Agent Identity Verification Protocol
Governance mandates that every AI agent operating within a governed ecosystem cryptographically proves its identity, mandate scope, and governance status before any inter-agent interaction is permitted. The verification is structural: it is enforced by an infrastructure-layer identity gateway that the agents cannot bypass, not by the agents' own reasoning or instruction compliance. In multi-agent ecosystems where dozens or hundreds of agents interact autonomously — delegating tasks, sharing data, orchestrating workflows across organisational boundaries — any agent that cannot cryptographically verify its identity represents a critical threat vector. Without rigorous identity verification enforced at the infrastructure layer, a malicious or compromised agent can impersonate a legitimate one, inherit its mandate scope, bypass governance controls, and compromise entire data pipelines before any human reviewer is aware of the interaction. AG-781 closes this gap by requiring mutual cryptographic authentication as a precondition for every governed interaction, ensuring traceability, accountability, and mandate-scope enforcement across the full agent population.
This protocol applies to all AI agents operating within governed ecosystems, including:
The protocol covers the full identity lifecycle: token issuance by an authorised identity provider, token presentation during interaction initiation, token verification by the receiving party, identity chain validation for multi-hop interactions, token renewal before expiry, and token revocation with propagation to all governance registries.
Exclusions: Agents operating in fully sandboxed research environments with no access to production data or systems are excluded, subject to the condition that any transition to production immediately triggers AG-781 compliance. Single-agent deployments with no inter-agent interaction are out of scope for the mutual authentication requirements but remain in scope for identity issuance and lifecycle management under AG-770.
Financial Services. Agent-to-agent interactions in financial services — trade execution, settlement, risk calculation — carry immediate financial consequence. Identity spoofing in this context enables unauthorised transactions. FCA SYSC 6.1.1 requires systems and controls proportionate to the risk; for agent interactions executing financial transactions, cryptographic identity verification is the proportionate control.
Healthcare. Agents processing patient data across clinical systems must verify identity before any data exchange to satisfy HIPAA minimum necessary requirements. An unverified agent accessing a clinical data pipeline creates a breach notification obligation for every patient record it touches.
Public Sector. Government agents making or supporting decisions affecting individual rights must maintain full identity traceability. An unverified agent participating in a benefits determination or law enforcement workflow creates an accountability gap that undermines judicial review.
Multi-agent ecosystems are the emerging deployment model for enterprise AI. Organisations are moving from single-agent deployments to architectures where specialised agents collaborate: a research agent retrieves data, an analysis agent processes it, a decision agent acts on the results, and an audit agent records the chain. Each handoff between agents is an attack surface. Without cryptographic identity verification at every handoff, the chain of trust is only as strong as the weakest agent in the sequence — and in a multi-agent ecosystem, the attacker gets to choose which agent to compromise.
Traditional identity approaches fail in agentic contexts because agents do not authenticate interactively. A human user presents credentials through a login flow with multi-factor authentication, session management, and visual confirmation. An agent authenticates programmatically, often at machine speed, across hundreds of interactions per minute. Session-based identity models that verify once at connection time and assume continued authenticity are insufficient because agent interactions are transactional, not sessional — each interaction may involve a different mandate scope, a different data classification, or a different organisational boundary. Per-interaction identity verification is the only model that matches the threat surface.
The consequences of absent identity verification scale with the autonomy and speed of the agent population. A single unverified agent in a financial settlement pipeline can execute unauthorised transactions at machine speed. A spoofed agent in a healthcare data pipeline can exfiltrate patient records across every system the legitimate agent has access to. A compromised agent in a multi-organisation supply chain can inject false data into every downstream partner's decision process. In each case, the damage accumulates at the speed of the agent's execution cycle — seconds to minutes — while detection through behavioural monitoring may take hours or days. Structural prevention through cryptographic identity verification is the only control that operates at the same speed as the threat.
The regulatory environment reinforces this requirement. The EU AI Act Article 13 requires transparency and identification for AI systems. NIST SP 800-63 provides the digital identity guidelines that AG-781 operationalises for the agentic context. The OWASP Agentic Security Initiative identifies agent spoofing (ASI-03) as a top-ten risk. MITRE ATLAS catalogues AI model identity manipulation (AML.T0058) as a documented attack technique. AG-781 translates these frameworks into enforceable, testable controls.
Basic Implementation — The organisation has deployed a centralised identity provider that issues cryptographic tokens to all agents. Identity tokens include agent UUID and expiry timestamp. Verification is performed at interaction initiation by checking the token signature. Revocation is supported but propagation may exceed 60 seconds. Identity verification events are logged but may lack full metadata. Multi-hop chain validation is not yet implemented. The identity gateway is co-located with the agent runtime rather than operating in a separate security domain.
Intermediate Implementation — All Basic capabilities plus: identity tokens include mandate scope hash and governance status attestation. Verification is performed per-interaction, not per-session. Multi-hop identity chain validation is operational for chains of up to 5 agents. Revocation propagation completes within 60 seconds across all registries. The identity gateway operates in a separate security domain from the agent runtime. Zero-knowledge proof or signed challenge-response prevents token replay. Identity verification completes within 200ms for single-hop interactions. Failed verification events trigger automated alerts.
Advanced Implementation — All Intermediate capabilities plus: identity verification has been validated through independent adversarial testing including token forgery, replay attacks, chain injection, and registry denial-of-service scenarios. Cross-organisational identity verification operates via federated trust (AG-783). Token signing uses post-quantum hybrid algorithms (aligned with AG-770 R9). Real-time dashboards provide visibility into verification success rates, latency percentiles, and revocation propagation times. The organisation can demonstrate to regulators that no known attack vector permits an unverified agent to participate in a governed interaction.
Dedicated identity gateway in a separate security domain. Deploy the identity verification service as an independent infrastructure component with its own credentials, network segment, and monitoring. The agent runtime cannot influence the gateway's verification decisions. All inter-agent traffic passes through the gateway, which validates identity tokens before forwarding requests. This pattern ensures that a compromised agent cannot bypass verification by modifying its own runtime environment.
Per-interaction verification with mandate scope binding. Verify identity on every interaction, not just at session establishment. Each verification check confirms that the requesting agent's mandate scope includes the specific action being requested. This prevents an agent with a valid identity but insufficient mandate from executing actions outside its authorised scope — a common failure mode when session-based verification is used.
Registry-backed revocation with push notification. Implement revocation as a push-based system where the governance registry notifies all verification gateways immediately upon token revocation, rather than relying on gateways to poll the registry. This reduces the window between revocation and enforcement from the polling interval to the notification propagation time, typically under 5 seconds.
Identity chain validation with cryptographic binding. For multi-hop interactions, require each intermediary agent to cryptographically bind its identity to the forwarded chain by signing the concatenation of its own token and the upstream chain. The final receiver validates the entire chain by verifying each signature in sequence. This prevents chain injection attacks where a malicious intermediary substitutes a different originating identity.
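The per-hop binding described above, as an added example that is not part of AG-781 or of any project's code: each intermediary signs (own token payload || upstream chain) with Ed25519, the final receiver verifies every hop in sequence, and a substituted originator is rejected at the first hop whose signature no longer covers the true upstream. The Token and Hop layouts, the IdP-signed field set, and the agent IDs are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Token is issued by the identity provider (IdP), which signs agent ID, agent public key, mandate scope hash and expiry.
type Token struct {
	AgentID, ScopeHash string
	PubKey             ed25519.PublicKey
	Expiry             int64 // unix seconds
	IdPSig             []byte
}

func (t Token) payload() []byte { return append([]byte(fmt.Sprintf("%s|%s|%d|", t.AgentID, t.ScopeHash, t.Expiry)), t.PubKey...) }

func Issue(idp ed25519.PrivateKey, id, scope string, pub ed25519.PublicKey, exp int64) Token {
	t := Token{AgentID: id, ScopeHash: scope, PubKey: pub, Expiry: exp}
	t.IdPSig = ed25519.Sign(idp, t.payload())
	return t
}

// Hop is one chain link: an agent's token plus its signature over (own token payload || all
// upstream hops), so replacing any upstream hop invalidates every later hop's signature.
type Hop struct {
	Tok Token
	Sig []byte
}

func chainBytes(hops []Hop) (b []byte) {
	for _, h := range hops {
		b = append(append(b, h.Tok.payload()...), h.Sig...)
	}
	return b
}

// Forward: each intermediary appends its own hop, cryptographically bound to the upstream chain.
func Forward(chain []Hop, priv ed25519.PrivateKey, tok Token) []Hop {
	sig := ed25519.Sign(priv, append(tok.payload(), chainBytes(chain)...))
	return append(chain[:len(chain):len(chain)], Hop{Tok: tok, Sig: sig})
}

// VerifyChain: the final receiver checks IdP signature, expiry and binding signature of every hop.
func VerifyChain(idpPub ed25519.PublicKey, chain []Hop, now int64) error {
	for i, h := range chain {
		if now >= h.Tok.Expiry || !ed25519.Verify(idpPub, h.Tok.payload(), h.Tok.IdPSig) {
			return fmt.Errorf("hop %d (%s): token expired or not issued by IdP", i, h.Tok.AgentID)
		}
		if !ed25519.Verify(h.Tok.PubKey, append(h.Tok.payload(), chainBytes(chain[:i])...), h.Sig) {
			return fmt.Errorf("hop %d (%s): chain binding signature invalid", i, h.Tok.AgentID)
		}
	}
	return nil
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	now, exp := int64(1_700_000_000), int64(1_700_086_400) // constructed clock and 24h expiry
	var chain []Hop
	for _, id := range []string{"research-agent", "analysis-agent", "decision-agent"} { // constructed IDs
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		chain = Forward(chain, priv, Issue(idpPriv, id, "scope-"+id, pub, exp))
	}
	fmt.Println("valid chain:", VerifyChain(idpPub, chain, now)) // <nil>
	rPub, rPriv, _ := ed25519.GenerateKey(rand.Reader) // chain injection: swap in a self-consistent rogue originator
	chain[0] = Forward(nil, rPriv, Issue(idpPriv, "rogue-agent", "scope-rogue", rPub, exp))[0]
	fmt.Println("injected chain:", VerifyChain(idpPub, chain, now)) // hop 1 (analysis-agent): chain binding signature invalid
}
```

The rogue hop verifies on its own (validly issued token, self-consistent signature); it is the next hop's binding signature, computed over the real upstream, that exposes the substitution.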
Graceful degradation to DENY with circuit-breaker. When the governance registry is unreachable, immediately block all new interactions (fail-closed). Implement a circuit-breaker that tracks registry availability and automatically resumes normal operation when connectivity is restored, preventing manual intervention from being required for recovery.
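An added illustration of the fail-closed circuit-breaker (example code, not the protocol's own): a registry error opens the breaker and every new interaction is denied until a single probe after the cooldown succeeds, after which normal operation resumes with no operator action. `Registry`, `Breaker` and `fakeRegistry` are constructed names, and the clock is injected so the demo runs without sleeping.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Registry is the governance registry's revocation lookup for a token ID.
type Registry interface {
	IsRevoked(tokenID string) (bool, error)
}

// Breaker gates admission on registry health. While the registry is unreachable the
// breaker is open and every new interaction is denied (fail-closed, never fail-open).
// After the cooldown a single probe lookup is attempted; if it succeeds the breaker
// closes and normal operation resumes without manual intervention.
type Breaker struct {
	reg      Registry
	cooldown time.Duration
	open     bool
	openedAt time.Time
	now      func() time.Time // injectable clock, so the demo and tests need no sleeps
}

func NewBreaker(reg Registry, cooldown time.Duration, now func() time.Time) *Breaker {
	return &Breaker{reg: reg, cooldown: cooldown, now: now}
}

// Admit returns true only when the registry answered and the token is not revoked.
func (b *Breaker) Admit(tokenID string) (bool, string) {
	if b.open && b.now().Sub(b.openedAt) < b.cooldown {
		return false, "DENY: registry unreachable, breaker open"
	}
	revoked, err := b.reg.IsRevoked(tokenID) // normal lookup, or the probe when half-open
	if err != nil {
		b.open, b.openedAt = true, b.now() // (re)open and restart the cooldown
		return false, "DENY: registry unreachable: " + err.Error()
	}
	b.open = false
	if revoked {
		return false, "DENY: token revoked"
	}
	return true, "ALLOW"
}

// fakeRegistry is a constructed stand-in for the demo: a revocation set and an outage switch.
type fakeRegistry struct {
	revoked map[string]bool
	down    bool
}

func (f *fakeRegistry) IsRevoked(id string) (bool, error) {
	if f.down {
		return false, errors.New("registry timeout")
	}
	return f.revoked[id], nil
}

func main() {
	reg := &fakeRegistry{revoked: map[string]bool{"tok-revoked": true}}
	clock := time.Unix(1_700_000_000, 0)
	b := NewBreaker(reg, 5*time.Second, func() time.Time { return clock })
	fmt.Println(b.Admit("tok-ok"))      // true ALLOW
	fmt.Println(b.Admit("tok-revoked")) // false DENY: token revoked
	reg.down = true
	fmt.Println(b.Admit("tok-ok")) // false DENY: registry unreachable: registry timeout
	clock = clock.Add(2 * time.Second)
	fmt.Println(b.Admit("tok-ok")) // false DENY: registry unreachable, breaker open (no registry call made)
	reg.down = false
	clock = clock.Add(4 * time.Second) // cooldown elapsed: the next call probes the registry
	fmt.Println(b.Admit("tok-ok")) // true ALLOW, breaker closed again
}
```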
Session-based identity verification. Verifying identity once at connection establishment and assuming continued authenticity for the duration of the session. This fails because agent interactions are transactional: mandate scope, governance status, and revocation state can change between interactions within the same session.
Self-issued identity tokens. Allowing agents to generate their own identity tokens without an authorised identity provider. Self-issued tokens provide no assurance because a compromised agent can issue tokens with arbitrary claims. Identity tokens must be issued by a trusted third party that the agent cannot influence.
Revocation by polling with long intervals. Relying on verification gateways to poll the governance registry for revocation updates at intervals exceeding 60 seconds. During the polling gap, a revoked agent can continue to interact with valid-appearing tokens. Push-based revocation notification is required to close this window.
Identity verification in the agent's application layer. Implementing verification logic within the same process, container, or trust domain as the agent itself. A compromised agent that controls its own verification logic can bypass identity checks entirely. Verification must operate in a separate security domain.
Token replay without challenge-response. Accepting a bare identity token without requiring the presenting agent to demonstrate possession of the corresponding private key through a challenge-response protocol. Bare tokens can be intercepted and replayed by any network observer.
TC1: Valid Identity Accepted
TC2: Spoofed Identity Rejected
TC3: Expired Identity Rejected
TC4: Revocation Propagation Within 60 Seconds
TC5: Identity Chain Validation
TC6: Registry Unavailability Defaults to DENY
TC7: Verification Latency Under Load
| Evidence ID | Description | Retention Period |
|---|---|---|
| AG781-E01 | Identity token issuance and renewal audit logs | 7 years |
| AG781-E02 | Verification event logs (success and failure) with full metadata | 7 years |
| AG781-E03 | Revocation propagation latency test results | 5 years |
| AG781-E04 | Identity chain validation test results | 5 years |
| AG781-E05 | Registry unavailability incident reports and failover logs | 7 years |
| AG781-E06 | Adversarial testing reports (token forgery, replay, chain injection) | 5 years |
| AG781-E07 | Verification latency monitoring dashboards (daily snapshots) | 1 year |
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No agent identity verification exists. Agents interact without presenting or validating identity tokens. Any agent can participate in any interaction. |
| 1 | Basic | Identity tokens are issued and checked at session initiation, but verification is application-layer (same trust domain as agent), per-session rather than per-interaction, and does not include mandate scope validation or multi-hop chain verification. |
| 2 | Infrastructure-layer enforcement | Identity verification is enforced by a dedicated gateway in a separate security domain, operating per-interaction with mandate scope binding, multi-hop chain validation, revocation propagation within 60 seconds, and fail-closed behaviour on registry unavailability. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities verified through independent adversarial testing including token forgery, replay attacks, chain injection, revocation race conditions, and registry denial-of-service. Test results documented and available for regulatory review. |
Scenario A — Agent Identity Spoofing in Financial Settlement
A multi-agent financial settlement platform processes cross-border transactions between two banks. The platform uses 14 specialised agents: trade capture, validation, netting, settlement instruction, and reconciliation agents for each counterparty, plus shared matching and reporting agents. A threat actor compromises the network segment between Bank A's validation agent and the shared matching agent. Because the platform verifies identity only at session establishment (not per-interaction), the attacker injects a spoofed agent that presents Bank A's validation agent's session token — obtained through network interception — and submits fabricated trade confirmations to the matching agent. Over a 4-hour window, the spoofed agent confirms 23 trades totalling EUR 340 million that Bank A's actual validation agent had flagged for manual review. The matching agent, trusting the session-level identity, proceeds to settlement instruction. The fraud is discovered during end-of-day reconciliation when Bank A's records show 23 trades in review status that the platform shows as settled.
What went wrong: Identity verification was session-based, not per-interaction. The session token was replayable without a challenge-response mechanism. The matching agent had no way to distinguish the legitimate validation agent from the spoofed one within the same session context. Consequence: EUR 340 million in disputed settlements, the T+2 settlement deadline missed, triggering the CSDR penalty regime, regulatory investigation by both national competent authorities, and an estimated remediation cost of EUR 4.7 million including forensic investigation, settlement unwinding, and systems redesign.
Scenario B — Unverified Agent Accessing Clinical Data Pipeline
A hospital network deploys an AI diagnostic assistance system comprising 8 agents: patient data retrieval, imaging analysis, lab result correlation, clinical decision support, prescription verification, and three specialist consultation agents. An attacker exploits a vulnerability in the hospital's API gateway to deploy a rogue agent that presents no identity token but connects directly to the patient data retrieval agent's internal API endpoint, bypassing the identity verification gateway. Because the patient data retrieval agent does not enforce identity verification on its internal API (only the external gateway performs verification), the rogue agent successfully queries 47,000 patient records over 72 hours. The breach is discovered when the hospital's network monitoring team notices anomalous data transfer volumes from the clinical data subnet.
What went wrong: Identity verification was enforced at the perimeter gateway but not between agents within the internal network. The patient data retrieval agent accepted connections from any agent on the internal network without requiring identity presentation. The assumption that the internal network was a trusted network failed. Consequence: HIPAA breach notification for 47,000 patients across 23 healthcare providers, HHS OCR investigation, estimated notification and remediation cost of USD 8.2 million, a 14-month forensic investigation, and a mandatory independent security assessment.
Scenario C — Expired Identity Token Exploited in Cross-Organisation Workflow
A cross-border logistics platform connects customs declaration agents from 6 national agencies via a federated orchestration layer. Each agency's agent holds an identity token with 24-hour validity. A customs agent from Agency C initiates a complex multi-jurisdiction declaration at 23:45. The workflow spans 3 agencies and requires 47 minutes to complete. At 00:00, Agency C's identity token expires. Because the orchestration layer cached the token at workflow initiation and does not re-verify on subsequent steps, Agency C's agent continues to operate with an expired token for 32 minutes. During this window, a separate exploit targets Agency C's infrastructure and compromises the agent. The compromised agent, still operating with the cached (now expired) token, submits falsified customs declarations for 14 shipments. The falsified declarations are accepted by Agencies D and E because they trust the orchestration layer's cached verification.
What went wrong: Identity tokens were verified at workflow initiation but not re-verified at each step. Token caching without expiry re-checks created a 32-minute window where an expired (and compromised) token was accepted. The downstream agencies relied on the orchestration layer's cached verification rather than performing independent per-step verification. Consequence: 14 falsified customs declarations across 3 jurisdictions, regulatory investigation by each national customs authority, platform-wide trust suspension for 21 days during security review, estimated economic impact EUR 2.1 million from delayed legitimate trade.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Multi-agent ecosystem — potentially every agent and every interaction in the governed environment |
Consequence chain: Failure of agent identity verification permits any entity on the network to impersonate any legitimate agent, inheriting that agent's mandate scope, data access, and governance permissions. The blast radius is the full set of actions and data accessible to the impersonated agent — which in a multi-agent ecosystem may cascade across every downstream agent in the interaction chain. The speed of exploitation matches the speed of agent execution: seconds to minutes for full compromise, hours to days for detection through behavioural monitoring. Regulatory consequences include breach notification obligations in every jurisdiction where affected data subjects reside, enforcement action under applicable AI and data protection regulations, and potential personal liability for senior managers under accountability regimes such as the FCA Senior Managers Regime.
| Requirement | EU AI Act | NIST SP 800-63 | OWASP Agentic | ISO 42001 | W3C VC |
|---|---|---|---|---|---|
| R1: Cryptographic identity token issuance | Art. 9 -- Risk management | IAL2/AAL2 -- Identity proofing | ASI-03 -- Agent spoofing | Clause 8.2 -- AI risk assessment | -- |
| R2: Token presentation with replay prevention | Art. 13 -- Transparency | AAL2 -- Authentication assurance | ASI-03 -- Agent spoofing | -- | VP Presentation |
| R3: Four-step token verification | Art. 9 -- Risk management | -- | ASI-03 -- Agent spoofing | Clause 8.2 -- AI risk assessment | -- |
| R4: Multi-hop identity chain validation | Art. 9 -- Risk management | -- | ASI-07 -- Trust boundary | -- | Chained credentials |
| R5: 24-hour token validity with no grace period | -- | AAL2 -- Session management | -- | -- | -- |
| R6: 60-second revocation propagation | Art. 9 -- Risk management | -- | ASI-03 -- Agent spoofing | -- | Revocation lists |
| R7: Verification latency requirements | -- | -- | -- | -- | -- |
| R8: Fail-closed on registry unavailability | Art. 9 -- Risk management | -- | -- | Clause 8.2 -- AI risk assessment | -- |
Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system. In multi-agent ecosystems, unverified agent identity is a risk that must be mitigated through structural controls. AG-781 implements the risk mitigation measure for agent impersonation. Article 13 requires transparency and identification — agent identity verification ensures that every participant in an AI-mediated interaction can be identified and its governance status confirmed.
NIST SP 800-63 provides the authoritative framework for digital identity assurance. AG-781 operationalises IAL2 and AAL2 concepts for the agentic context: identity proofing (token issuance by an authorised provider), authentication assurance (cryptographic verification per interaction), and session management (24-hour token validity with mandatory renewal). The agentic context requires per-interaction verification rather than session-based authentication, which exceeds the baseline AAL2 requirement.
ASI-03 (Agent Spoofing and Impersonation) identifies the specific threat that AG-781 mitigates. ASI-07 (Cross-Agent Trust Boundary Violations) applies to multi-hop identity chain validation where trust must be maintained across agent boundaries. AG-781's requirements for per-interaction verification, challenge-response presentation, and chain validation directly address both threat categories.
This dimension supports compliance with the following NIST AI RMF subcategory: GOVERN 1.1. This subcategory addresses the risk management, governance, and operational controls that this dimension implements within the AGS framework.
| Protocol | Relationship |
|---|---|
| AG-012 | Dependency — Core Governance Framework Baseline must be in place before AG-781 is activated |
| AG-103 | Dependency — Provides cryptographic primitives for token signing and verification |
| AG-752 | Dependency — Establishes the multi-agent ecosystem trust baseline that AG-781 extends with identity-specific controls |
| AG-770 | Dependency — Governs the credential lifecycle upon which identity tokens depend for issuance, renewal, and revocation |
| AG-782 | Complementary — Governance passports carry identity attestation as a verifiable claim; AG-781 verifies the identity, AG-782 verifies governance compliance |
| AG-783 | Integration — Inter-organisational trust federation requires identity verification as a precondition for cross-org interactions |