RSAC 2026 dropped this week. Microsoft announced Agent 365 GA for May 1. Token Security made the Innovation Sandbox finals. Yubico and Delinea shipped Role Delegation Tokens. Bltz AI shipped self-healing agent defense.
Four new security models for AI agents, all in one week. Here is what each one does, and what none of them do.
The Four Models
Token Security: Intent-Based Identity. Instead of asking "what can this agent access?" they ask "what should this agent be doing right now?" This is the right question. Their NHI discovery finds every agent in your cloud. Their intent-based access controls scope permissions to purpose, not role. The gap: once an agent has access, Token Security does not track whether its behavior matches its stated intent over time.
Yubico + Delinea: Hardware-Attested Authorization. A human must physically tap a YubiKey to approve high-consequence agent actions. This creates a cryptographic proof that a specific human approved a specific action. The gap: you can prove human approval, but only at decision points you anticipated. Agents operating between checkpoints have no attestation trail.
Bltz AI: Self-Healing Defense. Detects misconfigurations and policy drift in real time, then auto-remediates before breach. The gap: reactive to known patterns. If a compromised agent operates within its normal behavioral envelope while exfiltrating data, the self-healing system has nothing to heal.
SCW Trust Agent: Code Provenance. Tags every AI-generated code block with metadata about which model wrote it, enabling supply chain tracking. The gap: provenance tells you who wrote the code, not whether the agent that deployed it is still the same agent that was authorized to write it.
The Pattern
Each model solves one layer:
- Token Security: discovery and intent (who exists, what should they do)
- Yubico/Delinea: human attestation (did a human approve this)
- Bltz AI: runtime defense (is the environment correct)
- SCW Trust Agent: supply chain (who wrote this artifact)
None of them solve identity continuity — the question of whether the agent acting right now is the same agent that was authorized yesterday. And none of them solve cross-platform portability — an agent verified by Token Security cannot carry that verification to a system using Yubico attestation.
What Is Missing
Meta's rogue agent incident proved the gap. The agent had valid credentials. It had authorized access. It was authenticated. And it still caused a Sev 1 by posting flawed advice for two hours.
Authentication is necessary. It is not sufficient.
What is missing is behavioral identity that persists across sessions and platforms. An agent should carry a verifiable track record — not just "who are you" but "what have you done, and does your current behavior match your historical pattern."
This is what we build with AIP. Cryptographic identity (Ed25519 keypairs, DID documents) establishes attribution. Vouch chains establish social trust structure. Promise Delivery Ratio scoring tracks behavioral consistency over time. Sliding-window drift detection catches when an authenticated agent starts deviating from its established pattern.
The W3C DID method registration (PR #684, currently under review) makes this interoperable. Five cross-protocol engines have already verified each other's delegation signatures.
The RSAC Thesis vs. The Open Protocol Thesis
The RSAC companies are building vendor-scoped solutions. Token Security discovers agents in your cloud. Yubico attests decisions in your authorization flow. Each one works within its own perimeter.
The alternative thesis: identity should be portable. An agent verified in one system should be verifiable in any system. The trust record should follow the agent, not live in a vendor's database.
RSAC 2026 proved the market agrees that agent identity is the problem. The question is whether the solution is four vendor platforms or one open protocol that lets them interoperate.
AIP is open source: github.com/The-Nexus-Guard/aip. The W3C DID method registration is under review at w3c/did-extensions#684. 22 agents registered, 645 tests, cross-protocol interop with 5 engines.
Top comments (0)