Token Security Just Made Intent the Missing Dimension in AI Agent Security. Identity Is Still the Foundation.

#ai #security #identity #agents

Token Security announced intent-based AI agent security today. Their thesis: static permissions and prompt guardrails are not enough for autonomous agents. You need to understand what an agent is designed to do before you can govern what it can access.

They are right. And the implications run deeper than their product addresses.

The Core Insight

Token Security's CEO Itamar Apelblat put it clearly:

"Prompt filtering and guardrails were not designed to fully contain the security risks introduced by autonomous AI agents."

Their five capabilities — continuous agent discovery, intent understanding, dynamic least-privilege, intent boundary enforcement, and lifecycle governance — represent a real step forward. The key insight is that two agents with identical permissions can behave completely differently depending on their goals. Static RBAC cannot capture this.

This is the same structural problem the Agents of Chaos study identified: display name spoofing enabled full agent takeover in 45 seconds because there was no way to verify who an agent actually was, let alone what it intended to do.

Intent Without Identity Is Enforcement Theater

Here is the gap: Token Security's model assumes you can observe and classify agent intent at the enterprise perimeter. You watch what agents do, compare it to what they are supposed to do, and intervene when they drift.

But what happens when:

An agent's identity is spoofed? If you cannot cryptographically verify who the agent is, your intent model is training on attacker behavior.
Agents cross organizational boundaries? Enterprise IAM stops at the firewall. When your agent calls another company's agent, who verifies intent?
The agent itself is compromised? Prompt injection can make an agent pursue malicious goals while appearing to stay within intent boundaries.

Intent-based security is a layer, not a foundation. The foundation is identity — cryptographic, verifiable, portable identity that persists across contexts.

What the Industry Convergence Shows

In the past week:

Token Security ships intent-based agent governance
Proofpoint launches AI Security with intent-based detection
Gartner creates the Guardian Agents market category
Google Cloud calls for hardware root of trust for agent identity
Orchid Security named as Representative Vendor for zero-trust agent controls

Every one of these assumes identity as a prerequisite. None of them solve it at the protocol level.

The Protocol Gap

Enterprise solutions like Token Security work within a single organization's perimeter. They can discover agents, map their access, and enforce policies because they control the environment.

But the agentic future is not contained within perimeters. Agents will negotiate with agents they have never met, across organizations, across protocols, across trust boundaries. You need:

Cryptographic identity — Ed25519 keypairs, not display names or API keys
Behavioral trust scoring — not just "is this agent authorized" but "has this agent historically done what it promised"
Cross-boundary verification — identity that works the same whether the agent is inside your org or calling from outside

This is what we build with AIP — the Agent Identity Protocol. pip install aip-identity gives any agent a cryptographic DID, verifiable signatures, a trust graph based on behavioral vouches, and encrypted messaging. No enterprise perimeter required.

The Convergence Point

Token Security's intent model and AIP's identity model are not competing — they are complementary layers:

Layer	What It Solves	Who Provides It
Identity	Who is this agent?	AIP (cryptographic DIDs)
Intent	What should this agent do?	Token Security (observed behavior)
Authorization	What can this agent access?	Enterprise IAM
Behavioral Trust	Has this agent been reliable?	AIP PDR scoring