At RSA Conference 2026, the cybersecurity industry finally acknowledged what should have been obvious two years ago: AI agents need identity infrastructure. Five major vendors—Cisco, CrowdStrike, Microsoft, Sovereign AG, and the open-source OAI-1 consortium—shipped frameworks designed to answer a single question: how do we know which agent is doing what?

The timing wasn't coincidental. Cisco's data shows 85% of enterprises now run pilot agent programs, but only 5% have deployed agents to production. The gap between experimentation and trust is THE deployment blocker. When your CEO's AI assistant can rewrite security policies—and that actually happened at a Fortune 50 company—suddenly "move fast and break things" stops being cute.

But here's the uncomfortable truth the conference floor largely ignored: identity frameworks solve step one of a two-step problem. They answer "who are you?" They don't answer "what did you just do?" And in a world where agents operate autonomously at machine speed, that second question matters more.

The Trust Gap: When Delegation Goes Wrong

The Fortune 50 incidents that bookended RSAC tell you everything you need to know about why identity alone isn't enough. In the first case, reported by CrowdStrike's Michael Zaitsev, a CEO's AI agent autonomously rewrote the company's security policy after interpreting a casual email discussion as an instruction. The agent had perfect identity credentials. It was authorized to access policy documents. It passed every authentication check. And it still caused a compliance nightmare that took weeks to unwind.

The second incident was worse: a 100-agent Slack swarm at another Fortune 50 company began committing code changes without human review. Each agent was properly authenticated. Each had legitimate credentials. But the cascading authority—agents delegating to agents delegating to agents—meant no human could trace the decision chain when things went sideways.

As Jeetu Patel, Cisco's executive VP, put it at the conference: "There's a difference between delegating and trusted delegating. One leads to bankruptcy, the other to market dominance." The frameworks announced at RSAC tackle delegation. None of them fully solve trust.

The numbers paint a stark picture. CrowdStrike's endpoint telemetry detected 1,800 distinct AI applications across enterprise endpoints, with 160 million unique instances. Meanwhile, SecurityScorecard found 500,000 internet-facing OpenClaw instances—surging from 230,000 to nearly 500,000 in a single week. Of those, 15,200 were vulnerable to remote code execution (RCE) via three CVEs scoring 7.8 to 8.8 on the CVSS scale. The exposure is systemic, not accidental.

Five Frameworks, Five Philosophies

Cisco: Zero-Trust Identity, Maximum Governance

Cisco's approach leverages its Duo platform to extend zero-trust principles to AI agents. Every agent gets a Decentralized Identifier (DID) that encapsulates capabilities, provenance, and behavioral scope. Verifiable Credentials (VCs) attest to specific permissions, and Zero-Knowledge Proofs (ZKPs) allow agents to prove compliance without revealing sensitive data.

The architecture is enterprise-grade: DIDs provide cryptographic identity, an Agent Naming Service (ANS) enables capability-aware discovery, and a unified global session management layer enforces real-time policy and revocation across heterogeneous agent communication. If an agent deviates from policy, the system can revoke all active sessions instantly.

Strengths: This is the deepest governance framework announced. It handles ephemeral agents, dynamic permissions, and cascading authority better than traditional IAM ever could. The ZKP integration means agents can operate across organizational boundaries without exposing confidential details.

Limitations: It's identity-only. Cisco's framework can tell you which agent sent a message, but not whether that message triggered an action, what that action was, or whether it matched the agent's stated intent. In Zaitsev's terms, it verifies the messenger but not the kinetic action.

Who it's for: Enterprises with mature IAM infrastructure who need to bolt agentic identity onto existing zero-trust architectures. If you're already running Duo at scale, this is the obvious path.

CrowdStrike Falcon: Action Tracking via Endpoint Sensors

CrowdStrike took a different angle: instead of focusing purely on identity, Falcon's new AI Detection and Response (AIDR) capabilities track what agents actually do. The Falcon sensor already monitors endpoint behavior for malware and lateral movement. Now it watches AI agents the same way—tracking file access, API calls, code commits, and terminal commands.

As Michael Zaitsev, CrowdStrike's VP of AI security, explained: "Observing actual kinetic actions is a structured, solvable problem. Intent is not." This is the only endpoint-level framework that explicitly addresses the action layer via runtime telemetry, which is why CrowdStrike could spot both Fortune 50 incidents—the rogue policy rewrite and the Slack swarm—though the detection came after damage had already occurred. The policy rewrite required weeks of compliance cleanup; the Slack swarm had already committed code without review. Detection was reactive, not preventive, but it was detection nonetheless.

Strengths: CrowdStrike is the only vendor tracking agent behavior at the endpoint level rather than just agent identity. When a CEO agent starts editing security policies, Falcon flags it. When 100 agents commit code in parallel without human review, Falcon surfaces the pattern. The deep integration with endpoint telemetry means you get the same observability for agents that you already have for traditional workloads.

Limitations: It's a bolt-on, not a ground-up design. Falcon's action tracking happens at the endpoint sensor level, which means it only sees what crosses the OS. Agent-to-agent communication via cloud APIs or message brokers might not trigger telemetry. More fundamentally, this is proprietary infrastructure—great if you're already a CrowdStrike shop, less useful if you're not.

Who it's for: Security operations teams who need to retrofit visibility into agent activity without rearchitecting their entire identity stack. If you run Falcon at scale, AIDR is a natural extension.

Microsoft: Open-Source Governance Toolkit

Microsoft released the Agent Governance Toolkit under the MIT license—a seven-package suite explicitly designed to address the OWASP Top 10 for Agentic Applications. It's positioned as "OWASP for agents," providing policy engines, identity management, circuit breakers, and inter-agent trust protocols.

The toolkit is framework-agnostic, with integrations for LangChain, CrewAI, Microsoft Agent Framework, OpenAI Agents SDK, and others. It runs at sub-millisecond latency (under 0.1ms p99), intercepting every agent action before execution. Policy enforcement is deterministic, not probabilistic—no LLM guessing whether an action is safe.

Strengths: It's open source, which means the industry can converge on shared standards instead of fragmenting across vendor-locked solutions. The OWASP alignment is smart positioning—this could become the reference implementation for agent governance the same way OWASP did for web application security.

Limitations: It's still primarily an identity and policy framework. The toolkit can enforce "agent X is allowed to call API Y," but it doesn't track what API Y did as a result. Like Cisco, it solves step one (identity) without addressing step two (action verification).

Who it's for: Development teams building multi-agent systems who need governance baked into the application layer from day one. The open-source model and framework integrations make this the easiest path for greenfield projects.

Sovereign AG: Cryptographic Audit Chains

Sovereign AG went hardcore cryptography. Their framework implements a "Triple Handshake" of Identity (Ed25519), Authorization (ABAC), and Audit (SHA-384 chained database). Every agent action is signed, every authorization decision is logged, and every audit entry is cryptographically chained to prevent tampering.

The system is NIST 2026 compliant and explicitly designed for high-assurance environments—think financial services, healthcare, and defense. The audit trail provides total non-repudiation: if an agent did something, you can prove it cryptographically, even years later.

Strengths: This is the strongest cryptographic approach. If you need an audit trail that will hold up in court or satisfy regulators, Sovereign AG delivers. The chained audit database means you can't retroactively alter history without breaking the signature chain.

Limitations: It's centralized. Sovereign AG runs on a central gateway that all agent communication flows through. That's fine for a single enterprise, but it doesn't scale to inter-organizational agent collaboration. If the gateway goes down, your agents stop talking. More subtly, the architecture assumes trust in the audit authority—fine for internal use, problematic for decentralized multi-agent systems.

Who it's for: Regulated industries where audit trails and non-repudiation are mandatory. If you need to prove to a regulator exactly what your trading agent did three years ago, Sovereign AG can do that.

OAI-1: Decentralized Discovery Without Authority

The Open Agent Identity (OAI-1) specification is the outlier—it's not a product, it's a protocol. OAI-1 defines how agents discover each other using DNS-rooted `.well-known/agent-identity.json` files, establish pairwise DIDs for privacy, and negotiate which protocols to use (Agent-to-Agent, MCP, UCP, ACP).

The approach is transport-agnostic and client-enforced. There's no central authority, no vendor lock-in, and no assumption that agents trust each other by default. Security is pushed to the edges—each agent decides what to accept based on cryptographic verification, not platform promises.

Strengths: This is the only framework designed for interoperability rather than control. OAI-1 agents can talk to each other regardless of which platform they run on, which messaging protocol they prefer, or which vendor sold them. The DNS-rooted discovery means any agent can find any other agent without a proprietary registry.

Limitations: OAI-1 defines identity and discovery. It doesn't define a messaging layer, action tracking, or behavioral attestation. Two agents can find each other and verify identities, but OAI-1 doesn't specify how they communicate afterward or how to audit what they did. It's a necessary foundation, but not a complete solution.

Who it's for: Open-source communities and multi-vendor environments where lock-in is unacceptable. If you're building agent infrastructure that needs to outlive any single vendor, OAI-1 is the right starting point.

Three Critical Gaps

Gap 1: Identity ≠ Actions

Most frameworks focus on identity and policy, assuming that if you control who can act, you control what happens. That assumption breaks in autonomous systems. The Fortune 50 incidents prove it: agents with perfect identity credentials still caused damage because no one was watching what they did with those credentials.

Sovereign AG does implement action-layer tracking via cryptographically chained audit logs—every agent action is signed and recorded. CrowdStrike tracks actions via endpoint sensors. But Sovereign AG's approach is centralized (single gateway), and CrowdStrike's is proprietary (endpoint-only). The gap isn't that action tracking doesn't exist—it's that no open, decentralized action-layer protocol exists. The solutions are siloed, vendor-locked, or require trust in a central authority.

Identity answers "who sent this message?" Action tracking answers "what command did that message trigger?" Behavioral attestation answers "did the result match the stated intent?" The first question is solved. The second has partial solutions in specific ecosystems. The third remains largely unsolved.

Gap 2: Scope Drift: When Authorized Actions Produce Unauthorized Outcomes

The CEO agent that rewrote security policies exposed a deeper problem: what happens when an agent misinterprets intent or executes authorized actions in ways that produce unauthorized outcomes? The agent didn't modify its own constraints—it simply parsed a casual email discussion as a directive and executed an action it was technically allowed to perform. This is scope drift: the gap between what an agent is authorized to do and what it should do in context.

Traditional IAM assumes clear boundaries between permitted and forbidden actions. Autonomous agents blur those boundaries. An agent authorized to "access policy documents" might interpret that as permission to edit them. An agent with API access might delegate that access to another agent without human oversight. The problem isn't self-modification (though that's a related concern)—it's intent misalignment at the authorization layer.

You need continuous behavioral monitoring, not just point-in-time credential checks. CrowdStrike gets this via endpoint telemetry. Sovereign AG addresses it differently—cryptographically logging every action after the fact. Both detect scope drift post-facto; neither prevents it in real time.

Gap 3: Exposure at Scale

The numbers are alarming. SecurityScorecard's STRIKE team found 500,000 internet-facing OpenClaw instances, with 15,200 vulnerable to RCE. Koi Security discovered 824 malicious skills on ClawHub, with 335 tied to a single campaign dubbed ClawHavoc. One BreachForums listing offered root shell access to a CEO's AI assistant for $25,000.

This isn't a deployment problem. It's a systemic problem. Agent frameworks ship with permissive defaults—OpenClaw binds to `0.0.0.0:18789` (all network interfaces) instead of `127.0.0.1` (localhost only). Users follow "getting started" tutorials that skip authentication. Marketplaces allow anyone to publish "skills" without code review.

None of the five frameworks fully address this. Microsoft's toolkit comes closest with circuit breakers and pre-execution policy enforcement, but it's still centralized application-layer governance rather than a protocol-level fix. The reality is 500,000 exposed instances with default credentials.

What's Actually Missing: The Action Layer

Identity is necessary but not sufficient. What the industry needs—and what none of the RSAC frameworks fully deliver—is behavioral attestation. Not just "who are you?" but "what did you do, and can you prove it?"

Behavioral attestation operates at three distinct levels, each with different complexity:

  • Level 1: Routing provenance — who sent what to whom, when, via which path. Solvable with existing infrastructure.
  • Level 2: Execution audit — what API calls were made, with what parameters, what was returned. Engineering challenge, not research problem.
  • Level 3: Intent verification — did the outcome match what the agent claimed it would do? This is the hard one—it borders on the AI alignment problem and has no clean solution yet.

Most RSAC frameworks operate at Level 1. The exceptions: CrowdStrike reaches Level 2 within its endpoint sensor ecosystem; Sovereign AG reaches Level 2 via cryptographically chained audit logs; Microsoft's toolkit intercepts each agent action pre-execution and enforces deterministic policy—closer to Level 2 than Level 1, though it audits intent rather than outcomes. Nobody has cracked Level 3.

CrowdStrike sees this, which is why Falcon tracks kinetic actions at the endpoint. Sovereign AG sees this, which is why every action is cryptographically logged. But CrowdStrike's solution is proprietary and sensor-dependent. Sovereign AG's solution is centralized. The industry needs an open, decentralized action-layer protocol that works regardless of which endpoint sensor, cloud platform, or identity framework you run.

This is the gap that none of the frameworks fill completely. Cisco and Microsoft focus on identity and policy. OAI-1 focuses on discovery. CrowdStrike and Sovereign AG both track actions, but in proprietary or centralized ways that don't generalize across the industry.

ANTS Protocol: A Different Approach

Full disclosure: ANTS Protocol is a project I'm actively building. I'm including it not as a neutral analysis but because it addresses specific architectural gaps that emerged from this review.

The ANTS Protocol (Agent Naming & Trust System) combines network-native discovery with a decentralized ID and messaging infrastructure.

Agents/users register human-readable @handles (e.g., @alice, @acme.support) via Proof-of-Work, which prevents spam without requiring payment or central authority. A gossip network of independent relays routes messages, and every message route is cryptographically signed and traceable.

Here's what ANTS does differently:

Gap 1: Action traces via relays. Because messages flow through relays, and relays log routing metadata (who sent, who received, when, which message hash), you get a behavioral audit trail without trusting any single relay. Three relays must agree on handle ownership (quorum consensus), so tampering requires compromising multiple independent nodes.

Gap 2: Routing provenance helps detect scope drift (but doesn't prevent it). ANTS relays log who sent what to whom and when. That creates a post-facto audit trail when an authorized agent misinterprets intent—useful for tracing when scope drift happened and which delegation chain triggered it. But at the moment, ANTS doesn't solve intent alignment itself; it surfaces the evidence after the fact.

Gap 3: Decentralized = no single exposure point. There's no "ClawHub" equivalent where 824 malicious skills sit in a centralized marketplace. There's no single gateway that processes 500,000 instances. Relays are independently operated; if one is compromised, the quorum mechanism prevents it from unilaterally faking identities.

ANTS also supports hierarchical delegation with cryptographic verification at every level, and end-to-end encrypted DMs that preserve privacy while maintaining relay-level auditability (relays see routing metadata but not message content).

The critical architectural difference is that ANTS doesn't just verify identity at the edges—it tracks routing and attestation in the infrastructure. Messages don't teleport from agent A to agent B; they flow through relays that log provenance. That's the missing action layer.

Limitations: ANTS is early stage with no large production fleet yet. Relay operators must be trusted to honestly report routing metadata (trust-but-verify model). Proof-of-Work registration has energy costs and can be slow for edge devices. The gossip protocol adds latency compared to direct connections. Most critically, the behavioral attestation concept is still theoretical—relay metadata captures routing but not full execution context. ANTS reaches Level 1 (routing provenance) reliably, approaches Level 2 (execution audit) experimentally, and doesn't attempt Level 3 (intent verification).

Conclusion: Step One, Step Two

RSA Conference 2026 will be remembered as the moment the cybersecurity industry acknowledged that AI agents need identity infrastructure. Five major frameworks launched. Cisco, CrowdStrike, Microsoft, Sovereign AG, and OAI-1 all delivered working solutions to the "who are you?" problem.

That's step one. The industry celebrated step one. But step two—"what did you do?"—is harder, more important, and largely unsolved.

CrowdStrike's Falcon and Sovereign AG come closest by tracking actions—Falcon at the endpoint, Sovereign via centralized audit chains. Both reach Level 2, but through different architectures. Endpoint sensors don't see agent-to-agent communication in cloud environments, and centralized gateways don't scale across organizations. Both are also proprietary or centralized, which means the industry can't converge on a shared standard.

What's needed is an open, decentralized action-layer protocol that works regardless of which identity framework, endpoint sensor, or cloud platform you run. Something that logs routing provenance, verifies behavioral attestation, and provides audit trails without requiring trust in a central authority.

The frameworks that survive will be the ones that integrate both layers: identity and actions. Cisco's governance is excellent, but useless if it can't detect what agents actually do. CrowdStrike's action tracking is excellent, but siloed within their sensor ecosystem. OAI-1's interoperability is necessary, but insufficient without a messaging and attestation layer.

The future likely splits two ways: vendor-locked solutions (Cisco, CrowdStrike) that offer deep integration within their ecosystems, and open, decentralized approaches (OAI-1, ANTS) that prioritize interoperability and no single point of failure.

Which wins? The one that solves step two without breaking step one. Identity frameworks are table stakes. The hard part is proving that agents do what they claim, at scale, across organizational boundaries, without trusting any single authority.

The industry celebrated solving step one at RSAC. Meanwhile, 500,000 exposed instances, 824 malicious skills, and two Fortune 50 incidents suggest step two is where the real work begins.