Agent Identity in 2025: Implement A2A AgentCards, AP2 Mandates, and OAuth/OIDC in 14 Days

Checklist for this guide

  • What just changed in agent identity and delegated authority
  • Architecture: human identity, agent identity, mandates, audit
  • 14‑day rollout plan with code‑level controls
  • KPIs, guardrails, and common pitfalls
  • Links to deeper playbooks on governance, observability, and checkout

Why identity is the missing piece for AI agents

In 2025, AI agents moved from demos to production workflows. Two standards are making that shift tangible: Google’s Agent Payments Protocol (AP2), which formalizes intent and cart approvals for agent‑driven purchases, and the Agent‑to‑Agent (A2A) protocol, which standardizes discovery and interop via AgentCards. For teams that sell, support, or operate online, this means you can finally give agents limited, auditable authority—without handing them the keys to the kingdom.

What just changed

  • Purchases require explicit mandates. AP2 separates a user’s intent mandate (permission to search/negotiate) from the cart mandate (final approval), giving buyers and merchants a shared audit trail for every agent transaction.
  • Interop via AgentCards. A2A requires servers to publish an AgentCard (often at /.well-known/agent.json) that declares identity, capabilities, and auth schemes—so agents can discover and invoke each other safely.
  • Enterprise support is arriving. Microsoft joined the A2A working group and is adding support in Azure AI Foundry and Copilot Studio, signaling cross‑vendor momentum.
  • Agents are getting better at computer use. Amazon’s Nova Act model reports state‑of‑the‑art results on agentic computer‑use benchmarks, raising the stakes for robust identity and authorization.

The practical identity stack for agents

Here’s a simple, defensible structure you can implement this month:

  1. Human identity (passkeys/WebAuthn + your IdP).
  2. Agent identity (A2A AgentCard describing capabilities, endpoints, required auth).
  3. Delegated authority (OAuth 2.1/OIDC tokens scoped to specific tools and workflows; AP2 intent/cart mandates for purchases).
  4. Auditability (A2A + AP2 logs tied to user, agent, scopes, and outcomes).

Note: passkeys authenticate people, not software agents. Agents should receive scoped tokens via OAuth/OIDC, not raw credentials.

14‑day rollout plan

Use this plan to add delegated authority to one high‑value workflow (e.g., refund approvals, RMA creation, or cart recovery offers):

  1. Days 1–2 — Inventory and scope. Pick a target flow. List the exact actions the agent must perform and data it must touch. Define scopes like orders.read, refunds.create, offers.apply.
  2. Days 2–3 — Publish your AgentCard. Create /.well-known/agent.json with identity, capabilities, and security schemes (e.g., OAuth 2.1 Authorization Code + PKCE).
  3. Days 3–5 — Wire OAuth/OIDC. Use your IdP to mint short‑lived, least‑privilege tokens for the agent; require proof‑of‑possession (DPoP or MTLS) for sensitive actions; bind tokens to the AgentCard’s client_id.
  4. Days 5–6 — Implement AP2 mandates for purchases. Record both intent and cart approvals with timestamps, scope, and who/what approved (user, policy, or human‑in‑the‑loop).
  5. Day 7 — Add agent attestation claims. Include immutable attributes (tool set, version, config hash) in tokens or via an Agent‑JWT/A‑JWT pattern to prevent in‑process impersonation and replay.
  6. Days 8–9 — Safety and evals. Run MCP‑tooling evals (e.g., LiveMCP‑101 style tasks) and red‑team with an MCP safety scanner to catch prompt‑injection or tool‑abuse paths.
  7. Day 10 — Observability and incident response. Emit OpenTelemetry traces for every tool call and mandate; define incident runbooks (rollback, token revocation, scope quarantine). For a blueprint, see our Agent Observability post.
  8. Days 11–12 — Governance controls. Map controls to the 2025 Agent Governance Checklist (identity, approvals, audit, retention, privacy).
  9. Days 13–14 — Pilot and review. Launch to 5–10% of traffic; review KPIs and logs; prepare a 30‑day scale‑up plan.
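
The checks from Days 3–7, combined into one resource-server gate. This is an added example, not code from A2A, AP2 or any vendor. The `cnf.jkt` thumbprint follows RFC 9449/7638; the `agent_config_hash` claim, the mandate record shape, the 600-second TTL ceiling and all sample values are assumptions made for illustration.

```python
import base64, hashlib, json, time

MAX_TTL = 600  # assumed policy ceiling (seconds) for a "short-lived" token

def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint of an EC public JWK (the DPoP cnf.jkt value)."""
    members = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canon = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(canon).digest()).rstrip(b"=").decode()

def config_hash(config):
    """Hash of the agent's tool set and version, compared with the attested claim."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()

def authorize(claims, required_scope, proof_jwk, card_client_id, running_config,
              purchase=False, mandates=(), now=None):
    """Gate one tool call; claims and the DPoP proof are assumed signature-verified."""
    now = time.time() if now is None else now
    if not claims["iat"] <= now < claims["exp"]:
        return False, "token expired or not yet valid"
    if claims["exp"] - claims["iat"] > MAX_TTL:
        return False, "token lifetime exceeds policy"
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope " + required_scope
    if claims.get("client_id") != card_client_id:
        return False, "token not issued to this AgentCard's client_id"
    if claims.get("cnf", {}).get("jkt") != jwk_thumbprint(proof_jwk):
        return False, "proof-of-possession key mismatch"
    if claims.get("agent_config_hash") != config_hash(running_config):
        return False, "agent configuration drifted from attested hash"
    if purchase:  # purchases need both mandates on record for this user
        kinds = {m["type"] for m in mandates if m["user"] == claims["sub"]}
        if not {"intent", "cart"} <= kinds:
            return False, "purchase lacks intent and cart mandates"
    return True, "ok"

# Constructed sample values (not a real key, token or AP2 mandate format).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_CONFIG = {"tools": ["orders.read", "refunds.create"], "version": "1.0.0"}
SAMPLE_CLAIMS = {"sub": "user-123", "client_id": "agent-refunds",
                 "scope": "orders.read refunds.create", "iat": 1000, "exp": 1300,
                 "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)},
                 "agent_config_hash": config_hash(SAMPLE_CONFIG)}

if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS, "refunds.create", SAMPLE_JWK,
                    "agent-refunds", SAMPLE_CONFIG, now=1100))
```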

KPIs that prove it’s working

  • Mandate coverage: % of agent transactions with both intent and cart mandates logged (target: >99%).
  • Token hygiene: average token TTL (95%).
  • Scope adherence: violations per 1,000 actions (target: 0); automated revocations executed within minutes.
  • Checkout uplift: for agentic offers/assists, measured A/B lift in conversion or AOV. See our Agentic Checkout playbook.
  • Safety metrics: Live task success rate and tool‑misuse detections per 100 tasks.

Common pitfalls (and fixes)

  • Letting agents “use passkeys.” They can’t; only humans can. Always delegate via OAuth/OIDC with least privilege and PoP.
  • Identity in payloads. Keep identity at the transport/HTTP layer per A2A; advertise auth in the AgentCard.
  • No attestation of the agent itself. Bind tokens to agent configuration (hash of prompt/tools) or use an Agent‑JWT style approach to prevent config drift impersonation.
  • Unobserved tool calls. Trace every action; define SLOs and rollback criteria. See Observability.
  • Assuming interop equals security. Interop makes scale possible; security still needs scopes, mandates, PoP, and continuous evaluation.

Where this fits in your stack

Pair identity and delegation with your broader agent platform choices and system of record. If you’re evaluating platforms, start with our Enterprise Guide to Agent Platforms and Agent System of Record. When you’re ready to wire up across vendors, use our A2A Interoperability blueprint.

Resources to go deeper

  • AP2 overview and intent/cart mandates.
  • A2A specification (AgentCards, discovery, enterprise features).
  • OIDC for Agents and Agent‑JWT proposals (identity, attestation, delegation).
  • LiveMCP‑101 and MCP security audit (evals and red‑teaming).
  • State of computer‑use agents (Nova Act).

Call to action: Want help implementing mandates, AgentCards, and scoped tokens fast? Book a working session with HireNinja—ship a secure pilot in 14 days.
