VSvarunsingla.com

← All entries

Day 58· · 4 min read

Agent Identity 3.0 -- SPIFFE Hits Prod, KYA

Governance & Safety Foundations & Protocols
By the numbers
63%
orgs that cannot stop their own agents (Salesforce, 2026)
Anthropic enterprise share growth vs May 2025

1. Why agent identity is the layer that breaks first

Every other layer of the agentic stack -- orchestration (LangGraph, MS Agent Framework), memory (MemOS, pgvector + Cassandra), observability (Phoenix, Galileo, LangSmith), payments (x402, MPP, SPTs) -- already assumes identity. They all answer the same question implicitly: which agent did this, on whose behalf, with what authority, and is there a tamper-evident log of it? Today, in most production deployments, that question gets answered with a static API key in an env var. That breaks the moment an agent is allowed to call another agent, spend money, write to a shared workspace, or persist memory across sessions -- which is exactly what Claude for Small Business, AgentCore Payments, Notion External Agent API, and Microsoft Agent 365 all assume. Static keys cannot revoke fast enough, cannot scope per-task, cannot bind to a human principal, and cannot survive a SOC 2 / ISO 42001 / EU AI Act audit. The Salesforce 2026 survey put a number on it: 63% of orgs admit they cannot stop an agent they deployed. That is a kill-switch problem dressed up as an identity

2. The Identity Maturity Ladder -- three stages

Stage 1 is where most teams are today: static API keys in vaults, rotated quarterly if at all, shared across agents and environments. Blast radius unbounded. Stage 2 is SPIFFE / SPIRE workload identity -- every agent boots and is issued a short-lived SVID (SPIFFE Verifiable Identity Document, typically a 30-300 second X.509 cert or JWT). The SVID is cryptographically bound to the agent's workload attributes (image hash, namespace, task, parent agent), used as mTLS client cert for all downstream calls, and rotated automatically. Stage 3 is W3C DID self-sovereign identity -- the agent owns its identity cryptographically, can prove provenance across organisations, and supports revocation via online revocation lists. NIST's March 2026 concept paper explicitly adopts this ladder: adapt OAuth + OIDC + SPIFFE today, layer DID on top by 2027. IETF AIMS (draft-klrc-aiagent-auth) composes WIMSE + SPIFFE + OAuth 2.0 + AuthZEN (Jan 2026 Final Spec) into a single profile. This is the substrate every other 2026 standard now references.

Stage Identity primitive What it solves Production examples (2026)
1 -- StaticAPI keys, long-lived secrets in vaultsBootstrapping. Nothing else.Most early agents; OpenAI Assistants v1; most LangChain demos
2 -- Dynamic workload (SPIFFE/SPIRE)Short-lived SVID (X.509/JWT), 30-300s TTL, mTLS-bound, attested at bootPer-task scope, fast revocation, NIST CAISI audit trail, EU AI Act Annex III evidenceAWS IRSA, GCP Workload Identity, HashiCorp Vault Agent Injector, Microsoft Agent 365 (Entra workload identity)
3 -- Self-sovereign (W3C DID)did:wba or did:web, agent-controlled keys, JSON-LD agent metadata cards, online revocation listsCross-org provenance, agent-to-agent trust without central authority, open-internet agent commerceEarly ANP (Agent Network Protocol) deployments; Skyfire pilots; expected mainstream 2027-28

5. The Kill Switch as Identity Protocol

The breakthrough framing this quarter is that kill switch is not a button -- it is the inverse of identity issuance. Okta Universal Logout, Entra Continuous Access Evaluation, and SPIRE bundle revocation all do the same thing: invalidate the SVID, fail the next mTLS handshake, force the agent to a halt. Kill switches stop working only when identity stops working -- which is why every 2026 enterprise control plane (Agent 365, IBM watsonx Orchestrate, Cognizant Secure AI Services launched May 7) is now structured as: identity provider (Entra / SPIRE / Vault) fi policy engine (AuthZEN / OPA) fi tool gateway (MCP gateway, Databricks Unity AI Gateway) fi audit lake (NIST CAISI, WORM). Pull the SVID and the agent cannot make a single downstream call. Target latency: under one second from kill-switch trigger to last possible request blocked at the network edge.

Layer What it controls How identity revocation lands
T1 -- ApplicationOAuth scopes, task freeze inside the agent processOAuth token introspection fails → agent loops on retry → graceful halt
T2 -- NetworkEgress filtering, MCP gateway close, sidecar mTLS rejectSPIRE bundle rotation → next mTLS handshake fails → all outbound calls blocked
T3 -- InfrastructureContainer drained or evicted, SVID revoked at SPIRE serverSPIRE marks SVID revoked → no new SVIDs issued → workload dies on next attestation cycle
T4 -- MemoryEpisodic memory frozen, vector DB snapshots taken for forensicsMemory IDs hard-deleted (GDPR cascade); WORM audit preserved separately

6. What to do this week

Step 1 -- Inventory every agent in production and answer two questions: what identity does it use today, and who can revoke it in under one second? If the answer to either is 'long-lived API key' or 'no-one', you have a Stage-1 deployment that fails Annex III evidence on Aug 2. Step 2 -- Pilot SPIRE on one non-critical agent fleet. Helm chart available, takes a weekend. Wire it to issue SVIDs with 120s TTL. Replace static keys for downstream MCP servers with mTLS using the SVID. Step 3 -- Add the four KYA pillars to your existing OTEL gen_ai spans: agent_identity (SVID hash), authority (OAuth scope), behavioural (anomaly score from Galileo Signals or Phoenix), audit (NIST CAISI WORM log pointer). Step 4 -- Make your kill switch identity-based, not button-based. Wire Microsoft Agent 365 or your equivalent to revoke the SVID via SPIRE API; verify end-to-end revocation latency in a chaos drill (Day 49 pattern). Step 5 -- Generate one Annex III audit pack from the WORM log to confirm reconstructability of every agent decision, including alternatives considered. Aug 2 is 78 days away. Stage 2 identity is the cheapest path through.

Story Why it matters
Claude for Small Business GA (May 13)Anthropic puts Claude Cowork inside QuickBooks, PayPal, HubSpot, Canva, DocuSign, Google Workspace, M365 -- 15 ready-to-run workflows (payroll, invoices, tax prep, HR, customer service). Free US tour starts May 14 across 10 cities. Each workflow is an autonomous agent acting on the SMB's behalf with payment authority -- making per-agent SPIFFE identity a small-business requirement, not just an enterprise one.
Cognizant Secure AI Services launches (May 7)Strategic positioning of governance + identity + runtime policy as a managed SI play -- Cognizant is the first big SI to package Snyk Evo + SPIRE-style identity + NIST CAISI audit into a single bundle. Signals that AI Identity is becoming a $1B+ services line, not just a vendor product.
AWS Bedrock AgentCore Payments preview (May 7)x402 + USDC on Base + Coinbase + Stripe Privy wallet. ~200ms settlement, per-session spend caps, user must pre-authorise wallet. Hyperscaler-blessed KYA pattern -- explicit principal, scoped authority, audited transaction trail. The Day-28 stack is now AWS-native.
Anthropic Agent SDK adds Cowork credits (May 13)Paid Claude accounts now receive $20-$200/month in Agent SDK credits -- directly monetising third-party agent deployments. Forces SPIFFE-style identity onto third-party developers because Anthropic must attribute compute and cost back to a verifiable principal.
Sweet Security launches Sweet Attack (May 13)Continuous agentic red-teaming -- runs autonomous attack-chain discovery against your own agents. Backed by Evolution Equity / Munich Re / Glilot / CyberArk Ventures. Pairs with KYA: red team validates that your identity + scope enforcement actually holds under adversarial pressure.
EU AI Act Omnibus political agreement (May 7)Legislative package adopted Nov 19, 2025; political agreement reached May 7, 2026. Aug 2 enforcement date for high-risk agent systems CONFIRMED. AI Office gets centralised oversight of GPAI. Penalties up to €35M / 7% global turnover. Annex III evidence requirements unchanged -- agent identity + audit trail mandatory.

7. Breaking this week (May 13-16, 2026)

Story Why it matters
Claude for Small Business GA (May 13)Anthropic puts Claude Cowork inside QuickBooks, PayPal, HubSpot, Canva, DocuSign, Google Workspace, M365 -- 15 ready-to-run workflows (payroll, invoices, tax prep, HR, customer service). Free US tour starts May 14 across 10 cities. Each workflow is an autonomous agent acting on the SMB's behalf with payment authority -- making per-agent SPIFFE identity a small-business requirement, not just an enterprise one.
Cognizant Secure AI Services launches (May 7)Strategic positioning of governance + identity + runtime policy as a managed SI play -- Cognizant is the first big SI to package Snyk Evo + SPIRE-style identity + NIST CAISI audit into a single bundle. Signals that AI Identity is becoming a $1B+ services line, not just a vendor product.
AWS Bedrock AgentCore Payments preview (May 7)x402 + USDC on Base + Coinbase + Stripe Privy wallet. ~200ms settlement, per-session spend caps, user must pre-authorise wallet. Hyperscaler-blessed KYA pattern -- explicit principal, scoped authority, audited transaction trail. The Day-28 stack is now AWS-native.
Anthropic Agent SDK adds Cowork credits (May 13)Paid Claude accounts now receive $20-$200/month in Agent SDK credits -- directly monetising third-party agent deployments. Forces SPIFFE-style identity onto third-party developers because Anthropic must attribute compute and cost back to a verifiable principal.
Sweet Security launches Sweet Attack (May 13)Continuous agentic red-teaming -- runs autonomous attack-chain discovery against your own agents. Backed by Evolution Equity / Munich Re / Glilot / CyberArk Ventures. Pairs with KYA: red team validates that your identity + scope enforcement actually holds under adversarial pressure.
EU AI Act Omnibus political agreement (May 7)Legislative package adopted Nov 19, 2025; political agreement reached May 7, 2026. Aug 2 enforcement date for high-risk agent systems CONFIRMED. AI Office gets centralised oversight of GPAI. Penalties up to €35M / 7% global turnover. Annex III evidence requirements unchanged -- agent identity + audit trail mandatory.

8. Viral AI app of the week -- OwlPay Agent Wallet

OwlTing's OwlPay Agent Wallet launched May 4 and went viral across the agent-economy crowd this week -- the first stablecoin wallet purpose-built for autonomous AI agents rather than humans. Unlike a regular wallet retrofitted for agents, OwlPay was designed from day one around the agent identity model: every agent gets a scoped sub-wallet tied to its workload identity (SPIFFE-ready), spending caps enforced at the wallet layer not just the application layer, every transaction signed with the agent's SVID hash for replayable audit, and nonce-based replay protection baked into the protocol. It interoperates with x402 (so it works with AWS Bedrock AgentCore Payments out of the box), with Stripe's Privy wallet, and with the Linux Foundation x402 governance stack. The viral hook: a developer can issue 100 sub-wallets in a single API call, each bound to a different agent persona with its own spend rules -- making it the first wallet that treats fleets of agents as first-class economic actors. Most concrete sign yet that the agent economy is moving from 'one wallet shared across all agents' to 'one identity, one wallet, one audit trail per agent.' Tomorrow (Day 55): Agent-Native Data Infrastructure -- Confluent, RisingWave, Databricks Genie, and the rise of event-driven agentic

Inventory identity by FridayEvery agent in production needs to be classified Stage 1 / Stage 2 / Stage 3. Anything Stage 1 with payment authority or memory writes is an Aug 2 audit failure waiting to happen.
Pilot SPIRE this weekendHelm chart, 120s SVID TTL, one non-critical fleet. The hardest part is killing the static API key -- the tech itself is mature.
Wire kill switch to identity revocationIf your kill switch is a button in a dashboard, it is not a kill switch. Wire it to revoke the SVID via SPIRE API and prove sub-second propagation in a chaos drill.
Add the four KYA pillars to your OTEL spansagent_identity (SVID hash), authority (OAuth scope), behavioural (anomaly score), audit (WORM log pointer). These are the Annex III evidence fields regulators will ask for.
Practical takeaways
Tomorrow: Day 55: Agent-Native Data Infrastructure -- Conflu

Tomorrow: Day 55: Agent-Native Data Infrastructure -- Confluent, RisingWave, Databricks Genie, and event-driven agentic pipelines replacing batch ETL.

VS
Varun Singla
Singapore · About · Learning in public