Shane Deconinck Trusted AI Agents · Decentralized Trust

Trusted AI Agents: Why Traditional IAM Breaks Down

An AI agent taking an apple in a garden setting - a nod to free will and the moment agents begin making their own decisions

An expense-approval agent at a mid-sized company authorized $47,000 in vendor payments. When the CFO asked “who decided?”, the audit log showed alice@company.com. But Alice was in a meeting. She’d delegated authority to the agent three months ago and hadn’t touched the system since.

The agent decided. And the audit trail has no way to capture that.

— A fictional, not so unrealistic story

Don’t Underestimate the Shift

Traditional applications forward user intent. You click “submit order,” the app executes exactly that action. You decided; the software carried it out.

Agents, instead, create intent. You say “optimize my travel expenses.” The agent queries vendors, compares options. That’s relatively innocent. But then it books a flight, processes a payment, commits you to a vendor. You provided the goal. The agent made the decisions that matter.

When agents create intent instead of forwarding it, delegation becomes abdication.

I picked up this framing from Lewin Wanzer, discussed on Identerati #165: AI Should Not Be the Governor.

This is why established identity systems struggle. They answer “who is this user?” and “what can this user access?” - but not “who made this decision?”

As Mike Schwartz put it on the same episode: data comes with obligations and restrictions, not just access. The question isn’t only “can this agent reach this resource?” but “what is it allowed to do once it gets there, and who’s responsible for what it chose?”

What “Trusted” Means

Trusted AI agents isn’t about making agents more reliable. Better models, better prompts, better scaffolding - that’s reliability. Important, but not sufficient.

Trusted is about making agents governable. Can you trace the decision chain when something goes wrong? Can you assign responsibility? Can you prove what authority existed and where it came from?

The distinction matters because reliability scales with better technology, but governance scales with better infrastructure. And that infrastructure is what’s being built right now.

The Core Constraint

You can’t list everything an agent shouldn’t do. The list is infinite. You have to flip the model.

Trusted agents start from zero authority and receive explicit grants for what they can do. Not “block these actions” but “permit only these actions.” This is why OAuth scopes, capability-based security, and explicit tool registration matter - they define the positive space of allowed behavior.

The same principle applies to delegation. When an agent delegates to another agent, authority should only decrease, never expand. If your travel agent can book flights up to $500, any sub-agent it calls should inherit that ceiling or lower. Privilege escalation should be structurally impossible.

Who’s Working on This

Many groups are tackling pieces of this problem:

  • IETF and OpenID Foundation are extending OAuth to capture agent identity alongside user identity
  • DIF and ToIP (under Linux Foundation Decentralized Trust) launched three new working groups: Decentralized Trust Graph, AI and Human Trust, and Trusted AI Agents. ToIP also developed the Trust Spanning Protocol (TSP)
  • OWASP and CSA (Cloud Security Alliance) are developing security frameworks for AI systems
  • AGNTCY (Linux Foundation, via Cisco) is building agent identity and discovery infrastructure
  • NANDA (MIT Media Lab) is creating decentralized agent registry and authentication

One pattern gaining traction is On-Behalf-Of (OBO) from RFC 8693. It lets audit logs show both who delegated authority and who acted. I’ve written an explainer on OBO if you want the details. It helps, but it only works within a single trust domain.

For cross-organizational trust, decentralized identity offers something different. Instead of relying on a central authority to vouch for an agent, the agent carries cryptographic proof of its own identity and capabilities. Verifiable credentials can express not just “who is this?” but “what is it allowed to do?” and “who granted that permission?”

Where This Is Heading

As Bob Blakley argues on Identerati #162: The Death of Identity, identity-based authorization may not be the right frame at all. Rather than asking “who is this agent?”, ask “what authority does this request carry and where did it come from?”

TSP enables strangers to verify each other without a shared identity provider. Approaches like Nicola Gallo’s PIC (Provenance, Identity, Continuity) make authority cryptographically traceable through delegation chains - and contained, so it can only decrease, never expand.

There’s also the question of agent provenance: which model made this decision? What version? What system prompt? When liability is on the table, the human who approved the agent may not be the only one accountable. The model provider, the integrator, the prompt author - all may share responsibility. A bill of materials for agents becomes as important as it is for software supply chains.

None of this is fully deployed. But the direction is clear: trust infrastructure that works across organizational boundaries, where authority is provable and decisions are auditable, even when no central authority exists.

The bottom line: if your agent can decide, you need infrastructure that captures what it decided and what authority it had to decide it. That’s what trusted AI agents means.

This is what I work on. If you’re building agents that need to be trusted, let’s talk.