Who Verifies the Agents?

Shivdeep Singh
Builder — Airlock Protocol

AI agents are starting to act on their own. They write and deploy code, file support tickets, query internal databases, trigger workflows, move money, and increasingly call other agents to get work done. The interesting shift isn't that an agent can do these things — it's that it can do them without a human pressing confirm on every step.

That raises a question that sounds simple and isn't: when an autonomous agent shows up at your system asking to do something, how do you decide whether to let it?

I've spent the last several months building Airlock to work through that question carefully. This post is the honest version of what I learned — including where existing standards already have good answers, and where there's a real gap worth filling.

The question is actually three questions

"Can I trust this agent?" collapses three distinct things that security people keep deliberately separate. Getting them muddled is the fastest way to build the wrong thing:

"Authentication proves who. Authorization decides what. Risk asks whether anything looks wrong right now. They're three jobs, not one."

The first two are largely solved problems with mature standards. The third is messier, and it's where agents create genuinely new pressure. Let me give existing work its due before claiming any gap.

What existing standards already solve

If you're going to build in this space, you have to know the landscape — and credit it honestly. Here's the part of the problem that is not open:

StandardWhat it does
OAuth 2.0 / 2.1Authorization — delegated access via scoped tokens. Not an identity protocol, despite common shorthand.
OpenID ConnectAuthentication — the identity layer built on top of OAuth. This is what actually answers "who."
SPIFFE / SPIRECryptographic identity for non-human workloads. Agents are workloads — this is the closest prior art.
MCP AuthorizationOAuth 2.1-based auth for Model Context Protocol tool servers.
CAEP / Shared SignalsAn open framework for sharing risk and revocation signals across providers — the existing answer to "portable trust signal."
W3C Verifiable CredentialsPortable, issuer-signed claims a relying party can independently verify.
Visa TAP / Mastercard Agent PayNetwork-level agent identity for commerce — signed HTTP requests proving an agent and its mandate to merchants. The payment networks own that lane.

So no — "nothing handles trust" would be wrong. Risk-based authentication is a mature commercial category. Reputation algorithms go back decades. If anyone tells you this is a greenfield, they haven't read the field.

So where's the actual gap?

The gap isn't that these pieces don't exist. It's that, for autonomous, delegating, cross-organization agents, they don't come integrated into one agent-native flow, and three things in particular are awkward to assemble from today's parts:

Airlock is an attempt to integrate the right primitives for the agent case — not to reinvent identity. That framing matters, so I'll be precise about what's load-bearing and what's just a signal.

How Airlock works

An agent that wants to act through Airlock goes through five phases. The cryptographic path is fast; the verdict carries an identity, a delegation scope, and a risk signal.

Phase 1Resolve
Phase 2Handshake
Phase 3Identify
Phase 4Verdict
Phase 5Seal

Identity — the load-bearing part

Agents authenticate one of two ways: an Ed25519 signature tied to a W3C Decentralized Identifier (did:key), or an OAuth 2.1 / OIDC bearer token from an identity provider you already run. The OAuth path uses private_key_jwt client authentication (RFC 7523) — no shared secrets. This half needs no trust in Airlock: the signatures verify on their own math.

Delegation — the strongest card

Airlock implements RFC 8693 Token Exchange. When Agent A delegates to Agent B, A exchanges its token for a narrower-scoped one for B — B can only do what it was explicitly granted, never inherit A's full authority. And the chain supports cascade revocation: revoke A, and every token A delegated, transitively, dies with it. This is the part I'd defend in front of anyone, because it solves a concrete multi-agent failure that scoped tokens alone don't.

The behavioral score — one signal, not the root of trust

Each agent has a four-tier reputation that moves with its behavior: successful interactions raise it, failures lower it, inactivity decays it. But this is a signal a relying party can weight or ignore — exactly like a CAEP risk signal — not a verdict you're forced to accept. The cryptographic identity and the signed delegation are what's verifiable; the score is advisory. I'm deliberate about this distinction because reputation systems have well-known limits (cold start, gaming, and the question of who computes the score), and overselling it would be the wrong move.

Audit — the seal

Every verification, pass or fail, is written to a hash-chained audit trail: each record carries the hash of the previous one, so altering history breaks the chain and the tampering is detectable. That's the record that survives a compliance review.

How this relates to what already exists

The honest positioning — the thing I'd want an identity engineer to nod at — is that Airlock sits alongside these standards, not on top of a strawman:

The hard problem I won't hide

A portable reputation score is only as good as the authority computing it. DMARC worked because it leaned on DNS — a trust root the world already accepted. Airlock's score is computed by its registry, which means the open question is "why should a relying party trust that authority?" My answer: don't make the score load-bearing. Keep identity and delegation as the verifiable core, treat the score as an advisory signal, and move toward expressing it as a Verifiable Credential so relying parties choose which issuers they trust. That's the honest path.

This isn't about one industry

The same gap shows up everywhere autonomous agents act with delegated authority. A few concrete shapes:

The common thread isn't a vertical — it's the shift from "a human clicked this" to "an agent did this on someone's behalf." Once that's true, identity, scoped delegation, a risk signal, and an audit trail stop being nice-to-haves.

What's actually built

This is a working implementation, not a concept paper: