惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
V2EX
V
Visual Studio Blog
博客园_首页
Last Week in AI
Last Week in AI
Apple Machine Learning Research
Apple Machine Learning Research
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
SegmentFault 最新的问题
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Martin Fowler
Martin Fowler
Recent Announcements
Recent Announcements
J
Java Code Geeks
月光博客
月光博客
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
F
Fortinet All Blogs
P
Privacy & Cybersecurity Law Blog
C
CERT Recently Published Vulnerability Notes
C
CXSECURITY Database RSS Feed - CXSecurity.com
B
Blog RSS Feed
S
Schneier on Security
酷 壳 – CoolShell
酷 壳 – CoolShell
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
W
WeLiveSecurity
A
Arctic Wolf
U
Unit 42
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
有赞技术团队
有赞技术团队
Recorded Future
Recorded Future
Engineering at Meta
Engineering at Meta
Google DeepMind News
Google DeepMind News
大猫的无限游戏
大猫的无限游戏
Microsoft Security Blog
Microsoft Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
量子位
B
Blog
T
The Exploit Database - CXSecurity.com
C
Cisco Blogs
博客园 - 三生石上(FineUI控件)
H
Help Net Security
博客园 - 叶小钗
C
Cyber Attacks, Cyber Crime and Cyber Security
L
LINUX DO - 热门话题
Hugging Face - Blog
Hugging Face - Blog
Google DeepMind News
Google DeepMind News
小众软件
小众软件
雷峰网
雷峰网
TaoSecurity Blog
TaoSecurity Blog
Schneier on Security
Schneier on Security

Cloud Security Alliance

SearchLeak: Copilot Data Exfiltration Exploited | CSA Zero-Trust AI Governance for Multi-Agent Systems | CSA Dangling CNAMEs: Hidden Cloud Risk | CSA Agentic Payments in Financial Services | CSA Mythos and the Future of Cybersecurity | CSA AI-Driven Cloud Risk: Defenders Lose Ground | CSA Financial Services Industry Shifts from AI Adoption to | CSA CSAI Foundation Announces RiskRubric V2 as the Next Key | CSA RiskRubric Updates: AI Risk Assessment | CSA Over 80% of Organizations that Miss 24-Hour Patch Window Report | CSA ORCHIDEAS & MAESTRO: Secure AI Design | CSA Top 6 Claude Security Risks to Watch | CSA Cloud Cost Optimization in 2026 | CSA HIPAA Rule Overhaul in 2026 | CSA AI-Driven Exploits Outsmart Detection | CSA MCP Risks CISOs Should Prepare For | CSA AI Governance for Trust and Compliance | CSA MTTP: Patch Cycles Too Slow | CSA Cloud Security Evolution: Security Teams Lead | CSA Misconfigurations Break Customer Trust in Apps | CSA Taming Shadow AI: C-Suite Strategies | CSA Agentic AI Threats: Five Powers | CSA AIUC-1: Agentic AI Governance | CSA 2026 Threat Report for CISOs | CSA Securing AI in AWS: Runtime Detection & Response | CSA SLMs, LLMs, and the DSPM Difference | CSA OT Security Timeline: Mythos and Patch Pace | CSA Blast Radius and Cloud Threat Detection | CSA State of AI Cybersecurity 2026: 92% Concerned | CSA AI in MDR for Franchise & Multi-Location Ops | CSA AI Regulation: Identity and Authorization Gap | CSA MITRE ATT&CK for Cloud: Detection Coverage Guide | CSA Shadow AI Agents: The Insider Threat | CSA Medical Device Breaches Reveal Cloud Security Gaps | CSA AISMM: AI Security Maturity Model for Cloud | CSA Globee® Awards for Artificial Intelligence (AI) Honors Cloud | CSA Patching Smarter for Mythos Security | CSA SDP v3: Identity-First Zero Trust for AI | CSA AI-Ready Security Documents Beyond STIX, OSCAL, and SARIF | CSA Penetration Testing for ISO 42001 & Trust | CSA AI Agent Posture: Data-First Security Guardrails | CSA AI Agents Go Beyond Output: Enterprise Security | CSA AI Agent Security Starts with Scope Control | CSA Identity Spoofing vs. Identity Abuse | CSA AARM: Securing the Agentic Runtime | CSA Securing the Agentic Control Plane | CSA CSAI Foundation Announces Key Milestones to Secure the Agentic | CSA Catastrophic AI Risk Controls | CSA Cloud to AI: Building Secure Programs | CSA Identity in AI Era: Zero Trust's First Pillar | CSA SDLC Visibility: Securing Multi-Cloud Development Lifecycles | CSA Cloud Risk: Top 3 Threats & AI Tools | CSA 8 Truths About Cloud Privilege Risk | CSA AI Governance: Mature Programs | CSA Agent Access Management: Data-First Security | CSA Glasswing: AI-Driven Security for Safer Software | CSA Runtime Security: Detection & Real-Time Cloud | CSA Identity as the OS for AI Security | CSA Cloud Misconfigurations Drive Attacks at Scale | CSA Sensing AI Behavior with the WBSC Probe Library | CSA An Actionable Guide to GDPR Compliance for Startups | CSA Cloud Security LIVE 2026: AI Risk & Trust | CSA Shadow AI Agents: Enterprise Governance | CSA Rethinking Non-Human Identity Security | CSA New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments More Than Half of Organizations Experience AI Agent Scope | CSA SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP | CSA AI Agents Are Talking: Are You Listening? | CSA Software Supply Chain Security Needs an Upgrade Choosing the Right AI Standard: 7-Point Guide | CSA Audience-Driven Authorization for AI Agents | CSA A CISO's Guide to Cloud Security Architecture | CSA Who’s Behind That Action? The AI Agent Identity Crisis SSCF Adoption for SaaS Security | CSA Mythos and the Vulnpocalypse: Cloud Defenses | CSA AI Security Risks and Data Visibility | CSA From Compliance to Credibility with CAIQ/CCM | CSA The State of Cybersecurity in the Finance Sector: Six Trends to Watch EU AI Act Compliance with prEN 18286 & ISO 42001 | CSA AI Security in the Cloud: Exposure Management | CSA Rethinking Incident Response as Engineering System | CSA Defense Depends on the Creator: AI Security | CSA ATF: Zero Trust for AI Agents | CSA Cybersecurity Needs a New Data Architecture | CSA CSA STAR v4.1 Updates for Cloud Security | CSA Unstructured Data Surges as Enterprises Struggle to Maintain | CSA SC Media Names Cloud Security Alliance’s Trusted AI Safety | CSA Exposed AWS Key Leads to Full Account Takeover | CSA Post-Quantum Cloud Migration for CSA Members | CSA AI Identity Security Compliance Checklist | CSA The Agentic Trust Deficit: MCP's Authentication Vacuum | CSA More Than Two-Thirds of Organizations Cannot Clearly Distinguish | CSA AI Cybersecurity 2026: Insights from 1,500 Leaders | CSA Three-Body Security: Data, AI & Identity | CSA IAM as Safety for AI-Controlled Systems | CSA Kubernetes Cost Savings and Security Debt | CSA Code to Cloud Security: Unified Exposure Management | CSA Retail Misconfigurations Attackers Exploit | CSA Rethinking Authorization for the Age of Agentic AI | CSA Enterprise AI: Guardrails to Governance | CSA
AI Agent Identity Is Solved Backwards | CSA
2026-04-22 · via Cloud Security Alliance

Written by T. Devon Artis.

AI agents are processing transactions, analyzing medical records, and orchestrating enterprise workflows today, at scale. CSA, OWASP, and NIST have all formally recognized that traditional IAM is inadequate for these workloads. The problem has been named but the solutions being deployed are solving it backwards.

The Credential Problem Nobody Designed For

Every credential system in enterprise security was built on one assumption: you know what the workload will do before it runs. A traditional service is deterministic. A developer wrote its logic. You can scope its credentials at deploy time because its behavior is predictable.

An LLM-driven agent breaks that assumption completely. The same agent, given the same task, can take entirely different execution paths on consecutive runs: querying a database first or calling an API first, spawning a sub-agent or not, accessing different resources depending on how the model reasons through the problem. That non-determinism is the entire point. It is what makes agents useful.

It is also what makes every static credential model fail. If you cannot predict what an agent will do, you cannot scope its credentials before it runs. So organizations do one of two things: assign broad credentials to cover every possible path, or track and govern the entitlements agents accumulate over time. The first is risk acceptance dressed as convenience. The second is a cleanup operation dressed as a strategy.

If Agents Decide at Runtime, Credentials Must Be Issued at Runtime

The only model that matches how LLM agents actually work is one where credentials are issued at the moment of execution, scoped to what this agent needs for this task, on this run, right now.

This is the ephemeral credential broker model. When an orchestrator spawns an agent for a task, it requests a credential from the broker, specifying what the agent needs. The broker validates that request against the application's permission ceiling (the maximum scope the app was ever allowed to grant) and issues a token scoped to exactly that task. No broader. No longer than necessary.

Each agent instance receives a unique cryptographic identity at spawn. The token is bound to that identity and to a private key the agent holds, so stealing the JWT without the key is useless. If the task takes longer than expected, the agent can renew the token before it expires. Renewal cannot expand scope. Each renewal is a logged audit event, and a maximum renewal limit prevents indefinite extension. The agent can extend its time. It can never expand its permissions.

The exposure math makes the alternative indefensible. In a system with 100 concurrent agents completing tasks in 2 minutes while holding standard 15-minute OAuth tokens across 1,000 daily cycles, that is 21,666 agent-hours per day where a stolen credential remains valid for work that finished long ago. Task-scoped, key-bound credentials that expire at completion collapse that window to near zero.

Eight Components That Make This Work

The Ephemeral Agent Credentialing pattern (v1.3) defines eight components that together eliminate the structural vulnerabilities of static and over-scoped credentials for AI agents:

Ephemeral identity issuance. Every agent instance gets a unique, cryptographically-verifiable SPIFFE identity at spawn, encoding which orchestrator created it, which task it serves, and which specific instance it is. One identity per agent instance. When the task ends, the identity is never reused.

Task-scoped tokens. JWTs scoped to exactly the resource and action this task requires. The requesting orchestrator declares the scope; the broker enforces it against the application's permission ceiling. Default TTL is 5 minutes. For long-running tasks, agents renew before expiration: same identity, fresh TTL, same or narrower scope, with a renewal limit to prevent indefinite extension.

Key-bound credentials. Tokens are tied to a private key held by the agent. Without the key, a stolen JWT is useless. This eliminates the replay attack surface that bearer tokens create.

Zero-trust enforcement. Mutual TLS at the transport layer, JWT validation at the application layer, on every request. No implicit trust from network location or prior authentication.

Four-level revocation. Revoke a single token, all tokens for an agent, all tokens for a task, or all tokens across an entire delegation chain, with propagation in under 30 seconds. Automatic expiration handles the normal case; revocation handles the incident.

Immutable audit logging. Every credential operation is recorded in hash-chained, tamper-evident storage. Metadata and content hashes are logged, never raw prompts, model outputs, or PII.

Agent-to-agent mutual authentication. In multi-agent workflows, both agents present and verify credentials before any data exchange. No agent can insert itself into a workflow by claiming to be a legitimate component.

Delegation chain verification. When agents delegate to sub-agents, each hop carries a signed cryptographic record of the delegation act: who authorized whom, when, with what scope. Permissions can only narrow, never expand. Any resource server can verify the complete authorization lineage offline, without a registry lookup.

The Window Is Now

Agent identity has been a recognized problem for less than 18 months. Most organizations are in their first year of serious agentic deployment. The technical debt in AI agent credentials has not been fully written yet.

That is the window. Organizations building agentic stacks today can design the credential model to match how agents actually work (non-deterministic, ephemeral, runtime-scoped) rather than forcing agents into an identity model built for a fundamentally different kind of workload.

The standards bodies have named the problem. The framework exists. The right time to get this correct is before the mess has been made.

T. Devon Artis is the author of the Ephemeral Agent Credentialing security pattern (v1.3, Production-Ready), aligned with OWASP Agentic Top 10, NIST IR 8596, and IETF WIMSE. The pattern is published open at the AI Security Blueprints repository.