Agent IAM · Trust layer

Every agent is a governed enterprise identity — not anonymous code.

Each agent carries an owner, department, business purpose, risk tier, expiry, allowed models, actions and environments, and a recertification cycle — enforced at credential issuance and again at runtime. Off-policy or expired agents are refused before they ever touch a model.

Enforced at token issuance · 403 IDENTITY_EXPIRED · 403 MODEL_NOT_ALLOWED

Fraud Triage
agent · did:cortex:7cf07f61
active
Ownerrisk-ops@northwind
Risk tierHigh
Expiry2026-09-30
Allowed models
claude-opusgemini-pro
Allowed actions
read:Claimpropose:Payout
The problem

An anonymous agent is an ungoverned one.

When agents run as shared service accounts or raw API keys, you can't say who owns them, what they're for, which models they may call, or when their access should expire. Agent IAM gives every agent a first-class identity with the same lifecycle discipline you already demand of human and machine accounts — and wires it into the runtime so the policy is the enforcement.

One identity, full accountability

Everything an auditor asks about an agent, on the credential.

Owner & purpose

Every agent names a human owner, an owning department, and a written business purpose — so accountability is never ambiguous.

Risk tier & expiry

A risk tier drives oversight strictness, and a hard expiry date means access lapses by default unless it is deliberately renewed.

Allowed models & actions

Least-privilege allow-lists scope which models, actions, and environments the agent may ever reach — machine surfaces, machine-blue.

Recertification cycle

A review cadence flags agents as needsRecertification; recertify resets lastReviewedAt and the next-review-due date.

Enforced twice — issuance and runtime

The identity is checked when a token is minted, and again on every run.

Governance that lives only in a dashboard is a suggestion. In Cortex the identity is enforced fail-closed at two points: when the agent asks for credentials, and when it presents those credentials to act.

  • Token mint refuses an inactive identity (409) or an expired one (403 IDENTITY_EXPIRED)
  • At runtime an expired or suspended identity is rejected before execution (403 AGENT_IDENTITY_EXPIRED)
  • A resolved model outside allowedModels is refused (403 MODEL_NOT_ALLOWED)
  • Token scopes still least-privilege-restrict skills via delegated auth
KYC Screener
agent · did:cortex:7cf07f61
403 EXPIRED
Ownerrisk-ops@northwind
Risk tierHigh
Expiry2025-12-01
Allowed models
claude-opus
Allowed actions
read:Casepropose:Decision
Prove it — don't just claim it

Off-policy agents get a refusal, not a best-effort run.

Each control returns a specific, auditable status code. Here is what the gate actually does at credential issuance and at runtime.

Token issuance403 IDENTITY_EXPIRED
POST /v1/agent-identities/:id/tokens
→ 403  { error: "IDENTITY_EXPIRED" }

# recertify, clear expiry, then mint
PATCH /:id            { expiresAt: null }
POST  /:id/recertify  { intervalDays: 90 }
POST  /:id/tokens     → 200  token issued

An expired identity cannot mint a credential. Recertify and renew, and the very next request succeeds — the lifecycle is the gate.

Runtime check403 MODEL_NOT_ALLOWED
# agentToken presented; resolves to a model
# that is not on this identity's allow-list
run → 403  { error: "MODEL_NOT_ALLOWED" }

# expired / suspended identity, pre-execution
run → 403  { error: "AGENT_IDENTITY_EXPIRED" }

When an agent reaches for a model outside its allow-list — or its identity has lapsed — the run is refused before any model is touched. Deny is the default.

The full control surface

Manage agent identity the way you manage every other account.

Register, govern, introspect, and recertify agent identities through the console and SDK — wired into the Control Tower so the whole fleet is visible at once.

Identity & lifecycle
  • Owner & department
  • Business purpose
  • Risk tier
  • Hard expiry date
  • Recertification cycle
Least-privilege scope
  • Allowed models
  • Allowed actions
  • Allowed environments
  • Allowed skills (= tools)
  • Delegated-auth token scopes
Credential gates
  • Token mint refuses inactive (409)
  • Token mint refuses expired (403)
  • Runtime identity check
  • Runtime model allow-list check
Introspection & review
  • verify returns identityStatus
  • identityExpired & allowedModels
  • Computed expired flag
  • needsRecertification flag
Fleet visibility
  • Control Tower identities KPI
  • total · needsRecert · expired
  • CSV governance export
  • Risk / expiry / recert badges
Build & integrate
  • console dashboard/agent-iam
  • Register & update governance
  • SDK agentIdentities.update
  • SDK agentIdentities.recertify
How it works

Identity is the first link in the provenance chain.

Because the agent is a named identity, every downstream hop — skill, prompt, policy, model, tool, artifact, outcome, approval — traces back to an accountable owner. Agent IAM is what makes ten-hop provenance answerable.

01 · Humanrisk-ops@nw02 · AgentFraud Triage03 · Skilltriage.v404 · Promptsha 0x3a…05 · Policyapprove≥5k06 · Modelclaude-opus07 · ToollookupCase08 · Artifactmemo #447109 · Outcomeapproved10 · Approvalj.lee
  1. 01

    Register & govern

    Create the identity with owner, department, purpose, risk tier, expiry, and allow-lists for models, actions, and environments.

  2. 02

    Issue under policy

    On token mint, an inactive identity returns 409 and an expired one returns 403 IDENTITY_EXPIRED — no credential without a valid identity.

  3. 03

    Enforce & recertify

    Each run re-checks identity status and the model allow-list; the recertification cycle keeps access current or lets it lapse.

Security & compliance

Identity discipline your auditors already recognize.

Named owners, risk tiers, hard expiry, least-privilege scope, and a recertification cadence — the access-governance controls behind the frameworks you map to, applied to non-human agents.

SOC 2ISO 27001ISO 42001EU AI ActNIST AI RMFGDPRHIPAAFINRA
We stopped letting agents share service accounts. Now every agent has an owner, an expiry, and a model allow-list — and if any of that lapses, the run simply doesn't happen.
Director of Identity & AccessGlobal financial-services firm

Give every agent an identity worth trusting.

Owners, risk tiers, expiry, and model allow-lists — enforced at issuance and at runtime, so off-policy agents are refused before they act.