Your AI is next-gen. The front door it walks through is legacy. ScrambleID for non-humans gives every AI agent, machine, bot, and workload its own cryptographic identity. Signed at the point of call, not delegated to a static token. The front door is proof, not credential.
Every non-human identity you run is a shared secret, copied into every place it executes. ScrambleID makes it a signature instead. Nothing to copy. Nothing to steal.
Today . the secret
An agent needs to call an API. It carries one shared secret.
copied into six places
One secret. Six copies. Six ways to leak, and you can't rotate them fast enough to stay ahead.
With ScrambleID . the signature
The same agent holds one private key that never leaves the runtime. Per request, it signs.
Nothing to copy. Nothing to steal. The signature is the credential.
One key . four runtimes
Not four products. One signing model on one rail, deployed four ways. Machines and workloads aren't a versus: they're different form factors of the same primitive.
The agent is where it starts and where the risk is highest. The same primitive holds for everything else that acts on its own.
signed payload
sub agent.7f3c
owner emp.4d7a
runtime llm.prod/inv-svc
ttl 90s
signed
Service accounts aren't a fifth runtime. They're a use case. A service account is the IAM identity a machine, bot, or workload carries. Same primitive, same signature. Replacing the static service-account credential is one of the most common reasons teams start here.
Industry reports have shown the same pattern for years. Credential-led breaches run longer and cost more than breaches that start any other way. With agents, that credential now lives inside a runtime that takes direction from its inputs. The risks below are not new. Agents just give them more reach.
THREAT . 01
An agent's static API key, OAuth client secret, or service-account token is the longest-lived credential in your stack. When it leaks, whoever holds it presents as the agent until the next rotation. A password manager's vault breach in 2022. Storm-0558's forged tokens in 2023. A wave of data-warehouse customer breaches in 2024. Same pattern, same broken primitive.
THREAT . 02
OWASP LLM01: Prompt Injection. Hostile data in a webpage, a document, or a tool output reshapes the agent's intent. The agent still holds its own credentials. The call looks normal at the network layer. The runtime has no way to tell. Public research from Microsoft and others has documented how little input it takes to redirect an agent.
THREAT . 03
When the log says "agent X did Y," that is a claim, not evidence. The authentication carried no signature, no runtime fingerprint, nothing in the request itself that proves which agent or which runtime made the call. In a forensic review, a compliance audit, or a customer dispute, an unsigned log line isn't proof of who acted. The agent's identity needed to be in the request, signed at the point of call, not assumed from the bearer token after the fact. That's the difference between a log entry and non-repudiable proof.
What's coming . the window collapses
50% faster
Gartner predicts AI agents will halve the time it takes to exploit exposed accounts by 2027. The window between a leaked credential and a takeover is collapsing.
45:1 and rising
Non-human identities already outnumber humans, with reported ratios from 45:1 to 144:1. The estate an attacker's AI gets to work on keeps growing.
SOURCES . GARTNER, 2025 (PREDICTION) . RUBRIK ZERO LABS, 2025 . ENTRO LABS, H1 2025
The next breach probably won't look like a breach. It will look like a normal call from a process you already trust. With per-call cryptographic authentication, there is no static secret in the call for the attacker to inherit. Three places that matters.
SCENARIO . 01
A service account's static API key is exfiltrated from a CI logs bucket made publicly readable for two hours. The service account is the IAM identity a machine runtime carries, and its static credential is exactly the kind ScrambleID replaces. The attacker harvests the key and attempts to replay it against the production API. ScrambleID for non-humans never let the static key authenticate in the first place. The runtime presents a per-call signature with an ephemeral key bound to the request context. The exfiltrated string is not the credential. The signature is the credential, and the signature can't be stolen because nothing about it sits at rest. The attacker's replay attempt fails verification because the signature doesn't bind to a request the attacker can construct.
SCENARIO . 02
A vendor-supplied RPA agent runtime is silently patched by a supply-chain attacker. The patched runtime claims to be the same agent ID (agent.C547, rpa.uipath/24) but the patched binary's fingerprint doesn't match what was registered. Every Non-humans signature includes a runtime fingerprint as part of the signed payload. The verifier sees the mismatch on the first call after the patch. The signature is structurally valid (the ephemeral key was generated correctly) but the runtime attribution doesn't match the registered binding. The verifier rejects on attribution drift, not on signature failure.
SCENARIO . 03
A vendor agent's OAuth client secret leaks via an internal misconfiguration. The attacker uses the leaked client_id and client_secret to request a bearer token from the IdP. The IdP issues the token. The attacker presents the token to a downstream API expecting to authenticate as the vendor agent. The downstream API is ScrambleID-verified and requires a per-call Non-humans signature in addition to the bearer token. The attacker has the token but cannot produce a valid signature because the signing key is held in the registered runtime, not derived from the OAuth secret. The bearer token gets the request through the IdP layer. The signature requirement blocks it at the application layer.
Boards approve the AI strategy. CIOs fund the platform. Then CISOs ask what happens when an autonomous agent presents the same static API key that ten other processes share, and the answers fall apart. ScrambleID gives the CISO real answers for every non-human in the stack. Per-call cryptographic identity. One primitive across every runtime. Attribution that survives a credential revocation, because the credential was never the authentication.
UNLOCK . 01
Defensible identity for every non-human in the stack. Cryptographic per-call authentication across AI agents, machines, bots, and workloads. Security review gets the controls it needs without diluting the AI roadmap. The agents the platform team has been waiting to ship can ship.
UNLOCK . 02
The same primitive holds at 100 non-humans and at 100 million. AI agents, machines, bots, and workloads. Vendor-supplied, internally-built, federated across organizations. One identity model. One verification path. Federated trust roots let you accept signed assertions from outside organizations.
UNLOCK . 03
When the board asks which non-human took an action, the answer is the signature, not the audit log. Identity-by-signature, not identity-by-token. Attribution holds even after the credential is revoked, because the signature was the credential. AI autonomy that survives outside scrutiny.
API KEYS
A long-lived bearer token. If it leaks, the holder presents as the agent until rotation.
OAUTH / mTLS
Strong runtime auth. A static secret still sits at the root of trust.
CLOUD IAM
Rotated tokens, but a persistent role identity backs every issuance. The root credential is still static.
Every other primitive depends on a static secret. ScrambleID for non-humans doesn't have one to depend on.
Five primitives . four depend on a static secret . one doesn't
Swipe sideways to compare. ScrambleID is the highlighted column.
| Method | Static secret in the loop | Per-call signature | Runtime-portable across NHIs | Attribution post-revocation |
|---|---|---|---|---|
| API keysLong-lived bearer tokens stored as the agent's identity | YesLong-lived bearer; the agent is the key. | NoBearer presentation only, no signature per call. | PartialSame shape across runtimes but every runtime needs its own key. | NoPast auths cannot be reattributed after rotation. No proof attached. |
| OAuth Client Credentialsclient_id and client_secret exchanged for bearer tokens | Yesclient_secret persists between rotations. | NoBound to client, not the call being made. | PartialWorkable for M2M; awkward for AI agents and RPA. | NoBearer tokens, no signature trail. |
| mTLSClient certificate plus private key on each call | YesPrivate key on disk, cert-managed. | NoAuthenticates the channel, not the call. | NoChannel-level primitive; doesn't span AI runtimes naturally. | PartialCert chain is verifiable but channel scope, not action scope. |
| Cloud IAMAWS, GCP, Azure principals with STS-issued tokens | PartialSTS-rotated, but a persistent role identity backs it. | NoPer-call within one cloud only; no cross-cloud or cross-runtime form. | NoPer-cloud only, doesn't cross AI runtimes or vendor agents. | PartialCloudTrail-style logs, no signature per call. |
| ScrambleID Non-humansPer-call signed assertion, no shared secret in the stack | NoEphemeral keys, signed at the point of call. | YesCryptographic signature on every request, bound to the runtime and the call. | YesSame primitive across AI agents, machines, bots, and workloads. | YesPast signatures remain verifiable; the credential is the signature, not a token. |
Looking for the per-action accountability story (cosign, policy binding, hash chain)? See the Actions product.
Edge cases
// the agent's signing key gets exfiltrated?
Keys are ephemeral and per-runtime. A leaked key is a window measured in minutes, not months. Revocation is instant and the runtime's next call signs with a new ephemeral key.
// the agent runtime is patched mid-flight?
The signed payload includes runtime metadata and a parent invocation hash. Patches don't break the chain. They produce a new signature with the new runtime fingerprint, verifiable in audit.
// the verifier service goes down?
Verifier failure is a fail-closed event by default. Your team chooses the SLO. The same uptime guarantees you give your IdP apply, with the same operational primitives.
// the agent moves between runtimes mid-deployment?
Each runtime registers its own binding. The signing key is per-runtime. A migration between runtimes is a re-binding event, not a credential rotation. The audit trail shows the binding change as a signed event, not a token reissue.
ScrambleID for non-humans doesn't replace your IdP. It adds the per-call signature layer your IdP can't deliver. The agent's identity binding can derive from your IdP's principal model, federated via OIDC or SAML. The signing keys are scoped to the runtime and per-call, not to the IdP session.
No. The signing primitive runs as a library in your agent runtime. Enclave-backed signing is supported as a hardening option but not required for production. Most pilots ship without it and add it later when threat-model maturity demands.
The agent still constructs the signed authentication request, even when steered. The signature binds the request to the runtime fingerprint and the request context, not to the agent's reasoning. The verifier sees the runtime fingerprint and the context hash on every call; a compromised reasoning loop doesn't change either. The credential isn't a token the attacker can replay; it's a runtime-bound signature the runtime produces at the point of call. The compromise becomes detectable at the next call from that runtime, with attribution intact.
AI agents (any LLM runtime), machines (cron, batch, ETL, infrastructure callers), bots (UiPath, Automation Anywhere, Power Automate, RPA), and workloads (containers, functions, ephemeral compute). Anything that holds a credential and acts on its own behalf gets the same primitive. Service accounts aren't a separate runtime: they're a use case. A service account is the IAM identity one of these runtimes carries, and replacing its static credential is one of the most common reasons teams start here. The SDK targets are the runtimes; the model is uniform.
Yes. ScrambleID for non-humans is one cryptographic identity layer across all three. Enterprise AI deployments use it for internal agents acting on workforce behalf: IT automation, security operations, finance bots, and any LLM runtime that executes privileged actions inside the tenant. B2B agent-to-agent interactions use it for cross-organization agent calls, vendor agents acting in a customer tenancy, and federated supply-chain automation, with the same federated trust roots that govern human cross-org auth. Consumer-facing AI products use it for customer support agents, transactional shopping agents, and AI assistants that take actions on behalf of named end-users, signing with the same primitive regardless of who they act for. UiPath, Automation Anywhere, Power Automate, and any LLM runtime sign and verify against the same primitive. One identity model for every non-human caller, regardless of who they act for.
Agents from different organizations can verify each other's signatures via federated trust roots, the same model as TLS PKI. Your trust roots decide which outside-organization principals you accept and on what conditions. This makes vendor-integration agents attributable across the trust boundary.
Signing and verification add latency that fits inside the API call's existing SLO budget. Per-environment numbers depend on the key-management mode (in-process vs. enclave-backed) and the hardware profile. We can share specifics once your team's runtime profile is known.
Pilot: install the SDK in one runtime, point the verifier at your dev IdP, and validate the first signed requests. Time to first authenticated request: hours, not days. Production: extend across your other runtimes and federate the verifier into your CI/CD. Identity bindings are committed alongside the agent code, so every change is diff-able, versioned, and reviewable in the same repo. Time to full production: weeks.
Yes. Vendor agents register their runtime fingerprints with you under your federation policy. The signing primitive is the same. Your verifier accepts vendor signatures based on the trust roots you configure, the same way TLS PKI federates across organizations.
The signing key is held in the runtime, not on disk or in a config file. A compromised runtime is a credential exfiltration event scoped to that runtime instance, not a credential leak that spreads. The runtime fingerprint in the signed payload makes the compromise detectable on the next call from that runtime, before the compromise spreads.
The frameworks converged on the same demand: agents need their own identity, scoped authority, and an audit trail that holds up. The OWASP Top 10 for Agentic Applications puts identity and privilege abuse at ASI03 and rogue agents at ASI10; per-agent identity with per-call signatures answers both, because an agent that can't mint unsigned calls can't operate beyond its scope or off the books. A February 2026 NIST NCCoE concept paper on AI agent identity and authorization calls for tying every agent action back to an accountable identity, auditable and non-repudiable: that's the signature in the request, not a log line after it. And the Cloud Security Alliance's AI Controls Matrix, 243 control objectives across 18 domains, presses the same identity and accountability gaps. Zero static secrets closes the path ASI03 names; the signed call closes the attribution gap the rest of them circle.
ACTIONS PRODUCT
When the record needs to hold up in court
Per-action signature, policy-bound cosign, customer-verifiable hash chain. Where the Non-humans primitive meets regulated action.
VOICE CHANNEL
When the call sounds right but isn't
Deepfake-resistant voice authentication for contact centers and helpdesks. The handshake without the deepfake.
PEOPLE CHANNEL
Verifying strangers in 5 seconds
Selective-disclosure peer-to-peer ID for moments where you need to confirm who you're meeting, online or in person.
ARCHITECTURE
How the spine fits behind your IdP
The cryptographic primitive, the trust roots, the verifier topology, the audit ledger model. End-to-end.
Give every agent an identity, not a shared key. Then your AI promise delivers.
Pilot in days. Production in weeks. One identity primitive across every agent runtime, every NHI in your stack.
Pilot ScrambleID →