| Internet-Draft | agent-security-requirements | November 2025 |
| Ni, et al. | Expires 6 May 2026 | [Page] |
This document discusses security requirements for AI agents, covering different stages of security interactions. These include provisioning, registration, cross-domain interconnection, and access control.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 6 May 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
With the widespread application of agentic AI technology across various business scenarios, its security issues have become increasingly prominent.¶
This document aims to provide an architecture addressing security requirements across different stages of interactions of Agentic AI use cases. These includes provisioning, registration, cross-domain interconnection, and access control. This document establishes a starting point to guide Agentic AI security design, development, and implementation consideration discussions.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
+----------------+
| Master Agent |
+-^--------------+
+-+--------------+
| | Firewall |
+-+--------------+
|
-------------- (2) | Inter-domain--------------
|
+------------------+---------------------------------+
| +-+--------------+ Intra-domain |
| | | Firewall | |
| +-+--------------+ |
| +-v--------------+ |
| +-------+ Master Agent | |
| (3) | +----------------+ |
| | (1) |
| +----v-----+ +----------+ +----------+ |
| | Agent +----> Agent +----> Agent | |
| +----+-----+ +----------+ +----+-----+ |
| | | |
| +--v---------+ +---------v---+ |
| | DB | | API | |
| +------------+ +-------------+ |
+----------------------------------------------------+
¶
Figure 1. Architecture of Agent Security Control and Management¶
The architecture of agent security control and management is illustrated in Figure 1. There are four types of security interactions, in a sequential order:¶
Provisioning and Registration: Creating agent identity, establishing initial trust, provisioning agent secrets and credentials.¶
Cross-domain Interconnection: Enabling secure, authenticated communication between agents across different trust domains.¶
Access Control: The Master Agent validates both intra-domain and inter-domain access tokens, creates internal workflow and manages different credentials for heterogeneous systems.¶
Therefore, the architecture includes four components:¶
Firewall: A network security device designed to monitor, filter, and control incoming and outgoing network traffic based on predetermined security rules.¶
Master Agent: The central orchestrating entity that manages multi-agent operations, including cross-domain communication, workflow coordination, credential management, and security policy management.¶
Agents: Autonomous software entities deployed in various domains to perform specific tasks.¶
Heterogeneous systems: API endpoints, microservices, tools, and databases.¶
Figure 2 shows the diagram of provisioning and registration, which includes Agent Certificate Authority(ACA) and Agent Registry Service(ARS):¶
ACA (Agent Certificate Authority): A trusted third party that issues and manages credentials for agents.¶
ARS (Agent Registry Service): A system responsible for agent identity registration and discovery-matching.¶
+-------------------------------------------+ | | | +-----------------+ +------------------+ | | |Agent Certificate| | Agent Registry | | | |Authority(ACA) | | Service(ARS) | | | +--------^--------+ +---------^--------+ | | | | | | ++---------------------++ | | || +----------+ || | | |+-----> Agent +----+| | | | +----------+ | | | | | | | | device/container | | | +-----------------------+ | | | +-------------------------------------------+¶
Figure 2. Diagram for Provisioning and Registration¶
Identity provisioning and management are the process of creating and assigning a verifiable digital identity to an agent.¶
Initial Trust Establishment: Intial trust can be established through one or more of the following trust anchors, including, but are not limited to: a manufacturer-embedded immutable credential like an IDevID certificate; a hardware root of trust like a Trusted Platform Module (TPM) or Hardware Security Module (HSM); identity documents like an AWS Instance Identity Document or an Azure Managed Service Identity token. This step verifies the agent's execution environment (device, container, etc.) as trustworthy, allows the device or container to join the network, thereby enabling secure operations for all subsequent steps.¶
Credential Request: During a credential request, the agent must provide multiple proofs of its legitimacy, such as a Certificate Signing Request or a Proof of Possession by signing with the corresponding private key, as well as remote attestation by collecting and submitting evidence to a RATS (Remote Attestation Procedures) Verifier. Additionally, to define the agent's operational scope, the request should incorporate user identity context, binding the credential to a specific human user or an organizational role.¶
Credential Issuarance: The ACA validates proofs and requests from the above two steps, if passed, it issues an agent-specific credential that may include its owner or requester identity, capabilities, locator, acceptable validation methods for the ARS.¶
Credential Lifecycle Mangement: The ACA not only issues credentials but also defines and enforces revocation policies. These policies are triggered by specific events, such as a detected security compromise, the agent's scheduled decommissioning, or a key rotation.¶
After receiving a credential from the ACA, the agent then sends it to the ARS to authenticate itself and start the registration process.¶
Authentication: The ARS must verify the legitimacy of the credential submitted by the agent. It must be signed or otherwise endorsed by the ACA.¶
Registration: The ARS then checks if the information signed by the ACA, such as the agent's capabilities, exactly matches the registration request sent by the agent. Upon successful validation, the ARS assigns the agent a unique identifier and establishes an agent record that links the identifier to its attributes.¶
Record Management: This step automatically removes expired credentials and synchronizes with the ACA to ensure timely revocation of credentials, preventing the use of invalid or compromised credentials.¶
Agent onboarding differs between campus and cloud environments. On campus, agents use protocols like EAP-TLS for network access. In the cloud, the process involves injected sidecars, which register agents to the central service mesh registry automatically to enable communication and management.¶
Different domains may use distinct identifier schemas. Possible methods include:¶
Mutual TLS (mTLS) connection starts from the external requesting agent to the master agent. The master agent terminates the mTLS connection and parses the application layer requests. In this case, the master agent functions as an OAuth resource server, and manages internal task orchestration.¶
The master agent then verifies the identity of the requesting agent, and whether or not it has permission to the requested service or agent. Different authentication methods might be possible:¶
API keys¶
Username-password¶
Pre-shared secrets¶
Assertions (for example, JWT Authorization Grant[I-D.draft-ietf-oauth-identity-chaining-06])¶
which can even be combined with AND/OR logic. During this process, the master agent might be able to identify the caller endpoint type:¶
Since the agent may inherit its access rights from its owner or user, when authenticating requests, the validation might require integration of IAM systems for redirected verification.¶
Workflow Generation: Complex tasks often require multi-agent collaboration. The master agent receives, parses, and extracts the original job request from the external requesting agent, then create sequential workflows or parallel calls. This requires the master agent to have information of all callable internal API assets, agent capabilities, etc.¶
Downscoping: If the master agent intends to use a workflow, it extracts the original caller's identity and authorization context, and initiates a new internal workflow. It should follow the current least privilege best practice of downscoping-Transaction Tokens as specified in [I-D.draft-tulshibagwale-oauth-transaction-tokens-05]. The access rights to each downstream workload decrease.¶
Within a domain, there might exist different types of heterogeneous systems or legacy systems that require different authentication methods. They could be API endpoints, microservices, tools or databases. The exact authentication methods are determined by the service itself, for example,¶
As a result, the master agent also works as an intermediary credential manager that converts the formats, scopes, identity of the credential, bridging the gap between heterogeneous systems and platforms.¶
Examples include:¶
Static secrets (API keys) to be exchanged to short-lived, on demand credentials (bearer tokens)¶
The above information can be used as rich context that allow zero trust access control. Remote attestation results of the requesting agent could also be part of access policy decision point's inputs. Remote attestation results of the requesting agent could include the following information:¶
The overall information will be used as input of Policy Engine (PE) and Policy Decision Point (PDP).¶
Microsegmentation may be enforced to prevent lateral movement of security risks. Possible granularity of microsegmentation includes:¶
There should be policy enforcement points (PEP) at the perimeter of each segment. Each PEP can receive software-defined security policies issued by PE/PDP.¶
This document has no IANA actions.¶
TODO acknowledge.¶