Lars

Posted on • Originally published at moltrust.ch

Two of Three: MolTrust Closes RSAC 2026's Open Agent Security Gaps

RSAC 2026 shipped five agent identity frameworks this week. Three critical gaps remained open across all of them. We closed two.

What RSAC showed us

Every major security vendor had an agent identity story. Cisco shipped agent governance. CrowdStrike announced AI agent monitoring. Microsoft extended Entra to non-human identities. Palo Alto demoed runtime agent controls.

Then CrowdStrike's CEO disclosed two Fortune 50 agent-initiated incidents — both discovered by accident. Censys showed 500,000 publicly exposed OpenClaw instances. The pattern: the industry can verify who an agent is. Nobody was tracking what the agent actually did.

Gap 2 — Delegation without verification

A 100-agent swarm runs a deployment pipeline. Agent 12 makes the commit. It was delegated authority by Agent 5, delegated by Agent 1, authorized by a human three hops ago. Can you verify that chain cryptographically? Neither OAuth, SAML, nor MCP has a primitive for agent-to-agent delegation.

MolTrust fix: verifyDelegationChain() — checks AAE delegation depth on-chain, max_depth enforcement, constraint inheritance.

const result = await verifier.verifyDelegationChain([
  "did:moltrust:orchestrator",
  "did:moltrust:worker-a",
  "did:moltrust:worker-b",
]);
// -> { valid: true, invalidAt: null, maxDepthExceeded: false }
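
The three checks named above (hop authenticity, max_depth enforcement, constraint inheritance), sketched as an added example; this is not MolTrust's code or the @moltrust/verify API. The grant record shape, the scope names, the fourth DID (worker-c), the locally generated Ed25519 keys and the in-memory lookup standing in for on-chain records are all assumptions; only the result shape mirrors the call above.

```javascript
const crypto = require("node:crypto");

// Assumed grant shape (not MolTrust's record format): { from, to, maxDepth, scopes, sig }.
// maxDepth = how many further delegation hops the recipient may create below itself.
const canon = (g) => Buffer.from(JSON.stringify([g.from, g.to, g.maxDepth, [...g.scopes].sort()]));
const signGrant = (privateKey, g) => ({ ...g, sig: crypto.sign(null, canon(g), privateKey) });

// chain: DIDs, root first. grants: signed grants. keys: Map of DID -> Ed25519 public key.
function verifyChain(chain, grants, keys) {
  let remaining = Infinity; // hops still allowed by the tightest ancestor maxDepth
  let scopes = null; // scopes held by the current delegator (null = root authority)
  for (let i = 1; i < chain.length; i++) {
    const fail = (maxDepthExceeded) => ({ valid: false, invalidAt: chain[i], maxDepthExceeded });
    const g = grants.find((x) => x.from === chain[i - 1] && x.to === chain[i]);
    const key = keys.get(chain[i - 1]);
    // Hop authenticity: the grant must exist and be signed by the delegator's key.
    if (!g || !key || !crypto.verify(null, canon(g), key, g.sig)) return fail(false);
    // Depth: an ancestor's limit binds every descendant, whatever later grants claim.
    if (remaining < 1) return fail(true);
    // Constraint inheritance: a delegate never holds a scope its delegator lacked.
    if (scopes && !g.scopes.every((s) => scopes.includes(s))) return fail(false);
    remaining = Math.min(remaining - 1, g.maxDepth);
    scopes = g.scopes;
  }
  return { valid: true, invalidAt: null, maxDepthExceeded: false };
}

// Constructed sample data: four agents with keys generated locally for this demo.
const dids = ["orchestrator", "worker-a", "worker-b", "worker-c"].map((n) => `did:moltrust:${n}`);
const pairs = dids.map(() => crypto.generateKeyPairSync("ed25519"));
const keys = new Map(dids.map((d, i) => [d, pairs[i].publicKey]));
const grant = (from, to, maxDepth, scopes) =>
  signGrant(pairs[from].privateKey, { from: dids[from], to: dids[to], maxDepth, scopes });
const grants = [
  grant(0, 1, 1, ["repo:read", "repo:commit"]), // orchestrator allows one further hop
  grant(1, 2, 5, ["repo:commit"]), // worker-a claims depth 5; the ancestor limit still wins
  grant(2, 3, 0, ["repo:commit"]),
];

console.log(verifyChain(dids.slice(0, 3), grants, keys)); // three-DID chain as on the page
console.log(verifyChain(dids, grants, keys)); // fourth hop exceeds the orchestrator's limit
```

Editing a signed grant after the fact (for example, appending a scope) fails the signature check at that hop, while a correctly signed grant that widens scopes fails the inheritance check instead.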

Gap 3 — Ghost agents

Pilot ends. Team moves on. Agent keeps running. Credentials still valid.

MolTrust fix: Automatic ghost_agent flag after 30 days of inactivity. Trust score penalty: -5 at 30d, -10 at 60d, -20 at 90d. An /agents/inactive endpoint lists these agents for operators.

{
  "did": "did:moltrust:ambassador0001",
  "trust_score": 75.0,
  "flags": ["ghost_agent"],
  "last_active": "39 days ago",
  "inactivity_penalty": -5
}

Gap 1 — Policy self-modification (open)

An authorized agent modifies the policy governing its own behavior. Every identity check passes. Nobody detects it. This needs an endpoint sensor / kinetic layer we don't have.

RFC open on GitHub: MoltyCel/moltrust-api#8 — looking for collaborators.

The scorecard

Gap               Cisco  CrowdStrike  Microsoft  Palo Alto  MolTrust
Delegation Chain  OPEN   OPEN         OPEN       OPEN       CLOSED
Ghost Agents      OPEN   OPEN         OPEN       OPEN       CLOSED
Policy Self-Mod   OPEN   partial      OPEN       OPEN       OPEN

Two out of three. The third needs a different kind of partner.


GitHub: MoltyCel/moltrust-api
npm: @moltrust/verify
Protocol WP v0.6.1: moltrust.ch/whitepaper
Gap 1 collaboration: security@moltrust.ch
