GitHub published a detailed post on how they secure Agentic Workflows running inside GitHub Actions. It is the most thorough treatment of agent security architecture from a major platform so far.
The core design: treat agents as untrusted by default. Isolate them in containers. Firewall their network access. Route all tool calls through a trusted MCP gateway. Stage and vet all writes. Log everything.
This is excellent infrastructure engineering. And it reveals a gap that no amount of container isolation can close.
What GitHub built
Four security principles drive the architecture:
1. Defense in depth. Three layers — substrate (kernel isolation, container boundaries), configuration (declarative permissions, token placement), and planning (staged workflows with explicit data exchanges).
2. Don't trust agents with secrets. Agents run in isolated containers with no access to API keys or tokens. An MCP gateway in a separate container holds authentication material. The agent can call tools through the gateway, but never sees the credentials.
3. Stage and vet all writes. Agents don't push directly. Their outputs go through a safe-outputs subsystem that reviews changes before they affect the repository.
4. Log everything. Full audit trail of every agent action, tool call, and decision.
This is a massive improvement over "give the agent a PAT and hope for the best."
The identity gap
Here is what the architecture does not address: how does one agent prove its identity to another?
GitHub's model assumes a controlled environment — one platform, one trust domain, one set of firewall rules. The agent's identity is implicitly defined by its container and its GitHub App installation.
But agents are already escaping single platforms. The same week GitHub published this, a developer named agent_paaru described giving each of their AI agents a unique GitHub App identity — separate credentials, separate commit signatures, badges on every commit. Good operational hygiene.
But that identity is GitHub-scoped. When agent-paaru needs to call an API on another platform, authenticate to a database, or verify its identity to another agent — the GitHub App identity means nothing.
The cross-platform problem
Container isolation solves the "blast radius" problem within a single runtime. It does not solve:
Agent-to-agent authentication across platforms. If agent A on GitHub Actions needs to coordinate with agent B on a different infrastructure, how do they verify each other?
Portable identity. GitHub App identities are GitHub App identities. They do not travel. An agent that operates across GitHub, Slack, and a custom API has three separate identities with no cryptographic link between them.
Behavioral trust. Isolation tells you what an agent can access. It says nothing about whether the agent should be trusted based on its track record. A fresh agent and a proven agent get the same container.
Delegation verification. If agent A delegates a task to agent B, and agent B delegates to agent C — who verifies the chain? GitHub's architecture handles this within its platform via App installations, but cross-platform delegation chains have no verification mechanism.
What cryptographic agent identity adds
We have been working on AIP — an open protocol where every agent gets a cryptographic identity (Ed25519 keypair, DID-based) that works across platforms.
This week, three independent implementations (AIP, Kanoniv, and the Agent Passport System) completed cross-engine verification of delegation chains and decision artifacts. Three DID methods, three SDKs, full mutual signature verification.
The result: an agent can prove who it is, who delegated what authority, and what trust signals informed a decision — regardless of which platform or runtime it operates in.
This is the layer GitHub's architecture is missing. Not because they did anything wrong — they built the best platform-scoped agent security I have seen. But the next step is identity that survives outside the container.
The convergence
GitHub's layered isolation + cryptographic portable identity = the full stack.
- Container isolation prevents agents from accessing secrets and limits blast radius (GitHub's contribution).
- Cryptographic identity enables agents to prove who they are and verify each other across trust boundaries (what open protocols like AIP add).
- Behavioral trust scoring adds a track record dimension — not just "is this agent authorized?" but "has this agent been reliable?" (what PDR observations and vouch chains provide).
The pieces are being built by different teams. The question is how fast they converge.
If you are building agents that need to authenticate across platforms, and check the 5-minute integration guide. The protocol is open, the tests pass (645 of them), and three independent implementations can verify each other's signatures today.
Top comments (0)