AIDA (AI Agent Identity and Delegated Authority) is a cryptographic protocol for binding AI agents to human principals with exact action scopes, transaction limits, and account allowlists. It answers the question regulators are now asking: who authorized this AI agent, what was it permitted to do, and did it stay within those boundaries? AIDA is a capability of SmartFlow, APERION's AI governance control plane.
The Problem: AI Agents Without Identity
AI agents are no longer limited to generating text. They initiate wire transfers, execute trades, access customer records, connect to enterprise systems through MCP and A2A protocols, and take actions with real-world consequences. In financial services alone, AI agents are now involved in payment processing, compliance reporting, portfolio rebalancing, and customer communication.
Yet there is no widely adopted standard for AI agent identity. When an AI agent accesses a system, there is typically no cryptographic proof of who authorized it, what it was permitted to do, or whether it exceeded its authority. Traditional identity and access management was designed for humans clicking buttons and applications calling APIs. AI agents are neither.
The March 2026 OpenClaw incident demonstrated the consequences. Over 21,000 exposed AI agent instances were connected to enterprise systems through OAuth tokens with broad permissions, and agents moved laterally across Slack, Google Workspace, and internal APIs without triggering security alerts. The problem was not malicious intent. It was architectural: agents with access but no governance.
How AIDA Works
AIDA introduces the concept of an Agent Credential: a signed, revocable authorization document that binds an AI agent to a human or institutional principal. The credential encodes exactly what the agent may do.
Each credential contains: a unique identifier (the audit trail anchor), the principal who authorized the agent (maps to the human's identity in the enterprise directory), enumerated action scopes (ReadOnly, InitiatePayments, ExecuteTrades, SubmitFilings, or custom), per-transaction dollar limits, an explicit account allowlist, a hard expiry timestamp, and a SHA-256 fingerprint for tamper detection.
Enforcement runs inside SmartFlow's proxy before any LLM call or tool invocation executes. The ScopeEnforcer checks revocation, expiry, fingerprint integrity, scope authorization, transaction limits, and account allowlists in sequence, failing closed on any error. Every enforcement decision is recorded in the VAS audit log.
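The credential fields and the check sequence above, as an added illustrative sketch written for this page rather than SmartFlow's own code; the field names (credential_id, authorized_scopes, max_transaction_amount, account_allowlist, expires_at) and the canonical JSON used for the SHA-256 fingerprint are assumptions, and the constructed credential in the test stands in for one issued through the AIDA API.

```python
import hashlib
import json
import time
from dataclasses import dataclass

# Illustrative sketch of the check sequence; field names are assumptions.
@dataclass
class AgentCredential:
    credential_id: str
    principal_id: str
    authorized_scopes: frozenset
    max_transaction_amount: float
    account_allowlist: frozenset
    expires_at: float      # Unix timestamp
    fingerprint: str = ""  # SHA-256 over the canonical fields, set by seal()

    def canonical_bytes(self) -> bytes:
        body = {
            "credential_id": self.credential_id,
            "principal_id": self.principal_id,
            "authorized_scopes": sorted(self.authorized_scopes),
            "max_transaction_amount": self.max_transaction_amount,
            "account_allowlist": sorted(self.account_allowlist),
            "expires_at": self.expires_at,
        }
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def seal(self):
        self.fingerprint = hashlib.sha256(self.canonical_bytes()).hexdigest()
        return self

def enforce(cred, scope, amount, account, revoked, now=None):
    """Return (allowed, reason); checks run in the stated order and fail closed."""
    now = time.time() if now is None else now
    try:
        if cred.credential_id in revoked:
            return False, "revoked"
        if now >= cred.expires_at:
            return False, "expired"
        if hashlib.sha256(cred.canonical_bytes()).hexdigest() != cred.fingerprint:
            return False, "fingerprint mismatch"
        if scope not in cred.authorized_scopes:
            return False, "scope not authorized"
        if amount > cred.max_transaction_amount:
            return False, "exceeds transaction limit"
        if account not in cred.account_allowlist:
            return False, "account not allowlisted"
        return True, "ok"
    except Exception as exc:  # any malformed input denies rather than allows
        return False, "fail closed: " + type(exc).__name__
```

Because the fingerprint covers every limit field, editing a sealed credential (for example raising its transaction limit) is caught before the scope and limit checks ever run.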
Why This Matters for Regulated Industries
Financial regulators are already asking about AI agent governance. The OCC issued examination guidance in 2025 requiring banks to demonstrate AI governance controls equivalent to those for traditional model risk. FINRA published guidance on AI-assisted supervision failures. The EU AI Act's high-risk system provisions took effect in August 2025.
AIDA maps directly to these requirements. The credential's principal_id establishes the liability chain. The authorized_scopes define delegated authority comparable to a power of attorney. The transaction limits address BSA/AML requirements. And the immutable audit log provides the examination evidence that compliance teams currently spend months assembling manually.
AIDA vs. Traditional IAM
Traditional IAM (Okta, Auth0, Entra ID) authenticates users and authorizes application access. AIDA operates at a different layer: it authorizes specific actions by specific agents on behalf of specific humans, with specific limits, and logs every decision. IAM answers "can this user access this application?" AIDA answers "can this agent, acting on behalf of this user, execute this specific action, on this specific account, up to this dollar amount, right now?"
The two systems are complementary. Enterprise SSO authenticates the human. AIDA authorizes the agent the human deploys. SmartFlow integrates both.
Getting Started
AIDA is available in SmartFlow 1.6+ and requires no code changes to existing AI applications. Agent credentials are issued through the AIDA API or the Maestro dashboard. Enforcement is automatic for all traffic flowing through SmartFlow.
For the complete API reference and implementation guide, see the AIDA documentation and the AI Governance for Regulated Industries whitepaper in SmartFlow docs.