Heartbeat-Bound Hierarchical Credentials: Cryptographic Revocation for AI Agent Swarms

Saurabh Deochake

arxiv: 2605.20704 · v1 · pith:7SQ45WX2new · submitted 2026-05-20 · 💻 cs.CR · cs.AI· cs.MA

Heartbeat-Bound Hierarchical Credentials: Cryptographic Revocation for AI Agent Swarms

Saurabh Deochake This is my paper

Pith reviewed 2026-05-21 04:38 UTC · model grok-4.3

classification 💻 cs.CR cs.AIcs.MA

keywords AI agent revocationhierarchical credentialsheartbeat protocolcryptographic revocationzombie agentssecure enclavesmulti-agent systemsliveness proofs

0 comments

The pith

Heartbeat-Bound Hierarchical Credentials bind AI agent validity to periodic parent liveness proofs so verifiers detect shutdown with only a cached public key and local clock.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes a cryptographic method to close the safety gap created when autonomous AI agents spawn sub-agent swarms. Current revocation systems such as OAuth 2.0 introspection or certificate status lists depend on network contact with a central authority, allowing zombie agents to keep executing privileged actions long after an operator stops. HBHC instead requires each credential in the hierarchy to be refreshed by heartbeat messages from its parent. Any verifier checks freshness locally using a cached public key and its own clock, without sending or receiving network packets. If the central claim holds, shutdown of a parent automatically renders all descendant credentials unusable after a fixed, predictable interval.

Core claim

Heartbeat-Bound Hierarchical Credentials bind credential validity to periodic parent liveness proofs. Verifiers enforce freshness using only a cached public key and local clock with no network round-trip required. When heartbeat generation ceases, all descendant credentials become unusable within a deterministically bounded window W_z ≤ W_max + Δ_h + ε, conditional on bounded clock skew and parent keys held in secure enclaves.

What carries the argument

Heartbeat-Bound Hierarchical Credentials (HBHC), a protocol that ties each credential's validity window to periodic heartbeat messages from its immediate parent.

If this is right

Zombie window shrinks by a factor of 90 compared with OAuth 2.0 introspection.
Full authentication finishes in 0.26 ms in Rust while sustaining over 18,000 verifications per second under load.
Cascading revocation propagates through a four-level 49-agent hierarchy inside the theoretical time bound.
Real LLM-backed agent swarms incur only 0.71 percent end-to-end overhead on tool calls.
No tool calls succeed after revocation even when prompt injection bypasses application guardrails.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same local-clock check could be applied to revocation in non-AI distributed systems that already use hierarchical key material.
Integration points with existing PKI or status-list formats could let operators adopt the scheme incrementally.
Empirical measurement of clock skew under realistic network jitter would tighten or refute the concrete bound W_z.

Load-bearing premise

Parent keys remain protected inside secure enclaves and clock differences across the swarm stay within a known bound.

What would settle it

A descendant credential that continues to accept operations more than W_max + Δ_h + ε after its parent stops emitting heartbeats, under the stated conditions of bounded skew and enclave storage.

Figures

Figures reproduced from arXiv: 2605.20704 by Saurabh Deochake.

**Figure 1.** Figure 1: Post-revocation tool calls by defense. OAuth 2.0 (bearer tokens) permits 175 calls until expiry; prompt-injected guardrails permit 20; HBHC blocks all calls at the cryptographic layer once the zombie window closes. within the 20 s bound: Level 1 max 16.0 s, Level 2 max 16.0 s, Level 3 max 15.4 s, validating R3 (Hierarchical Revocation) at realistic depth. Credential theft. An adversary extracts a child’s d… view at source ↗

**Figure 2.** Figure 2: Zombie window as partition duration increases. Network-dependent mechanisms degrade linearly or plateau at token lifetime; HBHC maintains a constant 40 s bound regardless of partition length. alternative: the parent embeds a sequence number s; the verifier tracks slast and accepts only if s > slast and s − slast ≤ k. Under in-order delivery (TCP or gRPC), Wseq z ≤ k · ∆h (30 s at k=3, ∆h=10s). Experiment … view at source ↗

read the original abstract

Autonomous AI agents that spawn sub-agent swarms create a safety gap: existing credential revocation mechanisms, OAuth~2.0 introspection, OCSP, and W3C Status Lists, require network connectivity to a central authority, leaving ``zombie agents'' executing privileged operations for minutes to hours after operator shutdown. We present Heartbeat-Bound Hierarchical Credentials (HBHC), a cryptographic protocol that binds credential validity to periodic parent liveness proofs. Verifiers enforce freshness using only a cached public key and local clock; no network round-trip is required. When heartbeat generation ceases, all descendant credentials become unusable within a deterministically bounded window $W_z \le W_{\max} + \Delta_h + \epsilon$, conditional on bounded clock skew and parent keys held in secure enclaves. Evaluation at the protocol layer and with real LLM-backed agent swarms (GPT-4o-mini) demonstrates a 90$\times$ reduction in the zombie window over OAuth~2.0, 0.26~ms full authentication in Rust, 18,000+ verifications per second under concurrent HTTP load, and stable per-verification latency from 10 to 10,000 agents. Real-agent experiments show 0.71\% end-to-end overhead on tool calls, zero post-revocation tool calls under prompt injection that bypasses application-layer guardrails, and cascading revocation across a 49-agent four-level hierarchy within the theoretical bound.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

HBHC shows a workable offline revocation scheme for AI agent hierarchies using heartbeats, with solid practical results on LLM swarms, but the core bound still rests on enclave and clock-skew assumptions that lack detailed threat analysis.

read the letter

The paper's main contribution is a protocol that binds hierarchical credentials to periodic parent heartbeats so local verifiers can reject stale descendant credentials without any network call. When the parent stops sending heartbeats, the window until all children are unusable is claimed to be bounded by W_max plus heartbeat interval plus clock skew. They report this cuts the zombie window by 90x compared with OAuth 2.0 introspection in their tests with GPT-4o-mini agents, plus 0.26 ms authentication, 18k verifications per second, and only 0.71% overhead on tool calls. The cascading revocation across a four-level 49-agent hierarchy stayed inside the stated bound. Those numbers are the concrete part worth noting for anyone running multi-agent systems that need fast shutdown after compromise or operator intervention. The experiments with real LLM-backed agents and concurrent load give it more weight than a pure protocol sketch. The soft spots are exactly where the stress-test flagged. The deterministic bound only holds if parent keys stay inside secure enclaves and clock skew stays under epsilon; the abstract states these conditions but the provided description does not include a formal threat model, side-channel analysis, or reduction showing the bound survives enclave compromise or supply-chain attacks on the agents. Performance figures are given without raw traces, variance numbers, or derivation steps for the theoretical bound. That makes the central claim harder to verify from the text alone. This work is aimed at researchers and engineers building revocation for autonomous agent swarms where network access cannot be guaranteed. It deserves a serious referee because it identifies a practical gap and supplies end-to-end measurements on actual LLM agents, even though the security argument would benefit from more formal grounding and adversarial analysis.

Referee Report

2 major / 1 minor

Summary. The paper introduces Heartbeat-Bound Hierarchical Credentials (HBHC), a cryptographic protocol for revoking credentials in AI agent swarms. It binds credential validity to periodic parent liveness proofs (heartbeats) so that verifiers can enforce freshness using only a cached public key and local clock, without network access. The central claim is that when heartbeat generation ceases, all descendant credentials become unusable within a deterministically bounded window W_z ≤ W_max + Δ_h + ε, conditional on bounded clock skew and parent keys held in secure enclaves. The manuscript reports a 90× reduction in the zombie window versus OAuth 2.0, 0.26 ms full authentication latency in Rust, over 18,000 verifications per second under load, 0.71% end-to-end overhead on LLM tool calls, zero post-revocation tool calls under prompt injection, and successful cascading revocation across a 49-agent four-level hierarchy within the theoretical bound.

Significance. If the central claims hold, the work addresses a practical safety gap in autonomous multi-agent systems by enabling network-independent, deterministic revocation that existing mechanisms (OAuth introspection, OCSP, W3C status lists) cannot provide. Credit is due for the concrete evaluation with real LLM-backed agent swarms (GPT-4o-mini), the reported performance numbers (0.26 ms authentication, 18k+ verifications/sec, 0.71% overhead), and the demonstration of zero post-revocation actions plus hierarchy-wide cascading revocation. These elements make the result potentially impactful for secure AI agent deployments if the enclave and clock-skew assumptions can be substantiated.

major comments (2)

[Abstract and Security Analysis] Abstract (final paragraph) and Security Analysis section: The bound W_z ≤ W_max + Δ_h + ε is presented as deterministic yet rests on the unverified assumptions that parent keys remain in secure enclaves and clock skew stays bounded by ε. No formal threat model, reduction, or analysis of enclave compromise vectors (side-channel attacks, supply-chain issues on LLM-hosted agents) is provided, which is load-bearing for the central revocation claim.
[Evaluation] Evaluation section: Performance claims (90× zombie-window reduction, 0.26 ms authentication, 18,000+ verifications/sec) are stated without derivation steps, error analysis, raw data, or statistical details on how measurements were obtained under concurrent load or with the 49-agent hierarchy. This undermines verification of the reported overhead and revocation effectiveness.

minor comments (1)

[Abstract] Notation for parameters (W_max, Δ_h, ε) is introduced in the abstract without an early dedicated definitions subsection, which could improve readability for readers unfamiliar with the protocol.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback and for recognizing the potential impact of HBHC on AI agent security. We address each major comment below with clarifications and commit to targeted revisions that strengthen the presentation of assumptions and experimental details.

read point-by-point responses

Referee: [Abstract and Security Analysis] Abstract (final paragraph) and Security Analysis section: The bound W_z ≤ W_max + Δ_h + ε is presented as deterministic yet rests on the unverified assumptions that parent keys remain in secure enclaves and clock skew stays bounded by ε. No formal threat model, reduction, or analysis of enclave compromise vectors (side-channel attacks, supply-chain issues on LLM-hosted agents) is provided, which is load-bearing for the central revocation claim.

Authors: We agree that the bound is conditional on the stated assumptions of secure enclaves and bounded clock skew, which are explicitly noted in the abstract and Security Analysis section. The section argues these are realistic for LLM-backed agents using trusted execution environments. To strengthen the manuscript, we will revise the Security Analysis section to add a dedicated threat model subsection. This will enumerate enclave compromise vectors (side-channel attacks, supply-chain risks) with discussion of mitigations and the conditions under which the deterministic bound holds. No changes to the protocol or core claims are needed. revision: yes
Referee: [Evaluation] Evaluation section: Performance claims (90× zombie-window reduction, 0.26 ms authentication, 18,000+ verifications/sec) are stated without derivation steps, error analysis, raw data, or statistical details on how measurements were obtained under concurrent load or with the 49-agent hierarchy. This undermines verification of the reported overhead and revocation effectiveness.

Authors: The 90× reduction follows directly from comparing HBHC's bounded window (W_max + Δ_h + ε, typically seconds) to OAuth 2.0 revocation delays documented in the literature (minutes to hours). Latency and throughput were measured in the Rust implementation using high-resolution timers over repeated trials under concurrent load, with the 49-agent hierarchy experiments reporting observed revocation times. We will add an appendix with experimental methodology, hardware details, trial counts, error analysis, and summarized data tables to support verification. This is a presentation improvement only. revision: yes

Circularity Check

0 steps flagged

No circularity: bound follows from protocol construction under explicit assumptions

full rationale

The abstract states the zombie window bound W_z ≤ W_max + Δ_h + ε directly as a consequence of the heartbeat protocol when heartbeats cease, conditional on secure-enclave parent keys and bounded clock skew. No equations, fitted parameters, or self-citations appear that would make this bound equivalent to its inputs by construction. The claim rests on the described cryptographic mechanism and reported measurements rather than renaming a known result or smuggling an ansatz. The derivation chain is therefore self-contained as a protocol guarantee.

Axiom & Free-Parameter Ledger

2 free parameters · 2 axioms · 0 invented entities

The protocol rests on standard cryptographic assumptions plus domain-specific requirements for secure hardware and bounded timing; no new particles or forces are introduced.

free parameters (2)

W_max
Maximum heartbeat interval chosen by system designer to set the revocation bound.
Δ_h
Heartbeat transmission delay parameter in the bound equation.

axioms (2)

domain assumption Parent keys remain protected inside secure enclaves
Invoked to ensure heartbeat authenticity without network checks.
domain assumption Clock skew between verifiers and parents is bounded by ε
Required for the deterministic window W_z to hold.

pith-pipeline@v0.9.0 · 5791 in / 1239 out tokens · 31334 ms · 2026-05-21T04:38:16.065619+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

35 extracted references · 35 canonical work pages · 1 internal anchor

[1]

Concrete Problems in AI Safety

Amodei, D., Olah, C., Steinhardt, J., Christiano, P., Schulman, J., Mané, D.: Concrete problems in AI safety. arXiv preprint arXiv:1606.06565 (2016). https://doi.org/10.48550/arXiv.1606.06565

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.1606.06565 2016
[2]

Babo, Z.: ZombieAgent: A zero-click AI agent vulnerability. Radware Threat Advisory (2026),https://www.radware.com/security/threat- advisories- and- attack- reports/zombieagent/, reported to OpenAI via BugCrowd, September 2025; patched December 2025

work page 2026
[3]

In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2014)

Birgisson, A., Politz, J.G., Úlfar Erlingsson, Taly, A., Vrable, M., Lentczner, M.:Macaroons:Cookieswithcontextualcaveatsfordecentralizedauthoriza- tion in the cloud. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2014)

work page 2014
[4]

In: Proceedings of the 7th USENIX Symposium on Operating Sys- tems Design and Implementation (OSDI)

Burrows, M.: The chubby lock service for loosely-coupled distributed sys- tems. In: Proceedings of the 7th USENIX Symposium on Operating Sys- tems Design and Implementation (OSDI). pp. 335–350. USENIX Associa- tion (2006)

work page 2006
[5]

In: Advances in Cryptology – CRYPTO 2002

Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Advances in Cryptology – CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer (2002).https: //doi.org/10.1007/3-540-45708-9_5

work page doi:10.1007/3-540-45708-9_5 2002
[6]

Journal of the ACM43(2), 225–267 (1996).https: //doi.org/10.1145/226643.226647

Chandra, T.D., Toueg, S.: Unreliable failure detectors for reliable dis- tributed systems. Journal of the ACM43(2), 225–267 (1996).https: //doi.org/10.1145/226643.226647

work page doi:10.1145/226643.226647 1996
[7]

In: 2020 IEEE European Symposium on Security and Privacy (EuroS&P), pp

Chuat, L., Abdou, A., Sasse, R., Sprenger, C., Basin, D., Perrig, A.: SoK: Delegation and revocation, the missing links in the web’s chain of trust. In: Proceedings of the IEEE European Symposium on Security and Pri- vacy (EuroS&P). pp. 624–638. IEEE (2020).https://doi.org/10.1109/ EuroSP48549.2020.00046

work page arXiv 2020
[8]

In: Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES)

Colombatto, A., Giorgino, L., Vesco, A.: An identity key management sys- tem with deterministic key hierarchy for SSI-native Internet of Things. In: Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES). ACM (2024).https://doi.org/10.1145/3664476. 3669929

work page doi:10.1145/3664476 2024
[9]

IACR Cryptology ePrint Archive2016, 86 (2016),https://eprint.iacr.org/2016/086

Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptology ePrint Archive2016, 86 (2016),https://eprint.iacr.org/2016/086

work page 2016
[10]

ACM Computing Surveys57(7), 182 (2025).https://doi.org/10

Deng, Z., Guo, Y., Han, C., Ma, W., Xiong, J., Wen, S., Xiang, Y.: AI agents under threat: A survey of key security challenges and future path- ways. ACM Computing Surveys57(7), 182 (2025).https://doi.org/10. 1145/3716628

work page 2025
[11]

In: Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES)

Deochake, S., Channapattan, V.: Identity and access management frame- work for multi-tenant resources in hybrid cloud computing. In: Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES). ACM (2022).https://doi.org/10.1145/3538969.3544896 Heartbeat-Bound Hierarchical Credentials 25

work page doi:10.1145/3538969.3544896 2022
[12]

https://doi.org/10.48550/arXiv.2510.16067

Deochake, S., Murphy, R., Gearheart, J.: A multi-cloud framework for zero-trustworkloadauthentication.arXivpreprintarXiv:2510.16067(2025). https://doi.org/10.48550/arXiv.2510.16067

work page doi:10.48550/arxiv.2510.16067 2025
[13]

Internet-draft draft-dijkhuis-cfrg-hdkeys-01, IETF (2024), work in progress

Dijkhuis, S.: Hierarchical deterministic keys for the IETF. Internet-draft draft-dijkhuis-cfrg-hdkeys-01, IETF (2024), work in progress

work page 2024
[14]

IEEE Trans- actions on Information Theory29(2), 198–208 (1983).https://doi.org/ 10.1109/TIT.1983.1056650

Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans- actions on Information Theory29(2), 198–208 (1983).https://doi.org/ 10.1109/TIT.1983.1056650

work page doi:10.1109/tit.1983.1056650 1983
[15]

Official Journal of the European Union (2024), article 9: Risk Management; Article 14: Human Oversight

European Parliament and Council of the European Union: Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI act). Official Journal of the European Union (2024), article 9: Risk Management; Article 14: Human Oversight

work page 2024
[16]

arXiv preprint arXiv:2404.16244 (2024).https://doi.org/10.48550/arXiv.2404.16244

Gabriel, I., Manzini, A., Keeling, G., Hendricks, L.A., Rieser, V., Iqbal, H., Tomašev, N., Ktena, I., Kenton, Z., Rodriguez, M., El-Sayed, S., Brown, S., Blunsom, P., Isaac, W.: The ethics of advanced AI assistants. arXiv preprint arXiv:2404.16244 (2024).https://doi.org/10.48550/arXiv.2404.16244

work page doi:10.48550/arxiv.2404.16244 2024
[17]

arXiv preprint arXiv:2511.02841 (2025)

Garzon, S.R., Vaziry, A., Kuzu, E.M., Gehrmann, D.E., Varkan, B., Ga- balla, A., Küpper, A.: AI agents with decentralized identifiers and verifiable credentials. arXiv preprint arXiv:2511.02841 (2025)

work page arXiv 2025
[18]

arXiv preprint arXiv:2509.13597 (2025).https://doi.org/10

Goswami, A.: Agentic JWT: A secure delegation protocol for autonomous AI agents. arXiv preprint arXiv:2509.13597 (2025).https://doi.org/10. 48550/arXiv.2509.13597

work page arXiv 2025
[19]

In: Proceedings of the 12th ACM Symposium on Operating Systems Principles (SOSP)

Gray, C.G., Cheriton, D.R.: Leases: An efficient fault-tolerant mechanism for distributed file cache consistency. In: Proceedings of the 12th ACM Symposium on Operating Systems Principles (SOSP). pp. 202–210. ACM (1989).https://doi.org/10.1145/74851.74870

work page doi:10.1145/74851.74870 1989
[20]

In: Proceedings of the 41st International Confer- ence on Machine Learning (ICML) (2024)

Gu, X., Zheng, X., Pang, T., Du, C., Liu, Q., Wang, Y., Jiang, J., Lin, M.: Agent smith: A single image can jailbreak one million multimodal LLM agents exponentially fast. In: Proceedings of the 41st International Confer- ence on Machine Learning (ICML) (2024)

work page 2024
[21]

Multi-agent risks from advanced ai,

Hammond, L., Chan, A., Clifton, J., Hoelscher-Obermaier, J., Khan, A., McLean, E., Smith, C., Barfuss, W., Foerster, J., Gavenčiak, T., Han, T.A., Hughes, E., Kovařík, V., Kulveit, J., Leibo, J.Z., Oesterheld, C., de Witt, C.S., Shah, N., Wellman, M., Bova, P., Cimpeanu, T., Ezell, C., Feuillade- Montixi, Q., Franklin, M., Kran, E., Krawczuk, I., Lamparth...

work page doi:10.48550/arxiv.2502.14143 2025
[22]

In: Proceedings of the 2010 USENIX Annual Technical Conference (USENIX ATC)

Hunt, P., Konar, M., Junqueira, F.P., Reed, B.: ZooKeeper: Wait-free co- ordination for internet-scale systems. In: Proceedings of the 2010 USENIX Annual Technical Conference (USENIX ATC). USENIX Association (2010)

work page 2010
[23]

International Journal of Information Security1(1), 36–63 (2001).https://doi.org/10.1007/s102070100002 26 S

Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). International Journal of Information Security1(1), 36–63 (2001).https://doi.org/10.1007/s102070100002 26 S. Deochake

work page doi:10.1007/s102070100002 2001
[24]

Internet-draft draft-klrc-aiagent- auth-01, IETF (2026), work in progress; authors from Defakto Security, AWS, Zscaler, Ping Identity, OpenAI

Kasselman, P., Lombardo, J., Rosomakho, Y., Campbell, B., Steele, N.: AI agent authentication and authorization. Internet-draft draft-klrc-aiagent- auth-01, IETF (2026), work in progress; authors from Defakto Security, AWS, Zscaler, Ping Identity, OpenAI

work page 2026
[25]

RFC 5869, IETF (2010)

Krawczyk, H., Eronen, P.: HMAC-based extract-and-expand key derivation function (HKDF). RFC 5869, IETF (2010)

work page 2010
[26]

Filtered modules with coefficients

Ménétrey, J., Göttel, C., Khurshid, A., Pasin, M., Felber, P., Schiavoni, V., Raza, S.: Attestation mechanisms for trusted execution environments demystified. In: Proceedings of the 22nd International Conference on Dis- tributed Applications and Interoperable Systems (DAIS). LNCS, vol. 13272, pp. 95–113. Springer (2022).https://doi.org/10.1007/978- 3- 031...

work page doi:10.1007/978- 2022
[27]

In: Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P)

Muid, M.R.A., Chung, T., Hoang, T.: AccuRevoke: Enhancing certificate revocation with distributed cryptographic accumulators. In: Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P). IEEE (2025)

work page 2025
[28]

Internet-draft draft-oauth- transaction-tokens-for-agents-00, IETF (2025), work in progress

Raut, A.: Transaction tokens for agents. Internet-draft draft-oauth- transaction-tokens-for-agents-00, IETF (2025), work in progress

work page 2025
[29]

RFC 7662, IETF (2015)

Richer, J.: OAuth 2.0 token introspection. RFC 7662, IETF (2015)

work page 2015
[30]

Specialpublication800-207,NationalInstituteofStandardsandTechnology (NIST) (2020).https://doi.org/10.6028/NIST.SP.800-207

Rose, S., Borchert, O., Mitchell, S., Connelly, S.: Zero trust architecture. Specialpublication800-207,NationalInstituteofStandardsandTechnology (NIST) (2020).https://doi.org/10.6028/NIST.SP.800-207

work page doi:10.6028/nist.sp.800-207 2020
[31]

RFC 6960, IETF (2013)

Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: X.509 internet public key infrastructure online certificate status protocol – OCSP. RFC 6960, IETF (2013)

work page 2013
[32]

In: Pro- ceedings of the 42nd International Conference on Machine Learning (ICML) (2025), position Paper Track (Oral)

South, T., Marro, S., Hardjono, T., Mahari, R., Whitney, C., Chan, A., Pentland, A.: Position: AI agents need authenticated delegation. In: Pro- ceedings of the 42nd International Conference on Machine Learning (ICML) (2025), position Paper Track (Oral)

work page 2025
[33]

W3C recommendation, World Wide Web Consortium (W3C) (2025),https://www.w3.org/TR/vc-data-model-2.0/

Sporny, M., Longley, D., Chadwick, D., Herman, I.: Verifiable credentials data model v2.0. W3C recommendation, World Wide Web Consortium (W3C) (2025),https://www.w3.org/TR/vc-data-model-2.0/

work page 2025
[34]

W3C recommendation, World Wide Web Consortium (W3C) (May 2025),https://www.w3.org/TR/2025/REC-vc-bitstring-status-list- 20250515/

Sporny, M., Longley, D., Prorock, M., Alkhraishi, M.: Bitstring status list v1.0. W3C recommendation, World Wide Web Consortium (W3C) (May 2025),https://www.w3.org/TR/2025/REC-vc-bitstring-status-list- 20250515/

work page 2025
[35]

Bitcoin Improvement Proposal (2012),https://github.com/bitcoin/bips/blob/master/bip- 0032.mediawiki

Wuille, P.: BIP-32: Hierarchical deterministic wallets. Bitcoin Improvement Proposal (2012),https://github.com/bitcoin/bips/blob/master/bip- 0032.mediawiki

work page 2012

[1] [1]

Concrete Problems in AI Safety

Amodei, D., Olah, C., Steinhardt, J., Christiano, P., Schulman, J., Mané, D.: Concrete problems in AI safety. arXiv preprint arXiv:1606.06565 (2016). https://doi.org/10.48550/arXiv.1606.06565

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.1606.06565 2016

[2] [2]

Babo, Z.: ZombieAgent: A zero-click AI agent vulnerability. Radware Threat Advisory (2026),https://www.radware.com/security/threat- advisories- and- attack- reports/zombieagent/, reported to OpenAI via BugCrowd, September 2025; patched December 2025

work page 2026

[3] [3]

In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2014)

Birgisson, A., Politz, J.G., Úlfar Erlingsson, Taly, A., Vrable, M., Lentczner, M.:Macaroons:Cookieswithcontextualcaveatsfordecentralizedauthoriza- tion in the cloud. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2014)

work page 2014

[4] [4]

In: Proceedings of the 7th USENIX Symposium on Operating Sys- tems Design and Implementation (OSDI)

Burrows, M.: The chubby lock service for loosely-coupled distributed sys- tems. In: Proceedings of the 7th USENIX Symposium on Operating Sys- tems Design and Implementation (OSDI). pp. 335–350. USENIX Associa- tion (2006)

work page 2006

[5] [5]

In: Advances in Cryptology – CRYPTO 2002

Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Advances in Cryptology – CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer (2002).https: //doi.org/10.1007/3-540-45708-9_5

work page doi:10.1007/3-540-45708-9_5 2002

[6] [6]

Journal of the ACM43(2), 225–267 (1996).https: //doi.org/10.1145/226643.226647

Chandra, T.D., Toueg, S.: Unreliable failure detectors for reliable dis- tributed systems. Journal of the ACM43(2), 225–267 (1996).https: //doi.org/10.1145/226643.226647

work page doi:10.1145/226643.226647 1996

[7] [7]

In: 2020 IEEE European Symposium on Security and Privacy (EuroS&P), pp

Chuat, L., Abdou, A., Sasse, R., Sprenger, C., Basin, D., Perrig, A.: SoK: Delegation and revocation, the missing links in the web’s chain of trust. In: Proceedings of the IEEE European Symposium on Security and Pri- vacy (EuroS&P). pp. 624–638. IEEE (2020).https://doi.org/10.1109/ EuroSP48549.2020.00046

work page arXiv 2020

[8] [8]

In: Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES)

Colombatto, A., Giorgino, L., Vesco, A.: An identity key management sys- tem with deterministic key hierarchy for SSI-native Internet of Things. In: Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES). ACM (2024).https://doi.org/10.1145/3664476. 3669929

work page doi:10.1145/3664476 2024

[9] [9]

IACR Cryptology ePrint Archive2016, 86 (2016),https://eprint.iacr.org/2016/086

Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptology ePrint Archive2016, 86 (2016),https://eprint.iacr.org/2016/086

work page 2016

[10] [10]

ACM Computing Surveys57(7), 182 (2025).https://doi.org/10

Deng, Z., Guo, Y., Han, C., Ma, W., Xiong, J., Wen, S., Xiang, Y.: AI agents under threat: A survey of key security challenges and future path- ways. ACM Computing Surveys57(7), 182 (2025).https://doi.org/10. 1145/3716628

work page 2025

[11] [11]

In: Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES)

Deochake, S., Channapattan, V.: Identity and access management frame- work for multi-tenant resources in hybrid cloud computing. In: Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES). ACM (2022).https://doi.org/10.1145/3538969.3544896 Heartbeat-Bound Hierarchical Credentials 25

work page doi:10.1145/3538969.3544896 2022

[12] [12]

https://doi.org/10.48550/arXiv.2510.16067

Deochake, S., Murphy, R., Gearheart, J.: A multi-cloud framework for zero-trustworkloadauthentication.arXivpreprintarXiv:2510.16067(2025). https://doi.org/10.48550/arXiv.2510.16067

work page doi:10.48550/arxiv.2510.16067 2025

[13] [13]

Internet-draft draft-dijkhuis-cfrg-hdkeys-01, IETF (2024), work in progress

Dijkhuis, S.: Hierarchical deterministic keys for the IETF. Internet-draft draft-dijkhuis-cfrg-hdkeys-01, IETF (2024), work in progress

work page 2024

[14] [14]

IEEE Trans- actions on Information Theory29(2), 198–208 (1983).https://doi.org/ 10.1109/TIT.1983.1056650

Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans- actions on Information Theory29(2), 198–208 (1983).https://doi.org/ 10.1109/TIT.1983.1056650

work page doi:10.1109/tit.1983.1056650 1983

[15] [15]

Official Journal of the European Union (2024), article 9: Risk Management; Article 14: Human Oversight

European Parliament and Council of the European Union: Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI act). Official Journal of the European Union (2024), article 9: Risk Management; Article 14: Human Oversight

work page 2024

[16] [16]

arXiv preprint arXiv:2404.16244 (2024).https://doi.org/10.48550/arXiv.2404.16244

Gabriel, I., Manzini, A., Keeling, G., Hendricks, L.A., Rieser, V., Iqbal, H., Tomašev, N., Ktena, I., Kenton, Z., Rodriguez, M., El-Sayed, S., Brown, S., Blunsom, P., Isaac, W.: The ethics of advanced AI assistants. arXiv preprint arXiv:2404.16244 (2024).https://doi.org/10.48550/arXiv.2404.16244

work page doi:10.48550/arxiv.2404.16244 2024

[17] [17]

arXiv preprint arXiv:2511.02841 (2025)

Garzon, S.R., Vaziry, A., Kuzu, E.M., Gehrmann, D.E., Varkan, B., Ga- balla, A., Küpper, A.: AI agents with decentralized identifiers and verifiable credentials. arXiv preprint arXiv:2511.02841 (2025)

work page arXiv 2025

[18] [18]

arXiv preprint arXiv:2509.13597 (2025).https://doi.org/10

Goswami, A.: Agentic JWT: A secure delegation protocol for autonomous AI agents. arXiv preprint arXiv:2509.13597 (2025).https://doi.org/10. 48550/arXiv.2509.13597

work page arXiv 2025

[19] [19]

In: Proceedings of the 12th ACM Symposium on Operating Systems Principles (SOSP)

Gray, C.G., Cheriton, D.R.: Leases: An efficient fault-tolerant mechanism for distributed file cache consistency. In: Proceedings of the 12th ACM Symposium on Operating Systems Principles (SOSP). pp. 202–210. ACM (1989).https://doi.org/10.1145/74851.74870

work page doi:10.1145/74851.74870 1989

[20] [20]

In: Proceedings of the 41st International Confer- ence on Machine Learning (ICML) (2024)

Gu, X., Zheng, X., Pang, T., Du, C., Liu, Q., Wang, Y., Jiang, J., Lin, M.: Agent smith: A single image can jailbreak one million multimodal LLM agents exponentially fast. In: Proceedings of the 41st International Confer- ence on Machine Learning (ICML) (2024)

work page 2024

[21] [21]

Multi-agent risks from advanced ai,

Hammond, L., Chan, A., Clifton, J., Hoelscher-Obermaier, J., Khan, A., McLean, E., Smith, C., Barfuss, W., Foerster, J., Gavenčiak, T., Han, T.A., Hughes, E., Kovařík, V., Kulveit, J., Leibo, J.Z., Oesterheld, C., de Witt, C.S., Shah, N., Wellman, M., Bova, P., Cimpeanu, T., Ezell, C., Feuillade- Montixi, Q., Franklin, M., Kran, E., Krawczuk, I., Lamparth...

work page doi:10.48550/arxiv.2502.14143 2025

[22] [22]

In: Proceedings of the 2010 USENIX Annual Technical Conference (USENIX ATC)

Hunt, P., Konar, M., Junqueira, F.P., Reed, B.: ZooKeeper: Wait-free co- ordination for internet-scale systems. In: Proceedings of the 2010 USENIX Annual Technical Conference (USENIX ATC). USENIX Association (2010)

work page 2010

[23] [23]

International Journal of Information Security1(1), 36–63 (2001).https://doi.org/10.1007/s102070100002 26 S

Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). International Journal of Information Security1(1), 36–63 (2001).https://doi.org/10.1007/s102070100002 26 S. Deochake

work page doi:10.1007/s102070100002 2001

[24] [24]

Internet-draft draft-klrc-aiagent- auth-01, IETF (2026), work in progress; authors from Defakto Security, AWS, Zscaler, Ping Identity, OpenAI

Kasselman, P., Lombardo, J., Rosomakho, Y., Campbell, B., Steele, N.: AI agent authentication and authorization. Internet-draft draft-klrc-aiagent- auth-01, IETF (2026), work in progress; authors from Defakto Security, AWS, Zscaler, Ping Identity, OpenAI

work page 2026

[25] [25]

RFC 5869, IETF (2010)

Krawczyk, H., Eronen, P.: HMAC-based extract-and-expand key derivation function (HKDF). RFC 5869, IETF (2010)

work page 2010

[26] [26]

Filtered modules with coefficients

Ménétrey, J., Göttel, C., Khurshid, A., Pasin, M., Felber, P., Schiavoni, V., Raza, S.: Attestation mechanisms for trusted execution environments demystified. In: Proceedings of the 22nd International Conference on Dis- tributed Applications and Interoperable Systems (DAIS). LNCS, vol. 13272, pp. 95–113. Springer (2022).https://doi.org/10.1007/978- 3- 031...

work page doi:10.1007/978- 2022

[27] [27]

In: Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P)

Muid, M.R.A., Chung, T., Hoang, T.: AccuRevoke: Enhancing certificate revocation with distributed cryptographic accumulators. In: Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P). IEEE (2025)

work page 2025

[28] [28]

Internet-draft draft-oauth- transaction-tokens-for-agents-00, IETF (2025), work in progress

Raut, A.: Transaction tokens for agents. Internet-draft draft-oauth- transaction-tokens-for-agents-00, IETF (2025), work in progress

work page 2025

[29] [29]

RFC 7662, IETF (2015)

Richer, J.: OAuth 2.0 token introspection. RFC 7662, IETF (2015)

work page 2015

[30] [30]

Specialpublication800-207,NationalInstituteofStandardsandTechnology (NIST) (2020).https://doi.org/10.6028/NIST.SP.800-207

Rose, S., Borchert, O., Mitchell, S., Connelly, S.: Zero trust architecture. Specialpublication800-207,NationalInstituteofStandardsandTechnology (NIST) (2020).https://doi.org/10.6028/NIST.SP.800-207

work page doi:10.6028/nist.sp.800-207 2020

[31] [31]

RFC 6960, IETF (2013)

Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: X.509 internet public key infrastructure online certificate status protocol – OCSP. RFC 6960, IETF (2013)

work page 2013

[32] [32]

In: Pro- ceedings of the 42nd International Conference on Machine Learning (ICML) (2025), position Paper Track (Oral)

South, T., Marro, S., Hardjono, T., Mahari, R., Whitney, C., Chan, A., Pentland, A.: Position: AI agents need authenticated delegation. In: Pro- ceedings of the 42nd International Conference on Machine Learning (ICML) (2025), position Paper Track (Oral)

work page 2025

[33] [33]

W3C recommendation, World Wide Web Consortium (W3C) (2025),https://www.w3.org/TR/vc-data-model-2.0/

Sporny, M., Longley, D., Chadwick, D., Herman, I.: Verifiable credentials data model v2.0. W3C recommendation, World Wide Web Consortium (W3C) (2025),https://www.w3.org/TR/vc-data-model-2.0/

work page 2025

[34] [34]

W3C recommendation, World Wide Web Consortium (W3C) (May 2025),https://www.w3.org/TR/2025/REC-vc-bitstring-status-list- 20250515/

Sporny, M., Longley, D., Prorock, M., Alkhraishi, M.: Bitstring status list v1.0. W3C recommendation, World Wide Web Consortium (W3C) (May 2025),https://www.w3.org/TR/2025/REC-vc-bitstring-status-list- 20250515/

work page 2025

[35] [35]

Bitcoin Improvement Proposal (2012),https://github.com/bitcoin/bips/blob/master/bip- 0032.mediawiki

Wuille, P.: BIP-32: Hierarchical deterministic wallets. Bitcoin Improvement Proposal (2012),https://github.com/bitcoin/bips/blob/master/bip- 0032.mediawiki

work page 2012