The Open-Source Path to Decentralized Identity for AI Agents

Decentralized identity is becoming the security layer for agentic AI. Here is the 2026 open-source stack, the vendors, and the regulatory clock.

Microsoft released the Agent Governance Toolkit on April 2, 2026, an open-source project that gives every AI agent a cryptographic identity based on the W3C’s decentralised identifier standard. The toolkit lands six months before the European Union AI Act’s high-risk obligations become enforceable in August 2026, and it lands the same year that the Open Web Application Security Project published the first formal taxonomy of risks specific to autonomous agents. The architecture for trusted agents, in other words, is being written in code, in standards, and in regulation at the same time.

The question every enterprise architect is asking is the one the May 2026 article on agentic identity put on the cover: who is performing this action, and who authorised it? Traditional identity and access management, built for human users and static service accounts, cannot answer it for a workforce of ephemeral, high-velocity AI agents. The reckoning inside enterprise security in 2026 is the move from “Can the agent log in?” to “Can the agent prove who it is, and what it has been told to do?” The open-source answer emerging this year is rooted in a ten-year-old W3C standard, a re-purposed wallet stack, and a Microsoft monorepo with more than 9,500 tests.

The Agent Workforce Is Already Here, and IAM Cannot Tell Who They Are

“They’re no longer just answering questions in chat windows, they’re booking flights, executing trades, writing code, and managing infrastructure autonomously.”

That sentence is from Imran Siddique, the Principal Group Engineering Manager at Microsoft who led the Agent Governance Toolkit project, in the project’s April 2026 runtime security release. It captures the gap: agents have moved from assistants to actors faster than the identity plumbing has moved to support them, even as frameworks like LangChain, AutoGen, CrewAI, the Microsoft Agent Framework, and Microsoft Foundry Agent Service have made it easy to build agents that reason, plan, and act.

A typical agentic workflow today, the kind one recent briefing on managing AI agents like employees describes, can pull a customer record from a sales database, call an external API, draft a contract, and ask another agent to countersign it, all inside a single session, with no human clicking “approve” between steps. The pattern is spreading. The OWASP GenAI Security Project, which released its Top 10 for Agentic Applications in December 2025, named “Identity and Privilege Abuse” as one of the highlighted threats in the new taxonomy and warned that “Companies are already exposed to Agentic AI attacks, often without realizing that agents are running in their environments.” The full taxonomy is in the December 2025 agentic risks taxonomy.

What W3C Decentralized Identifiers Actually Do for an AI Agent

A decentralised identifier, or DID, is a string that resolves to a public key on a distributed ledger, controlled by the entity that owns it, with no central directory standing between the issuer and the verifier. Paired with a Verifiable Credential, a cryptographically signed attestation issued by a trusted authority, a DID gives an AI agent a passport, a wallet, and a notary in one package.

The May 2026 article on agentic identity makes a sharper point that most identity discussions miss, one it calls credentialed reasoning. The piece argues that an agent must prove not only who it is, but also provide a cryptographically signed reasoning trace, the chain of thought that led to a high-value action, before the action is authorised. The verbatim phrase in the article is: ‘Most AI identity discussions stop at “Can the agent log in?” You can differentiate by introducing “credentialed reasoning.”’ That turns the DID from a passport into a flight recorder, and it is the difference between trusting an agent and reconstructing what it did after the fact.

Microsoft’s Agent Mesh package, the identity layer inside the Agent Governance Toolkit, follows that pattern. It binds DIDs to the agent at start-up, signs every action with an Ed25519 key, and runs a dynamic trust score on a 0 to 1000 scale with five behavioural tiers, with a drop in the score triggering an automated revocation. The May 2026 article on agentic identity calls the underlying failure mode “agentic drift” and recommends that revocation happen at the same speed a corporate credit card is frozen.

| Attribute | Microsoft Agent Governance Toolkit | Amazon Bedrock AgentCore Identity |
|---|---|---|
| Licence model | MIT open source, intended for foundation governance | AWS managed service |
| Identity standard | W3C DIDs with Ed25519 signing | OAuth 2.0, OIDC, JWT, AWS SigV4 |
| Policy enforcement | <0.1ms p99, YAML, OPA Rego, Cedar | AWS IAM, resource credential provider |
| Standards mapping | OWASP Agentic AI Top 10, EU AI Act, HIPAA, SOC 2 | AWS CloudTrail, internal compliance |
| Framework support | LangChain, AutoGen, CrewAI, OpenAI Agents SDK, LangGraph, PydanticAI, LlamaIndex, Haystack, Dify, Google ADK, Microsoft Agent Framework | Amazon Bedrock agents |

The 2026 Stack: Microsoft, AWS, and the Open-Source Glue

The Agent Governance Toolkit is the largest signal that 2026 is the year identity gets a new architectural layer for agents. Released under the MIT licence on April 2, 2026, it is a monorepo of seven packages, available in Python, TypeScript, Rust, Go, and .NET, with more than 9,500 tests and continuous fuzzing through ClusterFuzzLite. Its Agent OS package acts as a stateless policy engine that intercepts every agent action before execution at a reported p99 latency of <0.1ms, supporting YAML rules, OPA Rego, and Cedar. Microsoft has stated that it intends to move the project to a foundation for community governance, and the team’s GitHub repository is already accepting outside contributions.

  • <0.1ms p99 policy enforcement latency in Agent OS
  • 9,500+ tests across all packages with continuous fuzzing
  • 5 language SDKs: Python, TypeScript, Rust, Go, and .NET
  • 7 packages in the Agent Governance Toolkit monorepo
  • 10 OWASP Agentic AI risks covered in the Agent Compliance package

Amazon answered with its own identity service in the same quarter. Amazon Bedrock AgentCore Identity, AWS’s IAM stack purpose-built for AI agents, ships a token vault for OAuth 2.0 access tokens, preconfigured integrations with GitHub, Slack, and Salesforce, and a dual authentication model that supports AWS SigV4, OAuth 2.0, OpenID Connect, and JSON Web Token validation. The two stacks are not symmetric: Microsoft’s contribution is open source and built around W3C DIDs, while AWS’s is a managed service built around OAuth 2.0 and OIDC, converging on the same problem from opposite directions.

Okta, Cisco, and a long list of identity vendors are filling in the middle of the stack. Okta for AI Agents, announced in 2026, adds an identity governance layer for customer-deployed agents built on Amazon Bedrock AgentCore and works with any identity provider. The Cloud Security Alliance published its own IAM framework for agentic AI in 2026, explicitly built around DIDs and Zero Trust. The market is converging on a layered design: a vendor-neutral identity primitive underneath, a vendor-specific integration on top.

The shared language underneath is the W3C’s DID specification and the OWASP taxonomy. The two reference designs in the field, Microsoft’s monorepo and AWS’s managed identity service, are listed side by side in the table above, and the rest of the post breaks down the architectural pattern that ties them together.

Reference Architecture: The Verified Agent Mesh

The architecture the May 2026 article on agentic identity proposes, and that Microsoft’s release now operationalises, separates the “brain” (the LLM) from the “passport” (the DID). At the core sits the agent sovereign layer, a thin identity sidecar, typically built on Hyperledger Aries, that runs alongside the model. The sidecar holds the agent’s private keys and manages its wallet of Verifiable Credentials, so a swap from one model provider to another, say, from a proprietary API to an on-premises Llama 4, does not strip the agent of its corporate identity or its historical audit trail. That decoupling is the architectural move that makes the rest of the system composable. The reference design is what the article calls the “verified agent mesh.”

Above the sovereign layer sits the governance orchestration layer, the policy enforcement point. Before an AI agent can call an enterprise tool, whether an ERP system or a payment gateway, the request passes through an Open Policy Agent or a Cedar engine, and the agent has to prove it possesses a specific, time-bound credential signed by a human supervisor. That creates a zero trust environment where no agent is trusted because of its network location, only because of its proven, decentralised identity. The toolkit’s Agent Compliance package maps the same enforcement logic to the European Union AI Act, HIPAA, and SOC 2.
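The enforcement check described above, sketched in Go as an added example; it is not code from the Agent Governance Toolkit or from the article. The Credential struct, the JSON encoding that gets signed (standing in for a W3C Verifiable Credential proof), the "|"-joined request message, the revocation map, and all keys, times and action names are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Credential is an assumed, simplified stand-in for a Verifiable Credential.
type Credential struct {
	ID, Scope          string // Scope: the one action the supervisor approved
	AgentKey           ed25519.PublicKey
	NotBefore, Expires int64 // Unix seconds
}
func (c Credential) bytes() []byte { b, _ := json.Marshal(c); return b }

// Authorize denies unless c is supervisor-signed, live, in scope, and the caller proves it holds AgentKey.
func Authorize(sup ed25519.PublicKey, revoked map[string]bool, c Credential, credSig, reqSig []byte, action string, now int64) error {
	switch {
	case !ed25519.Verify(sup, c.bytes(), credSig):
		return fmt.Errorf("credential not signed by supervisor")
	case revoked[c.ID]:
		return fmt.Errorf("credential revoked")
	case now < c.NotBefore || now >= c.Expires:
		return fmt.Errorf("outside validity window")
	case c.Scope != action:
		return fmt.Errorf("action outside scope")
	case !ed25519.Verify(c.AgentKey, []byte(c.ID+"|"+action), reqSig):
		return fmt.Errorf("request not signed by credential holder")
	}
	return nil
}

func RunCases() map[string]error {
	supPub, supPriv, _ := ed25519.GenerateKey(nil) // every key, time and name here is constructed
	agPub, agPriv, _ := ed25519.GenerateKey(nil)
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	t0, revoked, out := int64(1780000000), map[string]bool{}, map[string]error{}
	c := Credential{"cred-1", "erp:read-invoice", agPub, t0, t0 + 300}
	sig := ed25519.Sign(supPriv, c.bytes())
	try := func(name string, cred Credential, key ed25519.PrivateKey, action string, at int64) {
		out[name] = Authorize(supPub, revoked, cred, sig, ed25519.Sign(key, []byte(cred.ID+"|"+action)), action, at)
	}
	widened := Credential{c.ID, "payments:send", c.AgentKey, c.NotBefore, c.Expires} // holder edits its own scope
	try("valid", c, agPriv, c.Scope, t0+60)
	try("stolen", c, otherPriv, c.Scope, t0+60) // credential replayed by a different key holder
	try("out-of-scope", c, agPriv, "payments:send", t0+60)
	try("expired", c, agPriv, c.Scope, t0+360)
	try("tampered", widened, agPriv, widened.Scope, t0+60)
	revoked[c.ID] = true
	try("revoked", c, agPriv, c.Scope, t0+60)
	return out
}

func main() { fmt.Println(RunCases()) }
```

The request signature here covers only the credential ID and the action, so a production gate would also bind a nonce or timestamp into the signed message to stop replay inside the validity window.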

The communication layer is where the work gets done. The May 2026 article singles out three building blocks: Hyperledger Aries and Indy as the wallet infrastructure, LangGraph for defining the stateful logic of agents, and the Model Context Protocol (MCP) for connecting identified agents to enterprise tools and data sources. Microsoft’s Agent Runtime package layers execution rings and a kill switch on top, so an agent that drifts out of policy can be cut off at the privilege level rather than the network level.

Why 2026 Is the Reckoning Year

Two regulatory deadlines are doing the work of a forcing function. The European Union AI Act’s high-risk AI obligations, including obligations on logging, human oversight, and technical robustness, take effect in August 2026, and the Colorado AI Act becomes enforceable in June 2026.

“Companies are already exposed to Agentic AI attacks, often without realizing that agents are running in their environments.”

That quote is from Keren Katz, the OWASP GenAI Security Project’s Top 10 for Agentic AI Applications Co-Lead and Senior Group Manager of AI Security at Tenable, in the December 2025 release. The strategic use cases the May 2026 article on agentic identity highlights are the ones that hit the deadlines first. In autonomous procurement, agents receive spending credentials linked to a department’s DID and execute purchases inside strict cryptographic guardrails. In regulated data access, a “researcher agent” presents a Verifiable Credential to a data lake, proving it has passed a specific bias audit or security clearance before it is allowed to ingest sensitive information.

In financial close, an external auditor’s agent presents a DID-backed credential, the internal ledger agent verifies the signature against the external firm’s public key on a distributed ledger, grants temporary scoped access, and logs the interaction. None of these workflows are hypotheticals for 2026; they are the same workflows auditors and procurement teams already run by email, just with a credential the regulator can read. The auditor can keep the same tool and add a credential the regulator can verify.

Microsoft’s roadmap hints at where the open-source gravity is moving. The April 2026 release post says the company intends to “move it into a foundation home where it can be governed by the broader community,” and the team is engaging with the OWASP Agent Security Initiative and the LF AI & Data Foundation to make that happen. If the project lands at a foundation in 2026, the practical effect is that no single vendor can revoke the standard an enterprise has bet its compliance posture on, particularly with the EU AI Act’s August 2026 deadline on the horizon. The pattern, in other words, is that the open-source standards outlast any single vendor’s roadmap, and Hyperledger Aries and Indy went through the same transition in the late 2010s and remain the wallet default in 2026.

Do’s and Don’ts for Engineering Teams

The May 2026 article on agentic identity and the Microsoft release agree on the same short list of practical guardrails for the next 12 months. Engineering teams building agentic systems should treat the following as the floor, not the ceiling, of what 2026 compliance will accept. The point is to make the AGT kernel’s stance your default: actions the governance layer denies are structurally impossible, not merely unlikely. Teams that want to operationalise that stance often start by installing the toolkit from the open-source repository and wiring it into their CI pipeline.

  • DO: prioritise W3C standards for DIDs to ensure future interoperability between different AI agents.
  • DO: start with read-only agents to prove the identity framework before moving to write or execute agents.
  • DO: use Zero-Knowledge Proofs to allow agents to prove they have authorisation without revealing sensitive backend data.
  • DO: treat agent identity as ephemeral: issue short-lived, task-specific credentials, not persistent administrative rights.
  • DO NOT: build on closed-source identity silos that charge per-agent fees; the costs will scale exponentially with every new agent you spin up.
  • DO NOT: rely on static API keys or hard-coded secrets, the single greatest vulnerability in automated workflows.
  • DO NOT: remove the human-in-the-loop for high-value transactions; use multi-signature requirements where an agent’s decentralised identity is co-signed by a human supervisor.
  • DO NOT: ignore the liveness problem; ensure the architecture can rotate or revoke an AI’s identity instantly when its behaviour signature drifts.

Those eight rules read like a compliance checklist, but they are also a hiring guide. The skills a 2026 agentic security team needs, DID architecture, OPA policy authoring, Verifiable Credential issuance, MCP security gateway design, are not the same skills a 2023 application security team had. Teams that started the migration in 2024, when the W3C’s DID specification first stabilised, are the ones that will be ready when the August 2026 enforcement letters go out.

Some teams are already using agent behaviour tests in release pipelines to catch drift before it ships, the same way unit tests catch regressions in regular software. Microsoft’s Agent Compliance package gives an “OWASP verify” command that fails CI when the evidence of compliance is thin, and the OpenSSF Scorecard tracking on the toolkit’s repository gives auditors a single page to read. The shift from prompt-level safety to runtime enforcement is happening in the open, with public tests, public scores, and public commitments. That is the standard the open-source stack is being measured against in 2026, and the standard the regulators are writing their enforcement letters against in August.

Frequently Asked Questions

What is a decentralised identifier (DID)?

A decentralised identifier is a globally unique string that resolves to a public key on a distributed ledger, with no central directory standing between the issuer and the verifier. Paired with a Verifiable Credential, a DID gives an AI agent a portable, cryptographically verifiable identity it can present across cloud boundaries and enterprise tools without phoning home to a corporate directory first.

Why can’t traditional IAM handle AI agents?

Traditional IAM was designed for human employees and static service accounts whose permissions change slowly and persist for years. Agentic workloads create thousands of short-lived identities per hour, each one needing fresh credentials, scoped authority, and an audit trail. Centralised identity providers become a bottleneck and a single point of failure at that scale, which is why Microsoft’s Agent Governance Toolkit and AWS Bedrock AgentCore Identity both ship alternatives built for agentic throughput rather than employee provisioning.

Is Microsoft’s Agent Governance Toolkit open source?

Yes. Microsoft released the Agent Governance Toolkit on April 2, 2026 under the MIT licence. It is structured as a monorepo of seven packages with SDKs in Python, TypeScript, Rust, Go, and .NET, and Microsoft has said it intends to move the project to a foundation for community governance. The codebase is publicly available on GitHub, with more than 9,500 tests, SLSA-compatible build provenance, and OpenSSF Scorecard tracking. Teams can install it with a single pip install and integrate it into LangChain, AutoGen, CrewAI, or any other supported framework.

What is the OWASP Agentic AI Top 10?

The OWASP Top 10 for Agentic Applications is the first formal taxonomy of risks specific to autonomous AI agents, published by the OWASP GenAI Security Project in December 2025. It names risks like Agent Goal Hijacking, Tool Misuse and Exploitation, and Identity and Privilege Abuse, and it maps each risk to mitigations spanning policy enforcement, cryptographic identity, and runtime sandboxing.

When do the EU AI Act agent rules kick in?

The European Union AI Act’s high-risk AI obligations, including obligations on logging, human oversight, and technical robustness for AI systems that sign contracts, move funds, or process sensitive personal data, take effect in August 2026. The Colorado AI Act becomes enforceable in June 2026. Both regulations treat the autonomous agent as the regulated artifact, which is what makes the agent identity question a compliance question rather than a feature request.

Disclaimer: This article is informational and does not constitute legal, regulatory, or compliance advice. Figures and dates are accurate as of publication (June 2026), and the regulatory environment is moving quickly. Consult a qualified professional before making architectural decisions that touch the EU AI Act, the Colorado AI Act, or sector-specific obligations in your jurisdiction. The named vendors and products in this article are described for context, not as endorsements.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
