I Said Agent Identity Was Being Solved Backwards
Ten Days Later, a Frontier Lab Agreed.
A frontier lab and I landed on the same conclusion about how to credential AI agents.
Here’s the argument and the timeline that shows the field is only now catching up to where the work already was.
Last month, Anthropic published Zero Trust for AI Agents, a framework for deploying autonomous agents in the enterprise. Read its sections on identity and credentials and you’ll find a clear set of claims: give every agent instance a unique cryptographic identity, issue short-lived task-scoped tokens, keep no static secrets anywhere an agent can reach, and verify every single request. Static API keys, it says flatly, are “no longer a legitimate entry point, not even at Foundation.”
I read it the way you read a review you didn’t ask for, bracing for the line that tells you you’re wrong.
That line never came. What came instead was a stranger feeling: I’ve made this argument. Recently. In public. And I can show you the timestamp.
So let’s work backwards.
Ten Days Earlier
On May 8, ten days before that eBook, I published a piece on the Cloud Security Alliance blog under a deliberately uncomfortable title: AI Agent Identity Is Being Solved Backwards.
My argument wasn’t “agents need better IAM.” It was that IAM is the wrong tool, applied backwards.
Every credential system enterprises run was built on one assumption: you know what a workload will do before it runs. A traditional service is deterministic: a developer wrote its logic, so you can scope its credentials at deploy time. An LLM agent detonates that assumption. The same agent, same task, takes different execution paths on consecutive runs: queries the database first, or the API first; spawns a sub-agent, or doesn’t. That non-determinism isn’t a bug. It’s the entire reason agents are useful.
Which means you cannot scope an agent’s credentials before it runs, because you don’t yet know what it will do. So teams pick one of two losing moves: hand over broad credentials to cover every possible path (risk acceptance dressed as convenience), or let agents accumulate entitlements and govern the pile after the fact (a cleanup operation dressed as a strategy).
The way out isn’t a better IAM tier for agents. It’s a different mental model. Don’t govern the agent like a standing identity; govern the workflow. And don’t assign identity at deploy time; issue it at runtime, scoped to this task, on this run, for exactly as long as the task lives. Identity for a non-deterministic actor has to be born at the moment of execution, because that’s the first moment you actually know what it’s doing.
Keep Going Back
That CSA piece didn’t appear from nowhere. It was the through-line of a year of building in public.
In October 2025, I published the original pattern: ephemeral agent credentialing, six components, the thing I’d been arguing for in architect meetings, finally written down so I could stop arguing and start pointing.
In December, a 9.3 CVE called LangGrinch proved the premise in the worst way possible: every secret sitting in an agent’s environment, exfiltrated in a single request. Not theoretical — real teams, real production.
Then, within weeks of each other, four standards bodies (OWASP, NIST, the IETF, and the CSA) converged on the same verdict: traditional IAM is fundamentally inadequate for agents.
By the time I wrote “solved backwards” in May, I wasn’t speculating. I was describing a problem the field had spent half a year confirming. Ten days later, a frontier lab shipped a framework built on the same foundation. So when people ask whether Anthropic’s framework validates the pattern, my honest answer is that the sequence runs the other way: the work was already there, and the framework caught up to it.
The Convergence
I want to be precise about this, because “a big lab agrees with me” is exactly the kind of claim that should make you suspicious. So here’s the overlap, in their words and mine, side by side.
They open on the same premise I built on: “trust nothing, verify everything, assume breach has already occurred.” That’s not a slogan to me. It’s the reason every token in my pattern expires in minutes instead of hours.
On identity, they say unique cryptographic identifiers per agent are now table stakes: “unique identifiers alone are a labeling exercise” unless they’re cryptographically rooted. That’s Component 1.
On credentials, they’re blunt in a way I rarely see a vendor be. Static keys, they write, are “among the first things an attacker with model-assisted code analysis will find,” and elsewhere, “treat them as already-compromised.” The replacement? “Short-lived, narrowly-scoped tokens issued by an identity provider are the new baseline.” That’s Component 2, almost verbatim.
On access, they adopt OWASP’s “least agency” and just-in-time access that revokes the moment a task completes. Component 4. On audit, immutable append-only logs with cryptographic integrity verification. Component 5. On multi-agent systems, explicit trust boundaries and per-agent credentials, because “if you break it into multiple agents and provide them all the same credentials, you have failed to compartmentalize the risk.”
I didn’t write their book. They didn’t read mine. We landed in the same place because the problem only has so many honest answers.
Why This Matters More Than a Citation
Here’s the thing about convergence: it doesn’t make a solution obvious. It makes the urgency undeniable.
Four standards bodies converging is, honestly, expected; that’s their job. A frontier lab shipping production deployment guidance is a different signal. It means this stopped being a working-group conversation and became something teams are building against right now.
So I’m not going to position this pattern as a footnote to Anthropic’s framework. The sequence runs the other way. I published the formal pattern; the industry’s documentation caught up to it. That’s not ego. It’s just the timeline.
Where I Have to Be Honest
A frontier lab’s framework is broad on purpose. Zero Trust for AI Agents covers prompt injection, memory poisoning, supply chain risk, input and output filtering, behavioral anomaly detection, and an entire section on running defensive security operations at machine speed. My pattern covers exactly one thing: identity and credentials.
If their framework is the zoning code for the whole agent-security city (roads, water, power, policing), mine is the engineering spec for one utility. The electrical grid. Down to the wire gauge.
That’s not a weakness to hide. It’s the discipline of a pattern. I told you in October exactly what it defends against and exactly what it doesn’t. Prompt injection isn’t in scope. Data poisoning isn’t in scope. Those need complementary controls, and a serious framework names them. Anthropic’s does. So does mine.
The grid doesn’t apologize for not being the water system.
The One Place We Disagree — and Why I’m Glad
Their framework climbs a maturity ladder: Foundation, then Enterprise, then Advanced. Start at the bottom, progress as you scale.
My v1.4 rejects the phased rollout outright. I called the section Migration, Not Remediation. The argument: these aren’t milestones you reach over quarters. They’re design decisions you make before the first agent runs. Ship agents on shared credentials now and bolt on identity later, and you’ve conceded the credential shape is wrong at deployment, then spent budget making the wrong shape auditable.
So we disagree. Except read their fine print. They say “the Foundation floor has been raised.” Short-lived tokens, cryptographically rooted identity, identity-based isolation: “now entry requirements, not aspirations.” Static keys are “no longer a legitimate entry point, not even at Foundation.”
That’s a maturity model quietly admitting its own bottom rung now holds the things I said you can’t defer. The ladder is getting shorter from the bottom up. We’re converging on the absolutism, just from opposite directions: they’re raising the floor, I’m refusing to build above an empty one.
And look at what moved to that floor: short-lived, runtime-issued, identity-provider credentials. Ten days after I argued on CSA that runtime issuance is the only model that fits a non-deterministic actor, the lab put runtime-issued short-lived credentials at the entry tier. A tier model still frames this as an IAM maturity problem: assign the identity, manage its lifecycle, scope its permissions. My argument is that the unit itself is wrong: govern the workflow, not the standing identity. But I’m not going to pretend the floor moving in exactly the direction I pointed is anything other than the field starting to turn the right way.
The Component That Still Keeps Me Up
There’s one place the framework points at the problem and stops at the edge of it. And it happens to be the exact problem that took me a full version to solve.
Multi-agent delegation. Agent A hands work to Agent B, which hands work to Agent C, which reaches for a resource. How does the resource server know that chain of authority is real?
Anthropic’s framework gets the requirement right: “Agents should verify the identity and authorization of other agents before accepting delegated tasks. Implement authorization checks at each step of multi-agent workflows, rather than trusting that the initiating agent had appropriate permissions.” They even name the failure modes: “unscoped privilege inheritance” and the “confused deputy” problem, where a low-privilege agent relays valid-looking instructions to a high-privilege one.
Correct. Necessary. And it stops there, at what must be true, not how you make it true.
That gap is Component 7. The VP authorizes a manager to approve $10,000. The manager tells an intern, “I’m authorized, so you are too.” The intern approves $50,000. Without a receipt at every step (who authorized what, with what limit), nobody can tell a real chain from a fabricated one. “Verify authorization at each step” is the right instruction. It is not yet a mechanism.
The mechanism is cryptographic delegation chains: every hop signs a record, permissions can only narrow and never expand, any verifier can trace the full chain back to the original principal, and one broken link kills the request. That’s the difference between telling agents to behave and making misbehavior impossible to forge. Anthropic’s own design test, “does this make the attack impossible, or just tedious?”, is the cleanest argument for it I’ve read, and I didn’t write that line. They did.
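The checks named above (a signature per hop, narrowing only, a trace back to the original principal, one broken link rejecting the request), replayed on the VP, manager and intern scenario. This is an added example, not code from the pattern, the research paper or Anthropic's framework. The record fields, function names and keys are hypothetical, and HMAC-SHA256 stands in for per-principal asymmetric signatures so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 stands in for per-principal asymmetric
# signatures (a real verifier would hold only public keys).
KEYS = {"vp": b"vp-demo", "manager": b"manager-demo", "intern": b"intern-demo"}


def _body(link):
    """Canonical bytes of a link, excluding its signature."""
    fields = {k: v for k, v in link.items() if k != "sig"}
    return json.dumps(fields, sort_keys=True).encode()


def _digest(link):
    """Hash that binds the next link to this exact signed record."""
    return hashlib.sha256(_body(link) + link["sig"].encode()).hexdigest()


def _sign(issuer, link):
    return hmac.new(KEYS[issuer], _body(link), hashlib.sha256).hexdigest()


def delegate(chain, issuer, subject, limit):
    """Return a new chain in which issuer grants subject authority up to limit."""
    link = {"issuer": issuer, "subject": subject, "limit": limit,
            "prev": _digest(chain[-1]) if chain else ""}
    link["sig"] = _sign(issuer, link)
    return chain + [link]


def verify(chain, root, presenter, amount):
    """Walk the chain from the root principal; any broken link rejects."""
    if not chain:
        return False, "empty chain"
    holder, ceiling, prev = root, chain[0]["limit"], ""
    for i, link in enumerate(chain):
        if link["issuer"] not in KEYS or not hmac.compare_digest(
                link["sig"], _sign(link["issuer"], link)):
            return False, f"link {i}: bad signature"
        if link["issuer"] != holder or link["prev"] != prev:
            return False, f"link {i}: broken chain"
        if link["limit"] > ceiling:
            return False, f"link {i}: limit widened"
        holder, ceiling, prev = link["subject"], link["limit"], _digest(link)
    if presenter != holder or amount > ceiling:
        return False, "request exceeds delegated authority"
    return True, "ok"
```

Here the intern's $50,000 approval fails whether the manager signs a wider grant, the intern edits the limit in a signed record, or the intern presents a chain that does not start at the VP.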
Lead, Don’t Follow
The easy move when a frontier lab validates your work is to spike the ball. See? I was right. They’re late.
I’m not interested in that framing, and not because it’s bad manners. It’s wrong. They’re not late. Nobody’s late. This is new to all of us.
The discipline of securing autonomous agents is months old. There’s no incumbent, no settled canon, no authority whose permission you need before you’re allowed to have a position. I didn’t wait for a lab to tell me how to credential an agent. I looked at the problem, saw that IAM built for long-lived human users didn’t fit machines that live for ninety seconds, and wrote down an answer knowing parts of it were wrong and I’d fix them in public. A frontier lab reaching the same conclusions months later doesn’t mean they were slow. It means the work was sitting there for anyone willing to do it.
Including you.
So if you’re holding an opinion about agent security and waiting for OWASP or NIST or a lab to bless it first, don’t. They’re writing this in real time. The labs are writing it in real time. The barrier to leading here isn’t a research budget or a brand. It’s being willing to publish something you know you’ll have to revise.
The point of doing the work early was never to beat anyone to it. It was to do the work. The convergence just proves the work was there to be done. The window isn’t only open for adoption. It’s open for authorship, and it won’t stay that way once the canon settles.
Why wait?
What Building In Public Actually Buys You
When I shipped v1.0, the honest critique was “this is clean on paper.” Then LangGrinch proved the static-secret problem in production. Then four standards bodies converged. Now a frontier lab has published a framework that reads, in its identity and credential sections, like a parallel derivation of the same pattern.
None of that came from being right alone in a document. It came from putting the thing where people could test it against the real world, and updating when the real world pushed back.
The pattern is independent. It doesn’t need the lab’s blessing to be correct. But the convergence tells you the window I’ve been describing isn’t theoretical anymore: the rest of the field is now writing it down too. The teams that get ahead of this won’t be the ones with the most advanced agents. They’ll be the ones who got the credential shape right before the first agent ran.
Read the full pattern and the research paper


