Agent Security & Identity in the Economy 2.0
Today we complete the Agent Economy 2.0 arc by answering the key question every security and engineering team must answer in 2026: how do you give an AI agent an identity, scope its spending, detect fraud, and kill it in under a second?
Project Glasswing by Anthropic — The World's First Autonomous Zero-Day Hunter
Project Glasswing is simultaneously the most impressive and most terrifying demonstration of agentic AI in 2026. Claude Mythos Preview operates as a fully autonomous security researcher: it reads codebases, reasons about attack vectors, crafts exploits, validates them, and generates patches -- without human guidance on each step. The fact that Anthropic restricted public access while deploying it offensively for defence is itself a governance blueprint: high-capability agents must operate within curated trust boundaries, not open-internet free-for-all. Why it matters for agent security learners: Glasswing is a live implementation of every principle we've covered -- SPIFFE identity, task-scoped OAuth, audit trails, kill switches, kill-switch-as-protocol not button. It also raises the bar: if Mythos can find 17-year-old OS vulnerabilities autonomously, so can adversarial agents. Your agent security stack needs to assume attacker-grade AI. Key Takeaways Identity first, governance follows n 63% of orgs can't stop their agents because they never gave them proper identity. Deploy SPIFFE/SPIRE before you deploy agents in production.
- 40+ — Partner orgs (Apple, MSFT, Cisco…)
- 1000s — Zero-days found week 1
- $100M — Usage credits committed
- 17yrs — Oldest bug found (CVE-2026-4747)
1. The Agent Identity Crisis of 2026
Traditional identity was built for humans and static servers. AI agents are ephemeral, non-human, multi-hop -- they spawn, complete tasks, and vanish in seconds. That renders API keys and long-lived credentials dangerously obsolete.
Identity Maturity Ladder Stage 1 -- Static API Keys n Long-lived, shared, no context binding Stage 2 -- SPIFFE/SPIRE Workload Identity n Short-lived SVIDs, mTLS, NIST + EU AI Act compliant Stage 3 -- W3C DID Self-Sovereign (2027+) n ANP protocol, decentralised, open-internet agents
- 80% of orgs have seen risky agent behaviour: data exposure, privilege escalation
- 63% cannot enforce purpose limitations on agents
- 60% cannot terminate a misbehaving agent (kill switch gap)
- 33% lack any audit trail -- strongest predictor of governance immaturity
- An agent doesn't own credentials -- it holds verifiable identity
- Each task invocation should get a fresh, time-boxed credential (seconds-minutes)
- Multi-hop delegation chains: Orchestrator → Sub-agent → Tool -- each hop must attest
- 48% of cybersecurity professionals: agentic AI = #1 dangerous attack vector 2026
2. SPIFFE/SPIRE & IETF AIMS: Workload Identity for Paying Agents
SPIFFE (Secure Production Identity Framework For Everyone) is the dominant standard for agent-to-agent authentication in 2026, extended by the IETF AIMS framework (WIMSE + SPIFFE + OAuth 2.0) to cover multi-hop agent delegation chains.
- WIMSE identifier: URI uniquely identifying an agent workload
- SPIFFE SVID: most-deployed WIMSE implementation -- X.509
- OAuth 2.0: scoped authorisation tokens that travel with the
- AuthZEN (OpenID, Jan 2026 Final): any PEP can query any
| Step | Description |
|---|---|
| 1. Boot | SPIRE Agent on the host attests the workload (kernel, container hash, environment) |
| 2. SVID | SPIFFE Verifiable Identity Document issued -- X.509 cert or JWT, TTL: 30-300 seconds |
| 3. mTLS | Agent presents SVID to MPP endpoint; mutual TLS confirms both sides are who they claim |
| 4. Scope | OAuth 2.0 scope embedded in SVID: max spend $500, merchant category = travel, 15 min window |
| 5. Rotate | On TTL expiry SPIRE auto-rotates; stale SVIDs are cryptographically rejected |
3. Agentic Wallet Security Stack & Programmable Constraints
Payment agents need a 6-layer wallet security stack. Programmable spending constraints include per-task transaction limits, merchant category (MCC) whitelists, time-windowed credentials, and velocity hard stops.
- Max single transaction: configurable per task context (e.g. $500 for travel booking)
- Merchant category locks: whitelist only approved MCCs (Merchant Category Codes)
- Time windows: credential scoped to task duration, auto-revoke on completion
- Velocity limits: max N transactions/hour, max $X/day -- hard stops, not soft warnings Know Your Agent (KYA)
- Emerging standard replacing static KYC for autonomous entities
- Continuous behavioural monitoring: expected vs actual spending patterns
- ML algorithms distinguish legitimate agent bursts from malicious automation
- Traditional fraud systems flag machine-speed purchases as suspicious -- KYA fixes this
- Rule-based systems flag velocity (machine-speed = suspicious by old rules)
- Geolocation rules break: agents can book globally in milliseconds legitimately
- Device fingerprinting doesn't apply: agents have no browser/device
- Traditional MFA: humans can't approve each agent micro-transaction at scale Agent-Native Fraud Signals
- SVID mismatch: agent's workload identity doesn't match task context
- Scope creep attempt: agent requests wider OAuth scope than task declared
- Delegation chain break: sub-agent claims permissions not granted by orchestrator
- Merchant drift: MCC codes outside whitelisted categories for the task type
- Nonce replay: x402/MPP nonce presented more than once
| Layer | Description |
|---|---|
| Agentic Wallet Security Stack Layer 1 -- Identity: SPIFFE SVID per transaction Layer 2 -- Auth: OAuth 2.0 scoped token + biometric anchor Layer 3 -- Tokenisation: SPT (Shared Payment Token) -- never raw card Layer 4 -- Constraints: programmable spend limits + MCC whitelist Layer 5 -- Monitoring: KYA behavioural ML + velocity rules Layer 6 -- Kill Switch: Universal Logout revokes all tokens instantly |
4. Agent-Native Fraud Detection & Know Your Agent (KYA)
Autonomous agent transactions are now entering regulated payment rails. Three frameworks are shaping what compliance looks like in 2026: EU PSD3 / PSR Political agreement Nov 27 2025; formal adoption early 2026; 18-24 month transposition. Agent Exemption Tightened: commercial agent exemption now only applies in very limited circumstances -- most agent payments must comply with full PSR. SCA for agents: strong customer authentication must be anchored to human principal, not the agent itself. EBA
8. Breaking: Project Glasswing & Claude Mythos Preview
Anthropic officially launched Project Glasswing (Apr 7 2026) using the preview of Claude Mythos as an autonomous cybersecurity agent to find and fix zero-day vulnerabilities at scale.
| Aspect | Detail |
|---|---|
| Zero-Days Found | Mythos Preview identified thousands of critical zero-days across every major OS and every major web browser autonomously -- including CVE-2026-4747: a 17-year-old FreeBSD RCE exploit allowing full root access via NFS. |
| Partner Network | 40+ partners including Amazon, Apple, Broadcom, Cisco, CrowdStrike, Linux Foundation, Microsoft, Palo Alto Networks receiving early access under strict safety controls. |
| Financial Commitment | Anthropic committed $100M in Mythos Preview usage credits + $4M direct donations to open-source security organisations. |
| Why Restricted | Mythos is capable of identifying AND exploiting zero-days autonomously. Anthropic decided it is too dangerous for public release -- hence Project Glasswing's curated partnership model as a 'use for defence before attackers use for offence' strategy. |
| Agent Security Relevance | Mythos Preview running autonomously = the highest-stakes agentic AI deployment in 2026. It operationalises SPIFFE identity, task-scoped permissions, kill switches, and full audit trails -- a live blueprint for agent security in the economy. |
Ds (30-300s TTL) + OAuth scopes + MCC whitelists = the minimum viable security stack for any agent that can spend money.
Classic velocity rules and device fingerprinting don't apply. Use SVID mismatch, scope creep attempts, and delegation chain breaks as your fraud signals.
I guidelines, and US AB 316 all make the human principal liable for agent actions -- know your compliance obligations now.
Logout proves it: you can only kill what you can identify. T1→T4 kill switch works only if SPIFFE SVIDs and OAuth tokens are revocable in <1s.
Mythos autonomously finds and exploits zero-days. Your agents will face adversarial AI in 2026 -- not just script kiddies.