Identity-Conscious Governance for Autonomous AI Agents: A Framework for Enterprise Authorization, Delegation, and Auditing
Keywords: Identity-Conscious Governance, Autonomous AI Agents, Enterprise Authorization, Delegation, Auditing

Abstract
AI agent systems capable of autonomous operation in enterprise environments are swiftly evolving from research prototypes to production implementations. These technologies acquire ambient credentials, function non-deterministically, and lack standardised methods for associating actions with human identity, resulting in a security posture that is fundamentally incompatible with organisational governance standards. This paper introduces a thorough framework for identity-aware agent governance that addresses five significant deficiencies in existing architectures: (1) the elimination of ambient authority via identity-inherited permissions, (2) infrastructure-level policy enforcement that is independent of model compliance, (3) sequence-aware authorisation capable of identifying composition attacks within the authorised scope, (4) independent action verification that tackles the oracle problem of agents self-reporting their actions, and (5) hallucination-aware audit systems that account for the unreliability of LLM reasoning. Our analysis is based on documented vulnerabilities from production agent systems, including the ClawHavoc supply chain attack (over 824 malicious agent skills), Cisco's discovery that 26% of analysed agent skills exhibit security vulnerabilities, and an architectural examination of credential inheritance patterns in Claude Code Agent Teams, Cursor FastRender (2,000 concurrent agents), and OpenClaw (over 30,000 internet-exposed instances). We assess the relevance of current standards (OAuth 2.0, SPIFFE/SPIRE, Zero Trust Architecture, MCP) and pinpoint the particular changes necessary for non-deterministic agent processes. Our primary contribution is a stratified identity model utilising cryptographic delegation tokens that propagate human authorisation throughout multi-agent chains, facilitating per-call policy assessment at the infrastructure level.