto. “4 New AI Agent Security Models That Shipped This Week.” March 2026.
4. Attested Intelligence. Public comment on NIST NCCoE AI Agent Identity. Filed March 4, 2026.
5. Microsoft. “Microsoft Entra innovations announced at RSAC 2026.” March 2026.
6. Astrix Security. “What We're Announcing at RSAC 2026.” March 2026.
7. RSAC. Innovation Sandbox 2026.