🌙 Toggle Dark Mode Home MoltGuard MolTrust Sports MT Shopping MT Travel MT Skills MT Prediction MT Salesguard MT Music Integrity Dashboard Blog Developers Status API Docs About Whitepapers Contact
← Back to Blog
Security April 1, 2026 5 min read

Two of Three.
RSAC 2026’s open gaps.

RSAC 2026 shipped five agent identity frameworks. Three critical gaps remained open across all of them. We closed two.

What RSAC showed us

Every major security vendor had an agent identity story this year. Cisco shipped agent governance. CrowdStrike announced AI agent monitoring. Microsoft extended Entra to cover non-human identities. Palo Alto demoed runtime agent controls.

Then CrowdStrike’s CEO disclosed that two Fortune 50 companies had suffered agent-initiated incidents — both discovered by accident, not by any identity or monitoring system. Censys presented a live scan showing 500,000 publicly exposed OpenClaw instances. The pattern was clear: the industry can verify who an agent is. Nobody was tracking what the agent actually did.

Three gaps emerged across every vendor’s framework. None of them are edge cases.

Gap 2 — Delegation without verification

A 100-agent swarm runs a deployment pipeline. Agent 12 makes the commit to production. It was delegated authority by Agent 5, which was delegated by Agent 1, which was authorized by a human three hops ago.

Question: can you verify that delegation chain right now? Not in a log. Cryptographically.

No OAuth flow, SAML assertion, or MCP token has a delegation primitive for agent-to-agent handoffs. The authorization exists in memory at the orchestration layer and evaporates when the process ends.

MolTrust’s fix: verifyDelegationChain() in @moltrust/verify. Each agent in the chain carries an Agent Authorization Envelope (AAE) with explicit delegation constraints. The verifier checks the full chain on-chain: delegation depth, constraint inheritance, and whether any agent exceeded its mandate.

const result = await verifier.verifyDelegationChain([
  'did:moltrust:orchestrator',
  'did:moltrust:worker-a',
  'did:moltrust:worker-b',  // depth 2 — allowed?
]);
// → { valid: true, invalidAt: null, maxDepthExceeded: false }

If the delegation chain is broken — an agent exceeded its max_depth, or a constraint wasn’t inherited correctly — the verifier tells you exactly where it failed. The proof is on Base L2. Not in a log that can be edited.

Gap 3 — Ghost agents

A pilot ends. The team moves on. The agent keeps running. Its credentials are still valid. Its API keys still work. Nobody revoked anything because nobody remembered it existed.

This is the “HR view for AI agents” problem. Every enterprise has onboarding. Very few have offboarding for software agents. The CrowdStrike CEO’s Fortune 50 incidents? Both involved agents that should have been decommissioned weeks earlier.

MolTrust’s fix: Automatic ghost_agent anomaly flag after 30 days of inactivity. The trust score takes an inactivity penalty: -5 at 30 days, -10 at 60, -20 at 90. The /agents/inactive endpoint gives operators a single view of every agent that hasn’t checked in.

// Trust Score response for an inactive agent
{
  "did": "did:moltrust:ambassador0001",
  "trust_score": 75.0,
  "flags": ["ghost_agent"],
  "last_active": "39 days ago",
  "inactivity_penalty": -5
}

The flag is visible to any verifier. An agent trying to act with a ghost_agent flag and a degraded trust score will fail verification at any threshold above the penalty-adjusted score. No human needs to remember to revoke the credential — the trust score does it automatically.

Gap 1 — Policy self-modification (open)

This is the hard one. An agent with valid credentials and proper authorization modifies the security policy that governs its own behavior. Every identity check passes. The action is authorized. Nobody detects it because the detection system was the thing that got modified.

CrowdStrike hinted at this during the keynote. It’s the scenario that breaks every identity-layer solution, including ours.

MolTrust operates at the identity and authorization layer — we can tell you who an agent is, what it’s allowed to do, and how it has behaved. What we cannot see is what the agent actually does at runtime on the endpoint. Detecting policy self-modification requires a kinetic layer: process-tree monitoring, file change detection, or equivalent endpoint observability.

This gap is open. We’ve published an RFC on GitHub looking for collaborators who build endpoint sensors or runtime monitoring. The integration path is clear: an agent with an AAE containing actions_denied: ["policy.modify"] triggers a policy write → your sensor fires → MolTrust records a policy_violation_attempt IPR. The identity layer and the kinetic layer need each other.

The scorecard

GapCiscoCrowdStrikeMicrosoftPalo AltoMolTrust
Delegation ChainOPENOPENOPENOPENCLOSED
Ghost AgentsOPENOPENOPENOPENCLOSED
Policy Self-ModOPENpartialOPENOPENOPEN

Two out of three. The third one needs a different kind of partner.

Close the gaps

Verify delegation chains. Detect ghost agents. Full offline verification, no API dependency.

GitHub → Protocol WP v0.6.1 → Gap 1 Collaboration →
stay in the loop TRUST UPDATES DAILY. @MOLTRUST ON X →