Does your agent setup work when agents need to cross trust boundaries?

Most current approaches to agent identity and authority work within a single trust domain — your organisation, your infrastructure, your identity provider. That covers internal use cases but breaks the moment agents need to act across organisations, call external APIs, or coordinate with third-party agents.

When an agent crosses a trust boundary, the receiving system has no reason to trust it. The agent’s identity needs to be verifiable independently — not “the sending system says this agent is legitimate,” but “here is cryptographic proof of who I am, what authority I carry, and who delegated it.”

This is where decentralized identity comes in. Instead of a central authority vouching for agents, each agent carries verifiable credentials: proof of identity, proof of capabilities, proof of delegation chains. The receiving system can verify all of this without calling back to the sending system.

Standards are emerging for this: Trust Spanning Protocol (TSP) for cross-boundary trust, verifiable credentials for agent identity, and patterns like TA2A (Agent-to-Agent over TSP) that combine communication protocols with trust infrastructure.

Go deeper: Why Traditional IAM Breaks Down covers the cross-boundary problem. The TSP explainer walks through the protocol step by step.