Agentic AI Security CMM — D2 Identity & Authorization (Deep Dive)
Companion deep-dive to the CMM’s D2 domain, written under the recalibration method. D2 assigns every agent a per-agent non-human identity and governs its credential lifecycle. The threats this domain answers are Privilege Compromise (T3) and Identity Spoofing and Impersonation (T9) in OWASP Agentic AI Threats and Mitigations, whose Playbook 4 (authentication, identity, and privilege controls) calls for per-agent mutual authentication and short-lived credentials — the operational form of the L3–L5 ladder below. Three things change in the recalibration: a stale GA assertion is corrected (Okta for AI Agents is not yet GA), per-agent identity is now GA platform-native on all three hyperscalers, and per-task capability tokens move to L5+ because no platform ships them.
Single-source grounding
Levels and cost model synthesize the recalibration method against the regulated-FI stress test plus vendor documentation. Tooling status is a May 2026 snapshot.
D2-L3 is the highest-leverage rung in the model. The active dependency caps are D2→D5 and D2→D7, so a verifiable per-agent identity (D2-L3) is the cheapest move that lifts three domains at once. Egress and observability cannot exceed D2’s level, because neither per-agent egress policy nor per-agent behavioral baselining has a stable principal to bind to without it. For a Microsoft incumbent, D2-L3 costs near-zero licensing: Entra Agent ID rides the directory. Spend the first identity dollar here.
The Microsoft ZT4AI Identity pillar (verify explicitly / least privilege) supplies the named controls behind these rungs: Entra Agent ID per-agent identity, Conditional Access for Agent Identities, and ID Protection for agents, all crosswalked to the D2 ladder in the 2026-Q2 ZT4AI review. Agent 365 sits above these controls as a management plane — the agent registry and admin surface that aggregates and operates them — rather than as a new enforcement control or a portable standard; it is a vendor-bound, per-user-licensed product, not a specification an organization can implement on another stack. The management-plane-versus-catalogue distinction is set out in Agent 365 review.
Threat coverage
D2 is the primary domain for ASI03 (Identity & Privilege Abuse) and ASI10 (Rogue Agents), and the entry point for Class 1 (AI-aware insider) through least-privilege MLOps roles. Because per-agent egress (D5) and behavioral baselining (D7) are capped by it, D2 is the prerequisite for containing any per-agent threat. See the Threat Taxonomy Reconciliation matrix and the threat classes.
Control landscape (dated)
| Capability | What ships today | Status (May 2026) | Platform-native (MS / AWS / GCP) |
|---|---|---|---|
| Per-agent non-human identity | SPIFFE/SPIRE (OSS); OAuth 2.1 / OIDC | GA | MS: Entra Agent ID — a credential-less service principal from an agent blueprint, GA Apr 20261. AWS: Bedrock AgentCore workload identities2. GCP: Agent Identity, SPIFFE-based3 |
| Credential lifecycle (issue/scope/rotate/revoke) | OAuth 2.1 token exchange; X.509 + STS | GA | MS: blueprint holds credentials, the agent identity holds none1. AWS: AgentCore token vault2. GCP: auth-manager credential vault3 |
| Zero-credentials-in-agent-context | credential-proxy pattern; SPIFFE SVID; Azure Managed Identities | GA | Native on all three; Managed Identities (GA, long-standing) covers the credential-less case on Azure |
| Conditional / risk-based access for agent identities | — | MS GA (no AWS/GCP agent-specific equivalent) | MS: Conditional Access for Agent Identities, GA, requires Entra ID P14 |
| Coupled-credential migration (SAS / storage keys / SaaS API keys → decoupled) | pattern, not a product | — | MS Managed Identities + RBAC; AWS IAM Roles Anywhere / STS5; GCP Workload Identity Federation6 |
| Per-task / capability-scoped tokens (holder-bound, attenuating) | Tenuo Warrant (OSS, Ed25519, monotonic attenuation) | OSS, early-stage; no platform-native equivalent | None. Entra issues per-resource (audience) tokens, not per-task holder-bound grants |
Correction. The current CMM dates “Okta for AI Agents GA Apr 30 2026.” That is wrong. Okta’s own materials place it at Early Access in FY27 Q1 and GA later in FY277; the GA’d product is Auth0 for AI Agents (Oct 2025). The date is removed from D2 and the tooling map. Per-agent identity is well covered platform-native regardless, so nothing in the ladder depends on Okta.
Capability-decoupled levels
Stated as capabilities per rule 1; a control counts when it operates in production per rule 2.
- L1 — Initial. Agents share human credentials or service accounts; no inventory.
- L2 — Developing. Agents hold distinct non-human identities in a manual inventory; delegation runs only through the human user.
- L3 — Defined. Every agent has a verifiable, attested per-agent identity (platform-native agent identity or SPIFFE workload ID); OAuth 2.1 token exchange handles delegation; the NHI lifecycle binds to the deploy pipeline, not HR joiner/mover/leaver; the inventory distinguishes coupled from decoupled credentials (identity-credential coupling); every NHI carries a human owner; every action traces to a human.
- L4 — Managed. Zero-credentials-in-agent-context is enforced (credential broker/vault or a credential-less identity model); per-agent authorization runs at a PDP; an orphaned-agent kill switch is tested; rotation is automated per credential class against a documented consumer-dependency map; a behavioral baseline exists per NHI; a migration plan off coupled credentials is active.
- L5 — Optimizing. A unified agent-governance program operates in production (registry, lifecycle API, per-agent identity graph, ownership transfer, scoped RBAC, audit-log integration); shadow-agent discovery is operational; risk/conditional access for agent identities is active where the platform supports it; identity binding carries cryptographic attestation (SPIFFE JWT-SVID or platform-attested identity); zero coupled credentials remain for agent-class NHIs.
- L5+ — Leading Edge. Per-task capability tokens with cryptographic holder-binding and monotonic attenuation (Tenuo Warrant-class — OSS-only, no platform-native implementation); multi-vendor agent-identity federation across two or more IDaaS platforms with cross-platform identity-graph reconciliation; named participation in a SPIFFE / OAuth / OIDC agent-extension working group.
The one structural move from the current D2: per-task holder-bound capability tokens leave L5 for L5+. The current L5 implies they are deployable today, but the only implementation is an early-stage OSS primitive, and the platforms issue per-resource tokens, not per-task. This mirrors D6 moving cryptographic attestation up and entitlement enforcement down.
Right-sizing by deployment shape
| Deployment shape | Realistic D2 target | Why |
|---|---|---|
| Internal RAG / support chatbot (no/few tools) | L3 | Per-agent identity + owner + decoupled credentials. The persona’s bot sits here; per-task tokens and federation are irrelevant |
| Data-science / coding copilot | L3 → L4 | Touches secrets and the SDLC; the credential broker and rotation discipline earn their cost |
| MCP / skill provider serving others | L4 → selective L5 | Third-party blast radius raises the bar; scoped tokens per caller, attestation, shadow discovery |
| High-autonomy multi-agent mesh | L5 (selective L5+) | Delegation chains make per-task attenuating tokens (L5+) genuinely load-bearing — the one shape where Warrant-class authority is worth its immaturity cost |
The lethal-trifecta test lowers the bar. An agent with no private-data reach or no external-comms path does not need the per-task-token and federation tail. A sound L3 with the trifecta broken is recorded as an intentional trade-off in the effective-score strategic-rationale field.
Cost model
| Level | Licensing | Operational labor | Run-rate |
|---|---|---|---|
| L2 | ~0 | ~0.25 FTE: NHI inventory, owner fields | — |
| L3 | ~0 for an E5 incumbent (Entra Agent ID rides the directory; Conditional Access for agents needs Entra ID P1, included in E5)4 | ~0.5 FTE: per-agent identity rollout, coupled/decoupled classification, pipeline binding | identity sign-in log volume |
| L4 | ~0 native (Managed Identities / Entra); credential-broker COTS only if not platform-native | the dominant cost: rotation automation + the coupled-credential migration project | — |
| L5 | ~0 native on the Agent 365 path; some Agent ID / governance features meter on Entra P2 or an add-on | ownership-transfer process, shadow-AI triage, attestation-chain upkeep | audit-log ingestion scales with agent count |
| L5+ | Tenuo OSS ~0 license | high: capability-token design, federation reconciliation, standards participation | verifier compute (negligible per call) |
Licensing is near-zero for the E5 incumbent through L5; the spend is the coupled-credential migration labor and audit-log run-rate (agent logs run roughly 10–20× human volume into the SIEM). “Free in E5” holds for the core but not universally: Conditional Access for agents needs P1, and some Agent ID governance features meter on P2 or an add-on.
Customer critiques folded in
- “L5 names a just-GA’d product we cannot procure in 12–18 months.” Addressed: L5 is capability-stated and the production-maturity qualifier applies. Entra Agent ID GA’d April 2026; a buyer satisfies the criterion via an approved-vendor-pipeline product with a documented production date.
- “Microsoft is thin on per-task tokens.” Confirmed and bounded: the one genuine D2 residual gap is per-task holder-bound tokens, which sit at L5+, so most buyers never need them.
- “Cost was invisible.” Addressed: the migration labor and SIEM run-rate are named; licensing is near-zero for incumbents.
- “Zero-credential via Managed Identities is a cheap win.” Preserved: L4 reads “credential-less identity model or broker,” so the Azure Managed Identities path counts without a separate credential-proxy purchase.
Open questions
- Tenuo production-readiness (early-stage OSS, no independent enterprise-deployment evidence) is the variable that would move per-task tokens from L5+ to L5. Re-check quarterly.
- AWS AgentCore Identity and GCP Agent Identity are GA, but precise GA dates and the scope of GCP coverage outside its own agent runtime are not cleanly published.
- Okta for AI Agents GA timing (FY27) is directional; the CMM date is removed regardless.
- D2 maps cleanly to FFIEC/GLBA authentication-and-access expectations and NCUA third-party-NHI scrutiny; the mapping is deferred to the forthcoming FFIEC/GLBA crosswalk.
Notes
Footnotes
-
Microsoft Learn — Overview of agent identities, 2026. Entra Agent ID as a credential-less service principal; GA timing. ↩ ↩2
-
AWS — Understanding AgentCore workload identities, 2026. Workload identities, token vault, credential providers. ↩ ↩2
-
Google Cloud — Agent Identity overview, 2026. SPIFFE-ID agent identity + auth-manager credential vault. ↩ ↩2
-
Microsoft Learn — Conditional Access for Agent Identities, 2026. Access patterns; per-resource (audience) tokens; Entra ID P1 requirement. ↩ ↩2
-
AWS — IAM Roles Anywhere, 2026. X.509 to short-lived STS, replacing long-term keys. ↩
-
Google Cloud — Workload Identity Federation, 2026. Federated identities replacing service-account keys. ↩
-
Okta — Newsroom: securing the AI-driven enterprise, 2026. Okta for AI Agents phasing (EA FY27 Q1 / GA FY27); Auth0 for AI Agents GA Oct 2025. ↩