DEV Community

Imran Siddique

Originally published at linkedin.com


A signed JWT proves who called your API. It proves nothing about the agent that made the call.

Not which system prompt defined its behavior. Not which model version ran. Not which tools were authorized. Not whether the policy bundle in memory matches what your security team reviewed. Not whether a human approved the configuration before it shipped.

Authentication answers "who is calling." Attestation answers "is the thing running right now the thing we approved." In regulated environments, it is the second question that gets your deployment signed off, and today almost nobody can answer it with anything stronger than operator documentation.

Every AI agent has ten surfaces that together define its full trust boundary: system prompt, policy bundle, tool manifest, model identity, RAG corpus, memory baseline, decision trace, delegation, supply chain, and human approvals. None of them has a standard attestation mechanism. Each one is an unguarded door.

Agent Manifest binds all ten into one signed, hardware-attestable record, so a third party who does not trust the operator can still prove what actually ran. Open spec, on track for the Linux Foundation, shipped last week at the Confidential Computing Summit. Full breakdown in my newsletter, Proof, Not Promises.
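A minimal illustration of that binding, added here as an example and not code from the Agent Manifest spec or from the author: each of the ten surfaces is digested into one record, the record is signed, and verification reports which surfaces of the running agent have drifted from the approved record. The surface keys, the HMAC stand-in for the hardware-backed signature, and the sample contents are all assumptions.

```python
import hashlib
import hmac
import json

# The ten trust surfaces named in the post (key names are assumed, not from the spec).
SURFACES = ("system_prompt", "policy_bundle", "tool_manifest", "model_identity",
            "rag_corpus", "memory_baseline", "decision_trace", "delegation",
            "supply_chain", "human_approvals")

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def build_manifest(surfaces: dict[str, bytes]) -> dict:
    """Bind a content digest for every surface. A missing surface is an error,
    because an unlisted surface is exactly the unguarded door the post describes."""
    missing = [s for s in SURFACES if s not in surfaces]
    if missing:
        raise ValueError(f"manifest incomplete, unattested surfaces: {missing}")
    return {"version": 1, "surfaces": {s: digest(surfaces[s]) for s in SURFACES}}

def canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(manifest: dict, key: bytes) -> str:
    # HMAC stands in for the hardware-backed signature; a real record would carry
    # a key rooted in the enclave's attestation report, not a shared secret.
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()

def verify_running(manifest: dict, signature: str, key: bytes,
                   running: dict[str, bytes]) -> list[str]:
    """Return the surfaces whose running content differs from the approved record.
    A bad signature rejects every surface: an unsigned manifest proves nothing."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return list(SURFACES)
    return [s for s in SURFACES if digest(running.get(s, b"")) != manifest["surfaces"][s]]

# Constructed sample: the configuration the security team reviewed and approved.
APPROVED = {s: f"approved:{s}".encode() for s in SURFACES}
KEY = b"constructed-demo-key"
MANIFEST = build_manifest(APPROVED)
SIGNATURE = sign_manifest(MANIFEST, KEY)

# Constructed drift: the policy bundle in memory no longer matches what was reviewed.
DRIFTED = dict(APPROVED, policy_bundle=b"policy edited after review")

def drifted_surfaces() -> list[str]:
    return verify_running(MANIFEST, SIGNATURE, KEY, DRIFTED)  # ['policy_bundle']
```

The JWT in the post would still validate for the drifted agent, since nothing in it covers the surface contents; the manifest check is what exposes the change.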

If you are deploying agents against regulated data: which of those ten surfaces can you prove today, and which are still running on trust?

#AIGovernance #AgentSecurity #ConfidentialComputing #OpenStandards #AgentManifest
