AI agents are getting identity systems. DIDs, Ed25519 signatures, certificate-based auth - the tooling is growing fast. Microsoft shipped Entra agent identity. AgentNexus brought decentralized identifiers to autonomous agents. This is good work.
But identity only answers one question: who is this agent?
It does not answer the harder question: what did this agent actually do, and can it prove it?
Two layers, two problems
Think of it as a stack.
Layer 1 is identity. The agent holds a signing key. It can prove who it is to other systems. DID documents, Ed25519 keypairs, X.509 certificates - these all live here. The agent controls the key and uses it to authenticate.
Layer 2 is attestation. A separate system - one the agent does not control - certifies what the agent did. Server-side signatures, certifying proxies, neutral third-party receipts. The signing key never touches the agent.
The distinction matters more than it looks.
The student grading their own exam
Layer 1 alone has a structural problem. If the agent controls the signing key, a compromised agent can forge its own identity proofs. It can sign falsified logs. It can claim it did things it never did, or hide things it actually did.
Self-attestation is a student grading their own exam. It works when trust is high and stakes are low. For anything serious - compliance, audit trails, legal evidence - you need a proctor.
Layer 2 gives you the proctor. The attestation comes from something the agent cannot tamper with. A server-side signer. A certifying proxy sitting between the agent and the outside world. A receipt generated by infrastructure the agent never touches.
Why compliance needs both
Under the EU AI Act, Article 12 requires automatic logging for high-risk AI systems. But self-generated logs from the agent itself are weak evidence. If the agent produced the log and signed it with its own key, what stops a compromised agent from producing a clean log?
Tamper-evident records need to come from outside the agent. That is what Layer 2 provides.
You need Layer 1 to know who the agent is. You need Layer 2 to know what it did and that it cannot deny it. Identity plus attestation. Both layers, working together.
The current gap
Most teams building agents today are focused on Layer 1. Identity is well-understood - we have decades of PKI experience to draw from. The patterns are familiar.
Layer 2 is less explored. Tools like ArkForge are building certifying proxies. asqav takes a server-side ML-DSA-65 approach where the signing key stays on the server. These are early but they point in the right direction.
The gap is real. Teams are shipping agents with strong identity and no independent attestation. That is like having a passport with no customs stamps - you can prove who you are but not where you have been.
If you are building agent infrastructure, Layer 2 deserves as much attention as Layer 1. It is harder to get right. It is also where compliance actually lives.
Top comments (0)