Agent Name Service (ANS): A Proof-of-Concept Trust Layer for Secure AI Agent Discovery, Identity, and Governance in Kubernetes
Pith reviewed 2026-05-07 13:31 UTC · model grok-4.3
The pith
The Agent Name Service implements a DNS-inspired trust layer in Kubernetes using DIDs, VCs, and OPA to secure AI agent discovery, authentication, and governance.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The Agent Name Service provides a DNS-inspired trust layer for AI agents in Kubernetes by integrating Decentralized Identifiers for identity, Verifiable Credentials for capability attestation that protects secrets, Open Policy Agent for policy-as-code enforcement, and Kubernetes-native patterns including CRDs, admission controls, and service mesh integration, achieving sub-10ms response times and full success in scripted deployment scenarios within a 3-node cluster simulating 50 agents.
What carries the argument
The Agent Name Service (ANS) protocol layer, which functions as a registry and resolver that binds cryptographic agent identities to discoverable endpoints while enforcing policies through Kubernetes admission controls and OPA.
If this is right
- Uniform agent discovery becomes available across Kubernetes clusters without custom per-framework solutions.
- Cryptographic authentication via DIDs protects multi-agent systems against impersonation.
- Verifiable Credentials enable agents to prove capabilities while keeping sensitive secrets protected.
- Policy-as-code with OPA supplies enforceable, auditable governance that can adapt without code changes.
- Native Kubernetes integration allows existing cluster operators to manage agent security through familiar tools.
Where Pith is reading between the lines
- The pattern could extend to non-Kubernetes platforms to create cross-environment agent interoperability standards.
- Dynamic agent behaviors beyond the scripted demo would likely require additional threat-model extensions for full coverage.
- Performance observations invite direct comparison against production AI workloads that include model serving and inter-agent messaging.
- Adoption might reduce dependence on closed agent platforms by offering an open, verifiable identity foundation.
Load-bearing premise
The 3-node demo cluster and scripted 50-agent workflows accurately represent the security threats, performance demands, and interoperability issues of real-world production multi-agent deployments.
What would settle it
A production-scale Kubernetes cluster with unscripted agents performing adversarial discovery attempts, policy violations, or high-load workflows where response times exceed 10ms or enforcement fails would falsify the central claim.
Figures
read the original abstract
Autonomous AI agent ecosystems require stronger mechanisms for secure discovery, identity verification, capability attestation, and policy governance. Current deployments frequently lack (1) uniform agent discovery, (2) cryptographic agent authentication, (3) capability proofs that protect secrets, and (4) enforceable policy controls. This paper presents an implementation-oriented proof of concept for the Agent Name Service (ANS), a DNS-inspired trust layer for AI agent discovery and interoperability in Kubernetes, grounded in the ANS protocol specification~\cite{huang2025ans}. The implementation uses Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), policy-as-code enforcement with Open Policy Agent (OPA), and Kubernetes-native integration patterns (CRDs, admission controls, service mesh integration). In a demo research environment (3-node cluster, 50-agent workflow simulation), we observe sub-10ms response in demonstrated service paths and full success for scripted demo deployment scenarios. We explicitly scope these findings as proof-of-concept evidence rather than production certification. We further provide a threat model, assumptions, and limitations to separate implemented evidence from protocol-defined and roadmap capabilities. The result is an evidence-grounded pathway from ANS protocol concepts to reproducible engineering practice for secure multi-agent systems.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents an implementation-oriented proof-of-concept for the Agent Name Service (ANS), a DNS-inspired trust layer for secure AI agent discovery, identity verification, capability attestation, and policy governance in Kubernetes. Grounded in the cited ANS protocol specification, the work integrates Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), Open Policy Agent (OPA) for policy-as-code enforcement, and Kubernetes-native patterns including Custom Resource Definitions (CRDs), admission controls, and service mesh integration. In a demo research environment (3-node cluster, 50-agent workflow simulation), it reports sub-10ms response times in demonstrated service paths and full success for scripted deployment scenarios. The manuscript explicitly scopes these as proof-of-concept evidence, provides a threat model with assumptions, and includes a limitations section to separate implemented results from unproven protocol elements and roadmap items.
Significance. If the scoped results hold, the paper offers a practical, evidence-grounded pathway from abstract protocol concepts to reproducible engineering practice for secure multi-agent systems in containerized environments. Strengths include the explicit scoping of claims, inclusion of a threat model and limitations, and focus on native Kubernetes integration patterns that lower barriers for practitioners. The demo provides initial feasibility evidence for low-latency secure discovery and enforceable governance without overclaiming production readiness.
minor comments (4)
- [Abstract] Abstract: the claim of 'sub-10ms response in demonstrated service paths' would be clearer if it specified the exact paths measured (e.g., DID resolution, VC verification, or OPA policy query) and noted the measurement conditions.
- [Demo and Evaluation] Demo section: while the 3-node/50-agent simulation is appropriately scoped as PoC, adding a brief note on the scripted scenarios' coverage of the threat model (e.g., which attacks were explicitly exercised) would improve traceability without altering the PoC framing.
- The manuscript would benefit from a summary table listing the core components (DIDs, VCs, OPA, CRDs) alongside their specific roles and integration points to aid reader comprehension.
- [Limitations] Limitations section: cross-reference each stated limitation directly to the corresponding implementation choice or missing feature to make the boundary between evidence and future work more explicit.
Simulated Author's Rebuttal
We thank the referee for the constructive and positive review, including the recommendation for minor revision. The assessment correctly identifies the paper's focus on a scoped proof-of-concept, Kubernetes-native patterns, threat model, and limitations section. No specific major comments were raised in the report, so we have no point-by-point rebuttals to provide. We will incorporate any minor suggestions during revision.
Circularity Check
No significant circularity detected
full rationale
The paper is an implementation-oriented proof-of-concept for the Agent Name Service (ANS) protocol in Kubernetes, explicitly grounded in the external specification cited as huang2025ans (distinct authors). Central claims are confined to measured sub-10 ms responses and scripted deployment success inside a 3-node/50-agent demo environment, with repeated explicit scoping as PoC evidence rather than production certification. No equations, parameter fittings, performance extrapolations, or predictions appear; the work describes integration of standard external components (DIDs, VCs, OPA, Kubernetes CRDs) without self-definitional reductions or load-bearing self-citations. The included threat model, assumptions, and limitations section further separates implemented evidence from protocol elements, rendering the derivation chain self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption Kubernetes reliably supports CRDs, admission controllers, and service mesh integration for the described patterns.
- domain assumption DIDs and Verifiable Credentials provide adequate cryptographic identity and capability attestation for the threat model.
Reference graph
Works this paper leans on
-
[1]
Zero-Knowledge Proofs for Capabil- ity Verification in Distributed AI Systems,
L. Chen and Y . Zhang, “Zero-Knowledge Proofs for Capabil- ity Verification in Distributed AI Systems,”IEEE Trans. Inf. Forensics Security, vol. 19, no. 3, pp. 1456–1470, 2024
work page 2024
-
[2]
Cryptographic Identity Management for Autonomous AI Agents,
R. Kumar et al., “Cryptographic Identity Management for Autonomous AI Agents,” inProc. 2024 ACM SIGSAC Conf. Comput. Commun. Security, 2024, pp. 2341–2355
work page 2024
-
[3]
Policy-as-Code Enforcement in Kubernetes: A Comprehensive Survey,
S. Wang and M. Johnson, “Policy-as-Code Enforcement in Kubernetes: A Comprehensive Survey,”ACM Comput. Surveys, vol. 56, no. 2, pp. 1–35, 2023
work page 2023
-
[4]
Concept Drift Detection in Production ML Systems: A Systematic Review,
P. Rodriguez et al., “Concept Drift Detection in Production ML Systems: A Systematic Review,”Mach. Learn., vol. 112, no. 8, pp. 3125–3158, 2023
work page 2023
-
[5]
Service Mesh Security: A Com- prehensive Analysis of mTLS Implementation,
K. Thompson and J. Lee, “Service Mesh Security: A Com- prehensive Analysis of mTLS Implementation,”IEEE Security Privacy, vol. 21, no. 4, pp. 45–52, 2023
work page 2023
-
[6]
Distributed Identity Management in Cloud- Native Applications,
M. Garcia et al., “Distributed Identity Management in Cloud- Native Applications,”ACM Trans. Privacy Security, vol. 25, no. 3, pp. 1–28, 2022
work page 2022
-
[7]
Zero-Trust Architecture for Microser- vices: Design Patterns and Implementation,
N. Patel and S. Kim, “Zero-Trust Architecture for Microser- vices: Design Patterns and Implementation,”IEEE Trans. De- pendable Secure Comput., vol. 19, no. 5, pp. 3124–3137, 2022
work page 2022
-
[8]
Decentralized Identifiers (DIDs) v1.0,
W3C, “Decentralized Identifiers (DIDs) v1.0,”World Wide Web Consortium Recommendation, 2022. [Online]. Available: https: //www.w3.org/TR/did-core/
work page 2022
-
[9]
Verifiable Credentials Data Model v1.1,
W3C, “Verifiable Credentials Data Model v1.1,”World Wide Web Consortium Recommendation, 2022. [Online]. Available: https://www.w3.org/TR/vc-data-model/
work page 2022
-
[10]
Post-Quantum Cryptography in Production Systems: Challenges and Solutions,
R. Anderson and T. Moore, “Post-Quantum Cryptography in Production Systems: Challenges and Solutions,”Cryptology ePrint Archive, Paper 2024/123, 2024
work page 2024
-
[11]
Certificate Transparency in Distributed Sys- tems: A Survey,
A. Brown et al., “Certificate Transparency in Distributed Sys- tems: A Survey,”IEEE Commun. Surveys Tutorials, vol. 25, no. 2, pp. 1234–1256, 2023
work page 2023
-
[12]
Open Policy Agent Documentation,
OPA, “Open Policy Agent Documentation,”Open Pol- icy Agent Project, 2024. [Online]. Available: https://www. openpolicyagent.org/docs/
work page 2024
-
[13]
Service Mesh for Microservices,
Istio, “Service Mesh for Microservices,”Cloud Native Comput- ing Foundation, 2024. [Online]. Available: https://istio.io/
work page 2024
-
[14]
MLOps Security Framework for Production Machine Learning Systems,
L. Zhang et al., “MLOps Security Framework for Production Machine Learning Systems,”IEEE Trans. Dependable Secure Comput., vol. 21, no. 2, pp. 1234–1256, 2024
work page 2024
-
[15]
Secure Multi-Agent Communication Protocols for Distributed AI Systems,
M. Johnson and S. Davis, “Secure Multi-Agent Communication Protocols for Distributed AI Systems,” inProc. 2024 IEEE Int. Conf. Commun. (ICC), 2024, pp. 1–6
work page 2024
-
[16]
Zero-Trust Security Models for Kubernetes: A Comprehensive Analysis,
J. Smith et al., “Zero-Trust Security Models for Kubernetes: A Comprehensive Analysis,”IEEE Security Privacy, vol. 21, no. 6, pp. 34–42, 2023
work page 2023
-
[17]
Decentralized Identity Management in Edge Computing Environments,
K. Lee and A. Chen, “Decentralized Identity Management in Edge Computing Environments,”IEEE Internet Things J., vol. 11, no. 8, pp. 6789–6801, 2024
work page 2024
-
[18]
Agent Name Service (ANS) Live Demo Implemen- tation,
A. Mittal, “Agent Name Service (ANS) Live Demo Implemen- tation,”GitHub Repository, 2025. [Online]. Available: https: //github.com/akshaymittal143/ans-live-demo/
work page 2025
-
[19]
ANS Live Demo Slides Directory,
A. Mittal, “ANS Live Demo Slides Directory,”GitHub Repository, 2025. [Online]. Available: https://github.com/ akshaymittal143/ans-live-demo/tree/main/slides
work page 2025
-
[20]
Agent name service (ans): A universal directory for secure ai agent discovery and interoperability,
K. Huang, V . S. Narajala, I. Habler, and A. Sheriff, “Agent Name Service (ANS): A Universal Directory for Secure AI Agent Discovery and Interoperability,”arXiv preprint arXiv:2505.10609v1, 2025. [Online]. Available: https://arxiv. org/abs/2505.10609
-
[21]
Agent Name Service (ANS): A Universal Directory for Secure AI Agent Discovery and Interoperability,
K. Huang, V . S. Narajala, I. Habler, and A. Sheriff, “Agent Name Service (ANS): A Universal Directory for Secure AI Agent Discovery and Interoperability,”ResearchGate, 2025. [Online]. Available: https://www.researchgate.net/publication/ 401124108
work page 2025
-
[22]
GoDaddy, “ans-registry,”GitHub Repository, 2025. [Online]. Available: https://github.com/godaddy/ans-registry
work page 2025
-
[23]
Agent Name Registry, “Public ANS Registry,” 2025. [Online]. Available: https://www.agentnameregistry.org/
work page 2025
-
[24]
ANS Demo Guide Verification Report,
A. Mittal, “ANS Demo Guide Verification Report,”Project Documentation, 2025. [Online]. Available: https://github.com/ akshaymittal143/ans-live-demo/blob/main/DEMO GUIDE.md
work page 2025
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.