A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control

Abstract: Traditional Identity and Access Management (IAM) systems, primarily designed for human users or static machine identities via protocols such as OAuth, OpenID Connect (OIDC), and SAML, prove fundamentally inadequate for the dynamic, interdependent, and often ephemeral nature of AI agents operating at scale within Multi Agent Systems (MAS), a computational system composed of multiple interacting intelligent agents that work collectively. This paper posits the imperative for a novel Agentic AI IAM framework: We deconstruct the limitations of existing protocols when applied to MAS, illustrating with concrete examples why their coarse-grained controls, single-entity focus, and lack of context-awareness falter. We then propose a comprehensive framework built upon rich, verifiable Agent Identities (IDs), leveraging Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), that encapsulate an agents capabilities, provenance, behavioral scope, and security posture. Our framework includes an Agent Naming Service (ANS) for secure and capability-aware discovery, dynamic fine-grained access control mechanisms, and critically, a unified global session management and policy enforcement layer for real-time control and consistent revocation across heterogeneous agent communication protocols. We also explore how Zero-Knowledge Proofs (ZKPs) enable privacy-preserving attribute disclosure and verifiable policy compliance. We outline the architecture, operational lifecycle, innovative contributions, and security considerations of this new IAM paradigm, aiming to establish the foundational trust, accountability, and security necessary for the burgeoning field of agentic AI and the complex ecosystems they will inhabit.

• The paper presents a novel zero-trust IAM framework leveraging DIDs and VCs to dynamically authenticate and authorize AI agents.
• It introduces an Agent Naming Service (ANS) and employs Zero-Knowledge Proofs to support confidential, capability-based agent discovery.
• The framework implements layered, dynamic access control combining static policies with context-aware enforcement to mitigate over-privileging.

A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control

Introduction to Agentic AI and Identity Management

The transition to a world populated by autonomous Multi-Agent Systems (MAS) necessitates the development of an Identity and Access Management (IAM) framework fundamentally different from the traditional human-centered models. Traditional protocols such as OAuth 2.0, OpenID Connect (OIDC), and SAML are designed for static human users or simple machine identities and are unable to cater to the dynamic, ephemeral, and interdependent nature of AI agents in MAS. The paper proposes a novel IAM framework that utilizes Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) to encapsulate agent capabilities, provenance, and security postures. This enables the creation of sophisticated, fine-grained access control mechanisms crucial for secure agent interactions.

Architectural Framework and Key Features

The proposed framework integrates multiple technological advancements:

1. Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs): Leveraging DIDs provides globally unique and verifiable identities for agents. VCs allow for granular proof of an agent's attributes and capabilities, supporting dynamic updating and revocation as agent's capabilities evolve.
2. Agent Naming Service (ANS): This service allows secure discovery of agents based on capabilities rather than names alone. ANS integrates with agent identities to ensure secure, capability-aware discovery processes.
3. Zero-Knowledge Proofs (ZKPs): ZKPs are utilized to enable agents to verify credentials without disclosing sensitive information, enabling private and secure exchanges.
4. Unified Global Session Management and Policy Enforcement: A session authority layer oversees policy enforcement and manages global logout mechanisms across heterogeneous communication protocols within MAS, ensuring consistent security posture throughout agent interactions.

   Figure 1: Core Architecture and its layers.

Agent Identity and Lifecycle Management

The redefinition of an AI agent's identity is central to this framework. An agent's identity is a dynamic and cryptographically secured profile composed of:

• Cryptographic Anchor: Comprising a DID and associated key pairs for signing actions and encrypting communications.
• Core Attributes: Identifying information such as software version, creator, lifecycle status, and other metadata.
• Capabilities and Scope: Task-specific permissions and toolsets are specified to provide granular control over agent operations.
• Operational and Security Parameters: Communication protocols supported and any compliance or regulatory information pertinent to the agent's operations.

Additionally, agent identities can be dynamically adapted at runtime to enable specific task roles via ephemeral IDs or scoped VCs, allowing precise and flexible access control based on context and operational needs.

Figure 2: Agent discovery process using the Agent Name Service (ANS).

Implementing Fine-Grained Access Control

The framework employs a layered access control model that integrates static policies, dynamic conditions, and agent-specific attributes to govern decisions:

• Policy Decision Point (PDP): Evaluates access requests against current policies.
• Policy Information Point (PIP): Provides attribute and context data required for decision making.
• Policy Administration Point (PAP): Where policies are authored and managed.
• Dynamic Access Control Models: Just-In-Time (JIT) access models and real-time policy enforcement ensure the system dynamically responds to agent context changes, reducing over-privileging risks.

  Figure 3: Fine-grained access control enforcement when RiskAnalyzerBot requests access to sensitive financial data.

Implications and Future Work

The proposed framework sets the stage for more secure, efficient, and scalable AI ecosystems by addressing the unique identity challenges of AI agents. Future developments will focus on enhancing scalability, optimizing cryptographic operations, formalizing interoperability standards, and establishing robust governance models.

Potential research areas include leveraging advanced privacy-enhancing technologies, increasing inter-agent interoperability, and ensuring compliance with evolving regulatory landscapes. Comprehensive benchmarking and the development of developer-friendly tools will support broad adoption and facilitate seamless integration into existing IAM infrastructures.

Figure 4: Ephemeral agent authorization using Just-In-Time (JIT) Verifiable Credentials for Model Context Protocol (MCP) tool access.

Conclusion

This paper presents a sophisticated IAM framework that empowers Agentic AI to operate securely within complex, interdependent ecosystems. By redefining identity through DIDs and VCs, instituting an Agent Naming Service for capability discovery, and proposing a forward-thinking architectural framework, it paves the way for secure and accountable agent interactions, advancing the capabilities of AI-driven systems in diverse applications. The innovative blend of technology and security considerations addresses critical shortcomings of existing IAM systems, underlining the necessity for such advancements to safely scale autonomous AI systems.