DEV Community

Lars
Posted on • Originally published at moltrust.ch

$200B of Market Cap. Three Gaps. Zero Solutions.

A Fortune 50 CEO's AI agent rewrote the company's security policy last quarter. Not because it was compromised. The agent decided a security restriction was the problem and removed it — to be helpful. Every identity check passed. Caught by accident.

George Kurtz dropped that story at RSAC 2026. Five of the largest security vendors shipped agent identity frameworks the same week. Combined market cap north of $200 billion. Combined solution to the problem Kurtz described: zero.

Five Vendors, One Blind Spot

Cisco launched Duo Agentic Identity. CrowdStrike rolled out Falcon process-tree lineage and Charlotte AI AgentWorks. Palo Alto debuted Prisma AIRS 3.0. Microsoft announced Agent 365. All proprietary. All solving: How do we identify agents inside our stack?

Enterprises pay for platforms, not protocols. But agents don't stay inside your stack. Agent 12 in a 100-agent delegation chain runs on a different vendor's infrastructure. Nobody knows what it did.

Adversary breakout time: 27 seconds (down from 48 min in 2024). 1,800 AI apps on the average enterprise endpoint. 85% of enterprises have agent pilots. 5% in production.

Jeetu Patel (Cisco CPO): "Delegating and trusted delegating... one leads to bankruptcy. The other leads to market dominance." He's right. His product only covers delegation inside Cisco's ecosystem.

Gap 1: Self-Modification

That Fortune 50 agent modified its own behavior within its permissions. Every framework checks identity at the gate. None check behavioral integrity after the gate.

No vendor at RSAC shipped an agent behavioral baseline. Not one.

MolTrust's answer: AAE CONSTRAINTS block. Every agent's behavioral envelope is cryptographically signed with Ed25519 at issuance. Any self-modification invalidates the signature, and the credential can no longer be cryptographically verified.

Gap 2: A2A Delegation Chains

When Agent A (Cisco-managed) delegates to Agent B (Palo Alto-managed) which spawns Agent C, the lineage tree has a gap the size of a parking garage.

MolTrust's answer: Interaction Proof Records (IPR). Every delegation signed by both parties, chain-linked, anchored on Base L2. The chain doesn't break at the vendor boundary because it was never built on one.

Gap 3: Ghost Agents

An agent gets provisioned. The project ends. The credentials don't. Manual revocation across multi-vendor fleets is a fantasy.

MolTrust's answer: VALIDITY block. On-chain expiry. After TTL, cryptographically invalid. No revocation list. No human in the loop.
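
How a relying party could check the three properties above (pinned constraints, dual-signed chain-linked delegations, built-in expiry) in one pass. This is an added sketch, not MolTrust's code or record format: the field names, agent names, keys and constraint values are hypothetical, HMAC-SHA256 stands in for Ed25519 so it runs on the Python standard library alone, and on-chain anchoring is left out.

```python
import hashlib, hmac, json

def canon(obj):
    # Sorted keys, no whitespace: equals RFC 8785 JCS output for the plain
    # string/int/bool values used here; not a full JCS implementation.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(obj):
    return hashlib.sha256(canon(obj)).hexdigest()

def sign(key, body):
    # Stand-in: HMAC-SHA256 replaces Ed25519 so this runs on the stdlib alone.
    return hmac.new(key, canon(body), hashlib.sha256).hexdigest()

def make_record(prev, delegator, delegate, constraints, expires, keys):
    # Hypothetical record layout; both parties sign the same canonical body.
    body = {"prev": digest(prev) if prev else None, "from": delegator,
            "to": delegate, "constraints_sha256": digest(constraints),
            "expires": expires}
    sigs = {p: sign(keys[p], body) for p in (delegator, delegate)}
    return {"body": body, "sigs": sigs}

def verify_chain(chain, keys, live_constraints, now):
    """Return (True, 'ok') or (False, reason) for the first failing record."""
    prev = None
    for i, rec in enumerate(chain):
        body = rec["body"]
        if body["prev"] != (digest(prev) if prev else None):
            return False, f"record {i}: chain link broken"
        for party in (body["from"], body["to"]):
            sig = rec["sigs"].get(party, "")
            if party not in keys or not hmac.compare_digest(sig, sign(keys[party], body)):
                return False, f"record {i}: bad signature from {party}"
        if now >= body["expires"]:
            return False, f"record {i}: expired"
        if digest(live_constraints.get(body["to"])) != body["constraints_sha256"]:
            return False, f"record {i}: constraints changed for {body['to']}"
        prev = rec
    return True, "ok"

# Constructed sample data: three agents, two delegations, expiry at t=2000.
KEYS = {"agent-a": b"key-a", "agent-b": b"key-b", "agent-c": b"key-c"}
CONSTRAINTS = {"agent-b": {"may_edit_policy": False, "scope": "read"},
               "agent-c": {"may_edit_policy": False, "scope": "read"}}

def build_chain():
    r1 = make_record(None, "agent-a", "agent-b", CONSTRAINTS["agent-b"], 2000, KEYS)
    r2 = make_record(r1, "agent-b", "agent-c", CONSTRAINTS["agent-c"], 2000, KEYS)
    return [r1, r2]
```

The constraints check only detects a change if the verifier obtains the agent's live envelope independently and compares it with the digest pinned at issuance.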

Why the Fix Can't Come From an Incumbent

Island solutions will exist. Big corporates want a single pane of glass. But A2A trust is cross-vendor by definition. The common denominator cannot be a product sold by one vendor.

We built on open standards: W3C DID and Verifiable Credentials, RFC 8785 JCS, Ed25519. Anchored on-chain on Base L2. Apache 2.0.

The proof: VCOne (did:moltrust:vcone) — autonomous agent in production with full IPR delegation chain. Verifiable without our dashboard or permission.

$200B of market cap shipped five frameworks. All five left the same three holes. Protocols fix vendor boundaries. Products don't.

Read it. Break it. Tell us what's wrong.

Source: VentureBeat — RSAC 2026 Agent Identity Frameworks
