MiCA enforcement in 7 days. The EU AI Act follows in 5 weeks. Both require one thing that agent-to-agent communication currently lacks: verifiable identity at the message layer.
When Agent A receives a message from Agent B saying "Transfer 200 USDC to wallet 0x7f3a," Agent A has no cryptographic proof that:
- Agent B is who it claims to be
- Agent B has authority to request this transfer
- Agent B is operating under valid governance
- Agent B's organization is MiCA-authorized
The message arrives. The content looks valid. The agent acts. This is how agent impersonation attacks work, and why regulators demand identity verification at every interaction point.
The Identity Gap in Agent Messaging
HTTP APIs authenticate with API keys. Humans authenticate with passwords and MFA. Microservices authenticate with mutual TLS. AI agents communicating with each other? Most use no authentication at all beyond "I can reach this endpoint."
```python
# Current agent-to-agent communication (no identity verification):
# Agent A receives this message:
incoming_message = {
    "from": "vendor_agent_acme",  # Self-declared. No proof.
    "action": "invoice_payment_request",
    "amount": 2500,
    "wallet": "0x7f3a...",
    "reference": "INV-2026-4421"
}

# Agent A's verification: NONE
# - Is "vendor_agent_acme" actually from Acme Corp? Unknown.
# - Does this agent have authority to issue invoices? Unknown.
# - Is Acme Corp MiCA-authorized? Unknown.
# - Has this agent been compromised? Unknown.
# - Is this a replay of a legitimate past message? Unknown.

# Agent A proceeds to pay because the message format looks correct.
# Attack surface: ANY entity that can send a formatted message
# can impersonate any agent and request payments.
```
Under MiCA, a crypto-asset service provider must verify the identity of counterparties. Under the EU AI Act, autonomous systems must maintain decision traceability including "who requested this action." Without identity at the message layer, both requirements are violated.
Why API Keys Are Not Agent Identity
The common response: "We use API keys." But API keys authenticate the connection, not the agent. They prove "someone with access to this key sent the message." They do not prove:
```python
# API key limitations for agent identity:
api_key_proves = {
    "connection_authorized": True,     # Someone has the key
    "agent_identity": False,           # WHICH agent sent this?
    "agent_authority": False,          # Can this agent make this request?
    "governance_status": False,        # Is this agent under active governance?
    "organization_compliance": False,  # Is the org MiCA-authorized?
    "message_freshness": False,        # Is this a replay attack?
    "delegation_chain": False          # Who authorized this agent to act?
}

# In a multi-agent system with 50 agents sharing infrastructure:
# One API key = access for all 50 agents
# If one agent is compromised, all 50 can be impersonated
# No way to distinguish legitimate from compromised agent messages

# With rosud-call identity-verified messaging:
from rosud_call import Channel, AgentIdentity

channel = Channel.create(
    identity=AgentIdentity(
        # Every message is cryptographically signed by the sending agent
        signing="per_agent_key",  # Not shared API key
        # Identity includes governance attestation
        attestation={
            "agent_id": "vendor_agent_acme_procurement",
            "organization": "acme_corp",
            "authority_scope": ["invoice_issuance", "payment_requests"],
            "governance_status": "active",  # Verified in real-time
            "mica_authorization": "DE_BaFin_2026_04421",
            "delegation_chain": ["acme_cfo", "finance_policy_FP-112"],
            "valid_until": "2026-12-31T23:59:59Z"
        },
        # Replay protection
        nonce="unique_per_message",
        timestamp_tolerance_ms=5000,
        # Mutual verification (both sides prove identity)
        mutual=True  # Receiver also proves identity to sender
    )
)

# Now when Agent A receives a payment request:
# 1. Signature verified (cryptographic proof of sender)
# 2. Authority checked (can this agent issue invoices?)
# 3. Governance confirmed (is agent under active governance?)
# 4. MiCA status verified (is org authorized in EU?)
# 5. Freshness confirmed (not a replay)
# Time: < 50ms. Transparent to the agents.
```
The MiCA Identity Chain
MiCA Article 67 requires service providers to maintain records that identify counterparties in every transaction. For agent-to-agent transactions, this means the communication layer must establish identity BEFORE the payment layer processes the transaction:
```python
# The identity verification sequence for MiCA compliance:

# Step 1: Agent identity (rosud-call layer)
# "Who is sending this message?"
# → Cryptographic proof: Agent B, deployed by Acme Corp
# → Authority: authorized for payment requests up to 5000 EUR
# → Governance: active, policy version 2.4.1

# Step 2: Organization identity (rosud-call layer)
# "Is the sending organization MiCA-authorized?"
# → MiCA license: DE_BaFin_2026_04421 (verified against registry)
# → Status: active, last audit: 2026-03-15

# Step 3: Request validation (rosud-pay layer)
# "Is this payment request within bounds?"
# → Amount within agent's authority scope
# → Recipient wallet matches known Acme Corp wallets
# → Budget available for this transaction

# Step 4: Compliance record (both layers)
# "Can we prove this to a regulator?"
# → Full identity chain: agent → org → authorization → governance
# → Stored: machine-readable, 5-year retention
# → Queryable: regulator API access

import rosud_pay  # needed for rosud_pay.process below
from rosud_call import IdentityChain
from rosud_pay import ComplianceRecord

# incoming_payment_request and block_and_alert are supplied by the
# receiving application; they are not defined in this snippet.

# Unified identity-to-payment verification:
verification = IdentityChain.verify(
    message=incoming_payment_request,
    checks=["agent_signature", "org_mica_status", "authority_scope",
            "governance_active", "replay_protection"],
    on_success=lambda: rosud_pay.process(incoming_payment_request),
    on_failure=lambda reason: block_and_alert(reason),
    compliance_record=ComplianceRecord(
        format="MiCA_Article_67",
        retention="5_years",
        regulator_accessible=True
    )
)
```
What Happens Without Message-Layer Identity
Without cryptographic identity at the communication layer, agent systems face three attack vectors that regulators will ask about:
- Impersonation: attacker sends message claiming to be a legitimate agent
- Authority escalation: compromised agent claims higher spending authority
- Replay attacks: legitimate past messages re-sent to trigger duplicate payments
All three are trivial to execute when messages carry no cryptographic identity proof. All three violate MiCA record-keeping requirements.
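To make the receiver-side checks concrete, here is an added example (not rosud-call's code or API) of a verifier that rejects each of the three cases above, using only the Python standard library. It assumes a per-agent shared secret with HMAC-SHA256 standing in for a per-agent signature key; the key material, the `treasury_transfer` action and the in-memory registries are constructed for illustration.

```python
import hashlib, hmac, json, time

# Constructed per-agent secrets; HMAC stands in for a per-agent signing key.
AGENT_KEYS = {"vendor_agent_acme_procurement": b"constructed-demo-key-1"}
# Constructed receiver-side registry of the actions each agent may request.
AUTHORITY = {"vendor_agent_acme_procurement": {"invoice_payment_request"}}
TOLERANCE_MS = 5000   # same tolerance as timestamp_tolerance_ms above
seen_nonces = set()   # (agent, nonce) pairs already accepted

def canonical(body):
    # Stable byte encoding so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(agent_id, key, action, amount, nonce, now_ms):
    body = {"from": agent_id, "action": action, "amount": amount,
            "nonce": nonce, "ts": now_ms}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}

def verify(msg, now_ms):
    body = msg["body"]
    key = AGENT_KEYS.get(body.get("from"))
    if key is None:
        return "reject: unknown agent"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("sig", "")):
        return "reject: bad signature"            # impersonation
    if body["action"] not in AUTHORITY.get(body["from"], set()):
        return "reject: outside authority scope"  # authority escalation
    if abs(now_ms - body["ts"]) > TOLERANCE_MS:
        return "reject: stale timestamp"          # delayed replay
    if (body["from"], body["nonce"]) in seen_nonces:
        return "reject: replayed nonce"           # immediate replay
    seen_nonces.add((body["from"], body["nonce"]))
    return "accept"

def demo():
    now = int(time.time() * 1000)
    aid, key = "vendor_agent_acme_procurement", AGENT_KEYS["vendor_agent_acme_procurement"]
    good = sign(aid, key, "invoice_payment_request", 2500, "n-1", now)
    forged = sign(aid, b"not-the-agent-key", "invoice_payment_request", 2500, "n-2", now)
    escalated = sign(aid, key, "treasury_transfer", 2500, "n-3", now)
    old = sign(aid, key, "invoice_payment_request", 2500, "n-4", now - 60000)
    # The final entry resends the already-accepted message unchanged.
    return [verify(m, now) for m in (good, forged, escalated, old, good)]

if __name__ == "__main__":
    print(demo())
```

The signature is checked before any other field is trusted, and a nonce is recorded only after every check passes; a long-running receiver would also expire nonce entries older than the timestamp tolerance.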
The Bottom Line
In 7 days, MiCA requires counterparty identification in every crypto-asset transaction. The communication between agents, where transactions are initiated and negotiated, currently carries zero verifiable identity.
rosud-call provides cryptographic agent identity at the message layer. Every message signed. Every authority verified. Every governance status confirmed. Every interaction MiCA-auditable. Identity is not an application feature. It is a communication infrastructure requirement.
Your agents cannot prove who they are to each other. In 7 days, that becomes a compliance violation.
Add verifiable identity to agent messaging: rosud.com/docs