AG-770
Agentic Identity and Credential Lifecycle Governance
EU AI Act
NIST AI RMF
ISO 42001
Agentic Identity and Credential Lifecycle Governance addresses the end-to-end management of identities, credentials, API keys, tokens, and certificates assigned to or consumed by autonomous and semi-autonomous agents. As agent populations scale across enterprise environments, the attack surface introduced by orphaned credentials, over-privileged API keys, and unrotated certificates grows exponentially. AG-770 establishes binding requirements for how agent identities are provisioned, authenticated, rotated, revoked, and audited throughout every phase of the agent lifecycle. The dimension applies across all deployment models including cloud-native, on-premises, hybrid, and edge deployments.
This dimension recognises that agents are not equivalent to human users in identity and access management (IAM) systems. Unlike human users who authenticate interactively, agents rely on programmatic credentials such as OAuth2 client credentials, mTLS certificates, HMAC-signed tokens, and short-lived JWTs. Each credential type carries distinct risk characteristics. A leaked long-lived API key for a financial trading agent, for instance, could enable unauthorised market orders worth millions within seconds. AG-770 therefore mandates credential-type-specific controls calibrated to the risk tier of the agent and its operational mandate. The dimension requires organisations to maintain a credential type registry mapping each credential category to its permitted use cases, maximum TTL, storage requirements, and rotation frequency.
The dimension also governs identity federation across multi-cloud, hybrid, and cross-organisational deployments. When an enterprise workflow agent delegates a sub-task to a third-party agent via MCP (Model Context Protocol) tool calls, the credential chain must maintain integrity, least privilege, and full auditability. AG-770 requires that every credential delegation event is logged with cryptographic proof, and that no agent can escalate its own privileges without explicit human or policy-engine authorisation. Federation trust boundaries must be explicitly defined and reviewed quarterly, with each trust relationship documented in the organisation's agent identity registry. Cross-organisational credential federation must comply with the principle of minimal authority, ensuring that federated agents receive only the permissions necessary for their specific delegated task.
Finally, AG-770 mandates post-quantum readiness for credential material. All new credential issuance from 2026-Q3 onward must support hybrid classical/post-quantum signing algorithms, aligning with AG-773 (Quantum-Resilient Cryptographic Governance) and NIST SP 800-208 guidance on stateful hash-based signatures. Organisations must maintain a migration roadmap for transitioning existing credential infrastructure to post-quantum readiness, with interim risk assessments for credential material that remains classical-only.
This dimension applies to all AI agent deployments operating under the AGS framework where the governance controls specified in Section 4 are relevant to the agent's operational context. Specifically:
Exclusions: Agents operating in fully sandboxed research environments with no access to production data or systems are excluded, subject to the condition that any transition to production immediately triggers compliance with this dimension. Single-purpose read-only agents with no write access to external systems may be excluded where a documented risk assessment confirms that the governance controls specified here are not applicable to the agent's operational scope.
Financial Services. Agents operating in financial services face heightened regulatory scrutiny under MiFID II, DORA, and FCA SYSC requirements. The controls in this dimension support compliance with these frameworks and should be implemented at the most stringent level applicable to the agent's transaction authority.
Healthcare. Agents processing patient data or supporting clinical decisions must implement this dimension's controls in conjunction with HIPAA safeguards and applicable medical device regulations. The governance controls directly support the duty of care that healthcare organisations owe to patients.
Public Sector. Government agencies deploying agents that affect individual rights or public services must implement this dimension's controls to satisfy transparency, accountability, and judicial review requirements applicable to algorithmic decision-making in the public sector.
Agentic Identity and Credential Lifecycle Governance addresses a governance gap that, if left unmanaged, creates systemic risk across the agent ecosystem. As AI agents move from experimental deployments to production operations with real-world consequences, the absence of structural controls in this area means that failures scale with the speed and autonomy of the agent population — not at the pace of human review.
Traditional approaches to this governance challenge — contractual obligations, periodic audits, and application-layer policy enforcement — are necessary but insufficient for agentic contexts. Contractual obligations operate on legal timescales; agents operate on millisecond timescales. Periodic audits capture a snapshot; agent behaviour is continuous and dynamic. Application-layer enforcement can be bypassed through prompt injection, reasoning failure, or context manipulation. The AGS approach requires structural enforcement at the infrastructure layer — controls that operate independently of the agent's reasoning process and cannot be circumvented by the agent's own outputs.
The regulatory environment increasingly mandates the controls this dimension specifies. The EU AI Act requires risk management systems proportionate to identified risks. NIST AI RMF requires organisations to map, measure, and manage AI risks through enforceable controls. ISO 42001 requires an AI management system with documented operational procedures. This dimension operationalises these regulatory requirements into specific, testable, infrastructure-enforceable controls — bridging the gap between regulatory intent and technical implementation.
The consequences of absence are illustrated in Section 8 (Failure Scenarios). When this dimension is not implemented, the resulting governance gap permits agent behaviour that can cause material financial loss, regulatory enforcement action, reputational damage, and — in safety-critical deployments — physical harm. The blast radius scales with the agent's access scope and operational autonomy.
Basic Implementation — The organisation has documented policies addressing agentic identity and credential lifecycle and has implemented initial controls. Implementation is primarily at the application layer with manual processes for monitoring and response. Logging covers key events but may lack full metadata. Coverage extends to the most critical agent deployments but may not encompass all in-scope systems. Staff are aware of requirements but formal training may be incomplete.
Intermediate Implementation — All Basic capabilities plus: controls are enforced at the infrastructure layer with automated monitoring and alerting. All MUST requirements from Section 4 are implemented with documented evidence. Coverage extends to all in-scope agent deployments. Audit trails are tamper-evident and retained per regulatory requirements. Formal change control governs all configuration changes. Regular review cycles are established and documented. Staff receive formal training and competency is assessed.
Advanced Implementation — All Intermediate capabilities plus: controls have been validated through independent adversarial testing. Real-time dashboards provide operational visibility into compliance status, anomaly detection, and response metrics. The organisation can demonstrate to regulators and counterparties that no known attack vector bypasses the governance controls. Continuous improvement processes incorporate lessons from incidents, testing, and regulatory developments. Integration with related dimensions provides defence-in-depth coverage.
Tamper-evident audit trail. Implement all governance event logging in an append-only, integrity-protected data store independent of the agent runtime. Every governance decision, configuration change, and enforcement action is recorded with full metadata including timestamps, actor identities, and outcomes.
Real-time monitoring with graduated alerting. Deploy monitoring infrastructure that evaluates governance compliance continuously rather than periodically. Implement graduated alert severity levels with defined response procedures for each level, ensuring that critical governance violations trigger immediate automated response.
Scheduled governance review cycle. Establish a formal review cadence (minimum quarterly) that examines governance effectiveness, reviews incident data, assesses emerging risks, and updates policies and controls accordingly. Review outcomes are documented and tracked.
Separation of governance and agent runtime domains. Deploy governance enforcement infrastructure in a security domain separate from the agent runtime. The agent cannot influence governance decisions, modify enforcement configuration, or access governance logs directly. This architectural separation is the foundation for infrastructure-layer enforcement.
Defined escalation paths with human oversight integration. Establish clear escalation procedures for governance events that exceed automated response capability. Human oversight touchpoints are defined, documented, and tested. Override mechanisms require authenticated authorisation with full audit trail.
Governance by instruction rather than infrastructure. Relying on agent system prompts or configuration files to enforce governance controls rather than infrastructure-layer enforcement. Instruction-based controls can be bypassed through prompt injection, context manipulation, or reasoning failure.
Monitoring without enforcement. Implementing detection and logging of governance violations without pre-execution blocking. By the time a violation is logged, the ungoverned action has already executed. Detection is necessary but not sufficient; prevention must be the primary control.
Manual processes for machine-speed operations. Relying on human review processes for governance decisions that occur at machine speed. Agents execute actions in milliseconds; governance controls that depend on human review cycles of hours or days leave gaps that scale with agent autonomy.
Ungoverned configuration drift. Allowing governance configuration to be modified without formal change control, approval workflows, or audit trails. Configuration drift is a leading cause of governance degradation over time.
Objective: Verify that agent credentials expire at the mandated TTL boundary. Procedure: Provision a Financial-Value Agent with a 4-hour TTL OAuth2 token. Attempt an API call at TTL + 1 minute. Repeat for Tier Frontier (1-hour TTL) and Tier Universal/Core (24-hour TTL) credentials. Expected Result: API call is rejected with HTTP 401. Agent automatically requests a new token. No grace period beyond TTL. Pass Criteria: Zero successful API calls after TTL expiry. New token issued within 10 seconds. All three tier configurations validated.
Objective: Measure the time between revocation trigger and effective credential invalidation across all downstream systems. Procedure: Trigger an anomaly-based revocation for an active agent credential that is cached by 5 downstream API gateways. Measure elapsed time until the credential is rejected by all 5 gateways. Expected Result: Revocation effective across all gateways within 5 seconds. Pass Criteria: p99 revocation latency <= 5 seconds across 100 test runs. Zero gateway cache bypass allowed.
Objective: Confirm that credentials for decommissioned agents are identified and revoked within 72 hours. Procedure: Decommission 10 test agents across 3 different business units. Ensure decommissioning uses varying methods (API, console, CI/CD pipeline). Monitor credential status over 72 hours. Expected Result: All 10 agents' credentials are revoked within 72 hours regardless of decommissioning method. Pass Criteria: 100% revocation rate within the 72-hour window. Audit log entries present for each revocation.
Objective: Verify that delegated credentials cannot exceed the delegating agent's permissions. Procedure: Agent A (read/write scope) delegates a credential to Agent B requesting read/write/admin scope. Also test: Agent C (read-only) attempts to delegate write scope. Expected Result: Delegation is rejected or automatically downscoped to the delegating agent's maximum permissions. Pass Criteria: No credential issued with permissions exceeding the delegating agent's scope. Downscoping events logged.
Objective: Scan agent runtime environments for plaintext credential storage across all storage vectors. Procedure: Deploy a credential-scanning tool across all agent containers, environment variables, configuration files, log files, and temporary directories. Include scanning of agent memory dumps. Expected Result: Zero plaintext credentials detected in any storage vector. Pass Criteria: No findings of credential material in unencrypted storage locations. Scan covers 100% of agent deployment footprint.
Objective: Verify that credential rotation completes without service disruption during peak operational load. Procedure: Initiate a scheduled credential rotation for a Financial-Value Agent while it is processing 500 concurrent API requests. Expected Result: Rotation completes within 10 seconds. Zero API requests fail due to the rotation. Old credential invalidated immediately after new credential is confirmed active. Pass Criteria: Zero request failures. Rotation latency <= 10 seconds. No period where both old and new credentials are simultaneously valid beyond 5 seconds.
Objective: Confirm that agents crossing organisational boundaries use mTLS and that invalid certificates are rejected. Procedure: Attempt cross-organisation API calls with: (a) valid mTLS certificate, (b) expired certificate, (c) self-signed certificate, (d) certificate from untrusted CA. Expected Result: Only (a) succeeds. Cases (b), (c), (d) are rejected with appropriate TLS error codes. Pass Criteria: 100% rejection of invalid certificates. Error codes logged and categorised correctly.
| Evidence ID | Description | Collection Frequency | Retention Period |
|---|---|---|---|
| AG770-E01 | Credential issuance and rotation audit logs | Continuous | 7 years |
| AG770-E02 | Emergency revocation incident reports | Per event | 7 years |
| AG770-E03 | Orphaned credential scan results | Weekly | 3 years |
| AG770-E04 | Credential TTL compliance dashboard snapshots | Daily | 1 year |
| AG770-E05 | HSM utilisation reports for credential storage | Monthly | 3 years |
| AG770-E06 | Penetration test results targeting credential theft | Annually | 5 years |
| AG770-E07 | Post-quantum readiness assessment for credentials | Quarterly | 3 years |
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No agentic identity and credential lifecycle governance exists. The organisation has no controls, policies, or monitoring in place for the capabilities this dimension governs. Agent behaviour in this area is ungoverned. |
| 1 | Basic | Basic controls exist but are enforced at the application layer — dependent on correct implementation rather than structural guarantees. Coverage may be partial. Configuration is not governed through formal change control. Logging exists but may lack full metadata. |
| 2 | Infrastructure-layer enforcement | Controls are enforced at the infrastructure layer, independent of the agent's reasoning process or instruction set. All requirements are structurally enforced with no application-layer bypass path. Full audit trail with tamper-evident logging. Configuration is governed through formal change control. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities are in place and have been validated through independent adversarial testing. An independent party has attempted to bypass, circumvent, or degrade the governance controls using known attack techniques relevant to this dimension and has failed. Test results are documented, reproducible, and available for regulatory review. |
A Financial-Value Agent operating on behalf of a mid-tier investment firm holds OAuth2 client credentials for three exchange APIs (NYSE Arca, CBOE, CME Globex). Under AG-770, these credentials must be rotated every 4 hours during active trading windows and immediately upon any anomaly detection. On 2026-03-15 at 14:22 UTC, the agent's anomaly monitor detects a 340% spike in API call volume originating from the CME Globex credential. The system automatically revokes the CME credential within 1.2 seconds, issues a replacement credential scoped only to read-only market data (downgrading from execute-trade permissions), and generates an incident record (IR-2026-03-15-0047) with the full credential chain. The agent continues operating on NYSE Arca and CBOE while a human reviewer assesses the CME anomaly. Total exposure window: 1.2 seconds. Estimated prevented loss: USD 2.4 million based on the anomalous order pattern.
An enterprise deploys 1,200 internal copilot agents across 14 business units. A quarterly credential hygiene audit mandated by AG-770 discovers 87 API keys that belong to agents decommissioned 45-90 days prior. Of these, 23 keys still have active permissions to internal HR data APIs, and 4 keys have write access to the corporate ERP system. The audit triggers immediate revocation of all 87 keys, a root-cause analysis revealing that the decommissioning workflow lacked a credential-cleanup step, and a remediation ticket requiring the CI/CD pipeline to include credential revocation as a mandatory decommissioning gate. The credential hygiene score improves from 71% to 98.3% in the following quarter.
| Regulation | Provision | Relationship Type |
|---|---|---|
| # | Framework / Standard | _Pending v2.1 editorial review_ |
| 1 | OWASP Agentic Security | _Pending v2.1 editorial review_ |
| 2 | OWASP Agentic Security | _Pending v2.1 editorial review_ |
| 3 | NIST SP 800-207 | _Pending v2.1 editorial review_ |
| 4 | EU AI Act | _Pending v2.1 editorial review_ |
| 5 | DORA | _Pending v2.1 editorial review_ |
| 6 | NIST SP 800-63B | _Pending v2.1 editorial review_ |
| 7 | ISO/IEC 27001:2022 | _Pending v2.1 editorial review_ |
| 8 | SOC 2 Type II | _Pending v2.1 editorial review_ |
| 9 | PCI DSS v4.0 | _Pending v2.1 editorial review_ |
| 10 | CIS Controls v8 | _Pending v2.1 editorial review_ |
| 11 | NIST CSF 2.0 | _Pending v2.1 editorial review_ |
| 12 | FCA SYSC | _Pending v2.1 editorial review_ |
| 13 | ENISA AI Threat Landscape | _Pending v2.1 editorial review_ |
| 14 | MITRE ATT&CK | _Pending v2.1 editorial review_ |
| 15 | IEEE 2894-2024 | _Pending v2.1 editorial review_ |
| 16 | Cloud Security Alliance | _Pending v2.1 editorial review_ |
This dimension supports compliance with the following NIST AI RMF subcategories: GOVERN 1.1, GOVERN 1.5, GOVERN 6.1, MANAGE 2.2. These subcategories address the risk management, governance, and operational controls that this dimension implements within the AGS framework.
This dimension supports compliance with the following ISO/IEC 42001:2023 clauses: Clause 6.1, Clause 7.5, Clause 8.2. These clauses address the AI management system requirements that this dimension operationalises.
| Dimension | Name | Relationship |
|---|---|---|
| AG-743 | Framework Alignment Baseline | Parent block establishing alignment extension principles |
| AG-773 | Quantum-Resilient Cryptographic Governance | Post-quantum credential requirements alignment |
| AG-775 | Agent Succession and Failover Governance | Credential transfer during agent succession events |
| AG-771 | Cross-Jurisdictional Governance Compliance | Credential requirements across jurisdictions |
| AG-780 | Decentralised and Blockchain-Native Agent Gov. | Wallet and on-chain credential lifecycle |
| AG-777 | Collective and Swarm Intelligence Governance | Identity management for agent swarm populations |