AI Agent Identity: The Missing Layer in Enterprise AI
AI agents lack verifiable identity, enforceable authorization, and tamper-proof audit trails. See how Diagrid Catalyst delivers cryptographic identity, zero-trust policies, and a signed chain of custody for production AI agents.
Josh van Leeuwen
Software Engineer
Mark Fussell
CEO & Co-Founder
In our previous post, we covered how AI agents are repeating the microservices identity crisis of two decades ago, relying on static API keys instead of proper workload identity. The next question is what it actually takes to fix it.
The Trust Problem
Enterprises are deploying autonomous software that reasons, plans, and acts, calling APIs, querying databases, executing code, and interacting with other agents on behalf of the business.
But there is a fundamental problem: we have no reliable way to know who an AI agent is, what it's allowed to do, or what it has already done.
When a human employee acts in an enterprise system, the identity chain is well understood. Credentials are tied to corporate identity, access is scoped by role-based policies, and actions are logged against that identity. AI agents have none of this. Most agents operate with hardcoded API keys or shared service account tokens. There is no mechanism for an agent to prove who it is, no way for a platform team to enforce what it's permitted to do, and no tamper-proof record of the actions it took. This is the AI agent identity crisis, and it is the single biggest barrier to enterprise AI adoption.
What Is AI Agent Identity?
Agent identity answers three questions enterprises must resolve before deploying autonomous AI into production:
"Who is this agent?"
Every agent needs a verifiable, cryptographic identity. Not a name in a config file, but a provable assertion rooted in a trust chain that downstream services can independently verify, the same way mTLS certificates identify microservices to each other.
"What is this agent allowed to do?"
Identity without authorization is meaningless. Enforceable policies must define exactly what an agent can and cannot do: which workflows it can trigger, which tools it can call, which data it can access. These policies must be managed by platform and security teams, not embedded in application code.
"What has this agent done, and can we prove it?"
Compliance teams need more than log files. They need cryptographically signed, tamper-evident records that prove the full chain of custody: who was involved at every step, with verifiable proof that no one altered the record.
Why This Problem Is Hard
Agents are not microservices.
The enterprise world spent a decade building identity and access control for deterministic services (SPIFFE/SPIRE, service meshes, API gateways). AI agents break this model. An agent's behavior is non-deterministic by design. It might call different tools in different sequences depending on the LLM's reasoning, or invoke other agents in dynamic call chains no one anticipated. Identity and authorization for agents must be both cryptographically strong and capable of governing emergent behavior.
The tool ecosystem is exploding with MCP.
The Model Context Protocol (MCP) is becoming the standard interface between agents and external tools: databases, SaaS platforms, payment systems, code runners. Every new MCP server is a new attack surface where an unauthorized agent could take actions with real-world consequences. Without centralized governance of these connections, security teams face unmanageable sprawl.
Multi-agent systems compound the risk.
When Agent C takes an action, was it authorized by Agent B, which was authorized by Agent A, which was triggered by a human? Without a signed chain of custody that propagates across agent boundaries, there is no way to reconstruct or verify the decision chain.
The compliance clock is ticking.
The EU AI Act, emerging SEC guidance, and evolving SOC2 requirements all converge on a clear expectation: enterprises must demonstrate control over and accountability for their AI systems.
How Diagrid Solves It
Diagrid has built the identity and governance layer that enterprise AI agents require, delivered through Diagrid Catalyst, the managed platform for running Dapr-based applications and AI agents in production. Rather than asking enterprises to bolt security on after the fact, Catalyst embeds identity, authorization, and auditability directly into the infrastructure layer.
Watch "Who Let the Agents Out? Your client_id Is Not An Identity" for an overview and demo of Catalyst's agent and MCP Server identity and authorization.
Cryptographic Agent and MCP Server Identity.
Every agent on Catalyst receives a SPIFFE-based cryptographic identity, issued and rotated automatically. This is a certificate-backed identity that downstream services verify via standard mTLS. When an agent calls a tool or another agent, the receiving service knows exactly who is calling and can prove it.

And it is not just agents that need identity. By giving MCP servers, or any application, an identity, platform engineering teams can control the access rights of specific agents to an MCP server, or between applications and agents. Creating an identity and assigning it to any workload is a single CLI command.
Zero-Trust Declarative Policy Authorization.
Platform and security teams define which agent identities can invoke which MCP Servers and other agents using a declarative, GitOps-friendly policy-as-code. The default posture is deny-all: anything not explicitly permitted is blocked. Agents cannot exceed their granted authority, regardless of what the LLM decides to do.
In the diagram below, agents and MCP servers are given SPIFFE identities. Using declarative policies bound to those identities, agent2 allows agent1 to communicate with it, while the MCP server denies all access to its tool operations.

Using policies, the MCP Server can allow access to a single tool and deny all others, giving a finer level of access granularity. We will cover this in an upcoming blog post.
Zero-Trust Declarative Workflow Authorization.
In the same manner, platform and security teams can also define which agent identities can invoke which workflows and actions, using declarative, GitOps-friendly policy-as-code. Workflows are at the heart of agentic systems, since they implement the agent's control loop. The default posture is deny-all: anything not explicitly permitted is blocked. Agents cannot exceed their granted authority, regardless of what the LLM decides to do.
Governed Tool Connectivity.
MCP server connections are managed as infrastructure resources. Platform teams control which agents access which tools, with what credentials, under what conditions. Credentials are resolved from secret stores at runtime and never exposed to agent code. Every tool call passes through authorization and audit middleware that developers cannot skip.

Cryptographic Chain of Custody.
When agents collaborate across service boundaries, Catalyst propagates a signed execution history with every call. Each service signs the accumulated history with its own identity certificate, creating a tamper-evident chain. A downstream tool can verify the entire history before acting, confirming human approval, validation steps, and agent authorization. This is not a log someone checks later; it is a cryptographic proof verified in real time.

Durable Execution.
Agent tool calls run as durable workflows with automatic checkpointing. If an agent crashes mid-call, execution resumes from the last checkpoint without data loss or duplicate actions.
Watch "Build Reliable Agentic Apps with Aspire, MAF, and Catalyst" and "Can your AI Platform do this? LangGraph + Dapr: The Combo That Survives Production" to see how to make Microsoft or LangGraph agents durable.
Why Catalyst
Enterprises are moving from AI agent experimentation to production, and discovering that prototyping frameworks (LangChain, CrewAI, AutoGen) offer no answers for identity, security, or compliance. Cloud-native agent services from AWS, Azure, and GCP address some concerns but lock enterprises into a single cloud, offer no cryptographic chain of custody, and provide limited operator-level governance.
Catalyst is an agentic platform that combines all three pillars of enterprise agent identity:
- "Who is this agent?"
- "What is this agent allowed to do?"
- "What has this agent done, and can we prove it?"
| Enterprise Requirement | What Catalyst Delivers |
|---|---|
| Verifiable agent identity | SPIFFE-based cryptographic identity, verified via mTLS |
| Least-privilege authorization policies | Zero-trust declarative policies that deny by default |
| Governed tool access | Centrally managed MCP connections with per-tool authorization |
| Tamper-evident audit trail | Cryptographically signed chain of custody across all agent actions |
| Production reliability | Durable, checkpointed execution that survives failures |
| Human-in-the-loop controls | Agents pause for approval, with signed proof of approval |
| Open Source based | Open-source Dapr foundation, open standards (MCP, SPIFFE) |
Diagrid Catalyst is where enterprises run agents in production, with the identity, security, durability, and compliance that production demands.
The question facing CISO and SecOps teams is "how do you deploy agents without creating unacceptable security, compliance, and reliability risk?" Diagrid Catalyst is the answer.
Ready to Go to Production?
Add durable execution to your AI agents in minutes. Start free, no credit card required.