In Trustworthy Agents in Practice (April 9, 2026), Anthropic made an observation the rest of the security industry has been reluctant to make plainly: “agents’ behavior depends on all four layers working together. A well-trained model can still be exploited through a poorly configured harness, an overly permissive tool, or an exposed environment.” The paper closes with a call for “infrastructure that no single company can build alone” — open protocols designed so that security properties are built into the infrastructure once, rather than patched together one deployment at a time.
This paper is a response to that call. It is not a product pitch. It is an architectural argument from a company that has spent twenty-eight years building the layer the agentic ecosystem now needs: the layer at which identity is established before any token, any session, or any tool call exists.
The argument has three parts. First, the four-layer framework Anthropic has published is correct as far as it goes, but it leaves a fifth question unanswered — the identity question. Second, that question has an architectural answer that already exists today, on standards already universally deployed. Third, the same architecture that secures human identity for agents secures machine and AI-agent identity under one model. The architecture does not change when the actor changes; only the actor changes.
1. The Fifth Question
Anthropic’s framework names four components: the model, the harness, the tools, and the environment. Each layer has a different owner and a different failure mode. The framework correctly observes that model-level safeguards alone cannot secure agentic systems.
But across all four layers, one question is taken for granted: when an agent acts, on whose behalf is it acting, and how is that verified? Today the answer is an OAuth bearer token, scoped per connector, refreshed at intervals. That answer is the same answer the human-identity industry has been giving for fifteen years, and it is the same answer that produces the adversary-in-the-middle session-hijacking attacks now dominating breach reports.
The comfortable answer is that OAuth is the existing standard, that scopes and refresh tokens are good enough, and that the harness and tools layers can compensate for any residual identity weakness. That answer is real. It is also partial.
The deeper answer is that the destination service — QuickBooks, DocuSign, PayPal, Salesforce — cannot cryptographically distinguish between an authorized agent acting on a verified endpoint and an attacker presenting a stolen bearer credential. The same problem that defines AiTM attacks for human sessions defines the agentic attack surface, except that agents act at machine speed and machine scale. A stolen agent token is not a compromised user session; it is a compromised actor running for as long as the token is valid, in parallel, across every system the token can reach.
Nation-state actors no longer try to crack passwords or bypass MFA — they simply steal the active session cookie. The agentic equivalent is the OAuth bearer token, and it is about to become the most valuable credential class in the threat landscape.
MCP, like every modern integration protocol, assumes that an authenticated token equals a verified actor. That equivalence is the load-bearing assumption of the current architecture. It is also the assumption that breaks first under attack.
2. The Architecture That Already Exists
WinMagic has spent twenty-eight years building full-disk encryption and pre-boot authentication — the layer at which identity is established before any operating system loads. From that foundation, we have developed a complete identity architecture that we believe directly addresses the gap the four-layer framework leaves open. It rests on three load-bearing claims.
2.1 Identity is established at the source, not the destination
Today, identity is verified at the destination: the server receives a credential and attempts to determine whether it is legitimate. This is probabilistic. The server is guessing. The entire compensating-control industry — risk engines, behavioral analytics, anomaly detection — exists because verification happens at the destination, where certainty is impossible.
The alternative is to verify at the source. The endpoint already knows who is using it. It verified the user at power-on, through whatever multi-factor combination policy required. It holds the hardware-bound keys. It knows posture, compliance, and environmental conditions. Every piece of information needed to establish identity with certainty already exists at the source.
When identity is verified at the source and carried forward as a continuous cryptographic signal, identity becomes deterministic rather than probabilistic. There is nothing for the destination to guess about.
2.2 Identity is three components, not one
We define identity as three inseparable components, unified into a continuous cryptographic signal:
The actor — human, machine, or AI agent.
The platform — the verified device or virtual machine on which the actor is operating, with hardware-rooted attestation of integrity.
The conditions — security posture, policy compliance, environmental context (location, network, time, peripheral state).
The architecture does not change when the actor changes. A human authenticating to a SaaS application, a service account calling a microservice, and an AI agent acting inside QuickBooks on a user’s behalf are not three different identity problems requiring three different architectures. They are one problem, expressed through three different actor values, against the same cryptographic substrate.
This unification matters specifically for the agentic era. The industry today has no coherent architectural answer for verifying an AI agent acting on a user’s behalf. The three-part identity definition collapses that question into the same architecture that already verifies humans and machines.
2.3 Continuous verification, not point-in-time
The long-lived session is the load-bearing fiction of the current architecture. The user authenticates once — strongly, often with multi-factor — and is then trusted on the basis of a bearer credential for hours or days. The agent receives an OAuth token and is trusted on the basis of that token for the lifetime of the refresh cycle.
WinMagic’s MagicEndpoint replaces this model with Short Session Time (SST): credentials refresh every few minutes, and at every refresh the endpoint silently and cryptographically validates the user and device identity, along with conditions, ensuring security with zero user friction. A stolen credential is rendered useless within minutes, not hours.
This is the practical, deployable answer available today on standards that already exist like SAML and OIDC. No new protocol is required. No forklift upgrade. The standards are already universally deployed; what is missing is an architecture that uses them as they were intended to be used.
The architectural endpoint is mTLS-per-session, in which every packet of every session carries continuous identity verification at the transport layer. We call the architecture LIT (Live Identity in Transaction). Our submissions to W3C, IETF, and DIF describe this in detail. The key insight: TLS already carries the cryptographic primitives needed for continuous identity binding. The standards bodies are the right venue for completing what was left half-built.
3. Why This Matters for the Agentic Era
Anthropic’s framework correctly identifies that the model is no longer the right unit of policy attention. The four layers each contribute to the security posture of the deployed agent. We would propose that there is a fifth question, prior to all four: how is the identity of the actor — human, machine, or agent — established and continuously maintained? The four-layer model treats this as a property of the harness or the tools. We would argue it is a property of the substrate on which all four layers rest.
Three specific implications follow.
3.1 The OAuth bearer token is the wrong primitive for agentic actors
OAuth was designed for human-mediated delegation: a user, present at a browser, granting a specific application scoped access for a bounded period. Agents are not human-mediated. They act autonomously, at machine speed, often in parallel, across many tools simultaneously. A long-lived bearer token in that environment is exactly the artifact AI-driven attacks will exploit at scale. The next generation of agent attacks will not be model-jailbreaks; they will be token theft and replay.
The architectural answer is to bind the agent’s identity to the verified endpoint on which it runs, cryptographically and continuously, and to make the credential ephemeral and policy-conditioned. If the endpoint’s posture changes, the agent’s identity ceases to exist. There is no revocation message to send. The capability simply ceases to exist.
3.2 Human-in-the-loop is failing at production scale, for a reason
Anthropic’s paper notes that Claude’s rate of checking in roughly doubles on complex tasks, and introduces Plan Mode precisely because per-action approval doesn’t scale — users tune out repeated prompts. Plan Mode is a thoughtful response to that structural pressure: it lifts oversight from the individual step to the overall strategy. We would build on that observation rather than dispute it. When the security model demands that a human adjudicate a decision the system itself cannot make, the human becomes the rate-limiting step — and under productivity pressure, the human approves.
Endpoint-anchored identity changes this. The endpoint is the part of the system that can answer questions the user cannot: Is the device in compliance? Is the user the verified one? Is the policy condition met? When these questions are answered cryptographically, at the source, in real time, the prompts that remain are the prompts that genuinely require human judgment. The signal-to-noise ratio of human-in-the-loop oversight improves not because users get more careful, but because the system stops asking them to adjudicate decisions that should never have reached them.
3.3 Audit becomes deterministic
In the current architecture, attributing an action to an actor is a reconstruction — a forensic exercise of correlating log entries, IP addresses, token presentations, and behavioral signals. When the bearer token model breaks, the attribution breaks with it.
Under endpoint-anchored, hardware-rooted identity, attribution becomes a property of the system itself rather than a reconstruction. Every action carries, at the transport layer, the cryptographic signal of who or what initiated it, on what verified platform, under what conditions. Audit becomes deterministic. Accountability stops being a reconstruction and becomes a property of the system itself.
For the agentic era, this is not a marginal improvement. It is the difference between a future in which we can credibly answer the question “did an agent do this, and was it authorized to?” and a future in which we cannot.
4. What We Would Contribute
Anthropic’s paper explicitly invites contribution from “industry, standards bodies, and governments” toward shared infrastructure for agent security. We would propose three specific contributions, in increasing order of scope.
4.1 A position paper at the AAIF / MCP working group
With MCP’s donation to the Linux Foundation’s Agentic AI Foundation, the protocol’s evolution is now an open standards conversation. We would submit a position paper on the identity layer for MCP — proposing how endpoint-anchored, three-part identity could be expressed in MCP’s authorization model. This paper would not require any change to Anthropic’s product; it would describe what the protocol could be, in the same standards-body venue Anthropic has chosen for its evolution.
4.2 A reference implementation for endpoint-anchored MCP authorization
MagicEndpoint already integrates with SAML, OIDC, WS-FED, RADIUS, and LDAP. Extending the same architecture to authorize MCP-mediated agent actions is a deployable engineering project, not a research problem. We would propose a reference implementation — open, documented, and available to the AAIF community — showing how an MCP server can verify the requesting agent against the endpoint-anchored identity of the user on whose behalf the agent is acting. Independent verification of MCP user identity, beyond what OAuth alone provides.
4.3 Joint standards work on transport-layer identity
Our submissions to the W3C and IETF on transport-layer identity binding (continuous cryptographic identity in TLS 1.3) directly address what the agentic ecosystem will need at protocol scale. We would welcome the opportunity to work alongside Anthropic’s security and policy teams in the same standards forums — not as a vendor, but as a contributor to the open infrastructure Anthropic has correctly identified as necessary.
Closing
Anthropic’s paper is the clearest statement we have seen from a major AI company that the security of agentic systems is an architectural problem, not a product problem. We agree. We have also been making this argument for some time, from the endpoint-security side rather than the model side.
The convergence is not coincidence. The agentic era forces the unification that the human-identity industry has resisted for a decade: human, machine, and AI-agent identity all require the same architecture. They all require verification at the source rather than the destination. They all require continuous cryptographic binding rather than point-in-time credentials. They all require that the cryptographic signal of identity be carried at the transport layer, not reconstructed at the application layer.
This is what we mean by LIT (Live Identity in Transaction) — our contribution toward the Secure Internet. We would be glad to keep building it alongside Anthropic and the broader community Anthropic has called on.
You can find our open source LIT (Live Identity in Transaction) repository on GitHub via the link below:
https://github.com/WinMagic/LIT




