Demo buchenDE

SPIFFE answers who. Intent answers why. You need both.

SPIFFE roots agent identity in cryptographic material. Intent governs what that verified identity is allowed to do in a given session. The two layers compose. The fallback for teams that can't ship SPIFFE this quarter is intent-bound governance above whatever credential layer they do have.

7 min read · Last updated June 2026

Kane Narraway, in a June 2026 LinkedIn note on Anthropic's Zero Trust for AI Agents whitepaper:

Anthropic released their Zero Trust for AI agents guide last week. Overall a good read, especially on the identity side. Pushes more towards the SPIFFE architecture with dedicated agent identities and not using API keys or OAuth as mentioned last week.

And then the pragmatic caveat a few sentences later:

A lot of smaller orgs will probably struggle implementing SPIFFE-like designs, and will just fall back to long lived API tokens everywhere.

Both observations are correct. SPIFFE is the right substrate for workload identity, including AI agents. Long-lived API tokens are what most teams will actually use this quarter. The interesting question is what the governance layer above either looks like, and whether the team running on OAuth tokens has to wait for a SPIFFE migration before they can govern agents seriously.

This post is about the two-layer architecture: SPIFFE (or its equivalent) at the substrate, intent-bound governance at the runtime above it. And about what the runtime layer does when the substrate isn't ideal.

What SPIFFE actually solves

Workload identity. Each process, container, function, or agent gets a cryptographically rooted identifier. The identifier (a SPIFFE ID) takes the form spiffe://trust-domain.example.com/payment-service or spiffe://trust-domain.example.com/claude-code-agent/instance-42. The identifier is delivered through an SVID (SPIFFE Verifiable Identity Document), which is typically an X.509 certificate or a JWT, signed by a trust authority that runs in the same environment.

The reason this matters for AI agents: the alternative is API keys and OAuth client credentials, both of which are bearer tokens. A bearer token in a config file is exfiltratable. A bearer token in memory survives a process restart. Anthropic puts the problem bluntly: static API keys "are among the first things an attacker with model-assisted code analysis will find."

SPIFFE's contribution is that the SVID is bound to attested workload attributes (the host's identity, the container's identity, the process's identity) and not to a long-lived secret. If you steal the file the token is in, you can't replay it from a different host because the host's identity won't match. If you compromise the host, you can use the credential but only from that host, and the runtime can detect the anomaly faster because the credential's scope is tighter.

This is what makes SPIFFE the right ceiling for workload identity. It's also what makes it hard to deploy.

What SPIFFE doesn't solve

Authorization at the action level.

A SPIFFE-issued credential tells the receiving service that the workload is who it claims to be. It doesn't tell the service whether the action the workload is currently taking is appropriate for the task it was invoked to do.

Two examples.

A Claude Code agent has a SPIFFE ID. The IdP issues it a scoped token. The session opens for the declared task "analyze retry patterns in the payments service." The agent's SPIFFE-verified identity is correct. The credential is appropriate. Mid-session, the agent attempts to export the customer transactions table. The credential check passes (the agent has read on the database; the database accepts SPIFFE-verified workloads from this domain). The action is wildly outside the declared intent.

SPIFFE didn't catch this. SPIFFE can't catch this. The verification SPIFFE performs is about identity, not about whether the verified identity should be doing this thing right now.

A second example. Sub-agent B has a SPIFFE ID. The orchestrator passes it an instruction that originated as a prompt injection upstream. Sub-agent B executes the instruction. The audit log shows: spiffe://example/sub-agent-b performed action X with valid credentials. Everything looks clean. The action was nevertheless not what the originating user asked for.

The first case is intent drift mid-session. The second case is confused deputy. Both are authorization-layer problems, not identity-layer problems. SPIFFE is necessary for both (without verified identity the rest can't work) but not sufficient.

The two-layer architecture

The working version is straightforward. The substrate is SPIFFE; the runtime is intent.

The substrate layer.

  • Each agent gets a SPIFFE ID bound to attested workload identity. Hardware-rooted where the deployment supports it (TPMs, confidential computing); container-rooted where the deployment is Kubernetes-style.
  • The SPIFFE ID is the canonical identifier in audit logs, IAM policies, and federation flows.
  • The IdP federates this identity to SaaS providers using OAuth extensions (Cross-App Access, ID-JAG) where the SaaS supports it. Where it doesn't, the IdP issues short-lived scoped credentials directly.

The runtime layer.

  • Each session opens with a declared intent.
  • The session's actions are evaluated against intent. Mismatches block or escalate.
  • The audit log captures the SPIFFE-verified identity, the session intent, and the alignment of each action.
  • Sub-agents inherit a constrained slice of the parent's intent, not the full envelope. Cross-agent instructions are evaluated against the originating intent, not just against the immediate caller's authority.

Both layers compose. The substrate makes identity hard to forge. The runtime makes credentialed identities hard to misuse.

The fallback when SPIFFE isn't ready

This is where Kane's caveat hits. Most teams won't ship SPIFFE this quarter. The honest deployment cost (SPIRE server, attestors per workload type, runtime integration) is real. For a team without a platform engineer, it's the kind of project that gets postponed.

The fallback is intent-bound governance above whatever credential layer you do have. OAuth client credentials, STS-style brokering, even shared service tokens in the worst case. The credential is weaker; the runtime layer compensates partially.

What the runtime layer can do with weaker substrate:

  • Bind each session to an intent. Even if the credential is shared or long-lived, the session is short-lived and scoped.
  • Evaluate each action against the session's intent. Even if the credential could authorize a wide envelope, the runtime narrows the effective scope to the declared task.
  • Capture an audit chain that includes the human triggering the session, the credential used, and the intent-alignment outcome. The chain compensates partially for the credential's weakness by making misuse legible.

What it can't do:

  • Prevent credential exfiltration from a compromised host. If the bearer token leaks, it leaks.
  • Distinguish a legitimate session from a session opened by a stolen credential. The intent declaration is what the attacker would also do; the alignment check catches subsequent misuse but not the initial impersonation.
  • Survive a fundamentally weak substrate indefinitely. A team running on shared API tokens for production agents is one model-assisted attacker away from a serious incident regardless of the runtime layer.

The fallback is a real defense. It's also not the answer to "we don't need SPIFFE." The honest framing is: ship intent-bound governance now, plan the SPIFFE migration over the next twelve months, and run the practical version in the meantime.

What this changes for your roadmap

The substrate decision and the runtime decision are separate. Most teams treat them as one project ("we need to figure out agent identity") and the project doesn't ship.

Split them.

The substrate question is an infrastructure roadmap item. SPIFFE is the right target if you're cloud-native; alternatives (CA-based PKI for traditional environments, managed identity for hybrid) are options. The work is real and worth doing. The timeline is quarters, not weeks.

The runtime question is a governance roadmap item. Intent-bound sessions, per-action evaluation, audit chains. This work can ship above whatever credential layer is in production today. The timeline is weeks, not quarters.

Don't wait. The substrate matters; the runtime matters more for what an attacker actually does once they have a credential. Ship the runtime layer above the credentials you have. Migrate the substrate underneath when the work is right.

Kane's pragmatic caveat is the spirit of the right answer. The architecture target is both layers. The reality of next quarter is the runtime layer above whatever substrate you can actually ship. Iden's role is consistent across both: governance above the identity layer, regardless of how cryptographically strong the layer underneath is.

Frequently asked questions

What is SPIFFE?

Secure Production Identity Framework for Everyone. A CNCF specification for workload identity in distributed systems. Each workload (service, agent, function) gets a cryptographically rooted identity called a SPIFFE ID. The identity is delivered through a SPIFFE Verifiable Identity Document (SVID), typically an X.509 certificate or a JWT, signed by a trust authority. SPIRE is the most common reference implementation. The framework solves the 'who is this workload' question in a way that API keys and OAuth client credentials don't, because the identity is bound to attested workload attributes and not to a secret that can leak.

Why is this conversation happening now?

Kane Narraway flagged it in a June 2026 LinkedIn note on Anthropic's Zero Trust for AI Agents guide: 'Pushes more towards the SPIFFE architecture with dedicated agent identities and not using API keys or OAuth as mentioned last week.' Anthropic's whitepaper recommends hardware-bound credentials with attested issuance at the Advanced tier. SPIFFE is the most mature open architecture for delivering that for workloads (including AI agents) at scale. The conversation accelerated because the alternative (long-lived API tokens grepped from a config file) has become indefensible against model-assisted attackers.

What does SPIFFE not answer?

What the verified agent should be allowed to do in a given session. SPIFFE answers identity. It doesn't carry session intent, doesn't evaluate runtime behavior against intent, doesn't catch the case where a credentialed agent drifts toward actions the originating user never asked for. The identity question and the authorization question are separate layers. SPIFFE solves the first cleanly; the second is left to whatever runs above it.

Why can't smaller orgs just deploy SPIFFE?

Kane's pragmatic note from the same piece: 'A lot of smaller orgs will probably struggle implementing SPIFFE-like designs, and will just fall back to long lived API tokens everywhere.' SPIFFE requires running a SPIRE server (or equivalent), configuring trust domains, integrating attestors per workload type, and rolling SVIDs through the runtime. For a team with three engineers and no platform team, this is real work. The benefit (cryptographic workload identity) is real, but the cost is the kind that gets postponed in favor of shipping features. The pragmatic gap is what intent-bound governance has to live with.

What's the working architecture that uses both?

SPIFFE at the substrate, intent at the runtime. Each agent has a SPIFFE ID bound to attested hardware or container identity. The IdP verifies the SPIFFE ID and issues a session-scoped credential. The session declares an intent at start. Runtime evaluation checks each action against the intent. The audit trail captures both the SPIFFE-verified identity and the session intent, so a reviewer can answer both 'who did this' and 'why was this in scope.' Neither layer is optional in the production target state.

What's the fallback if SPIFFE isn't available?

OAuth client credentials or STS-style brokering at the credential layer, intent-bound governance above. The credential is weaker than a SPIFFE-issued SVID (it's a bearer token, exfiltratable from a compromised host, not bound to hardware). Intent-bound governance reduces the blast radius of that weakness: even if the credential is stolen, the attacker has to also satisfy the session-intent check at runtime, which requires either gaming the intent declaration upstream or attempting actions that won't pass the alignment check. This isn't equivalent to SPIFFE-rooted security; it's the practical defense while teams work toward the substrate.

Is SPIFFE only for cloud-native deployments?

Mostly today, yes. SPIFFE works best where the workload's identity can be attested by the platform: Kubernetes pods, EC2 instances, GKE workloads. Bare-metal deployments and traditional VM-based systems can use it but with more integration work. Hybrid environments (mainframe + cloud) are the hardest case. Iden runs governance across all of these; the SPIFFE substrate is the cloud-native part of the story, not the universal answer.

How does this relate to Microsoft Entra Agent ID or Okta XAA?

Different layers. Entra Agent ID and Okta Cross-App Access (XAA) federate agent identity across SaaS applications via OAuth extensions like Identity Assertion Authorization Grant (ID-JAG). They solve the question 'how does the IdP tell the SaaS provider who this agent is' in a vendor-friendly way. SPIFFE solves 'how does the workload's identity get cryptographically rooted in the runtime substrate' in an infrastructure-friendly way. The two layers can coexist: SPIFFE at the workload, XAA/ID-JAG at the federation. Most production agent deployments will need both as the surface expands.

What's the minimum SPIFFE deployment for a small team?

A SPIRE server (or equivalent managed offering), node attestation for the hosts running agents, workload attestation for the agent processes, and a way to consume SVIDs in the agent runtime. For Kubernetes deployments this is mostly off-the-shelf: SPIRE deployed as a controller, node attestation via the kubelet attestor, workload attestation via the k8s_psat attestor, SVIDs delivered via Envoy or the workload API. For bare metal it's more work; for hybrid environments it's significantly more. The honest answer to 'how minimal' is 'still more than three engineers can ship in two weeks while doing their day jobs.'

Where does Iden fit relative to SPIFFE?

Iden is the layer above whatever identity substrate you run. SPIFFE-rooted environments get the strongest version: cryptographically verified identity feeds into Iden's intent evaluation, and the audit trail captures both. Non-SPIFFE environments (OAuth + STS, or even shared service tokens) get the practical version: Iden's intent layer reduces blast radius on weaker credentials, and provides the audit and lifecycle controls regardless of the substrate. The substrate decision is a deployment choice; Iden's role is consistent across both.

Related

AI agents are identities now

Why existing IAM, IGA, and PAM weren't built for AI agents. The attribution gap. Where each vendor category fails specifically. What intent-bound, ephemeral sessions actually look like in production.

Jun 2026

You can't bootstrap trust in your AI tools either

Kane Narraway argued you can't bootstrap trust at the endpoint. The same failure applies to AI tools. If you're running an AI proxy on top of unsigned MCP servers, leaked API keys, and unverified models, you've built apparent governance, not actual governance.

Jun 2026

Anthropic's framework, the deployer gaps

Reading the Anthropic Zero Trust for AI Agents whitepaper. Eight implementation phases, eight unanswered deployment questions, and why intent is the layer that resolves them.

Jun 2026