Verifiable identity. Runtime policy enforcement that bounds agent misbehavior to denied calls. Audit evidence anchored to signed AXIS identity, suitable for HIPAA and the EU AI Act. One foundation, three product surfaces.
Across enterprises operating AI agents, 65% experienced an agent-related security incident in the past 12 months (Cloud Security Alliance, January 2026, n=418). 82% have unknown agents running in their infrastructure. The failure modes break into three classes that today's tooling does not address.
An autonomous agent with infrastructure access can delete a production database in nine seconds. No intermediary policy enforcement point stands between the agent's decision and the irreversible action. The blast radius equals the agent's effective permissions.
Most agent actions present a service account or bearer token. Nothing in the request chain ties back to a named operator. When a regulator, insurer, or counterparty asks who authorized the action, the answer is infrastructure.
Article 12 of the EU AI Act wants tamper-evident records. HIPAA §164.312(b) wants audit controls. Timestamped JSON with a service account does not satisfy either. It describes what happened, not who authorized it.
Five public cases from 2024 through Q1 2026. Each illustrates a failure mode our products address. The 9-second PocketOps incident is the canonical case for our runtime enforcement story; see the live walk-through.
A Cursor agent deleted a production database and all backups in nine seconds, after finding an unscoped credential in a configuration file. No chokepoint stood between the agent's decision and the destructive call. Runtime egress enforcement bounds this class of incident to a denied call.
April 2026 · Runtime enforcement case
An autonomous agent from a third-party platform submitted contributions to the matplotlib library, was rejected, and retaliated against the named maintainer with a personalized attack post on a public blog. Cross-operator scope-bound delegation prevents this; AXIS identity makes the operator accountable when scope is violated.
February 2026 · Cross-operator abuse
An autonomous offensive agent selected its own target, found a SQL injection in 22 unauthenticated API endpoints, and exfiltrated 46.5M chat messages, 728K files, and 57K accounts in two hours for $20. Receiver-side AXIS verification rejects unauthenticated agent requests at the boundary.
February 2026 · Autonomous attacker
An AI agent social network reached 1.5M registered agents managed by 17K human operators (88-to-1 ratio) before security failure exposed 1.5M API tokens and revealed that the platform could not verify which actors were agents at all. Meta acquired the concept of verified-agent-tied-to-operator three weeks later.
January to March 2026 · Identity collapse at scale
An autonomous trading agent executed a $250,000 wallet transfer in 15 seconds when its decision logic encountered an unhandled parsing edge case. Per-agent transaction caps enforced at the egress chokepoint bound this class of incident before the call reaches the chain.
February 2026 · Financial transaction
The BC Civil Resolution Tribunal found that Air Canada "did not take reasonable care" to ensure its AI chatbot was accurate, rejecting the argument that the chatbot was a separate legal entity. Operators own their agents' output. AXIS makes that ownership cryptographically traceable.
2024 · Regulatory precedent
Across 34 documented incidents from January 2024 through May 2026, our current product architecture directly addresses 17. A further 14 fall within roadmap capabilities on the same AXIS foundation. The remaining three are conventional infrastructure failures outside the agent-behavior surface.
AXIS is an open cross-operator identity protocol. Agents carry Ed25519 identity tokens and signed delegation credentials. Any platform receiving an agent request verifies the chain without calling a central authority. The reference registry runs at axisprime.ai. Anyone can run another.
Who is this agent?
Every agent has a keypair. Every action carries a signature. Every signature resolves to an identity record in a registry. Standard cryptography, no proprietary custody.
What is this agent allowed to do?
Delegation credentials encode scope. The chain roots at a human operator. Every link signs the one below it. Scope narrows down the chain. It cannot widen.
What has this agent done?
Signed attestations about past behavior. Stored by whoever issued them, not the registry. v0.1 does not specify aggregation. v0.3 will.
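The chain rules described above (every link signed by the one above it, rooted at a human operator, scope only narrowing) can be checked by a receiver as in this added example. It is not AXIS code and is not taken from the v0.1 spec: the credential layout, scope strings and function names are assumptions, and expiry and revocation are left out.

```javascript
// Added illustration: the credential layout is an assumption, not the AXIS v0.1 wire format.
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
const pubB64 = (key) => key.export({ type: 'spki', format: 'der' }).toString('base64');

// An issuer signs a credential granting `scope` to the subject's public key.
// JSON.stringify stands in for the canonical serialization a real protocol needs.
function issue(issuer, subjectPub, scope) {
  const body = { issuer: pubB64(issuer.publicKey), subject: pubB64(subjectPub), scope: [...scope].sort() };
  const sig = crypto.sign(null, Buffer.from(JSON.stringify(body)), issuer.privateKey).toString('base64');
  return { body, sig };
}

// Walk the chain from the operator root down to the acting agent.
// Returns { ok, reason }; the first failed check denies the whole chain.
function verifyChain(chain, rootPubB64, action) {
  let expectedIssuer = rootPubB64; // link 0 must be issued by the trusted operator key
  let allowed = null;              // null = no parent scope yet (root operator)
  for (const [i, { body, sig }] of chain.entries()) {
    if (body.issuer !== expectedIssuer) return { ok: false, reason: `link ${i}: issuer mismatch` };
    const key = crypto.createPublicKey({ key: Buffer.from(body.issuer, 'base64'), type: 'spki', format: 'der' });
    const valid = crypto.verify(null, Buffer.from(JSON.stringify(body)), key, Buffer.from(sig, 'base64'));
    if (!valid) return { ok: false, reason: `link ${i}: bad signature` };
    // A child may hold only scopes its parent held: narrowing is allowed, widening is not.
    if (allowed && !body.scope.every((s) => allowed.has(s))) return { ok: false, reason: `link ${i}: scope widened` };
    allowed = new Set(body.scope);
    expectedIssuer = body.subject; // the next link must be signed by this subject
  }
  if (!allowed || !allowed.has(action)) return { ok: false, reason: 'action outside delegated scope' };
  return { ok: true, reason: 'permitted' };
}

// Constructed sample: operator -> orchestrator -> worker, keys generated on the spot.
function demo() {
  const [operator, orchestrator, worker] = [newKey(), newKey(), newKey()];
  const root = pubB64(operator.publicKey);
  const top = issue(operator, orchestrator.publicKey, ['db:read', 'db:write']);
  const good = [top, issue(orchestrator, worker.publicKey, ['db:read'])];
  const widened = [top, issue(orchestrator, worker.publicKey, ['db:read', 'db:drop'])];
  return {
    read: verifyChain(good, root, 'db:read'),
    drop: verifyChain(good, root, 'db:drop'),
    widened: verifyChain(widened, root, 'db:drop'),
  };
}
console.log(demo());
```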
Running now. AXIS Prime is the reference registry at registry.axisprime.ai. Verification, registration, and revocation endpoints are live. The v0.1 spec is on GitHub.
Runtime products sit between the agent and the systems it can reach. Misbehavior bounds to a denied call and an audit event anchored to signed AXIS identity instead of a destroyed database. The PocketOps incident is the canonical case.
A policy enforcement point at the network egress boundary between agent runtimes and external systems. Enforces delegation scope at request time, capability allowlists, destination allowlists, and spending ceilings. Produces an audit stream anchored to signed AXIS identity for every permitted and denied call.
In active development · Q3 2026
Host-embedded enforcement at the tool-call layer for agents whose risky operations stay local. Intercepts tool invocations before execution, logs intent with the same audit properties as the Gateway, and either permits or denies based on the agent's active delegation. Deployed with the Gateway for defense in depth.
In active development · Q3 2026
Our attribution products tie what an agent did to signed evidence of under whose authority, with what scope, reviewed by whom. The same chain that bounds runtime misbehavior produces the audit artifact that holds up in front of a regulator, an insurer, or a court.
Every agent action bound to a signed delegation. Every delegation traced to a human operator. Every signature verifiable without prior relationship. The AXIS credential chain is the forensic difference between a hypothetical and a defense.
v0.1 shipping · Apache 2.0
Signed records binding specific content to the agent that produced it, the delegation it operated under, and the party that reviewed it. Third-party platforms verify the governance chain without prior relationship. Specified in AXIS v0.1.
v0.1 specified
Our compliance products wrap runtime enforcement and attribution into the documentation, control mappings, and evidence packages that auditors and regulators expect. Each maps a recognized framework to the AXIS credential chain.
Article 12 of the EU AI Act requires automatic event logging for high-risk AI systems. Penalty for failure: €15M or 3% of global turnover. The Kit produces the log, maps it to Annex III risk classes, and generates the technical documentation regulators expect.
Shipping Q2 2026 · Design partners open
Every AI agent touching ePHI needs a named human behind it. §164.312(b) wants audit controls. §164.312(d) wants authentication. §164.502(e) wants BAA flow-down. AXIS provides the cryptographic version of all three. The Kit wraps it for Covered Entities and Business Associates.
In development
Financial services obligations. Federal contracting controls. Industry-specific audits. Internal trust-and-safety programs. We build compliance mappings and audit kits to whatever framework your organization operates under, using the same AXIS credential chains that power our HIPAA and EU AI Act kits.
One engagement covers the mapping, the evidence pipeline, and the documentation your auditor will accept.
Independent forecasts converge on agent deployment crossing from experiment to operating posture in 2026. The infrastructure underneath has to scale with it.
Of enterprises operating AI agents, 65% experienced an agent-related security incident in the past 12 months, 53% reported agents exceeding their intended permissions, and 82% have unknown agents running in their infrastructure. Convergent finding across three Cloud Security Alliance surveys, September 2025 through January 2026.
Cloud Security Alliance · n=1,148
Mature-security enterprises deploying AI agents in production number an estimated 8,000 to 10,000 organizations globally today, growing to 15,000 to 30,000 within 24 months as production agent adoption rises from 31% to 50% across industries. McKinsey alone operates 25,000 internal agents.
Gartner, McKinsey, IDC consensus
The IDC and McKinsey consensus puts global enterprise AI agent spend at $1.4 trillion by 2027. The cybersecurity market reached $227B in 2025, projected to $352B by 2030. Agent infrastructure is on track to be roughly six times the size of the entire cybersecurity market within three years.
IDC · McKinsey · MarketsandMarkets
At RSAC 2026, 228 vendors announced agent identity and security products. Every one operates inside a single trust boundary. Microsoft Entra Agent ID and Okta for AI Agents extend human IAM to agents within one company's perimeter. ERC-8004 addresses on-chain identity for blockchain agents only. EIP-7702 covers scoped permission delegation for Ethereum transactions only. Coinbase Agentic Wallets with Stripe x402 cover agent payment authority only. AWS Bedrock AgentCore Payments covers managed payments for AWS-hosted agents only. GitHub's response to the agent contribution flood is platform-level closure of pull requests.
AXIS is the open cross-operator protocol layer that none of these address. The same way DNS is not Verisign and TCP is not Cisco, agent identity needs an open protocol layer that no single vendor owns. We built one. The commercial products on top are how we pay for it.
Linux is open; Red Hat, SUSE, Canonical, Amazon Linux, and every cloud distribution are commercial. PostgreSQL is open; Crunchy Data, EDB, Supabase, Aiven, and every major managed offering are commercial. DNS is open; Verisign, Cloudflare, Route 53, Google Cloud DNS, and GoDaddy are commercial. Protocol-layer interoperability produces network effects. Product-layer competition produces commercial defensibility. The two reinforce each other.
AXIS is Apache 2.0 and will transfer to independent governance once AXIS Prime can pay for itself. Our revenue comes from the runtime, attribution, and compliance products built on top. Our protocol belongs to the ecosystem.
We run an autonomous news organization. Five agents, real editorial boundaries, real deadlines. When our agents had to hire external agents with scoped authority and verifiable identity, no existing protocol could represent the chain. We specified it. We built it. We published it.
The publication is still the testbed.