AS-301a · Module 1
Identity & Access for Agents
Humans authenticate with passwords, biometrics, and MFA tokens. Agents authenticate with cryptographic identities — certificates, signed tokens, and API keys managed through automated credential lifecycles. The identity system for autonomous agents needs to be more rigorous than the one for human users, because agents operate at machine speed. A compromised human account is dangerous. A compromised agent credential operating at thousands of requests per second is an order of magnitude worse.
Agent identity has three components:
- The identity itself: a unique, cryptographically verifiable identifier bound to the agent process. This is typically a service account with a client certificate or a signed JWT.
- The credential lifecycle: automated issuance, rotation, and revocation of credentials. Agent credentials should rotate on a schedule — every 24 hours for high-privilege agents, every 72 hours for standard agents. No agent should use a credential that is more than a week old.
- The authorization policy: the rules that determine what a specific agent identity is allowed to do. Policies are maintained in a centralized policy engine and evaluated on every request.
Do This
- Issue unique cryptographic identities to each agent — never share credentials between agents
- Rotate credentials automatically on a fixed schedule — 24 hours for high-privilege, 72 hours for standard
- Centralize authorization policies in a policy engine — RBAC or ABAC, evaluated on every request
- Implement credential revocation that takes effect in under 60 seconds across the entire system
Avoid This
- Use shared API keys across multiple agents — one compromise exposes all of them
- Rotate credentials manually — manual processes drift, and a missed rotation becomes a stale credential
- Hardcode authorization rules in agent code — policy changes require code deployments instead of config updates
- Assume credential revocation is instantaneous — test your revocation propagation time and know the gap
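The three components above, combined into one per-request check, as an added example that is not part of the course material. It assumes an HMAC-signed token as a stand-in for a signed JWT or client certificate; the signing key, agent names, action names and policy table are all constructed for illustration.

```python
import base64, hashlib, hmac, json

# Everything below is constructed sample data, not a real deployment's values.
SIGNING_KEY = b"demo-issuer-key"                      # stand-in for issuer key material
MAX_AGE = {"high": 24 * 3600, "standard": 72 * 3600}  # rotation schedule from the text
HARD_LIMIT = 7 * 24 * 3600                            # no credential older than a week
POLICY = {"agent-billing": {"invoices:read"},         # central policy: agent -> actions
          "agent-deploy": {"deploy:run", "invoices:read"}}
REVOKED = set()                                       # revoked credential ids

def issue(agent, tier, cred_id, now):
    """Issue a signed credential bound to exactly one agent identity."""
    body = json.dumps({"sub": agent, "tier": tier, "jti": cred_id, "iat": now},
                      sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def revoke(cred_id):
    """Mark a credential id as revoked; checked on every later request."""
    REVOKED.add(cred_id)

def authorize(token, action, now):
    """Evaluate a single request and return (allowed, reason)."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:                                # wrong shape or invalid base64
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):        # identity: verify before parsing
        return False, "bad-signature"
    claims = json.loads(body)
    if claims["jti"] in REVOKED:                      # lifecycle: revocation
        return False, "revoked"
    limit = MAX_AGE.get(claims["tier"])
    if limit is None:
        return False, "unknown-tier"
    age = now - claims["iat"]
    if age < 0 or age > min(limit, HARD_LIMIT):       # lifecycle: rotation deadline
        return False, "stale-credential"
    if action not in POLICY.get(claims["sub"], set()):  # policy: deny by default
        return False, "policy-deny"
    return True, "ok"
```

The in-process `REVOKED` set takes effect immediately; in a distributed system the same set has to reach every enforcement point, and that delay is the propagation gap to measure.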