]> Glyphzero Labs Inc.

karthik@phantomcorgi.com

Security Workload Identity in Multi-System Environments agentic AI delegation identity authorization SPIFFE This document defines PEDIGREE (Per-Agent Delegation Identity with Governance-Enforced Execution), an identity and delegation framework for AI agents that extends the workload-identity model of SPIFFE (RFC 9542 / draft-ietf-wimse) with cryptographic per-hop delegation, monotonic scope attenuation enforced at mint and at verify, and dual-layer authority enforcement combining an operator-controlled ceiling with per-parent mandate narrowing. PEDIGREE complements AAuth (draft-hardt-aauth-protocol) and AIP (draft-prakash-aip) by providing: (a) dual-enforcement semantics absent from both, (b) Cedar-policy mandates with static-analysis proofs of narrowing, (c) strict cryptographic parent-token re-verification that catches parent-swap attacks missed by append-only token chains, and (d) a native bridge to existing SPIFFE deployments.

Introduction

Problem Agentic AI systems spawn sub-agents dynamically. Current identity frameworks fail three tests:

1. Attribution -- when an orchestrator spawns a sub-agent to book flights and another to file expenses, both share the orchestrator's ambient credentials. Incident response cannot determine which sub-agent took which action.
2. Attenuation -- sub-agents typically inherit all parent authority. AAuth explicitly rejects scope attenuation (draft-hardt-aauth-protocol-01 Appendix C.3.7). Bearer-token and OAuth flows have no delegation narrowing primitive.
3. Enforcement -- even protocols that define attenuation (AIP) defer aggregate budget enforcement to "the orchestration platform at runtime" (draft-prakash-aip-00 Section 7.4), leaving a single-layer guard vulnerable to orchestrator compromise.

Non-Goals

• Replacing SPIFFE/WIMSE workload identity for in-cluster service-to-service auth. PEDIGREE is an upper layer that delegates from a SPIFFE-bearing root.
• Defining a user-authentication protocol. OIDC/OAuth flows bootstrap the root consent; PEDIGREE governs what happens after.
• Specifying an authorization policy language. PEDIGREE accepts Cedar (RECOMMENDED), Datalog, or Rego as mandate policy formats.

Related Work The following table compares PEDIGREE with existing protocols across key delegation and enforcement dimensions. Protocol Comparison

Protocol	Sub-agent identity	Scope attenuation	Per-hop audit	Dual enforcement
AAuth (draft-hardt)	No	Explicitly rejected	Mission-level	No
AIP (draft-prakash)	Yes (aip:key:ed25519:)	Yes (Biscuit)	Mandatory context	No (budget punted)
SPIFFE SVID	Per-workload	None	Workload-level	No
ZeroID (open-source)	Yes (RFC 8693)	Yes	CAEP cascade	No
PEDIGREE (this document)	Yes (parent_chain)	Yes (Cedar, mint+verify)	Consent chain + SIEM	Yes (ceiling intersect mandate)

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Root

A human principal whose initial consent establishes the delegation chain.

Primary Agent

A long-lived agent holding a signing keypair, directly delegated-to by the root.

Sub-Agent

An ephemeral agent issued a PEDIGREE by a primary or another sub-agent.

PEDIGREE

A signed JWT carrying principal identity, parent chain, mandate (policy set), public key, and lifetime.

SIT

Suradar Identity Token -- the concrete wire format of a PEDIGREE, compatible with RFC 7519.

Mandate

A typed policy set (Cedar by default) defining what actions an agent may perform on which resources.

Ceiling

The deployment-level policy set defined by the operator; applies to all agents regardless of individual mandates.

Consent Chain

An ordered sequence of principal-issued consents authorizing transitive delegation, with optional depth limits.

Identity Model

Identifier Schemes PEDIGREE defines two identifier schemes:

Named (registry-backed)

Format: pedigree:name:<deployment>/<agent-id> Example: pedigree:name:glyphzero/trading-orchestrator-7f3a

Self-certifying (registry-free)

Format: pedigree:key:ed25519:<multibase-public-key> Example: pedigree:key:ed25519:z6MkpZ... RECOMMENDED for sub-agents with lifetimes under 5 minutes.

Root of Trust Each chain terminates at a root principal (human, identified via OIDC/OAuth). The primary agent's PEDIGREE carries the root's sub claim and a signature over the initial consent.

Token Format

Header

Payload (SIT Claims) The following is the set of claims carried in a SIT payload: ", "sub": "", "jti": "", "iat": 1712345678, "exp": 1712349278, "pedigree_version": "0.1", "agent_pub": "", "parent_chain": ["", ""], "delegation_depth": 2, "scopes": ["read:cal", "write:cal"], "mandate": { "format": "cedar", "policy_set": "permit(principal, action == PedigreeAction::\"read_file\", resource);" }, "consent_chain": [""], "ceiling_ref": "sha256:", "completion_bindable": true } ]]>

Required Invariants

1. delegation_depth == len(parent_chain)
2. scopes MUST be a subset of the immediate parent's scopes.
3. exp - iat MUST NOT exceed the parent's remaining lifetime.
4. mandate.policy_set MUST narrow or equal the parent's mandate under the static-analysis check of .

Delegation

Mint To mint a child SIT, the parent:

1. Verifies its own SIT is unexpired and not revoked.
2. Chooses a subset of its scopes.
3. Generates (or receives) the child's public key.
4. Computes a child mandate that is provably narrower than the parent's (see ).
5. Appends its own jti to the child's parent_chain.
6. Signs the child JWT with its own private key.

Verify (Strict) Verifiers MUST:

1. Cryptographically verify the leaf SIT against the issuer's public key.
2. Retrieve each parent JWT referenced by parent_chain and cryptographically verify each.
3. Check each parent's sub equals the corresponding parent_chain entry of the descendant.
4. Check each hop's scopes is a subset of the prior hop's scopes.
5. Check each hop's mandate is a narrowing of the prior hop's mandate via static analysis ().
6. Check the leaf's ceiling_ref hash matches the operator's current ceiling or a published prior version within grace period.

Parent-Swap Resistance Because verification re-verifies each parent against the issuer's public key, an attacker cannot substitute a same-scope parent from a different chain. AIP's Biscuit append-only semantics trust block signatures and do not re-verify upstream; PEDIGREE's explicit re-verification catches this attack class.

Dual Enforcement Every authorization decision requires both:

1. Mandate: the SIT's mandate.policy_set permits the action (parent's delegation narrowing).
2. Ceiling: the operator-deployed ceiling policy permits the action (applies to all agents).

Pseudocode: The ceiling is identified by ceiling_ref (SHA-256 of the operator-signed ceiling policy document) and distributed out-of-band (or via a well-known URL). This primitive is absent from AAuth, AIP, SPIFFE, and ZeroID.

Mandate Narrowing

Narrowing Check A child mandate M_c narrows a parent mandate M_p if and only if: M_p.permits(action, resource) ]]>

Static Analysis When mandate.format == "cedar", implementations MUST emit a static-analysis proof that M_c narrows M_p. Cedar's published analyzer (AWS 2024) suffices. The proof artifact MAY accompany the SIT as a narrowing_proof field referencing the proof by content hash. This static-proof primitive is absent from AIP (Biscuit semantics enforce narrowing imperatively but do not emit a verifiable artifact).

Completion Blocks

Purpose A completion block cryptographically binds the outcome of an agent's action to the delegation chain that authorized it, enabling downstream verifiers to prove a result came from an authorized chain without trusting out-of-band audit logs.

Format ", "parent_sit": "", "status": "completed", "result_hash": "sha256:", "verification_status": "self_reported", "cost_cents": 1234, "timestamp": "", "signing_agent": "" } ]]> The status field MUST be one of: "completed", "failed", or "partial". The verification_status field MUST be one of: "self_reported", "tool_verified", "peer_verified", or "human_verified". The completion block is signed by the executing agent's private key. Verifiers check the signature against agent_pub of the referenced SIT.

Chain Binding A downstream agent receiving a result from an upstream agent SHOULD require the completion block alongside the result. The receiving agent MAY refuse to consume un-bound results.

Revocation

Cascade Revoking a consent or a parent SIT invalidates every descendant in the chain. Implementations MUST walk the consent chain when evaluating revocation.

Shared Signals Framework Implementations SHOULD emit OpenID SSF events (credential-change, session-revoked) on revocation to propagate to connected IdPs. See draft-rampalli-suradar-bindings for CAEP event schema.

Security Considerations

Parent-swap

Mitigated by strict cryptographic re-verification ().

Scope escalation

Mitigated by subset check at mint AND at verify.

Ceiling bypass

Mitigated by dual enforcement ().

Audit evasion

Mitigated by mandatory context on each delegation block and by cryptographic completion blocks ().

Key compromise

Ephemeral self-cert keys () limit blast radius to their TTL.

Replay

jti uniqueness enforced by nonce store.

Transitive consent

ConsentChain with TransitiveConsent=false blocks downstream delegation.

IANA Considerations This document requests the following registrations:

JWT "typ" Header Value Registration of the "pedigree+jwt" value in the "JSON Web Token Types" sub-registry of the "JSON Web Token (JWT)" registry:

Type Header Parameter Value

pedigree+jwt

Specification Document

This document,

URI Scheme Provisional registration of the "pedigree" URI scheme with two defined forms:

• pedigree:name:<deployment>/<agent-id>
• pedigree:key:ed25519:<multibase-public-key>

Well-Known URI Registration of the well-known URI /.well-known/pedigree-agent.json per RFC 8615.

References Normative References Informative References Amazon Web Services https://www.cedarpolicy.com/ CNCF SPIFFE Project https://spiffe.io/

Comparison with AAuth and AIP A detailed landscape comparison of PEDIGREE, AAuth, and AIP across all delegation, enforcement, and audit dimensions is maintained in the companion document: draft-rampalli-pedigree-landscape-comparison. Key differentiators summarized:

• AAuth (draft-hardt-aauth-protocol-01) explicitly rejects scope attenuation and provides no sub-agent identity primitive. PEDIGREE adds both.
• AIP (draft-prakash-aip-00) provides sub-agent identity and Biscuit-based attenuation but defers budget enforcement to the orchestration platform and does not emit static-analysis proofs. PEDIGREE adds dual enforcement and Cedar-based narrowing proofs.

Reference Implementations

Go

github.com/glyphzero/suradar -- production implementation covering L1-L3 of the SURADAR stack.

Python

Planned.

TypeScript

Planned.