Owner & purpose
Every agent names a human owner, an owning department, and a written business purpose — so accountability is never ambiguous.
Each agent carries an owner, department, business purpose, risk tier, expiry, allowed models, actions and environments, and a recertification cycle — enforced at credential issuance and again at runtime. Off-policy or expired agents are refused before they ever touch a model.
Enforced at token issuance · 403 IDENTITY_EXPIRED · 403 MODEL_NOT_ALLOWED
When agents run as shared service accounts or raw API keys, you can't say who owns them, what they're for, which models they may call, or when their access should expire. Agent IAM gives every agent a first-class identity with the same lifecycle discipline you already demand of human and machine accounts — and wires it into the runtime so the policy is the enforcement.
Every agent names a human owner, an owning department, and a written business purpose — so accountability is never ambiguous.
A risk tier drives oversight strictness, and a hard expiry date means access lapses by default unless it is deliberately renewed.
Least-privilege allow-lists scope which models, actions, and environments the agent may ever reach — machine surfaces, machine-blue.
A review cadence flags agents as needsRecertification; recertify resets lastReviewedAt and the next-review-due date.
Governance that lives only in a dashboard is a suggestion. In Cortex the identity is enforced fail-closed at two points: when the agent asks for credentials, and when it presents those credentials to act.
Each control returns a specific, auditable status code. Here is what the gate actually does at credential issuance and at runtime.
POST /v1/agent-identities/:id/tokens
→ 403 { error: "IDENTITY_EXPIRED" }
# recertify, clear expiry, then mint
PATCH /:id { expiresAt: null }
POST /:id/recertify { intervalDays: 90 }
POST /:id/tokens → 200 token issuedAn expired identity cannot mint a credential. Recertify and renew, and the very next request succeeds — the lifecycle is the gate.
# agentToken presented; resolves to a model
# that is not on this identity's allow-list
run → 403 { error: "MODEL_NOT_ALLOWED" }
# expired / suspended identity, pre-execution
run → 403 { error: "AGENT_IDENTITY_EXPIRED" }When an agent reaches for a model outside its allow-list — or its identity has lapsed — the run is refused before any model is touched. Deny is the default.
Register, govern, introspect, and recertify agent identities through the console and SDK — wired into the Control Tower so the whole fleet is visible at once.
Because the agent is a named identity, every downstream hop — skill, prompt, policy, model, tool, artifact, outcome, approval — traces back to an accountable owner. Agent IAM is what makes ten-hop provenance answerable.
Create the identity with owner, department, purpose, risk tier, expiry, and allow-lists for models, actions, and environments.
On token mint, an inactive identity returns 409 and an expired one returns 403 IDENTITY_EXPIRED — no credential without a valid identity.
Each run re-checks identity status and the model allow-list; the recertification cycle keeps access current or lets it lapse.
Named owners, risk tiers, hard expiry, least-privilege scope, and a recertification cadence — the access-governance controls behind the frameworks you map to, applied to non-human agents.
“We stopped letting agents share service accounts. Now every agent has an owner, an expiry, and a model allow-list — and if any of that lapses, the run simply doesn't happen.”
Testable allow / deny / require-approval rules that decide what an authenticated agent may do.
Explore →Control TowerThe command center that surfaces identities — total, needs-recert, expired — and can pause the whole fleet.
Explore →Trust LedgerHash-chained audit and 10-hop provenance that trace every outcome back to a named identity.
Explore →Oversight modesRisk-based autonomy where the identity's risk tier informs how much a run can do on its own.
Explore →Owners, risk tiers, expiry, and model allow-lists — enforced at issuance and at runtime, so off-policy agents are refused before they act.