Ephemeral Agent
Credentialing
AI agents live for minutes. Their credentials live for fifteen. That gap is the attack surface. This pattern eliminates it by binding credentials to tasks, not identities, so authority expires when the work ends.
Every trigger is a new agent. One credential authenticates all of them.
Leadership pictures a single running agent with a stable identity. What is actually deployed is a stream of short-lived instances: one per user click, webhook, or scheduled trigger. Thousands per day. The LLM replans each run from scratch. The agent ends when the task ends. The credential does not.
- One running agent with a predictable identity
- Static permissioning that maps to a named service account
- The access path is knowable before the agent runs
- Credential management is a solved problem
- A new agent instance per trigger, thousands per day
- The LLM replans each run: new tools, new data reach, new scope
- One credential authenticates every invocation across the day
- One compromise reaches everything that credential can reach, across every run.
Standard OAuth tokens outlive the agent by 7x per task. With 1,000 invocations per day and 100 concurrent agents, that is roughly 21,000 agent-hours of credential lifetime after the agents have already finished their work. This is the exposure window. The pattern closes it.
Five principles every executive should recognize.
The executive view of the eight technical components in v1.4. The rest of this page is the evidence behind each one.
Identity, once per instance
Every agent instance receives its own cryptographic identity at spawn time. That identity is retired when the task ends. No two agent runs share an identity, even if they run the same workflow.
Credentials scoped to the task
Tokens are sized to the work and expire with it. A task that needs one customer record gets credentials for one customer record. Renewal cannot expand scope: authority can only attenuate, never grow.
Every request re-validated
Identity, scope, expiry, revocation status, and delegation chain are checked on every call. Zero-trust applied at the agent instance layer, not just at the network perimeter.
Every action attributable, permanently
A tamper-evident, append-only audit log records every credential operation with its delegation lineage. Forensic questions become log queries. Attribution is per-instance, not per-service-account.
Governance at the boundary, credentialing at the instance
Existing IAM (IdP, directory, OAuth, policy engines) governs who can run orchestrators and what policies apply. This pattern governs what identity an agent instance carries during a single task. Both layers are required. Neither replaces the other.
Five risks an executive should recognize by name.
17 of 40 threats in the model score critical (10-12). These five are most likely to appear in a breach disclosure, audit finding, or board conversation in 2026.
Prompt injection leading to credential theft
A crafted input steers the agent to serialize its runtime state. If that state contains long-lived API keys or environment variables, the attacker retains them after the session ends. This is CVE-2025-68664 (LangGrinch, CVSS 9.3) as it actually played out. Ephemeral credentialing means the serialized state contains only a token expiring in under 5 minutes.
One credential across thousands of invocations
The same service account authenticates every agent the workflow spawns. Compromise of one invocation reaches everything that identity can reach across every run that day. Per-instance identity bounds the blast radius to one task.
Long-lived tokens as a GDPR data minimization finding
A 15-minute token on a 2-minute task is not purpose-limited access under Article 5(1)(c). Auditors read it as a direct finding. Task-scoped credentials produce purpose-limitation evidence by construction.
Non-attribution causing regulatory reporting failure
Breach notification under GDPR, HIPAA, and SEC rules requires per-record attribution. Shared credentials cannot produce it. Per-instance audit with hash-chained records turns the question into a log query.
Supply chain compromise extending to agent credentials
A compromised dependency or MCP server harvests whatever credentials the agent holds at the moment of compromise. Scope follows the agent. Ephemeral tokens mean the attacker's window is bounded to one task's lifetime.
Where this lands on the regulatory surface.
Structural alignment, not a compliance product. The pattern fixes credential mechanics. The compliance benefits follow from the structure.
Legacy today. Pattern tomorrow.
| What goes wrong today | What changes under v1.4 |
|---|---|
| One credential behind thousands of invocations per day | Per-instance cryptographic identity issued at spawn; compromise bounded to one task |
| 15-minute OAuth tokens on 2-minute tasks | Task-scoped, minute-scale tokens that end when work ends |
| Credentials in environment variables | No static secrets; injection returns only a short-lived, scoped token |
| Logs that cannot answer "which agent did this" | Per-instance, hash-chained audit trail with full delegation lineage |
| Broad credentials provisioned "just in case" | Scope set at issuance; can only attenuate through delegation, never expand |
| Orphaned credentials that outlive the agent | No long-lived credentials; heartbeat-driven revocation, no orphans |
| Multi-tenant AI platforms with credential bleed | Per-tenant trust domains; cross-tenant tokens cannot validate |
| Regulatory reporting built on inference | Per-agent audit produces the evidence every major framework requires |
Six questions that clarify posture in one conversation.
An executive who leaves this page with these six questions can have a real conversation with engineering and security leadership next Monday.
The pattern is eight coordinated components, each addressing a distinct failure mode.
Each component can be adopted independently. Security benefits accrue at every intermediate step. A six-phase adoption path is documented in the full technical specification.
At spawn time, each agent instance receives a unique, cryptographically-verifiable identity bound to its runtime environment. Identity format: spiffe://trust-domain/agent/{orch_id}/{task_id}/{instance_id}. Cannot be forged, reused, or transferred between agents.
Addresses the bootstrap problem (secret zero) via platform attestation (SPIFFE/SPIRE), domain-based trust (MCP CIMD), cloud-native IAM, or one-time launch tokens. No pre-shared secret required in the SPIFFE path.
Tokens are sized to the work and expire with the task. Default TTL: 5-10 minutes. Renewal cannot expand scope: each renewal is a logged audit event with a maximum renewal limit and a hard ceiling. Semantic scopes (ABAC) express access in terms of the task, not the resource path.
Token bloat threshold: 4KB. Above threshold, switch to by-reference tokens with broker-side introspection. Long-running agents use session resumption and crash recovery without reissuing full credentials.
Every request validates: identity, scope, expiry, revocation status, and delegation chain. mTLS binds tokens to the client certificate so stolen tokens cannot be replayed without the corresponding private key. Clock skew tolerance: 30-second window to accommodate distributed system drift.
Four-level revocation hierarchy: individual token, agent instance, task, and delegation chain. Short TTLs make revocation a last resort rather than a primary control. High-assurance introspection for critical operations (financial transactions, PHI access) triggers additional validation regardless of cached state.
Every credential operation is recorded in a hash-chained append-only log. Each entry includes the delegation lineage, task context, and a cryptographic link to the previous entry. Tampering is detectable. PII and prompt content are sanitized before logging (data minimization by design). RFC 7807-compliant error responses expose the denied scope without leaking token contents.
Sub-agents authenticate to parent agents and vice versa using the same ephemeral identity infrastructure. Secure discovery binding prevents MITM attacks during agent-to-agent trust establishment. Heartbeat and liveness monitoring revoke credentials for silent agents automatically: no zombie credentials from crashed instances.
When a parent agent spawns a sub-agent, it issues a delegation token with attenuated scope: the sub-agent cannot hold more authority than the parent. The full delegation chain is cryptographically verifiable end-to-end, from the original human principal through every intermediate agent. Scope can only attenuate, never escalate.
Standardized KPI metrics: token issuance latency (p50/p95/p99), revocation propagation time, scope rejection rate, delegation depth distribution. RFC 7807 error contracts expose why a request was denied (expired, revoked, scope mismatch) without revealing token internals. Why-denied tracing links rejections back to the originating delegation decision.
This pattern maps directly to three active standards efforts.
All 17 critical risks in the threat model.
Probability (1-4) + Business Impact (1-4) + Regulatory Exposure (1-4). Score 10-12 = critical.
| # | Risk | Score | How v1.4 addresses it |
|---|---|---|---|
| TM-01 | Static credential exfiltration via env vars | 11 | No static secrets; only short-lived, task-scoped tokens issued at runtime. |
| TM-02 | One credential across thousands of invocations | 11 | Per-instance cryptographic identity; compromise bounded to one task. |
| TM-04 | Bearer token replay | 10 | Tokens bound to the client certificate via mTLS; stolen tokens cannot be replayed. |
| TM-05 | Lateral movement via over-privileged credentials | 11 | Task-scoped tokens cannot address resources outside the current scope. |
| TM-09 | Orphaned and zombie credential exploitation | 10 | No long-lived credentials; heartbeat monitoring revokes silent agents. |
| TM-17 | Credential store compromise | 10 | Nothing valuable stored long-term; full store breach yields only minute-expiring tokens. |
| TM-20 | Agentic supply chain credential compromise | 11 | Agent holds only an ephemeral token; compromise shrinks to single-task, minute-scale access. |
| TM-21 | Credential stuffing at machine speed | 10 | Username/password structurally absent; identity via cryptographic attestation only. |
| TM-23 | GDPR data minimization violation | 10 | Task-scoped credentials provide direct, auditable purpose-limited-access evidence. |
| TM-24 | HIPAA unique-identifier violation | 10 | Per-instance identities exceed the unique-identifier requirement by design. |
| TM-28 | Prompt injection credential exfiltration | 11 | No static credentials to exfiltrate; injections return only a short-lived scoped token. |
| TM-30 | Kubernetes service account token over-sharing | 10 | Projected service accounts, per-instance audience claims, short TTLs enforced. |
| TM-32 | PCI-DSS 4.0 non-compliance in CHD environments | 10 | Per-instance IDs satisfy Req 8.6.1; ephemeral tokens exceed Req 8.3.9. |
| TM-34 | AI-assisted recon of non-human identity surface | 11 | No static secrets means automated recon surfaces nothing of persistent value. |
| TM-36 | Cross-tenant credential leakage in multi-tenant AI | 10 | Separate trust domains per tenant provide cryptographic isolation. |
| TM-39 | Third-party MCP server credential interception | 10 | Audience claims bind tokens to a specific MCP server; cross-server reuse fails validation. |
| TM-40 | Regulatory reporting failure from non-attribution | 10 | Hash-chained, per-instance audit produces the forensic trail notification frameworks require. |
What actually runs today.
AgentWrit is the Go reference implementation. A single-binary broker. The distinction between what ships and what is planned is part of the specification.
- Challenge-response registration (Ed25519)
- Scoped JWT issuance and renewal
- Delegation-chain records with scope attenuation
- Four-level revocation (token / agent / task / chain)
- Hash-chained tamper-evident audit
- Transport mTLS support
- RFC 7807 error contracts with why-denied tracing
- Fully wired mutual-auth between agents
- Federation and trust-domain bridging
- Expanded attestation proofs (model, runtime, code hash)
- High-assurance introspection for critical operations
- Broker-optional / brokerless deployments