Every few months the security industry discovers that AI agents need identities, and reintroduces a problem it already solved. The current framing — "agentic identity," a new frontier requiring new primitives — is mostly wrong. What agents actually need is two old, boring, standardized things stitched together. The interesting part is not either thing. It's the stitch.

Start with the problem everyone agrees on. Agents are machine identities, and machine identities have quietly overrun the fleet. CyberArk's 2025 Identity Security Landscape puts them at more than 80 to 1 over humans, driven by cloud and AI, with API keys named among the leading breach vectors. An agent handed a static API key at deploy time is that statistic — a long-lived, over-scoped secret sitting in an environment variable, waiting to leak. This is the same secret-sprawl exposure that has haunted microservices for a decade, now multiplied by every agent you spin up.

What SPIFFE actually does#

SPIFFE — Secure Production Identity Framework For Everyone — is the CNCF-graduated answer to exactly this, and its central move is almost counterintuitive: a workload has no authentication secret at all.

The SPIFFE Workload API is served on a local Unix domain socket with no handshake, no token, nothing to steal. When a process asks for its identity, SPIRE (the runtime implementation) runs an attestor: it inspects the calling process's OS and kernel properties — its path, its uid, its Kubernetes service account, its cgroup — and matches them against registered selectors. The workload doesn't present a credential. It proves what it is, and gets back an SVID: a short-lived, auto-rotated identity document, either an X.509 certificate with the SPIFFE ID in its SAN (for mutual TLS) or a signed JWT (for HTTP). Lifetimes run around an hour and can be cut to minutes.

SPIFFE's whole idea is that identity should be something a workload is, attested from its runtime, not something it holds, waiting to be exfiltrated.

For an agent running inside infrastructure you control, this is genuinely the right answer. No baked-in key, automatic rotation, mutual authentication by default. The API-key problem, gone.

The half it doesn't touch#

Here is where the "new frontier" story quietly falls apart, and where the real engineering is.

SPIFFE answers one question: what workload is this? But an AI agent is not a normal workload. It is a single process acting on behalf of many different users, fanning out to many downstream services, each of which wants to know not just "which agent is calling" but "for whom, with what rights." That is a delegation question, and SPIFFE does not answer it. It was never meant to.

The answer to that question is also already standardized — it's just in a different document. RFC 8693, OAuth 2.0 Token Exchange, published back in 2020, defines exactly this: a subject_token for the principal you're acting on behalf of, an actor_token for the delegated actor, and a may_act claim the authorization server checks to decide whether that impersonation is even allowed. This is the on-behalf-of layer. It is the missing half of agent identity, and it is five years old.

So the actual agent-identity stack is a composition, not an invention:

Notice what nobody did: invent a new protocol. Google's A2A, now under the Linux Foundation, explicitly declined to define its own identity system and hands auth to OAuth, OIDC, or mTLS advertised in an Agent Card. The scoop of 2026 is the absence of a new primitive — the same standards bodies that already control the plumbing simply pointed agents at the primitives they shipped years ago.

The seam is the story#

If it all composes so neatly, why is anyone still writing about it? Because the composition has a seam, and the seam is exactly where agents live.

Attestation only reaches as far as your infrastructure can attest. SPIFFE gives you clean, secretless identity inside a trust domain you control — your cluster, your cloud account, your mesh. The instant the agent is a hosted SaaS agent, or makes a cross-organization A2A call to someone else's agent, you have left that trust domain. There is no shared attestor across a company boundary. You are back to federation, trust-domain bridging, and token exchange between authorities that have to be taught to trust each other.

That boundary — inside a domain I can attest versus a cross-org agent call I can only federate — is the unglamorous frontier. It's not a missing protocol; it's the operational hard part of wiring SPIFFE trust domains to OAuth authorization servers so that a delegated identity survives the hop from your infrastructure into someone else's. HashiCorp is already building toward it, shipping native SPIFFE into Vault with a secrets engine that mints JWT-SVIDs for non-human actors — plumbing to carry attested identity to the edge of the domain, where OAuth takes over.

The lesson for anyone building agents is deflating and useful in equal measure. You do not need to wait for an "agent identity standard." It exists, in pieces, and has for years. What you need to do is the integration work at the seam — and to stop deploying agents with the one thing all of this was built to abolish: a long-lived key in an environment variable.