Enterprise · Agent Identity & Zero Trust

Agent identity and zero trust for AI

Every AI agent — Claude Desktop, ChatGPT Connectors, Copilot, MCP servers, custom CLIs — gets its own cryptographic identity. Every request re-authenticated, scoped, and recorded. Default deny, never trust.

Three pillars of enterprise AI governance

Per-agent identity, not user impersonation

Each AI client has its own JWT-backed identity, distinct from the human's OAuth grant. The agent never holds your customer's Google or Microsoft refresh token. Revoking one agent does not disrupt the rest of the user's AI stack.

Continuous verification on every request

No session trust. Every call re-validates the agent identity, the requested scope, the policy attribute set, and the device + environment posture. A compromised token has a blast radius of one request, not one session.

Microsegmentation by default

Smallest possible scope: one folder, one label, one verb, one expiry, one device posture, one AI client. Lateral movement is structurally impossible — there is no implicit "this agent can also reach Drive" path to exploit.

Compliance map

How agent identity & zero trust help you satisfy the controls your auditors read

| Requirement | What PortEden does | Evidence |
| --- | --- | --- |
| NIST 800-207 — Zero Trust Architecture | Per-request authentication, encryption everywhere, dynamic policy evaluation. PortEden implements all seven ZT tenets at the AI/data boundary. | Per-request authn + dynamic policy · all seven ZT tenets at the AI boundary |
| CISA Zero Trust Maturity Model — Identity, Devices, Networks, Applications, Data | Identity pillar: per-agent JWTs. Devices: posture as a policy attribute. Networks: TLS 1.3 end-to-end. Applications: policy-checked per call. Data: redacted at egress. | Per-agent JWTs · device posture as policy attribute · per-call check |
| NIST 800-53 IA-2 / IA-4 / IA-5 / IA-8 — Identification & authentication | Unique agent identifiers (IA-2), identifier management (IA-4), authenticator strength via signed JWTs with short expiry (IA-5), non-organizational user authentication for cross-tenant agents (IA-8). | Unique per-agent identifiers · short-expiry signed JWTs · cross-tenant authn |
| NIST 800-53 AC-3 / AC-4 — Access enforcement & information flow | Six-layer enforcement on every request. Information flow controls prevent lateral movement between scopes; cross-scope reads require explicit policy. | Six-layer per-request enforcement · cross-scope reads require explicit policy |
| CMMC 2.0 IA.L2 — Identification & authentication (Level 2) | Multi-factor for users; device + environment attributes for agents. Per-agent identity supports IA.L2-3.5.1 and IA.L2-3.5.2 traceability. | Per-agent identity trail · device + environment attribute capture |
| FedRAMP — IA + AC control families | Per-agent identity, dynamic policy evaluation, and per-request audit-trail evidence at the AI/data boundary. Each AI client carries its own short-lived, scoped JWT — no shared service accounts, no implicit trust. | Per-agent JWT identity · dynamic policy per request · tamper-evident audit |
| EU AI Act Art. 14 — Human oversight | Every agent is identifiable, traceable, and revocable by a named human. Approval workflows route policy-uncertain requests to humans without breaking automation. | Per-agent revocation trail · human-in-the-loop approval workflows |
| ISO 27001 A.5.16 / A.5.17 — Identity management & authentication info | Documented identity lifecycle for both humans and agents. Authenticator material is rotated, revoked, and audited per the same process. | Documented identity lifecycle · rotation + revocation audit trail |

Built for procurement

DPA available
Subprocessor list
SIG / CAIQ pre-filled
Pen-test report on request

Talk to our enterprise team

30-minute discovery call. Bring your security questionnaire.

Frequently Asked Questions

What does "agent identity" mean for AI?
Agent identity treats each AI client — Claude Desktop, ChatGPT, Copilot, Gemini, an MCP server, a custom CLI agent — as a distinct principal with its own credentials, scopes, and audit trail. Today most AI integrations piggyback on the human user's OAuth grant, which means the AI inherits everything the user can see. Agent identity inverts that: the AI gets its own short-lived, narrowly-scoped JWT — issued, rotated, and revoked independently of the human's session.

How does zero trust apply to AI agents specifically?
Zero trust assumes no implicit trust based on network location or prior authentication. For AI agents, that means every prompt, every tool call, and every MCP request is re-authenticated against the agent's identity, re-authorized against current policy, and re-evaluated against environmental attributes (time, device, network). NIST 800-207 calls this per-request decision-making — PortEden implements it at the AI/data boundary so your existing zero-trust network architecture extends to the AI layer.

How is this different from OAuth?
OAuth grants the agent the user's refresh token, which can typically be exchanged for a long-lived access token with broad scopes. PortEden never lets the agent hold the upstream refresh token. The agent receives a short-lived JWT (typically minutes-to-hours) scoped to one resource, one set of verbs, and one AI client. The user's OAuth grant stays in PortEden's vault; the agent's JWT is what travels over the wire.

Do I need to issue a separate identity for every Claude Desktop user?
No. Identity is provisioned automatically when a user connects an AI client. Each (user × AI client) combination gets its own identity, derived from your IdP's user attributes. Joiner-mover-leaver events update or revoke the agent's identity in seconds, the same way they update the user's IdP record.

How does this work with hosted MCP servers?
MCP servers are first-class principals in the policy model. PortEden hosts MCP servers for Claude (Desktop and Web), ChatGPT (via Connectors), Cursor, and Gemini — each with its own server identity. Tool calls from an MCP server carry both the server identity and the user's agent identity, so policies can scope by either dimension ("only Claude Desktop can call delete_email", "only this user's agents can read this folder").

What's the relationship to NIST 800-207?
NIST 800-207 specifies seven tenets of zero trust architecture: per-resource access decisions, dynamic policy, least privilege, encrypted communications, integrity monitoring, dynamic authentication, and continuous verification. PortEden implements all seven at the AI/data boundary. Per-request decisions are recorded in the audit trail; the trust algorithm is documented; the policy evaluator is the policy enforcement point.

Can I revoke a single agent without disrupting others?
Yes — revocation is per-agent. Killing the Claude Desktop identity for one user doesn't affect their ChatGPT, Copilot, Gemini, or CLI agents, doesn't affect other users' Claude Desktop, and doesn't affect the upstream OAuth grant to Google or Microsoft. The next request from the revoked agent gets denied at layer 1 with a per-request audit record. There is no propagation delay.
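
The answers on OAuth and on per-agent revocation describe a short-lived JWT scoped to one resource, one set of verbs, and one AI client, checked on every request. The sketch below is an added example, not PortEden's code: the claim names (`client`, `res`, `verbs`), the HS256 shared key, and the in-memory revocation set are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"   # assumption: constructed key; a real issuer uses managed keys
REVOKED = set()                 # assumption: in-memory list of revoked agent ids

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body):
    return hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def mint(agent_id, client, resource, verbs, ttl=300, now=None):
    """Issue a token for one agent: one AI client, one resource, a set of verbs, one expiry."""
    now = int(now if now is not None else time.time())
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": agent_id, "client": client, "res": resource,
                            "verbs": sorted(verbs), "exp": now + ttl}).encode())
    return f"{head}.{body}.{b64e(sign(head, body))}"

def revoke(agent_id):
    REVOKED.add(agent_id)       # affects only this (user x AI client) identity

def authorize(token, client, resource, verb, now=None):
    """Run on every request, never cached. Returns (allowed, reason); errors deny."""
    now = int(now if now is not None else time.time())
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sign(head, body), b64d(sig)):
            return False, "bad signature"
        if json.loads(b64d(head)).get("alg") != "HS256":    # pin the algorithm
            return False, "bad algorithm"
        c = json.loads(b64d(body))                          # parsed only after the MAC checks out
        if c["sub"] in REVOKED:
            return False, "agent revoked"
        if now >= c["exp"]:
            return False, "expired"
        if (c["client"], c["res"]) != (client, resource) or verb not in c["verbs"]:
            return False, "out of scope"
        return True, "ok"
    except Exception:
        return False, "malformed token"                     # default deny
```

Because `authorize` consults the revocation set on each call, a revoked agent's still-unexpired token fails on its next request while tokens for the same user's other AI clients keep working.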

Ready to govern AI across your organization?

Book a discovery call. Bring your security questionnaire — DPA, subprocessor list, and pen-test summary available on request.