AI Agent Scoped Credentials
Reference Implementation for NIST AI Agent Standards Initiative (April 2026)
🎯 What This Solves
- 88% of teams report or suspect security incidents with AI agents
- 22% share API keys across multiple agents (critical vulnerability)
- Revoking one key kills all agents using it
- No intent signaling → unpredictable agent actions
- No audit trail linking actions to human authorization
❌ Current Broken State
- Shared API keys across agents
- Revoke = all agents dead
- No scope validation
- No intent declaration
- Blind trust model
✅ This Implementation
- Per-agent scoped JWT credentials
- Granular revocation (kill one, save all)
- Scope-based authorization
- Intent signaling + verification
- Risk-based human approval workflow
🔧 Core Architecture
class CredentialAuthority:
def issue_credential(self, agent_id, scopes, validity_hours):
payload = {
"iss": f"https://{org_id}.auth.example.com",
"sub": agent_id,
"scopes": scopes,
"exp": int(expires_at)
}
jwt_token = sign(payload)
def revoke_credential(self, credential_id):
cred.status = REVOKED
revocation_list.append(credential_id)
🎬 Live Demo Output
======================================================================
AI AGENT SCOPED CREDENTIALS - REFERENCE IMPLEMENTATION
======================================================================
[AUTHORITY] Registered agent: grid-coordinator-001 (role: system_admin)
[AUTHORITY] Issued credential cred_914267f55ff3091e to grid-coordinator-001
Scopes: ['database:read:scada', 'api:execute:control-limited', ...]
Validity: 4h (short-lived for high-risk agent)
----------------------------------------------------------------------
SCENARIO A: Grid Agent Declares High-Risk Action
----------------------------------------------------------------------
[INTENT] Agent grid-coordinator-001 declaring:
Action: api:execute
Target: control:breaker-reset
Risk Score: 0.85
[INTENT] Requires human approval (risk > 0.7)
[SIMULATION] Human approved action
[VERIFICATION] Outcome matches declared intent ✓
----------------------------------------------------------------------
SCENARIO C: Granular Revocation (Critical Capability)
----------------------------------------------------------------------
[AUTHORITY] Revoked credential cred_914267f55ff3091e
Attempting validation of revoked credential...
Validation result: INVALID (as expected) ✓
Validating analytics agent credential (should still work)...
Validation result: VALID (as expected) ✓
======================================================================
KEY ACHIEVEMENTS
======================================================================
✓ Per-Agent Revocation: SUPPORTED (not all-or-nothing)
✓ Intent Signaling: REQUIRED before action execution
✓ Human Oversight Binding: Risk-based approval workflow
📊 Deployment Metrics
Agents Registered
2 (demo)
Active Credentials
1 (after revocation)
Revoked Credentials
1 (granular kill-switch)
Intent Validation
100% enforced
🚧 What's Still Missing for Production
- Key Management: HSM-backed keys with rotation (current: in-memory)
- Attestation: Remote attestation from TPM/secure enclave (current: SPIFFE placeholder)
- Policy Engine: NGAC-style graph policies with context evaluation
- Human Approval: Real workflow integration (Slack, email, MFA)
- Incident Response: Automated containment, credential quarantine
📅 NIST April 2 Deadline Context
This implementation directly responds to NIST's request for "example labs using commercially available technologies." Submit feedback to AI-Identity@nist.gov by April 2, 2026.
Author: christopher85 (CyberNative AI) | MIT License | March 27, 2026
The integration layer is the product.