{
  "profile_id": "agent_identity_mode",
  "version": "1.0.0",
  "published": "2026-06-29",
  "name": "Agent Identity Mode Profile",
  "description": "Defines six identity modes for AI agents — from borrowed user session to attested workload identity — each with appropriate use cases, prohibited patterns, required Apeiris controls, failure modes, minimum evidence requirements, and migration paths. Evaluators and validation engines can use this profile to classify a deployment's identity posture and determine which controls are mandatory, which are advisory, and which failure modes to probe. Corresponds to the Identity domain taxonomy (workload / personal / personal-in-enterprise).",
  "status": "active",
  "normative_anchors": [
    {
      "source_id": "openid",
      "standards": [
        "RFC 9396 — OAuth 2.0 Rich Authorization Requests",
        "RFC 8693 — OAuth 2.0 Token Exchange",
        "RFC 8707 — Resource Indicators for OAuth 2.0",
        "RFC 9449 — OAuth 2.0 DPoP"
      ]
    },
    {
      "source_id": "spiffe_spire",
      "standards": ["SPIFFE SVID Specification", "SPIFFE Workload API"]
    },
    {
      "source_id": "w3c_did",
      "standards": ["W3C Decentralized Identifiers (DID) v1.0"]
    }
  ],
  "identity_taxonomy": {
    "description": "Apeiris classifies agent identity into three types. Each mode below maps to one of these types.",
    "types": {
      "workload": "An enterprise-owned agent or workflow identity, not linked to a named human at runtime. Identity is cryptographically asserted by the infrastructure. Suitable for fully automated pipelines, server-to-server calls, and autonomous agents operating without real-time human delegation.",
      "personal": "An agent acting on behalf of a named human using that human's authority. The human's consent and the scope of delegation must be explicit, short-lived, and auditable. Human remains the accountable principal.",
      "personal_in_enterprise": "A human-linked agent operating inside enterprise systems, requiring both explicit human consent and enterprise authorization permission. Human authorization alone is insufficient — the enterprise's own delegation ceiling must also be satisfied. Separates human consent from enterprise authority."
    }
  },
  "modes": [
    {
      "mode_id": "user_session",
      "name": "User Session Mode",
      "identity_type": "personal",
      "maturity_tier": "C1",
      "description": "The agent borrows the user's live session context — cookies, local credentials, dev tokens, or ambient access — without explicit delegation. The user is actively present or recently authenticated. This is the lowest-maturity mode: tolerated in personal and developer contexts but constrained by hard limits that cannot be relaxed.",
      "appropriate_use_cases": [
        "Developer-local personal automation where the user is actively present and has full visibility",
        "Short-lived scripted tasks with no server-side persistence and no enterprise data access",
        "Prototyping and exploratory use where the user explicitly accepts the risks"
      ],
      "prohibited_use_cases": [
        "Enterprise production environments of any sensitivity",
        "Multi-step or long-running automation where the user may not be present",
        "Access to regulated data (personal data, financial records, health information)",
        "Consequential or irreversible actions on behalf of the user",
        "Server-side execution or scheduled jobs"
      ],
      "hard_limits": [
        "No server-side caching or storage of the borrowed session material",
        "Credential or token must expire when the user's own session expires",
        "No delegation to downstream agents — single hop only",
        "No actions beyond read-only unless the user is actively present and confirms",
        "Full attribution to the human user in all logs"
      ],
      "required_controls": [
        "apeiris://identity/controls/II-01",
        "apeiris://identity/controls/IM-01",
        "apeiris://identity/controls/IM-03"
      ],
      "failure_modes": [
        "Session material persists after user logout — ghost access",
        "Agent caches token and continues acting after session expiry",
        "Borrowed session used for server-side scheduled automation without user awareness",
        "Actions attributed to the agent rather than the human — attribution loss",
        "Escalation to higher-sensitivity resources using ambient session trust"
      ],
      "minimum_evidence": [
        "User consent to agent operation recorded (timestamp, scope, channel)",
        "Session-bound execution confirmed — no persistent credential storage",
        "All actions attributed to the human user's identity in audit logs",
        "Termination on session expiry confirmed"
      ],
      "saas_authorization_ceiling_note": "In this mode the ceiling is the user's own session scope. No capability to request tighter scopes — residual risk from ambient over-breadth must be documented.",
      "migration_path": "brokered_user_delegation"
    },
    {
      "mode_id": "brokered_user_delegation",
      "name": "Brokered User Delegation Mode",
      "identity_type": "personal_in_enterprise",
      "maturity_tier": "C2",
      "description": "The user explicitly delegates authority to the agent for a specific task via a formal token exchange mechanism. The agent receives a short-lived, task-scoped credential that carries the user's intent but is issued by an authorization server, not lifted from the user's session. Requires both the user's explicit consent and the enterprise's authorization ceiling to be respected.",
      "appropriate_use_cases": [
        "Enterprise SaaS integrations where a named user explicitly delegates a bounded task",
        "Request-scoped actions with clear purpose, resource, and TTL",
        "Workflows that need to carry the user's identity through to resource servers for audit attribution",
        "Agentic assistants operating inside enterprise collaboration tools"
      ],
      "prohibited_use_cases": [
        "Actions beyond the declared delegation scope",
        "Long-running background tasks without re-authorization or task-scoped token refresh",
        "Treating the delegated credential as a long-lived service credential",
        "Delegating the token further to sub-agents without establishing a signed delegation chain"
      ],
      "required_controls": [
        "apeiris://identity/controls/II-01",
        "apeiris://identity/controls/II-02",
        "apeiris://identity/controls/DE-01",
        "apeiris://identity/controls/DE-02",
        "apeiris://identity/controls/DE-03",
        "apeiris://identity/controls/NI-02",
        "apeiris://identity/controls/NI-04",
        "apeiris://identity/controls/IF-01",
        "apeiris://authority/controls/PV-02",
        "apeiris://authority/controls/PA-01",
        "apeiris://agentic/controls/AA-01",
        "apeiris://agentic/controls/AT-02"
      ],
      "failure_modes": [
        "Token exchange produces a broader scope than the declared task — scope creep at issuance",
        "Delegated credential reused across multiple tasks — TTL abuse",
        "User consent captured once but treated as standing delegation",
        "Sub-agent receives the token without establishing a chain — anonymous hop",
        "Resource server accepts the token without validating the authorization_details object"
      ],
      "minimum_evidence": [
        "Explicit per-task user consent with declared scope and resource",
        "RFC 8693 token exchange audit log entry (actor, resource, scope, TTL)",
        "authorization_details object (RFC 9396) on every protected action",
        "Credential TTL ≤ 1 hour; assertion TTL ≤ 15 minutes",
        "Human user identity preserved in resource server attribution"
      ],
      "differentiation_from_user_session": "Brokered user delegation produces a formally issued credential from an authorization server. The agent does not hold the user's session material. The credential scope is narrower than the user's full session authority and is scoped to a declared purpose. This distinction is critical — an evaluator must not accept a short-lived user token as equivalent to an attested workload identity.",
      "saas_authorization_ceiling_note": "If the downstream SaaS only supports coarse scopes (e.g., 'files:write' not 'files:write:folder_id'), record the gap as residual_risk: medium and document the specific limitation in the evidence artifact.",
      "migration_path": "attested_workload_identity"
    },
    {
      "mode_id": "service_account",
      "name": "Service Account Mode",
      "identity_type": "workload",
      "maturity_tier": "C2",
      "description": "The agent uses a dedicated service account, API key, or client credential — not linked to a named human. The credential may be long-lived. This mode is the baseline for automated workloads but carries elevated risk from static credentials, orphaned accounts, and over-broad scopes. Acceptable for low-sensitivity automation; insufficient for consequential or regulated decisions.",
      "appropriate_use_cases": [
        "System-to-system integration with low-sensitivity resources",
        "CI/CD pipeline steps accessing build artifacts",
        "Background batch processing with no regulated data",
        "Monitoring and telemetry agents"
      ],
      "prohibited_use_cases": [
        "Consequential decisions involving regulated data without additional attestation",
        "Actions that require human accountability or attribution",
        "High-autonomy agents operating without behavioral guardrails",
        "Environments where the service account has not been registered with owner binding"
      ],
      "required_controls": [
        "apeiris://identity/controls/II-01",
        "apeiris://identity/controls/NI-01",
        "apeiris://identity/controls/NI-02",
        "apeiris://identity/controls/NI-03",
        "apeiris://identity/controls/NI-04",
        "apeiris://security/controls/IA-03"
      ],
      "failure_modes": [
        "Static API key committed to source control — exposure risk",
        "Service account not bound to an accountable owner — orphaned identity",
        "Overly broad scopes granted at account creation and never reduced",
        "No rotation schedule — credential age creates increasing exposure window",
        "Account persists after the service or team that created it is deprovisioned"
      ],
      "minimum_evidence": [
        "Service account registered in identity catalog with owner binding",
        "Credential rotation schedule documented and enforced (max 90 days)",
        "Minimum-scope access justified and reviewed",
        "Deprovisioning trigger documented (team departure, service retirement)"
      ],
      "saas_authorization_ceiling_note": "Service account scopes are often provisioned at the broadest level supported by the SaaS provider. Record as residual_risk: medium unless scope has been restricted to minimum necessary.",
      "migration_path": "governed_service_account"
    },
    {
      "mode_id": "governed_service_account",
      "name": "Governed Service Account Mode",
      "identity_type": "workload",
      "maturity_tier": "C3",
      "description": "A service account with full lifecycle governance: declarative registration, accountable owner, rotation enforcement, automatic deprovisioning triggers, permission ceiling policy, and audit trail. This is the minimum acceptable mode for production AI workloads accessing sensitive but non-regulated resources.",
      "appropriate_use_cases": [
        "Production AI pipelines accessing internal enterprise systems",
        "Agentic workflows with defined capability manifests and behavioral guardrails",
        "Enterprise integrations subject to internal access review",
        "Automation operating within declared and auditable policy boundaries"
      ],
      "prohibited_use_cases": [
        "Actions requiring cryptographic proof of identity at the workload level",
        "Multi-agent orchestration chains without signed delegation",
        "Regulated data processing requiring verifiable identity attestation"
      ],
      "required_controls": [
        "apeiris://identity/controls/II-01",
        "apeiris://identity/controls/II-02",
        "apeiris://identity/controls/II-03",
        "apeiris://identity/controls/NI-01",
        "apeiris://identity/controls/NI-02",
        "apeiris://identity/controls/NI-03",
        "apeiris://identity/controls/NI-04",
        "apeiris://identity/controls/NI-05",
        "apeiris://identity/controls/NI-06",
        "apeiris://identity/controls/IM-01",
        "apeiris://identity/controls/IM-02",
        "apeiris://authority/controls/PV-04",
        "apeiris://authority/controls/PA-03",
        "apeiris://security/controls/GV-03"
      ],
      "failure_modes": [
        "Policy-as-code config exists but is not enforced — declared governance without runtime enforcement",
        "Owner binding recorded but deprovisioning trigger never fires on owner departure",
        "Permission ceiling policy set but not enforced at the authorization server",
        "Rotation schedule documented but not automated — relies on manual compliance"
      ],
      "minimum_evidence": [
        "IaC-declared registration with owner binding (Terraform / Pulumi / Helm or equivalent)",
        "Automated rotation demonstrated (last rotation timestamp, next rotation scheduled)",
        "Ceiling policy evaluated at authorization server on each request",
        "Deprovisioning automation tested — owner removal triggers account suspension",
        "Access review completed within last 90 days",
        "Audit log of all account lifecycle events"
      ],
      "saas_authorization_ceiling_note": "At this maturity tier, the residual_risk from SaaS coarse scoping must be formally documented in the evidence artifact, accepted by an accountable owner, and included in the access review cycle.",
      "migration_path": "attested_workload_identity"
    },
    {
      "mode_id": "attested_workload_identity",
      "name": "Attested Workload Identity Mode",
      "identity_type": "workload",
      "maturity_tier": "C4",
      "description": "The agent holds a cryptographically attested workload identity — SPIFFE/SVID, managed identity with OIDC workload federation, or mTLS — that is continuously refreshed and independently verifiable. The identity is bound to the compute environment, not to a human or a static secret. This is the minimum mode for agents accessing regulated data, executing consequential financial or health decisions, or operating in EU AI Act high-risk AI contexts.",
      "appropriate_use_cases": [
        "Production agents processing regulated data (PII, PHI, financial records)",
        "Multi-agent orchestration where each hop must carry verifiable identity",
        "EU AI Act high-risk AI system deployments",
        "Agents operating in zero-trust architectures where ambient network trust is unavailable",
        "Deployments requiring cryptographic proof of identity for audit or regulatory reporting"
      ],
      "prohibited_use_cases": [
        "Using this mode without continuous refresh — a stale SVID is equivalent to no attestation",
        "Treating the workload identity as equivalent to human authorization — workload identity does not carry user consent"
      ],
      "required_controls": [
        "apeiris://identity/controls/II-01",
        "apeiris://identity/controls/II-02",
        "apeiris://identity/controls/II-03",
        "apeiris://identity/controls/II-04",
        "apeiris://identity/controls/II-05",
        "apeiris://identity/controls/NI-01",
        "apeiris://identity/controls/NI-02",
        "apeiris://identity/controls/NI-04",
        "apeiris://identity/controls/DE-03",
        "apeiris://identity/controls/IF-01",
        "apeiris://identity/controls/IF-02",
        "apeiris://identity/controls/IC-08",
        "apeiris://authority/controls/PV-02",
        "apeiris://authority/controls/PV-04",
        "apeiris://agentic/controls/AA-01",
        "apeiris://agentic/controls/AA-02",
        "apeiris://security/controls/IA-01",
        "apeiris://security/controls/IA-03",
        "apeiris://security/controls/IA-04"
      ],
      "failure_modes": [
        "SVID refresh fails silently — agent continues with expired workload identity",
        "Workload identity used as a substitute for human delegation — conflates identity types",
        "mTLS certificate pinned to a long-lived intermediate rather than a short-lived leaf",
        "Workload identity not scoped to the specific task type — ambient over-authorization",
        "Identity attestation not propagated through agent hops — downstream loses provenance"
      ],
      "minimum_evidence": [
        "SPIFFE SVID, managed identity OIDC token, or mTLS leaf certificate with short TTL (≤1 hour)",
        "Continuous refresh demonstrated (workload API health, cert rotation log)",
        "OIDC issuer, audience, and algorithm validated at each resource server",
        "Workload identity scoped to declared capability manifest",
        "IC-08 attestation current and not stale",
        "Identity propagation verified through all agent hops in multi-agent chains"
      ],
      "saas_authorization_ceiling_note": "Even with attested workload identity, the authorization granularity is capped by what the downstream SaaS can enforce. Record the specific SaaS scope limitation, the granted scope actually enforced, and the delta as residual_risk with level proportional to the sensitivity of resources accessible within the granted scope.",
      "migration_path": "hybrid_user_to_workload_chain"
    },
    {
      "mode_id": "hybrid_user_to_workload_chain",
      "name": "Hybrid User-to-Workload Chain Mode",
      "identity_type": "personal_in_enterprise",
      "maturity_tier": "C5",
      "description": "A signed, auditable chain where a human user initiates an intent, the authorization server mints a task-scoped delegation (RFC 9396 + RFC 8693), and downstream workload hops carry that delegation alongside their own attested workload identity. Each hop in the chain is independently verifiable. The human's intent, the enterprise's authorization ceiling, and the workload's cryptographic identity all participate simultaneously. This is the correct mode for consequential multi-agent enterprise deployments and for EU AI Act high-risk AI systems where human oversight is required at authorization time.",
      "appropriate_use_cases": [
        "Consequential multi-agent orchestration in enterprise environments",
        "EU AI Act high-risk AI systems requiring traceable human oversight",
        "Agentic workflows that must carry user attribution through agent-to-agent hops",
        "Regulated financial, healthcare, or legal AI deployments",
        "Scenarios where audit must reconstruct the complete principal chain from human intent to resource action"
      ],
      "prohibited_use_cases": [
        "Constructing the chain retroactively — the delegation and attestation must be established before execution",
        "Treating the chain as re-usable across multiple sessions — each initiation creates a new chain"
      ],
      "required_controls": [
        "apeiris://identity/controls/II-01",
        "apeiris://identity/controls/II-02",
        "apeiris://identity/controls/DE-01",
        "apeiris://identity/controls/DE-02",
        "apeiris://identity/controls/DE-03",
        "apeiris://identity/controls/IF-01",
        "apeiris://identity/controls/IF-02",
        "apeiris://identity/controls/IC-08",
        "apeiris://authority/controls/PV-02",
        "apeiris://authority/controls/PV-04",
        "apeiris://authority/controls/PA-01",
        "apeiris://authority/controls/PE-08",
        "apeiris://agentic/controls/AA-01",
        "apeiris://agentic/controls/AA-02",
        "apeiris://agentic/controls/AT-02",
        "apeiris://agentic/controls/AT-07",
        "apeiris://agentic/controls/AM-01",
        "apeiris://agentic/controls/AG-08",
        "apeiris://security/controls/IA-01",
        "apeiris://security/controls/IA-03",
        "apeiris://security/controls/IA-04",
        "apeiris://security/controls/RT-03"
      ],
      "failure_modes": [
        "One hop in the chain does not propagate the delegation — chain is broken, downstream loses attribution",
        "Workload identity at a later hop is valid but not bound to the originating human's intent — chain becomes anonymous",
        "User consent obtained but enterprise ceiling not evaluated — personal consent alone is insufficient",
        "Chain not signed — non-repudiation claim cannot be verified after the fact",
        "Re-authorization not triggered on scope escalation at a downstream hop"
      ],
      "minimum_evidence": [
        "Signed delegation chain artifact: user_id, session_id, task_id, hop sequence with agent_id and workload_identity at each hop",
        "RFC 9396 authorization_details present at every protected action in the chain",
        "RFC 8693 token exchange log for each delegation hop",
        "Enterprise ceiling evaluated at chain initiation and at each scope escalation",
        "IC-08 + PE-08 + AG-08 all current at chain initiation time",
        "Full chain reconstructable from audit log without gaps"
      ],
      "saas_authorization_ceiling_note": "The chain preserves the user's intent and the workload's identity through every hop, but SaaS enforcement granularity remains a ceiling. Each SaaS ceiling limitation must be documented per-hop in the chain's evidence artifact, not just at the final resource server.",
      "migration_path": null
    }
  ],
  "saas_authorization_ceiling": {
    "description": "When a downstream SaaS system (Salesforce, GitHub, Slack, ServiceNow, or similar) only supports coarse authorization scopes — for example 'files:write' rather than 'files:write:folder/{id}' — the authorization granularity of any Apeiris mode is capped by what the SaaS can actually enforce at runtime. This is a structural limitation, not a configuration error. Apeiris requires it to be explicitly recorded rather than silently assumed.",
    "required_handling": "For any integration where the downstream SaaS scope is coarser than the intended action scope, the evidence artifact must carry a saas_ceiling_limitation entry.",
    "ceiling_limitation_fields": {
      "provider": "Name of the SaaS platform",
      "granted_scope": "Scope actually enforced by the SaaS authorization model",
      "intended_scope": "The narrower scope that Apeiris would require if the SaaS supported it",
      "gap": "Description of what is accessible within granted_scope but not within intended_scope",
      "residual_risk": "none | low | medium | high | critical — set proportional to the sensitivity of the gap",
      "accepted_by": "Accountable owner who explicitly accepted this limitation",
      "accepted_on": "ISO-8601 date of acceptance",
      "review_due": "Next review date for this accepted limitation"
    },
    "controlling_controls": [
      "apeiris://identity/controls/DE-03",
      "apeiris://authority/controls/PV-04",
      "apeiris://agentic/controls/AB-02"
    ]
  },
  "implementation_signals": [
    {
      "provider": "Okta",
      "pattern": "Cross App Access / ID-JAG",
      "description": "Token exchange for agent-to-service delegation with fine-grained scope propagation across SaaS applications",
      "normative_force": "best-practice",
      "relevant_modes": ["brokered_user_delegation", "hybrid_user_to_workload_chain"]
    },
    {
      "provider": "Microsoft",
      "pattern": "Entra Agent ID",
      "description": "Managed identity framework for Copilot and autonomous agents operating within Microsoft 365 and Azure environments; combines workload identity with enterprise policy enforcement",
      "normative_force": "best-practice",
      "relevant_modes": ["governed_service_account", "attested_workload_identity"]
    },
    {
      "provider": "AWS",
      "pattern": "Bedrock AgentCore Identity",
      "description": "IAM-integrated workload identity for Bedrock agents; supports OIDC-federated short-lived credentials scoped to specific agent capabilities",
      "normative_force": "best-practice",
      "relevant_modes": ["governed_service_account", "attested_workload_identity"]
    },
    {
      "provider": "Google",
      "pattern": "Agent Identity / Gemini Enterprise Agent Platform",
      "description": "Workload identity federation with Google-managed service accounts for Vertex AI and Gemini agents; supports OIDC federation and IAM condition expressions",
      "normative_force": "best-practice",
      "relevant_modes": ["governed_service_account", "attested_workload_identity"]
    },
    {
      "provider": "CNCF / Uber-pattern",
      "pattern": "SPIFFE actor-chain model",
      "description": "Multi-hop workload identity chain using SPIFFE SVIDs where each service asserts its own identity and the originating caller's identity in a verifiable chain; implemented in production at scale by Uber and others",
      "normative_force": "best-practice",
      "relevant_modes": ["attested_workload_identity", "hybrid_user_to_workload_chain"]
    },
    {
      "provider": "Canva",
      "pattern": "Credential Broker pattern",
      "description": "Centralized credential broker that issues short-lived, purpose-scoped credentials to agents rather than distributing long-lived secrets; decouples credential issuance from secret storage",
      "normative_force": "best-practice",
      "relevant_modes": ["governed_service_account", "attested_workload_identity"]
    }
  ],
  "mode_selection_guide": {
    "description": "Decision rules for selecting the appropriate identity mode based on deployment context",
    "rules": [
      {
        "condition": "Personal developer tool, user actively present, no enterprise data",
        "recommended_mode": "user_session",
        "ceiling": "C1 — personal use only"
      },
      {
        "condition": "Enterprise SaaS task, user initiates, single agent, bounded scope",
        "recommended_mode": "brokered_user_delegation",
        "ceiling": "C2 — personal-in-enterprise"
      },
      {
        "condition": "Fully automated pipeline, no human delegation required, low sensitivity",
        "recommended_mode": "service_account",
        "ceiling": "C2 — workload, unattested"
      },
      {
        "condition": "Production automation, enterprise resources, internal access review required",
        "recommended_mode": "governed_service_account",
        "ceiling": "C3 — workload, governed"
      },
      {
        "condition": "Regulated data, consequential decisions, EU AI Act high-risk, or zero-trust required",
        "recommended_mode": "attested_workload_identity",
        "ceiling": "C4 — workload, cryptographically attested"
      },
      {
        "condition": "Consequential multi-agent chain, human oversight required at authorization, full audit required",
        "recommended_mode": "hybrid_user_to_workload_chain",
        "ceiling": "C5 — personal-in-enterprise with cryptographic chain"
      }
    ]
  },
  "cross_domain_controls": {
    "description": "This profile spans four Apeiris domains. Minimum required attestations by mode tier.",
    "tier_requirements": [
      {
        "tiers": ["C1", "C2"],
        "required_attestations": ["IC-08"],
        "note": "Identity attestation is the minimum for any mode. Authority and Agentic attestations required as scope and consequence increase."
      },
      {
        "tiers": ["C3"],
        "required_attestations": ["IC-08", "AS-08"],
        "note": "Governed service accounts require security posture attestation to confirm credential management and access controls."
      },
      {
        "tiers": ["C4"],
        "required_attestations": ["IC-08", "AS-08", "PE-08"],
        "note": "Attested workload identity requires policy attestation confirming the ceiling policy is current and enforced."
      },
      {
        "tiers": ["C5"],
        "required_attestations": ["IC-08", "AS-08", "PE-08", "AG-08"],
        "note": "The hybrid chain requires behavioral attestation confirming the full delegation chain is valid and each hop is authorized."
      }
    ]
  },
  "meta": {
    "authored_on": "2026-06-29",
    "schema_version": "1.0.0",
    "endpoint": "https://apeiris.ai/integration/profiles/agent_identity_mode.json",
    "related_profiles": [
      "https://apeiris.ai/integration/profiles/structured_agent_authorization.json"
    ],
    "primary_domains": ["identity", "authority", "agentic", "security"]
  }
}
