your agents are you, cryptographically.
every commit, every API call, every push your AI agent makes carries your identity with zero separation. the trivy breach proved mutable references and long-lived tokens are catastrophic. no open-source standard exists. this is the gap.
the trivy breach proves the thesis in production
On March 19, 2026, TeamPCP compromised Aqua Security's Trivy — one of the most widely deployed open-source vulnerability scanners — in what Palo Alto Networks called “the most sophisticated supply chain attack on a security tool to date.” The attack exploited exactly two foundational weaknesses: mutable git tag references and long-lived service account tokens.
The attackers force-pushed 76 of 77 version tags in trivy-action to point at malicious commits. Every CI/CD pipeline referencing these actions by tag silently executed attacker-controlled code, with no visible change to workflow files or release pages.
A single compromised service account — Argon-DevOps-Mgt, a bot bridging two GitHub organizations with a long-lived PAT — gave the attacker write access to both open-source and proprietary repositories.
immutable, content-addressed references would have prevented the entire tag-poisoning phase. ephemeral, proof-of-possession tokens make stolen credentials useless. when the auditor is compromised, only independent cryptographic provenance survives.
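As an added illustration (not code from the original page or from the signet/notme projects), a Go check that lists the `uses:` references in a GitHub Actions workflow and flags any that resolve through a mutable tag or branch rather than a full commit SHA, which is the reference form the tag-poisoning phase above relied on. The workflow text and the SHA in it are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Constructed sample workflow (not from any real repository): two actions
// referenced by mutable tags, one pinned to a full commit SHA (constructed value).
const sampleWorkflow = `name: ci
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5, constructed SHA
      - run: go test ./...
`
// ActionRef is one remote `uses:` entry and whether its ref is content-addressed.
type ActionRef struct {
	Line   int
	Ref    string
	Pinned bool // true only when the part after '@' is a full 40-hex commit SHA
}
var (
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([^\s#]+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
)
// FindActionRefs lists every remote action reference. A tag or branch after '@'
// is mutable and can be force-pushed to new content; only a commit SHA is not.
// Local (./) and docker:// references are skipped since they are not git refs.
func FindActionRefs(workflow string) []ActionRef {
	var refs []ActionRef
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil || strings.HasPrefix(m[1], "./") || strings.HasPrefix(m[1], "docker://") {
			continue
		}
		at := strings.LastIndex(m[1], "@")
		pinned := at >= 0 && shaRe.MatchString(m[1][at+1:])
		refs = append(refs, ActionRef{Line: i + 1, Ref: m[1], Pinned: pinned})
	}
	return refs
}

func main() {
	for _, r := range FindActionRefs(sampleWorkflow) {
		fmt.Printf("line %d: %-60s pinned=%v\n", r.Line, r.Ref, r.Pinned)
	}
}
```

Pinning to a SHA removes the force-push path; the trailing version comment is for humans and carries no trust.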
The compromised Trivy binary ran both the legitimate scan and a credential stealer simultaneously — workflows appeared normal while secrets were exfiltrated. The attack cascaded to Checkmarx KICS, LiteLLM (36% of cloud environments), and 47+ npm packages.
your agents are you, and the evidence is overwhelming
Research across ten leading AI coding tools reveals that nine out of ten use the developer's own credentials with no cryptographic separation.
| tool | identity model | separation |
|---|---|---|
| Claude Code | developer's local git config + keychain | your identity |
| Cursor | inherits existing git credentials | your identity |
| Cline | executes git via developer's config | your identity |
| Roo Code | executes git via developer's config | your identity |
| Devin | cloud sandbox, delegated GitHub access | your identity |
| Amazon Q | developer's personal tokens | your identity |
| Windsurf | developer's personal tokens | your identity |
| OpenHands | developer's personal tokens | your identity |
| Codex CLI | developer's local git config | your identity |
| GitHub Copilot Agent | agent-attributed commits | agent identity |
the pattern: prompt injection → agent acts with developer's full credentials → exfiltration. 24 CVEs across all major AI IDEs in the IDEsaster vulnerability class.
The “Clinejection” attack exploited prompt injection in a GitHub Issue to steal npm credentials. “RoguePilot” exfiltrated GITHUB_TOKEN via Copilot in Codespaces. Check Point demonstrated API key exfiltration from Claude Code before users confirmed trust dialogs.
IETF published draft-klrc-aiagent-auth-00 in March 2026 — its Security Considerations section still reads “TODO Security.”
signet is self-sovereign identity built for humans and machines: proof-of-possession certs instead of bearer tokens, for commit signing, GitHub Actions, HTTP auth, and more.
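An added sketch, not signet's code, of what proof-of-possession request auth looks like next to a bearer token: the agent signs each request with a short-lived Ed25519 key, and the service checks key expiry, a time window, a nonce replay cache, and the binding to method, path and body. Key IDs, paths and the skew window are assumptions; a stolen header here authorizes nothing beyond the one request it already covered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// PoPAuth replaces a bearer token: a signature over one specific request plus the timestamp and one-time nonce it covers.
type PoPAuth struct {
	KeyID     string
	Nonce     []byte
	Timestamp int64
	Signature []byte
}
// canonical binds method, path, body hash, time and nonce into the signed message, so a captured signature fits no other request.
func canonical(method, path string, body []byte, ts int64, nonce []byte) []byte {
	h := sha256.Sum256(body)
	return []byte(fmt.Sprintf("%s\n%s\n%x\n%d\n%x", method, path, h, ts, nonce))
}
// Sign runs on the agent; the private key never leaves it and nothing reusable goes on the wire.
func Sign(priv ed25519.PrivateKey, keyID, method, path string, body []byte, now time.Time) PoPAuth {
	a := PoPAuth{KeyID: keyID, Nonce: make([]byte, 16), Timestamp: now.Unix()}
	rand.Read(a.Nonce)
	a.Signature = ed25519.Sign(priv, canonical(method, path, body, a.Timestamp, a.Nonce))
	return a
}
// Verifier runs on the service: short-lived registered keys with their expiry, a nonce replay cache, a clock-skew window.
type Verifier struct {
	Keys    map[string]ed25519.PublicKey
	Expires map[string]time.Time
	Seen    map[string]bool
	Skew    time.Duration
}

func (v *Verifier) Verify(a PoPAuth, method, path string, body []byte, now time.Time) error {
	pub, ok := v.Keys[a.KeyID]
	switch {
	case !ok || now.After(v.Expires[a.KeyID]):
		return fmt.Errorf("unknown or expired key %q", a.KeyID) // ephemeral credential has lapsed
	case now.Sub(time.Unix(a.Timestamp, 0)).Abs() > v.Skew || v.Seen[string(a.Nonce)]:
		return fmt.Errorf("stale or replayed request") // bounded window keeps the nonce cache finite
	case !ed25519.Verify(pub, canonical(method, path, body, a.Timestamp, a.Nonce), a.Signature):
		return fmt.Errorf("signature does not cover this request")
	}
	v.Seen[string(a.Nonce)] = true // accept each proof exactly once
	return nil
}
```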
signet on github →
no open-source identity layer exists
Non-human identity is the fastest-growing segment in IAM. AI agent security is the most explosive new category. But no open-source standard exists for agent identity primitives.
NHI governance platforms
Oasis, Astrix, Clutch. Discover and manage existing identities — posture tools, not issuance infrastructure.
workload identity
SPIFFE/SPIRE, Aembit. Designed for the cooperative model — doesn't work for cross-domain agent interactions.
platform IAM giants
Microsoft Entra Agent ID, Okta for AI Agents. Agents as another row in the directory. Governance, not cryptographic identity.
secrets management
HashiCorp Vault, CyberArk Conjur. Manages credentials but doesn't provide identity.
open-source agent identity
Nearly nonexistent. This is the gap.
no open-source layer provides agent identity primitives — self-sovereign proof-of-possession certs, ephemeral machine credentials, and cryptographic provenance. signet provides the cert layer for humans and machines; notme.bot applies it to AI agents. chain hashing is shipped; DSSE envelope signing is in progress.
supply chain frameworks have a blind spot
SLSA, in-toto, keyless signing — designed for human-driven build pipelines. They track how artifacts were built, not how code was written.
“five years ago, we reached consensus that building on developer laptops is a supply chain risk. we codified that into SLSA and moved builds into hermetic pipelines. then we deployed AI agents and put them right back on developer laptops.” — Jed Salazar, Edera, March 2026
SLSA's trust boundary begins at the build system. When an agent writes code on a developer's machine, it enters the supply chain before SLSA applies. Keyless signing supports non-human identities through OIDC, but no standard OIDC schema exists for AI agents.
APAS fills the gap
| APAS level | parallels | what it adds |
|---|---|---|
| L1 audit trail | SLSA Build L1 | provenance as in-toto predicate |
| L2 signed attestations | SLSA Build L2 | signed with agent OIDC claims |
| L3 isolated execution | SLSA Build L3 | hardened, ephemeral environments |
| L4 verified inputs | beyond SLSA | prompts, context, model versions verified |
No regulatory framework addresses AI agents as code authors. NIST launched its AI Agent Standards Initiative but has no concrete standards. The EU Cyber Resilience Act will require security attestations. APAS positions itself as the standard regulators reference.
APAS has an open reference specification and implementation path.
view APAS →
the attack surface has reached critical mass
This is the dominant cybersecurity narrative of 2026. 48% of cybersecurity professionals identify agentic AI as the single most dangerous attack vector. Bessemer declared securing AI agents “the defining cybersecurity challenge of 2026.”
The Nx npm attack weaponized local AI agents via prompt injection. OWASP published its Top 10 for Agentic Applications. Microsoft coined “agent sprawl.” NIST launched its AI Agent Standards Initiative. The EU AI Act core framework becomes operational August 2, 2026.
the open-source identity layer
Not a governance dashboard. Not a workload IAM platform. Not a directory extension. The cryptographic primitives that all of these need underneath.
the problem
Your agents are you, cryptographically. The Trivy breach proved mutable references and long-lived tokens are catastrophic. Every AI coding tool except Copilot commits as the human. When an agent is compromised, the attacker inherits your full identity.
the insight
Agents aren't users — they're machines. They need machine identity, not hacked human identity. What's needed: self-sovereign proof-of-possession certs that eliminate bearer-token reuse (Signet) and cryptographic provenance chains for AI work (APAS via notme.bot). Signet ships the cert layer today; APAS DSSE signing is in progress.
the demo
| | today | with notme |
|---|---|---|
| identity | your GitHub PAT | agent's own Ed25519 cert (ML-DSA-44 ready) |
| scope | all your repos | orchestrator-enforced, per-task |
| revocation | rotate your token | near-real-time edge revoke |
| audit | no trail | signed commits + chain hash (DSSE signing coming) |
| on compromise | attacker is you | not me |
platform giants are validating the category. IETF drafts are forming. an open-source standard that gains adoption now defines how agent identity works everywhere.
The differentiation is structural — open-source, cryptographic-primitives-first, standards-defining. Signet as the identity primitive, APAS as the attestation standard, and rigorous auditability as a built-in property. Infrastructure standards that achieve adoption become the market.
the identity layer agents need
open-source. cryptographic. standards-defining.