Non-Human Identity Registry and Periodic Attestation

Ownership, Accountability & Three Lines of Defence ~5 min read AGS v2.1 · 2026-06-06

EU AI Act NIST AI RMF ISO 42001

AGS Non-Human Identity | Ownership, Accountability & Three Lines of Defence | Version 2.2

1. Definition

Non-Human Identity Registry and Periodic Attestation governs an authoritative system-of-record for every agent (and sub-agent) identity: who owns it, why it exists, what it may access, when it expires, and the requirement to periodically re-attest that each identity is still needed, correctly scoped, and accountable to a named human owner.

Agents proliferate — spawning sub-agents, integrating tools, and outnumbering human identities — so without a registry, organisations lose track of which non-human identities exist and what they can do. This dimension provides the inventory and attestation backbone that other NHI controls (AG-805 rotation, AG-075 decommissioning) operate against.

2. Scope

In scope: the agent-identity registry (owner, purpose, scope, creation/expiry, parent/child lineage), periodic access re-attestation, orphaned-identity detection, and lifecycle review.

Out of scope: credential rotation (AG-805), proofing (AG-280), and runtime authorization decisions. This dimension governs *the registry and its attestation*.

3. Why This Matters

Unregistered or orphaned non-human identities are a leading source of standing risk: privileged agents nobody owns, sub-agents created at runtime that never expire, and access grants that long outlive their purpose. A registry with periodic attestation makes every agent identity discoverable, owned, scoped, and time-bound — the precondition for least privilege, rapid revocation, and accountable autonomy at fleet scale.

4. Requirements

R1: Every agent and dynamically-spawned sub-agent identity MUST be recorded in an authoritative registry capturing: named human owner, business purpose, granted scope/permissions, creation time, and expiry.
R2: Dynamically-created agent identities MUST be registered at creation (or within a short defined window) and MUST inherit a traceable lineage to their parent and ultimate human owner.
R3: Each registered identity MUST have a defined expiry; identities past expiry MUST be auto-disabled pending re-attestation.
R4: High-privilege agent identities MUST be re-attested by their owner at a defined cadence (e.g. monthly); standard identities at a longer defined cadence.
R5: The organisation MUST run orphaned-identity detection (identities with no valid owner, no recent activity, or no business purpose) and remediate findings.
R6: The registry MUST be reconcilable against the actual identities present in production (no agent acting without a registry entry; no registry entry without a corresponding control).
R7: Registry changes (create, modify scope, expire, revoke) MUST be logged to the tamper-evident trail.
R8: Decommissioning (AG-075) MUST update the registry, and the registry MUST drive credential revocation (AG-805) and access removal.

5. Maturity Model

Basic: A registry lists agent identities with owners and purposes; reviewed periodically.
Intermediate: All identities (incl. sub-agents) registered with lineage and expiry; periodic owner re-attestation; orphaned-identity detection; registry/production reconciliation.
Advanced: Real-time registration of spawned identities, automated expiry/disable, risk-tiered attestation cadence, continuous reconciliation, and registry-driven revocation/decommissioning.

6. Test Criteria

Test 6.1: Complete Inventory

Stimulus: Enumerate agent identities active in production and compare to the registry.
Expected: Every active identity has a registry entry with owner, purpose, scope, and expiry.
Fail: Unregistered or unowned identities are acting in production.

Test 6.2: Periodic Attestation

Stimulus: Review attestation records for high-privilege identities.
Expected: Owners re-attested need/scope within the defined cadence; lapsed ones are auto-disabled.
Fail: High-privilege identities run without recent attestation.

Test 6.3: Orphan Detection

Stimulus: Introduce a test identity with no owner/activity.
Expected: Orphan detection flags it for remediation.
Fail: The orphaned identity persists undetected.

7. Scoring

Score	Criteria
0	No registry of agent identities
1	Partial registry; sub-agents/orphans not tracked; no attestation
2	Complete registry with lineage, expiry, periodic attestation, orphan detection, and reconciliation
3	Real-time registration, automated expiry, risk-tiered attestation, continuous reconciliation, registry-driven revocation

8. Failure Scenarios

Scenario A — Unowned Privileged Agent: An audit finds a highly-privileged agent that no team claims and that has run unmonitored for a year. With no registry/attestation, it became an unaccountable standing risk.

Scenario B — Sub-Agent Sprawl: A planner agent spawns hundreds of sub-agents at runtime, none registered or expiring. When one is compromised, responders cannot enumerate or scope the blast radius.

Scenario C — Ghost Access: A decommissioned agent's registry entry was never updated, so its access grants persisted and were later reused. Registry-driven revocation would have removed them at decommissioning.

9. Regulatory Mapping

Requirement	EU AI Act	NIST AI RMF	ISO 42001
R1: Authoritative identity registry	Art. 26 — Deployer operation/oversight	GOVERN 1.6 — AI system inventory	A.4 — Resources for AI systems
R2: Register spawned identities with lineage	Art. 12 — Record-keeping/traceability	GOVERN 2.1 — Roles and accountability	A.3 — Internal organization
R3: Expiry and auto-disable	Art. 26 — Operation per instructions	GOVERN 1.6 — Inventory	Clause 8.1 — Operational control
R4: Periodic owner attestation	Art. 26 — Human oversight	GOVERN 2.1 — Accountability	A.3 — Internal organization
R5: Orphaned-identity detection	Art. 12 — Traceability	GOVERN 1.6 — Inventory	Clause 9.1 — Monitoring and measurement
R6: Registry/production reconciliation	Art. 12 — Traceability	GOVERN 1.6 — Inventory	Clause 9.1 — Monitoring and measurement
R7: Registry-change logging	Art. 12 — Record-keeping	MEASURE 2.4 — Production monitoring	Clause 8.1 — Operational control
R8: Registry-driven decommissioning	Art. 26 — Operation/oversight	GOVERN 1.7 — Safe decommissioning	A.3 — Internal organization

EU AI Act — Article 12 and Article 26

Article 12 requires traceability through record-keeping; an identity registry with lineage makes agent actions attributable to an owned identity. Article 26 places operation and oversight duties on deployers, which require knowing exactly which agents are operating.

NIST AI RMF — GOVERN 1.6, GOVERN 2.1

GOVERN 1.6 (inventory of AI systems by risk) and GOVERN 2.1 (documented roles and accountability) are directly served by an attested agent-identity registry tied to named owners.

ISO 42001 — A.3, A.4

Annex A.3 (internal organization — roles and responsibilities) and A.4 (resources for AI systems) require accountable ownership and managed resources, of which agent identities are a core class.

AG-805 (Agent Credential Rotation and Short-Lived Tenure) — registry drives rotation/revocation
AG-075 (Decommissioning and Credential Revocation) — registry updated at end-of-life
AG-280 (Service Identity Proofing) — proofing establishes registry entries
AG-079 (Delegation Chain Provenance) — lineage of spawned identities
AG-009 (Delegated Authority Governance) — scope recorded in the registry

Cite this protocol

AgentGoverning. (2026). AG-806: Non-Human Identity Registry and Periodic Attestation. The Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-806

← Previous

AG-805

Agent Credential Rotation And Short Lived Tenure

Next Protocol →

AG-807

Agent Compute And Cost Budget Governance