
Agent inventory + drift detector

A fixture inventory of seven agents across four attestation surfaces. Eight drift rules (AGT01–AGT08) flag the failure modes that come up most often in consulting engagements: long-lived secrets, missing attestation, scope drift since baseline, dormant agents, audit gaps, and shared workload identities.

Inventory

| Agent | Identity | Owner | Attestation | Scopes | Last seen | Long-lived secret | Emits act |
|---|---|---|---|---|---|---|---|
| code-reviewer (GitHub Actions) | spiffe://prod/agent/code-reviewer/v3 | platform-eng | github-oidc | read:repo write:issues | 2026-05-10 | no | yes |
| calendar-assistant (Azure MI) | spiffe://prod/agent/calendar-assistant/v1 | productivity | azure-managed-id | read:calendar write:calendar read:mail | 2026-05-08 | no | yes |
| finance-summarizer (Nitro Enclave) | spiffe://prod/agent/finance-summarizer/v2 | finance-platform | aws-nitro | read:reports | 2026-05-05 | no | yes |
| legacy-bot (no attestation) | legacy://bot-7 | unknown | none | * | 2026-05-09 | yes | no |
| old-summarizer (dormant) | spiffe://prod/agent/old-summarizer/v1 | former-team | github-oidc | read:repo write:repo | 2025-12-19 | no | no |
| support-helper-A (shared cred) | shared://support-helpers | support-eng | none | read:tickets write:tickets | 2026-05-10 | yes | no |
| support-helper-B (shared cred) | shared://support-helpers | support-eng | none | read:tickets write:tickets | 2026-05-10 | yes | no |

Drift findings (18)

CRITICAL AGT01

Long-lived secret in use

agent: agt-legacy-bot

Agent legacy-bot (no attestation) authenticates with a long-lived API key or static credential. A leaked secret is reusable indefinitely; nothing about the request is bound to the workload that issued it. This is the dominant agent-identity failure mode in 2026.

fix: Replace with a federated workload identity: GitHub Actions OIDC, AWS IAM Roles Anywhere, Azure managed identity, or GCP workload identity federation. Issue short-lived tokens (5–15 minutes), re-exchange on demand.

standards: NIST SP 800-63-4 (NPE) · CIS Controls v8 5.5 · OWASP NHI Top 10 NHI04

CRITICAL AGT06

Delegating user no longer active

agent: agt-legacy-bot

Agent legacy-bot (no attestation) is configured to act on behalf of a user whose account is inactive. The agent retains effective authority that the human-side offboarding process did not retract.

fix: Tie agent identity lifecycle to the lifecycle of its delegating principal. Disable the agent at the same time the user is offboarded; require explicit re-binding to a current user before re-enabling.

standards: NIST SP 800-63-4 (NPE) · NIST CSF 2.0 GV.RR · CIS Controls v8 5

CRITICAL AGT01

Long-lived secret in use

agent: agt-shared-credential

Agent support-helper-A (shared cred) authenticates with a long-lived API key or static credential. A leaked secret is reusable indefinitely; nothing about the request is bound to the workload that issued it. This is the dominant agent-identity failure mode in 2026.

fix: Replace with a federated workload identity: GitHub Actions OIDC, AWS IAM Roles Anywhere, Azure managed identity, or GCP workload identity federation. Issue short-lived tokens (5–15 minutes), re-exchange on demand.

standards: NIST SP 800-63-4 (NPE) · CIS Controls v8 5.5 · OWASP NHI Top 10 NHI04

CRITICAL AGT01

Long-lived secret in use

agent: agt-shared-credential-b

Agent support-helper-B (shared cred) authenticates with a long-lived API key or static credential. A leaked secret is reusable indefinitely; nothing about the request is bound to the workload that issued it. This is the dominant agent-identity failure mode in 2026.

fix: Replace with a federated workload identity: GitHub Actions OIDC, AWS IAM Roles Anywhere, Azure managed identity, or GCP workload identity federation. Issue short-lived tokens (5–15 minutes), re-exchange on demand.

standards: NIST SP 800-63-4 (NPE) · CIS Controls v8 5.5 · OWASP NHI Top 10 NHI04

HIGH AGT03

Scope drift since baseline

agent: agt-calendar-assistant

Agent calendar-assistant (Azure MI) now holds scopes that were not in its onboarding baseline: read:mail. Scope accretion is the agent-side equivalent of a human user accumulating permissions across role changes.

fix: Re-baseline against current task requirements. Remove scopes the agent does not actively use. Add a quarterly access review for non-human identities.

standards: CIS Controls v8 6.8 · NIST SP 800-53 AC-2 / AC-6

HIGH AGT02

No workload attestation

agent: agt-legacy-bot

Agent legacy-bot (no attestation) has no platform attestation. The audit trail cannot distinguish "this workload" from "anything that holds the secret." Compromise of the runner is indistinguishable from legitimate use.

fix: Move the workload onto a platform with built-in attestation (GitHub Actions, Azure managed identity, AWS Nitro, GCP WIF, TPM-backed host). Bind the agent token's cnf claim to the attested key.

standards: NIST AI 600-1 §2.5 · CSA AI Controls Matrix · NIST CSF 2.0 PR.AA

HIGH AGT03

Scope drift since baseline

agent: agt-legacy-bot

Agent legacy-bot (no attestation) now holds scopes that were not in its onboarding baseline: *. Scope accretion is the agent-side equivalent of a human user accumulating permissions across role changes.

fix: Re-baseline against current task requirements. Remove scopes the agent does not actively use. Add a quarterly access review for non-human identities.

standards: CIS Controls v8 6.8 · NIST SP 800-53 AC-2 / AC-6

HIGH AGT04

Wildcard scope on agent identity

agent: agt-legacy-bot

Agent legacy-bot (no attestation) holds a wildcard scope. RFC 8693 token exchange is intended to issue the smallest possible scope per task, not preserve admin-equivalent authority across delegations.

fix: Enumerate the actual scopes the agent requires per task type. Issue a different token per task. Revisit any tooling that requires wildcard scope.

standards: OWASP API Top 10 API5 · CIS Controls v8 6.8

HIGH AGT03

Scope drift since baseline

agent: agt-dormant-summarizer

Agent old-summarizer (dormant) now holds scopes that were not in its onboarding baseline: write:repo. Scope accretion is the agent-side equivalent of a human user accumulating permissions across role changes.

fix: Re-baseline against current task requirements. Remove scopes the agent does not actively use. Add a quarterly access review for non-human identities.

standards: CIS Controls v8 6.8 · NIST SP 800-53 AC-2 / AC-6

HIGH AGT02

No workload attestation

agent: agt-shared-credential

Agent support-helper-A (shared cred) has no platform attestation. The audit trail cannot distinguish "this workload" from "anything that holds the secret." Compromise of the runner is indistinguishable from legitimate use.

fix: Move the workload onto a platform with built-in attestation (GitHub Actions, Azure managed identity, AWS Nitro, GCP WIF, TPM-backed host). Bind the agent token's cnf claim to the attested key.

standards: NIST AI 600-1 §2.5 · CSA AI Controls Matrix · NIST CSF 2.0 PR.AA

HIGH AGT08

Workload identity shared across agents

agent: agt-shared-credential

Agent support-helper-A (shared cred) shares a credential or workload identity with: agt-shared-credential-b. Audit logs cannot distinguish which agent took which action; revocation of one disables the others.

fix: Provision a distinct workload identity per agent. Use SPIFFE IDs or provider-native per-workload identities. Never share a credential across agents 'because it was easier'.

standards: NIST SP 800-53 AC-2(9) · CIS Controls v8 5.4 · SPIFFE workload identity

HIGH AGT02

No workload attestation

agent: agt-shared-credential-b

Agent support-helper-B (shared cred) has no platform attestation. The audit trail cannot distinguish "this workload" from "anything that holds the secret." Compromise of the runner is indistinguishable from legitimate use.

fix: Move the workload onto a platform with built-in attestation (GitHub Actions, Azure managed identity, AWS Nitro, GCP WIF, TPM-backed host). Bind the agent token's cnf claim to the attested key.

standards: NIST AI 600-1 §2.5 · CSA AI Controls Matrix · NIST CSF 2.0 PR.AA

HIGH AGT08

Workload identity shared across agents

agent: agt-shared-credential-b

Agent support-helper-B (shared cred) shares a credential or workload identity with: agt-shared-credential. Audit logs cannot distinguish which agent took which action; revocation of one disables the others.

fix: Provision a distinct workload identity per agent. Use SPIFFE IDs or provider-native per-workload identities. Never share a credential across agents 'because it was easier'.

standards: NIST SP 800-53 AC-2(9) · CIS Controls v8 5.4 · SPIFFE workload identity

MEDIUM AGT07

Tokens issued without act claim

agent: agt-legacy-bot

Agent legacy-bot (no attestation) produces tokens that do not include the RFC 8693 `act` claim. Audit logs on the receiving service record the human user as the actor, even though the agent is the one executing — making post-incident attribution impossible.

fix: Switch the agent token issuer to RFC 8693 token exchange. Populate `sub` with the user, `act` with the agent workload identity. Confirm receiving services log both.

standards: OAuth RFC 8693 (act claim) · NIST SP 800-92 audit guidance · NIST CSF 2.0 DE.AE

MEDIUM AGT05

Dormant agent (last seen 142d ago)

agent: agt-dormant-summarizer

Agent old-summarizer (dormant) has not been observed acting in 142 days. Dormant agents accumulate access without producing detection signal. They are also the agent population most likely to be quietly resurrected by an attacker.

fix: Treat any non-human identity dormant beyond your threshold (typically 90 days) as a leaver. Disable the workload, revoke the credential, document the retirement.

standards: CIS Controls v8 5.3 · NIST SP 800-53 AC-2(3)

MEDIUM AGT07

Tokens issued without act claim

agent: agt-dormant-summarizer

Agent old-summarizer (dormant) produces tokens that do not include the RFC 8693 `act` claim. Audit logs on the receiving service record the human user as the actor, even though the agent is the one executing — making post-incident attribution impossible.

fix: Switch the agent token issuer to RFC 8693 token exchange. Populate `sub` with the user, `act` with the agent workload identity. Confirm receiving services log both.

standards: OAuth RFC 8693 (act claim) · NIST SP 800-92 audit guidance · NIST CSF 2.0 DE.AE

MEDIUM AGT07

Tokens issued without act claim

agent: agt-shared-credential

Agent support-helper-A (shared cred) produces tokens that do not include the RFC 8693 `act` claim. Audit logs on the receiving service record the human user as the actor, even though the agent is the one executing — making post-incident attribution impossible.

fix: Switch the agent token issuer to RFC 8693 token exchange. Populate `sub` with the user, `act` with the agent workload identity. Confirm receiving services log both.

standards: OAuth RFC 8693 (act claim) · NIST SP 800-92 audit guidance · NIST CSF 2.0 DE.AE

MEDIUM AGT07

Tokens issued without act claim

agent: agt-shared-credential-b

Agent support-helper-B (shared cred) produces tokens that do not include the RFC 8693 `act` claim. Audit logs on the receiving service record the human user as the actor, even though the agent is the one executing — making post-incident attribution impossible.

fix: Switch the agent token issuer to RFC 8693 token exchange. Populate `sub` with the user, `act` with the agent workload identity. Confirm receiving services log both.

standards: OAuth RFC 8693 (act claim) · NIST SP 800-92 audit guidance · NIST CSF 2.0 DE.AE

Two questions to ask any agent in your environment

  1. Whose authority does this agent hold, and how is that recorded in the audit log? If the answer is "the user's, and the log doesn't say it was the agent" — that's AGT07.
  2. What stops the credential from being reused if the container is compromised? If the answer is "nothing, it's a long-lived API key" — that's AGT01, and it's the single most common finding.
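
The drift rules applied to the fixture inventory, as an added example (not this lab's own code). It evaluates the seven rules that can be derived from the inventory columns and reproduces 17 of the 18 findings above; AGT06 is left out because the delegating user's account status is not in the table. The evaluation date, the baseline scopes and the short agent names are assumptions reconstructed from the findings.

```python
from collections import defaultdict
from datetime import date

TODAY = date(2026, 5, 10)   # assumed evaluation date: newest "last seen" in the table
DORMANT_DAYS = 90           # threshold the AGT05 fix text calls typical

# Rows from the page's fixture inventory:
# (name, identity, attestation, scopes, last_seen, long_lived_secret, emits_act)
INVENTORY = [
    ("code-reviewer", "spiffe://prod/agent/code-reviewer/v3", "github-oidc", "read:repo write:issues", "2026-05-10", False, True),
    ("calendar-assistant", "spiffe://prod/agent/calendar-assistant/v1", "azure-managed-id", "read:calendar write:calendar read:mail", "2026-05-08", False, True),
    ("finance-summarizer", "spiffe://prod/agent/finance-summarizer/v2", "aws-nitro", "read:reports", "2026-05-05", False, True),
    ("legacy-bot", "legacy://bot-7", "none", "*", "2026-05-09", True, False),
    ("old-summarizer", "spiffe://prod/agent/old-summarizer/v1", "github-oidc", "read:repo write:repo", "2025-12-19", False, False),
    ("support-helper-A", "shared://support-helpers", "none", "read:tickets write:tickets", "2026-05-10", True, False),
    ("support-helper-B", "shared://support-helpers", "none", "read:tickets write:tickets", "2026-05-10", True, False),
]

# Assumption: onboarding baselines are not shown on the page. These are
# reconstructed from its AGT03 findings; agents not listed have no drift.
BASELINE = {"calendar-assistant": "read:calendar write:calendar",
            "legacy-bot": "", "old-summarizer": "read:repo"}

def detect(inventory=INVENTORY, baseline=BASELINE, today=TODAY):
    """Return (rule, agent, message) tuples for every rule an agent trips."""
    sharing = defaultdict(list)          # identity -> agents presenting it
    for name, ident, *_ in inventory:
        sharing[ident].append(name)
    findings = []
    for name, ident, attest, scopes, seen, secret, act in inventory:
        held = set(scopes.split())
        added = held - set(baseline.get(name, scopes).split())
        idle = (today - date.fromisoformat(seen)).days
        checks = [
            ("AGT01", secret, "long-lived secret in use"),
            ("AGT02", attest == "none", "no workload attestation"),
            ("AGT03", bool(added), "scope drift: " + " ".join(sorted(added))),
            ("AGT04", "*" in held, "wildcard scope"),
            ("AGT05", idle > DORMANT_DAYS, f"dormant, last seen {idle}d ago"),
            ("AGT07", not act, "tokens issued without act claim"),
            ("AGT08", len(sharing[ident]) > 1, "workload identity shared"),
        ]
        findings += [(rule, name, msg) for rule, hit, msg in checks if hit]
    return findings

if __name__ == "__main__":
    for finding in detect():
        print(*finding)
```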