VSvarunsingla.com

← All entries

Day 23· · 3 min read

Agent Security & Identity in the Economy 2.0

Governance & Safety Models & Frontier

Today we complete the Agent Economy 2.0 arc by answering the key question every security and engineering team must answer in 2026: how do you give an AI agent an identity, scope its spending, detect fraud, and kill it in under a second?

Viral app of the day

Project Glasswing by Anthropic — The World's First Autonomous Zero-Day Hunter

Project Glasswing is simultaneously the most impressive and most terrifying demonstration of agentic AI in 2026. Claude Mythos Preview operates as a fully autonomous security researcher: it reads codebases, reasons about attack vectors, crafts exploits, validates them, and generates patches -- without human guidance on each step. The fact that Anthropic restricted public access while deploying it offensively for defence is itself a governance blueprint: high-capability agents must operate within curated trust boundaries, not open-internet free-for-all. Why it matters for agent security learners: Glasswing is a live implementation of every principle we've covered -- SPIFFE identity, task-scoped OAuth, audit trails, kill switches, kill-switch-as-protocol not button. It also raises the bar: if Mythos can find 17-year-old OS vulnerabilities autonomously, so can adversarial agents. Your agent security stack needs to assume attacker-grade AI. Key Takeaways Identity first, governance follows n 63% of orgs can't stop their agents because they never gave them proper identity. Deploy SPIFFE/SPIRE before you deploy agents in production.

By the numbers
63%
orgs can't stop their own agent
33%
lack audit trails entirely
$600M+
x402 protocol transaction vol
40+
Project Glasswing partner orgs

1. The Agent Identity Crisis of 2026

Traditional identity was built for humans and static servers. AI agents are ephemeral, non-human, multi-hop -- they spawn, complete tasks, and vanish in seconds. That renders API keys and long-lived credentials dangerously obsolete.

Identity Maturity Ladder Stage 1 -- Static API Keys n Long-lived, shared, no context binding Stage 2 -- SPIFFE/SPIRE Workload Identity n Short-lived SVIDs, mTLS, NIST + EU AI Act compliant Stage 3 -- W3C DID Self-Sovereign (2027+) n ANP protocol, decentralised, open-internet agents

2. SPIFFE/SPIRE & IETF AIMS: Workload Identity for Paying Agents

SPIFFE (Secure Production Identity Framework For Everyone) is the dominant standard for agent-to-agent authentication in 2026, extended by the IETF AIMS framework (WIMSE + SPIFFE + OAuth 2.0) to cover multi-hop agent delegation chains.

StepDescription
1. BootSPIRE Agent on the host attests the workload (kernel, container hash, environment)
2. SVIDSPIFFE Verifiable Identity Document issued -- X.509 cert or JWT, TTL: 30-300 seconds
3. mTLSAgent presents SVID to MPP endpoint; mutual TLS confirms both sides are who they claim
4. ScopeOAuth 2.0 scope embedded in SVID: max spend $500, merchant category = travel, 15 min window
5. RotateOn TTL expiry SPIRE auto-rotates; stale SVIDs are cryptographically rejected

3. Agentic Wallet Security Stack & Programmable Constraints

Payment agents need a 6-layer wallet security stack. Programmable spending constraints include per-task transaction limits, merchant category (MCC) whitelists, time-windowed credentials, and velocity hard stops.

LayerDescription
Agentic Wallet Security Stack Layer 1 -- Identity: SPIFFE SVID per transaction Layer 2 -- Auth: OAuth 2.0 scoped token + biometric anchor Layer 3 -- Tokenisation: SPT (Shared Payment Token) -- never raw card Layer 4 -- Constraints: programmable spend limits + MCC whitelist Layer 5 -- Monitoring: KYA behavioural ML + velocity rules Layer 6 -- Kill Switch: Universal Logout revokes all tokens instantly

4. Agent-Native Fraud Detection & Know Your Agent (KYA)

Autonomous agent transactions are now entering regulated payment rails. Three frameworks are shaping what compliance looks like in 2026: EU PSD3 / PSR Political agreement Nov 27 2025; formal adoption early 2026; 18-24 month transposition. Agent Exemption Tightened: commercial agent exemption now only applies in very limited circumstances -- most agent payments must comply with full PSR. SCA for agents: strong customer authentication must be anchored to human principal, not the agent itself. EBA

8. Breaking: Project Glasswing & Claude Mythos Preview

Anthropic officially launched Project Glasswing (Apr 7 2026) using the preview of Claude Mythos as an autonomous cybersecurity agent to find and fix zero-day vulnerabilities at scale.

AspectDetail
Zero-Days FoundMythos Preview identified thousands of critical zero-days across every major OS and every major web browser autonomously -- including CVE-2026-4747: a 17-year-old FreeBSD RCE exploit allowing full root access via NFS.
Partner Network40+ partners including Amazon, Apple, Broadcom, Cisco, CrowdStrike, Linux Foundation, Microsoft, Palo Alto Networks receiving early access under strict safety controls.
Financial CommitmentAnthropic committed $100M in Mythos Preview usage credits + $4M direct donations to open-source security organisations.
Why RestrictedMythos is capable of identifying AND exploiting zero-days autonomously. Anthropic decided it is too dangerous for public release -- hence Project Glasswing's curated partnership model as a 'use for defence before attackers use for offence' strategy.
Agent Security RelevanceMythos Preview running autonomously = the highest-stakes agentic AI deployment in 2026. It operationalises SPIFFE identity, task-scoped permissions, kill switches, and full audit trails -- a live blueprint for agent security in the economy.
Practical takeaways
Payment agents need scoped, short-lived credentials SVI

Ds (30-300s TTL) + OAuth scopes + MCC whitelists = the minimum viable security stack for any agent that can spend money.

Fraud detection must be agent-native

Classic velocity rules and device fingerprinting don't apply. Use SVID mismatch, scope creep attempts, and delegation chain breaks as your fraud signals.

Regulators are catching up fast EU PSD3/PSR (2026), UK FCA A

I guidelines, and US AB 316 all make the human principal liable for agent actions -- know your compliance obligations now.

Kill switch = identity protocol Universal

Logout proves it: you can only kill what you can identify. T1→T4 kill switch works only if SPIFFE SVIDs and OAuth tokens are revocable in <1s.

Glasswing sets the new threat level

Mythos autonomously finds and exploits zero-days. Your agents will face adversarial AI in 2026 -- not just script kiddies.

VS
Varun Singla
Singapore · About · Learning in public