May 26, 2026 · 8 min read · Kevin Lam

Hardware-backed agent identity: what FIDO taught us and what comes next

Tags: hardware-identity, agent-identity, TPM, HSM, SPIFFE, NHI, agentic-ai, FIDO2, WebAuthn, zero-trust

Agent identity passports today are software-only — signed JWTs that anyone with the issuer's private key can forge. Real agent identity needs the same hardware-rooted attestation we already use for human FIDO authentication: TPM, HSM, or secure enclave bindings that make the passport impossible to clone. Vendors who ship hardware-backed agent attestation in 2026-2027 will lead the next wave of identity infrastructure.

At RSAC 2026, I worked the Feitian booth for four days. Three of every five CISOs who stopped at our table eventually asked the same question, unprompted: "what does FIDO do when an AI agent takes an action on behalf of a human?" None of them had a vendor answer. They'd been to Aembit's booth, Astrix's booth, Oasis's booth — software-only governance, no hardware story. They'd been to Cisco's RSAC keynote — agent identity mapped to human owners, but the passport itself was still software. That gap — hardware-rooted agent identity — is what this piece is about. It's the next decade of identity, and it's an open productization gap as of May 2026.

What's broken about agent identity passports today?

Every major agent identity system shipping in 2025-2026 is built on software-issued credentials: signed JWTs, OAuth tokens, API keys. The security property is only as strong as the issuer's key management. If the KMS is compromised — or if a developer accidentally commits a service account key — every agent "identity" that key ever issued is instantly forgeable.

OWASP NHI Top 10 2025 leads with exactly this: improperly secured credentials are the #1 non-human identity risk. A working agent identity demo today is essentially "trust the issuer's KMS." That's better than nothing — but it's not hardware-rooted, and it's not phishing-resistant for the agent.

The deeper problem: as agents gain privilege — rotating credentials, calling financial APIs, orchestrating infrastructure changes — the blast radius of a forged agent passport grows to match. Software-only attestation at human-level privilege is the architecture that gets us the first major AI-agent breach headline. The question isn't whether it will happen; it's whether vendors will have shipped hardware roots before it does.

What FIDO taught us about hardware-rooted identity

FIDO2/WebAuthn solved the phishing problem for humans by anchoring authentication to a hardware-bound key pair. The private key is generated inside the authenticator — a YubiKey, a TPM chip, a Secure Enclave — and never exported. An attacker who steals your password still cannot authenticate, because authentication requires a signed challenge from hardware they don't control.

This is what made passkeys credible to enterprise buyers. The property is not "better encryption" or "longer keys" — it's that the credential is physically uncloneable. Phishing-resistant by construction, not by policy. The private key never leaves the device: that sentence alone is worth several years of enterprise sales cycles.

The same primitive applies to agents. An agent's identity credential — its passport for calling APIs, taking actions, operating on behalf of a human — should be bound to hardware that cannot be extracted. Different consumer, same security model. FIDO already proved the market will pay for this property in the human context. The productization gap is applying it to non-human contexts.

Where current vendors stand (May 2026)

Here's the honest state of the market:

• Aembit, Astrix, Oasis Security, Veza: solving discovery, access policy, and lifecycle management for non-human identities. Excellent software-layer governance. None are leading with hardware-rooted attestation — that's not the product they've built.

• SPIFFE/SPIRE: workload identity with solid cryptographic primitives. SVIDs (X.509 or JWT) are issued by a trust root and cryptographically verifiable. But SPIRE's default trust root is KMS-backed, not hardware-enclave-backed. HSM-backed SPIRE is possible; it's not the default, and no vendor is packaging it as a turnkey agent identity story.

• Cisco Duo agent identity (announced at RSAC 2025): maps agents to human owners, extends Duo's trust model to AI-acting-as-human flows. Excellent for auditability. Doesn't address whether the agent passport itself is hardware-rooted — the identity is software-issued and software-verified.

• The gap: TPM 2.0 attestation key issuance for agent passports, HSM-signed SVIDs, secure-enclave-bound private keys for non-extractable workload credentials. This is the open productization space. None of the named vendors are leading with this message. Feitian builds the hardware half of this stack. The question is which identity vendor builds the other half.

What hardware-rooted agent identity actually looks like

The primitives already exist. TPM 2.0 has an Attestation Key (AK) that can sign identity claims on behalf of a workload running on that platform. An HSM can issue a SPIFFE SVID with a private key that never leaves the module. A secure enclave (Intel TDX, AMD SEV-SNP, AWS Nitro) can generate a key pair where the private key is hardware-bound to that specific enclave instance.

For the agent identity use case, the flow would look like this: the agent runtime requests a credential from a hardware-backed attestation service; the attestation service verifies the platform measurement (PCR values from the TPM, or an enclave attestation report); if the measurement matches the expected workload identity, the attestation service issues a signed passport. The private key that passport is bound to cannot be extracted from the hardware, so an attacker who compromises the agent's memory still cannot forge a new signed credential.
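The issuance flow described above, extended to the relying party's check, as an added Go example that is not code from this post or from any vendor named in it. Ed25519 software keys simulate the TPM-held AK and agent key, one signed statement stands in for TPM2_Quote plus TPM2_Certify, and the `Policy` and `Passport` formats and every sample value are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Quote collapses TPM2_Quote plus TPM2_Certify into one AK-signed statement;
// Policy (what the issuer expects) and Passport are hypothetical formats.
type Quote struct{ Nonce, PCR, Sig []byte }
type Policy struct{ ID, WantPCR, AKPub []byte }
type Passport struct{ ID, Key, Sig []byte }

func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// Issue (attestation service) signs a passport only for a fresh, AK-signed, matching quote.
func Issue(issuer ed25519.PrivateKey, pol Policy, nonce, agentPub []byte, q Quote) (*Passport, error) {
	switch {
	case !bytes.Equal(q.Nonce, nonce):
		return nil, errors.New("stale or replayed quote")
	case !ed25519.Verify(pol.AKPub, cat(q.Nonce, q.PCR, agentPub), q.Sig):
		return nil, errors.New("quote not signed by enrolled AK")
	case !bytes.Equal(q.PCR, pol.WantPCR):
		return nil, errors.New("platform measurement mismatch")
	}
	return &Passport{pol.ID, agentPub, ed25519.Sign(issuer, cat(pol.ID, agentPub))}, nil
}

// Accept (relying party) also demands a fresh signature from the passport's hardware-held key.
func Accept(issuerPub []byte, p *Passport, challenge, pop []byte) bool {
	return ed25519.Verify(issuerPub, cat(p.ID, p.Key), p.Sig) && ed25519.Verify(p.Key, challenge, pop)
}

// Demo runs the flow on constructed values; software keys simulate the hardware.
func Demo() (owner, thief bool, tampered error) {
	akPub, ak, _ := ed25519.GenerateKey(nil)       // AK, would live in the TPM
	agentPub, agent, _ := ed25519.GenerateKey(nil) // agent key, also hardware-held
	issuerPub, issuer, _ := ed25519.GenerateKey(nil)
	_, other, _ := ed25519.GenerateKey(nil) // attacker copied the passport, not the key
	nonce, ch, good, bad := []byte("nonce-1"), []byte("challenge-1"), []byte("golden-pcr-digest"), []byte("modified-pcr-digest")
	pol := Policy{[]byte("spiffe://example.org/agent-a"), good, akPub}
	quote := func(pcr []byte) Quote { return Quote{nonce, pcr, ed25519.Sign(ak, cat(nonce, pcr, agentPub))} }
	p, _ := Issue(issuer, pol, nonce, agentPub, quote(good))
	_, tampered = Issue(issuer, pol, nonce, agentPub, quote(bad))
	return Accept(issuerPub, p, ch, ed25519.Sign(agent, ch)), Accept(issuerPub, p, ch, ed25519.Sign(other, ch)), tampered
}
func main() { fmt.Println(Demo()) }
```

The passport copied out of the agent's memory verifies against the issuer, yet `Accept` rejects it because the presenter cannot sign the challenge with the key the passport names.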

This is not a research problem. Every component is available today. It's a productization and packaging problem — specifically, the work of making hardware-backed attestation as easy to deploy as "npm install" for a workload credential. That work is undone.

Why this matters for buyers in 2026

EU AI Act compliance will increasingly require auditable chains of custody for AI agent actions — and "the agent used a JWT we issued" is not an audit trail that survives regulatory scrutiny in a high-stakes environment. Hardware-rooted identity creates a cryptographic proof chain: this specific agent, running on this specific hardware, issued this specific action, at this specific time. That proof survives.

For federal buyers, NIST SP 800-207 Zero Trust Architecture establishes that "authentication and authorization of both subject and device are discrete functions" — meaning device attestation is not optional in a zero-trust posture. Agent identity without hardware attestation is not a zero-trust-compliant agent identity. Federal buyers adopting agentic AI will eventually hit this requirement.

For financial services and healthcare buyers, the audit story is the buying story. The question is not "can AI agents act autonomously" — it's "can I prove what they did, prove they were authorized, and prove no one could have forged that authorization." Hardware-rooted attestation is the answer to the third clause.

What I'm watching at Cisco Live and Identiverse

Specific signals I will be tracking on the floor at both conferences:

• At Cisco Live: whether Duo's agent identity roadmap mentions hardware attestation at all — even a reference to TPM or enclave-based issuance would be a meaningful signal that the product team is thinking past software-only.

• At Identiverse: whether any NHI vendor (Aembit, Astrix, Oasis) is pitching hardware-backed issuance. If they are, ask specifically: is the private key hardware-bound, or is it a software key stored in a hardware-adjacent service?

• SPIFFE/SPIRE sessions: whether any session covers HSM-backed trust roots for workload identity. The SPIFFE spec supports this; the question is whether anyone is packaging it.

• Feitian presence: Feitian builds the FIDO2 hardware that makes human authentication phishing-resistant. The bridge to agent attestation is a natural product extension. I will be watching for any signal that they or a partner is moving in this direction.

The bridge I'm building toward

My time at Feitian taught me the rigor hardware brings to identity. We sold YubiKey-equivalent hardware to banks, federal agencies, and healthcare systems — buyers who had been burned by phishing-resistant promises that were software-only under the hood. Hardware isn't harder because it sounds better. It's harder because it's actually better.

The next decade of identity belongs to vendors who apply that rigor to non-human and agent identities — not just humans. The buyer education moment is happening now: RSA 2026 already showed that CISOs are asking the question. The vendor who answers it credibly, with a hardware story, wins the next wave of identity infrastructure.

I'm building toward that bridge on my own portfolio — a set of AI agents that demonstrate hardware-adjacent identity patterns in practice. If you want to talk through this at Cisco Live, the calendar link is on /hire.

→ See the roadmap and book time: /hire

→ Related perspective: Cisco + Splunk + Agentic AI — identity buyers' guide to Cisco Live 2026
