Here's how most agents authenticate today: a long-lived API key, pasted into an environment variable, shared across services, and never rotated. If that agent misbehaves, you can't tell which one did it, and you can't shut it off without breaking five others. That's not an identity — it's an anonymous master key.
The problem: anonymous, unrevocable AI
When agents share credentials, three things break at once. Attribution — logs show "the key," not "which agent." Least privilege — a shared key carries the union of everyone's permissions. Revocation — killing one bad agent means rotating a secret that a dozen healthy ones depend on. In a human IAM world this would be a fireable offense; in the AI world it's the default.
Why it matters to the enterprise
Zero-trust and SOC 2 both rest on one idea: every action traces back to a named identity. Auditors will ask "who did this?" and "AI did it" is not an answer. Giving each agent its own identity is what makes the rest of governance — policy, audit, incident response — actually enforceable. It's the line between "an AI moved this money" and "this AI, owned by this team, moved this money under this policy."
An identity per agent turns "the AI did something" into "this specific agent, owned by this team, did this specific thing."
This is the heart of AI identity governance — read the full pillar guide for its principles, the standards it builds on, and answers to common questions.
How AuthSpoke does it
- A real identity record per agent — client ID, OIDC subject, auth method (OAuth, mTLS, API key, JWT) and optional certificate thumbprint.
- Trust score & lifecycle — provisioned → active → suspended → retired, with a continuous trust score, so an identity's standing is always current.
- Bound to the agent, model and session — the identity links the directory record, the policies that apply, and every session it opens.
- Instant revocation — suspend or retire one identity without touching any other. No shared-secret rotation, no collateral outage.
- Federation-ready — designed to extend AI identity across organizations and partners.
AI Identities speak OIDC, JWT and mTLS — the same protocols securing your human and workload identity — so agents slot into your existing security model instead of inventing a parallel one.
What you get
- Every AI action attributable to one agent
- No more shared, hardcoded keys
- Instant, surgical revocation
- OIDC / JWT / mTLS, not bespoke auth
- Trust score & lifecycle per identity
- The basis for true least-privilege
Give your agents an identity worth trusting
Issue first-class identities to your AI agents and make every action attributable — without re-architecting your stack.