arxiv: 2604.26997 · v1 · submitted 2026-04-29 · 💻 cs.CR · cs.AI · cs.MA

Agent Name Service (ANS): A Proof-of-Concept Trust Layer for Secure AI Agent Discovery, Identity, and Governance in Kubernetes

Pith reviewed 2026-05-07 13:31 UTC · model grok-4.3

classification 💻 cs.CR · cs.AI · cs.MA
keywords Agent Name Service, Kubernetes, Decentralized Identifiers, Verifiable Credentials, AI agents, Trust layer, Policy-as-code, Secure discovery

The pith

The Agent Name Service implements a DNS-inspired trust layer in Kubernetes using DIDs, VCs, and OPA to secure AI agent discovery, authentication, and governance.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper establishes that current AI agent deployments lack uniform discovery, cryptographic authentication, secret-protecting capability proofs, and enforceable policies, and shows these gaps can be closed by a practical Kubernetes implementation of the Agent Name Service protocol. A sympathetic reader cares because autonomous multi-agent systems cannot operate reliably or safely without verifiable identities and controls that prevent impersonation or policy bypass. The work delivers an engineering pathway by combining Decentralized Identifiers for identity, Verifiable Credentials for attestation, Open Policy Agent for policy-as-code, and native Kubernetes primitives such as CRDs and admission controllers, with measured sub-10ms responses in a scripted 3-node, 50-agent demo. Findings are explicitly limited to proof-of-concept evidence rather than production validation.

Core claim

The Agent Name Service provides a DNS-inspired trust layer for AI agents in Kubernetes by integrating Decentralized Identifiers for identity, Verifiable Credentials for capability attestation that protects secrets, Open Policy Agent for policy-as-code enforcement, and Kubernetes-native patterns including CRDs, admission controls, and service mesh integration, achieving sub-10ms response times and full success in scripted deployment scenarios within a 3-node cluster simulating 50 agents.

What carries the argument

The Agent Name Service (ANS) protocol layer, which functions as a registry and resolver that binds cryptographic agent identities to discoverable endpoints while enforcing policies through Kubernetes admission controls and OPA.
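
The admission decision described above, sketched in Go as an added example; it is not code from the paper or from the ans-live-demo repository. The `Reg` and `Registry` types, their field names and the `did:example:*` identifiers are assumptions: an in-memory key map stands in for DID resolution, one detached issuer signature over (DID, capability) stands in for a Verifiable Credential, and a single Go function stands in for the admission controller and OPA policy.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Reg is a hypothetical registration record, not the paper's schema.
type Reg struct {
	Name, DID, Endpoint, Capability string
	AgentSig, CredSig               []byte // by the DID key; by the issuer over (DID, Capability)
}
type Registry struct {
	Issuer  ed25519.PublicKey            // trusted credential issuer
	Keys    map[string]ed25519.PublicKey // stand-in for DID resolution
	Records map[string]Reg               // admitted bindings, by name
}

// msg quotes every field so bytes cannot shift between adjacent fields.
func msg(parts ...string) []byte { return []byte(fmt.Sprintf("%q", parts)) }

// Sign fills both signatures; credKey is whoever issued the credential.
func Sign(r Reg, agentKey, credKey ed25519.PrivateKey) Reg {
	r.AgentSig = ed25519.Sign(agentKey, msg(r.Name, r.DID, r.Endpoint, r.Capability))
	r.CredSig = ed25519.Sign(credKey, msg(r.DID, r.Capability))
	return r
}

// Register is the admission decision: deny unless every check passes.
func (g *Registry) Register(r Reg) error {
	pub, known := g.Keys[r.DID]
	switch old, taken := g.Records[r.Name]; {
	case !known || !ed25519.Verify(pub, msg(r.Name, r.DID, r.Endpoint, r.Capability), r.AgentSig):
		return fmt.Errorf("registration not signed by the key of %s", r.DID)
	case !ed25519.Verify(g.Issuer, msg(r.DID, r.Capability), r.CredSig):
		return fmt.Errorf("capability %q not attested by trusted issuer", r.Capability)
	case taken && old.DID != r.DID:
		return fmt.Errorf("name %q is bound to another DID", r.Name)
	}
	g.Records[r.Name] = r
	return nil
}

func main() {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(nil) // constructed keys
	agentPub, agentKey, _ := ed25519.GenerateKey(nil)
	g := &Registry{issuerPub, map[string]ed25519.PublicKey{"did:example:a": agentPub}, map[string]Reg{}}
	r := Reg{Name: "summarizer", DID: "did:example:a", Endpoint: "https://a.example", Capability: "summarize"}
	fmt.Println(g.Register(Sign(r, agentKey, issuerKey)), g.Register(Sign(r, agentKey, agentKey)))
}
```

The first registration is admitted; the second carries a self-issued capability signature and is denied, which is the property that keeps discovery results tied to an issuer-attested identity.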

If this is right

  • Uniform agent discovery becomes available across Kubernetes clusters without custom per-framework solutions.
  • Cryptographic authentication via DIDs protects multi-agent systems against impersonation.
  • Verifiable Credentials enable agents to prove capabilities while keeping sensitive secrets protected.
  • Policy-as-code with OPA supplies enforceable, auditable governance that can adapt without code changes.
  • Native Kubernetes integration allows existing cluster operators to manage agent security through familiar tools.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The pattern could extend to non-Kubernetes platforms to create cross-environment agent interoperability standards.
  • Dynamic agent behaviors beyond the scripted demo would likely require additional threat-model extensions for full coverage.
  • Performance observations invite direct comparison against production AI workloads that include model serving and inter-agent messaging.
  • Adoption might reduce dependence on closed agent platforms by offering an open, verifiable identity foundation.

Load-bearing premise

The 3-node demo cluster and scripted 50-agent workflows accurately represent the security threats, performance demands, and interoperability issues of real-world production multi-agent deployments.

What would settle it

A production-scale Kubernetes cluster with unscripted agents performing adversarial discovery attempts, policy violations, or high-load workflows where response times exceed 10ms or enforcement fails would falsify the central claim.

Figures

Figures reproduced from arXiv: 2604.26997 by Akshay Mittal, Elyson De La Cruz.

Figure 1: ANS System Architecture showing agent interactions, registry
Figure 2: GitOps Integration Workflow showing automated deployment

Original abstract

Autonomous AI agent ecosystems require stronger mechanisms for secure discovery, identity verification, capability attestation, and policy governance. Current deployments frequently lack (1) uniform agent discovery, (2) cryptographic agent authentication, (3) capability proofs that protect secrets, and (4) enforceable policy controls. This paper presents an implementation-oriented proof of concept for the Agent Name Service (ANS), a DNS-inspired trust layer for AI agent discovery and interoperability in Kubernetes, grounded in the ANS protocol specification (Huang et al., 2025). The implementation uses Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), policy-as-code enforcement with Open Policy Agent (OPA), and Kubernetes-native integration patterns (CRDs, admission controls, service mesh integration). In a demo research environment (3-node cluster, 50-agent workflow simulation), we observe sub-10ms response in demonstrated service paths and full success for scripted demo deployment scenarios. We explicitly scope these findings as proof-of-concept evidence rather than production certification. We further provide a threat model, assumptions, and limitations to separate implemented evidence from protocol-defined and roadmap capabilities. The result is an evidence-grounded pathway from ANS protocol concepts to reproducible engineering practice for secure multi-agent systems.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 4 minor

Summary. The paper presents an implementation-oriented proof-of-concept for the Agent Name Service (ANS), a DNS-inspired trust layer for secure AI agent discovery, identity verification, capability attestation, and policy governance in Kubernetes. Grounded in the cited ANS protocol specification, the work integrates Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), Open Policy Agent (OPA) for policy-as-code enforcement, and Kubernetes-native patterns including Custom Resource Definitions (CRDs), admission controls, and service mesh integration. In a demo research environment (3-node cluster, 50-agent workflow simulation), it reports sub-10ms response times in demonstrated service paths and full success for scripted deployment scenarios. The manuscript explicitly scopes these as proof-of-concept evidence, provides a threat model with assumptions, and includes a limitations section to separate implemented results from unproven protocol elements and roadmap items.

Significance. If the scoped results hold, the paper offers a practical, evidence-grounded pathway from abstract protocol concepts to reproducible engineering practice for secure multi-agent systems in containerized environments. Strengths include the explicit scoping of claims, inclusion of a threat model and limitations, and focus on native Kubernetes integration patterns that lower barriers for practitioners. The demo provides initial feasibility evidence for low-latency secure discovery and enforceable governance without overclaiming production readiness.

minor comments (4)
  1. [Abstract] Abstract: the claim of 'sub-10ms response in demonstrated service paths' would be clearer if it specified the exact paths measured (e.g., DID resolution, VC verification, or OPA policy query) and noted the measurement conditions.
  2. [Demo and Evaluation] Demo section: while the 3-node/50-agent simulation is appropriately scoped as PoC, adding a brief note on the scripted scenarios' coverage of the threat model (e.g., which attacks were explicitly exercised) would improve traceability without altering the PoC framing.
  3. The manuscript would benefit from a summary table listing the core components (DIDs, VCs, OPA, CRDs) alongside their specific roles and integration points to aid reader comprehension.
  4. [Limitations] Limitations section: cross-reference each stated limitation directly to the corresponding implementation choice or missing feature to make the boundary between evidence and future work more explicit.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the constructive and positive review, including the recommendation for minor revision. The assessment correctly identifies the paper's focus on a scoped proof-of-concept, Kubernetes-native patterns, threat model, and limitations section. No specific major comments were raised in the report, so we have no point-by-point rebuttals to provide. We will incorporate any minor suggestions during revision.

Circularity Check

0 steps flagged

No significant circularity detected

The paper is an implementation-oriented proof-of-concept for the Agent Name Service (ANS) protocol in Kubernetes, explicitly grounded in the external specification cited as huang2025ans (distinct authors). Central claims are confined to measured sub-10 ms responses and scripted deployment success inside a 3-node/50-agent demo environment, with repeated explicit scoping as PoC evidence rather than production certification. No equations, parameter fittings, performance extrapolations, or predictions appear; the work describes integration of standard external components (DIDs, VCs, OPA, Kubernetes CRDs) without self-definitional reductions or load-bearing self-citations. The included threat model, assumptions, and limitations section further separates implemented evidence from protocol elements, rendering the derivation chain self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The paper rests on standard assumptions from Kubernetes and decentralized identity technologies rather than introducing new free parameters or invented entities.

axioms (2)
  • domain assumption Kubernetes reliably supports CRDs, admission controllers, and service mesh integration for the described patterns.
    Implementation depends on these platform primitives being available and stable.
  • domain assumption DIDs and Verifiable Credentials provide adequate cryptographic identity and capability attestation for the threat model.
    Security claims rely on the established properties of these standards.

Reference graph

Works this paper leans on

24 extracted references · 24 canonical work pages

  1. L. Chen and Y. Zhang, “Zero-Knowledge Proofs for Capability Verification in Distributed AI Systems,” IEEE Trans. Inf. Forensics Security, vol. 19, no. 3, pp. 1456–1470, 2024
  2. R. Kumar et al., “Cryptographic Identity Management for Autonomous AI Agents,” in Proc. 2024 ACM SIGSAC Conf. Comput. Commun. Security, 2024, pp. 2341–2355
  3. S. Wang and M. Johnson, “Policy-as-Code Enforcement in Kubernetes: A Comprehensive Survey,” ACM Comput. Surveys, vol. 56, no. 2, pp. 1–35, 2023
  4. P. Rodriguez et al., “Concept Drift Detection in Production ML Systems: A Systematic Review,” Mach. Learn., vol. 112, no. 8, pp. 3125–3158, 2023
  5. K. Thompson and J. Lee, “Service Mesh Security: A Comprehensive Analysis of mTLS Implementation,” IEEE Security Privacy, vol. 21, no. 4, pp. 45–52, 2023
  6. M. Garcia et al., “Distributed Identity Management in Cloud-Native Applications,” ACM Trans. Privacy Security, vol. 25, no. 3, pp. 1–28, 2022
  7. N. Patel and S. Kim, “Zero-Trust Architecture for Microservices: Design Patterns and Implementation,” IEEE Trans. Dependable Secure Comput., vol. 19, no. 5, pp. 3124–3137, 2022
  8. W3C, “Decentralized Identifiers (DIDs) v1.0,” World Wide Web Consortium Recommendation, 2022. [Online]. Available: https://www.w3.org/TR/did-core/
  9. W3C, “Verifiable Credentials Data Model v1.1,” World Wide Web Consortium Recommendation, 2022. [Online]. Available: https://www.w3.org/TR/vc-data-model/
  10. R. Anderson and T. Moore, “Post-Quantum Cryptography in Production Systems: Challenges and Solutions,” Cryptology ePrint Archive, Paper 2024/123, 2024
  11. A. Brown et al., “Certificate Transparency in Distributed Systems: A Survey,” IEEE Commun. Surveys Tutorials, vol. 25, no. 2, pp. 1234–1256, 2023
  12. OPA, “Open Policy Agent Documentation,” Open Policy Agent Project, 2024. [Online]. Available: https://www.openpolicyagent.org/docs/
  13. Istio, “Service Mesh for Microservices,” Cloud Native Computing Foundation, 2024. [Online]. Available: https://istio.io/
  14. L. Zhang et al., “MLOps Security Framework for Production Machine Learning Systems,” IEEE Trans. Dependable Secure Comput., vol. 21, no. 2, pp. 1234–1256, 2024
  15. M. Johnson and S. Davis, “Secure Multi-Agent Communication Protocols for Distributed AI Systems,” in Proc. 2024 IEEE Int. Conf. Commun. (ICC), 2024, pp. 1–6
  16. J. Smith et al., “Zero-Trust Security Models for Kubernetes: A Comprehensive Analysis,” IEEE Security Privacy, vol. 21, no. 6, pp. 34–42, 2023
  17. K. Lee and A. Chen, “Decentralized Identity Management in Edge Computing Environments,” IEEE Internet Things J., vol. 11, no. 8, pp. 6789–6801, 2024
  18. A. Mittal, “Agent Name Service (ANS) Live Demo Implementation,” GitHub Repository, 2025. [Online]. Available: https://github.com/akshaymittal143/ans-live-demo/
  19. A. Mittal, “ANS Live Demo Slides Directory,” GitHub Repository, 2025. [Online]. Available: https://github.com/akshaymittal143/ans-live-demo/tree/main/slides
  20. K. Huang, V. S. Narajala, I. Habler, and A. Sheriff, “Agent Name Service (ANS): A Universal Directory for Secure AI Agent Discovery and Interoperability,” arXiv preprint arXiv:2505.10609v1, 2025. [Online]. Available: https://arxiv.org/abs/2505.10609
  21. K. Huang, V. S. Narajala, I. Habler, and A. Sheriff, “Agent Name Service (ANS): A Universal Directory for Secure AI Agent Discovery and Interoperability,” ResearchGate, 2025. [Online]. Available: https://www.researchgate.net/publication/401124108
  22. GoDaddy, “ans-registry,” GitHub Repository, 2025. [Online]. Available: https://github.com/godaddy/ans-registry
  23. Agent Name Registry, “Public ANS Registry,” 2025. [Online]. Available: https://www.agentnameregistry.org/
  24. A. Mittal, “ANS Demo Guide Verification Report,” Project Documentation, 2025. [Online]. Available: https://github.com/akshaymittal143/ans-live-demo/blob/main/DEMO GUIDE.md