SH
SHELL
AI Powered Learning Portal
Identity for Agents: Why Your LLM Needs a Passport
·AI Governance

Identity for Agents: Why Your LLM Needs a Passport

Solving the 'who did this?' problem in multi-agent systems. Learn how to implement Agent Identity (CIMD) and OAuth scopes specifically designed for AI agents.

ai-agentssecurityidentityoauthcimdgovernance

Identity for Agents: Why Your LLM Needs a Passport

In a traditional microservices architecture, we know exactly which service made an API call. We have service accounts, JWTs, and audit logs. But in the world of Agentic AI, the lines are blurring.

When your "Sales Agent" calls the "Finance Tool" to issue a refund, who is actually responsible? Is it the user who prompted the agent? Is it the agent developer? Or is it the agent instance itself?

If that refund was $10,000 and it was fraudulent, "an LLM did it" is not an acceptable answer for a compliance auditor. By 2026, every production AI agent will need a Passport—a verifiable, cryptographic identity that travels with every thought and action.

1. The Engineering Pain: The Accountability Gap

Why is agent identity so critical?

  1. Auditing & Compliance: You cannot meet SOC2 or HIPAA requirements if you have "Shared Credentials" among agents. Every agent must have its own unique ID.
  2. Cost Attribution: How much did the "Market Research" swarm cost vs. the "Customer Support" swarm? Without identity, it's just one massive OpenAI/Anthropic bill.
  3. Security Escalation: If an agent is compromised via prompt injection, you need to be able to "Revoke" its passport immediately without killing the entire system.

2. The Solution: CIMD and Agent-Scoped OAuth

The emerging standard for this is CIMD (Client ID Metadata Documents) and specialized OAuth 2.0 Scopes for agents.

  • CIMD: A signed document that describes the agent's purpose, its authorized tools, and its "Owner" (the human responsible for its actions).
  • Agent Scopes: Instead of giving an agent full admin access, we give it agent:refund:limit_500.

3. Architecture: The Agent Identity Provider (IdP)

graph TD
    subgraph "Identity Layer"
        IdP["Agent Identity Provider"]
        PKI["Public Key Infrastructure"]
    end

    subgraph "Agentic Runtime"
        A["Agent Instance"]
        S["System Prompt (Signed)"]
    end

    subgraph "Downstream Tool"
        T["Financial API"]
    end

    A -- "1. Request Passport" --> IdP
    IdP -- "2. Issue JWT with CIMD Claims" --> A
    A -- "3. Call Tool + Bearer JWT" --> T
    T -- "4. Verify Signature & Scopes" --> IdP
    T -- "5. Log Action: Agent_77 (Owner: Sudeep)" --> Audit["Central Audit Log"]

The "Signed Prompt"

A key part of agent identity is the Signed System Prompt. This prevents an attacker from changing the agent's behavior by alerting the IdP if the prompt hash doesn't match the one authorized in the "Passport."

4. Implementation: Defining an Agent Passport in Python

Let's look at how we might structure a JWT claim for an AI agent using Pydantic and PyJWT.

import jwt
import datetime
from pydantic import BaseModel
from typing import List

class AgentPassport(BaseModel):
    agent_id: str
    version: str
    owner_email: str
    scopes: List[str]
    max_spend: float
    prompt_hash: str

def generate_agent_token(passport: AgentPassport, secret_key: str):
    """
    Generates a JWT that acts as the agent's passport.
    """
    payload = {
        "sub": passport.agent_id,
        "iss": "shshell-agent-idp",
        "iat": datetime.datetime.utcnow(),
        "exp": datetime.datetime.utcnow() + datetime.timedelta(hours=1),
        "cimd": passport.dict() # The Identity Metadata
    }
    
    return jwt.encode(payload, secret_key, algorithm="HS256")

# Example Usage
my_passport = AgentPassport(
    agent_id="fin-agent-001",
    version="v1.2.0",
    owner_email="sudeep@example.com",
    scopes=["read:orders", "write:refunds"],
    max_spend=500.0,
    prompt_hash="a1b2c3d4e5f6..."
)

token = generate_agent_token(my_passport, "SUPER_SECRET_KEY")
print(f"Issued Agent Passport: {token[:50]}...")

Why this works

When the fin-agent-001 calls the Refund API, the API inspects the cimd claim. It checks:

  • Is the prompt_hash still valid?
  • Does the agent have the write:refunds scope?
  • Has it exceeded its $500 spend limit?

5. Deployment: The "One-Time-Key" Pattern

To prevent long-lived agent sessions from being hijacked, we use Short-Lived Passports.

Every time an agent starts a new reasoning loop, it must "Check-In" with the Identity Provider to get a fresh token. If the agent's behavior deviates from its metadata (e.g., it suddenly tries to access a "Payroll" tool), the IdP can refuse the next token.

6. Engineering Opinion: What I Would Ship

I would not ship an agent that uses an environment variable for its API key (OPENAI_API_KEY).

I would ship an architecture where every agent instance gets its own dynamic credential. It is more work upfront, but it is the only way to scale AI safely in a corporate environment. By 2026, "Unidentified LLMs" will be treated with the same suspicion as "Unidentified Network Traffic."

Next Step for you: If one of your agents was compromised today, how would you track its actions? Could you prove which agent did it?

Next Up: Inference Economics: Strategies for the $10M Inference Bill. Stay tuned.

Subscribe to our newsletter

Get the latest posts delivered right to your inbox.

Subscribe on LinkedIn