Federal and Public Sector

Put AI agents to work. Keep control of every action. Proof, consent, and an audit trail on each one.

Every agent gets a cryptographic identity. Every consequential action gets human or agent consent, logged to an audit trail you can verify. The same proof reaches your workforce, including the contractors and help desks PIV never did, federated into your ICAM.

Steal one signing key, forge tokens for months.
Per-call signing leaves no key to steal.

This is the mechanism, not a screen. One standing signing key, stolen once, minted tokens that opened federal email for months. Give every agent and service a per-call signed identity instead, and there's no standing key to forge.

[Diagram: without ScrambleID, one standing signing key, stolen once and never rotated, mints forged tokens into agency mail, machine-to-machine and agent systems. With ScrambleID, a per-call signing rail gives each caller a per-call signed, short-lived assertion; the private key never leaves the caller, so a stolen key finds nothing standing to forge.]

Machine·The key

Per-call signed identity (RFC 7523). No standing signing secret sits anywhere to be stolen.

Agent·The blast radius

Every assertion is scoped and short-lived, so one compromise can't mint tokens across systems.

[1] The case this reconstructs (one stolen signing key forged tokens into multiple agencies' email, which the federal review board called preventable) is cited in the evidence rail, not drawn here. The agencies aren't named.

The consequential action

An authenticated agent can still act beyond its authority.
We gate the action, and sign the record.

A valid credential gets an agent in the door. It says nothing about what the agent may do next. So every consequential action takes consent, human or agent in the loop, bound to that exact intent, and lands in a verifiable, tamper-evident ledger.

[Diagram: Consent gate and tamper-evident ledger. An AI agent's requested action meets a consent gate bound to the action's exact intent. With consent from a human or a supervising agent, the action proceeds and a signed entry is written to a tamper-evident, customer-verifiable ledger. An over-scoped request with no consent is held at the gate and goes no further.]

Actions·The consent

A human-in-the-loop or a supervising agent approves the action, bound to its exact intent. No blanket authority.

Actions·The record

Every action and approval is signed into a tamper-evident ledger you can verify independently.
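As an added illustration of the gate-then-sign pattern this section describes (example code, not ScrambleID's own): consent is an approver's signature over the exact intent, an action that does not match that intent is held, and every admitted action lands in a SHA-256 hash chain that anyone holding the approver's public key can re-verify. A single approver key and the Intent fields are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Intent is the exact action an agent requests; consent binds to this record, not to the agent.
type Intent struct{ Agent, Action, Target string }
// Entry is one ledger record: the intent, the approver's signature over it, and the chain link.
type Entry struct {
	Intent  Intent
	Consent []byte // approver's signature over canonical(Intent)
	Prev    string // hex SHA-256 of the previous entry, "" for the first
	Hash    string // hex SHA-256 of this entry, computed with Hash blank
}
func canonical(v interface{}) []byte { b, _ := json.Marshal(v); return b }
func entryHash(e Entry) string    { e.Hash = ""; return fmt.Sprintf("%x", sha256.Sum256(canonical(e))) }
// Consent is the approver's signature bound to exactly this intent; any change to it voids the consent.
func Consent(approverPriv ed25519.PrivateKey, i Intent) []byte { return ed25519.Sign(approverPriv, canonical(i)) }
// Ledger is append-only and hash-chained; anyone holding the approver's public key can re-verify it.
type Ledger struct {
	Approver ed25519.PublicKey // human or supervising agent (one approver assumed here)
	Entries  []Entry
	tip      string // hash of the latest entry
}
// Gate admits the action only if the approver consented to this exact intent; otherwise it is held.
func (l *Ledger) Gate(i Intent, consent []byte) error {
	if !ed25519.Verify(l.Approver, canonical(i), consent) {
		return fmt.Errorf("held: no valid consent for %s %s by %s", i.Action, i.Target, i.Agent)
	}
	e := Entry{Intent: i, Consent: consent, Prev: l.tip}
	e.Hash = entryHash(e)
	l.Entries, l.tip = append(l.Entries, e), e.Hash
	return nil
}

// Verify re-checks every link and signature; an edited, removed or reordered entry breaks the chain.
func (l *Ledger) Verify() error {
	prev := ""
	for n, e := range l.Entries {
		if e.Prev != prev || e.Hash != entryHash(e) || !ed25519.Verify(l.Approver, canonical(e.Intent), e.Consent) {
			return fmt.Errorf("ledger entry %d fails verification", n)
		}
		prev = e.Hash
	}
	return nil
}
```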

The next surface

The agent surge is already under way.
Attackers' AI is racing you to it.

Gartner expects task-specific AI agents in 40 percent of enterprise apps by 2026, up from under 5 percent today. Agencies are standing them up now, and a static credential was never built to authenticate one.

Enterprise apps with task-specific AI agents

2025 against Gartner's 2026 projection.

[Bar chart: task-specific AI agents in enterprise apps, 2025 against a 2026 projection. Under 5 percent in 2025, 40 percent in 2026 (Gartner prediction).]

And attackers' own AI is closing the gap. Gartner expects it to halve the time to exploit an exposed account by 2027, so a standing credential has even less time to survive.[8]

Source: Gartner Predicts, 2025 [7]

The kill chain

Walk the attacker's path.
We break it at every step.

The red-team view, not a scare story. Three steps, the way the real intrusions run, and the surface that closes each.

  1. 01

    A phished credential, or a session cookie lifted by an attacker-in-the-middle proxy, sails past the MFA in place.[2]

    Intercept
    Web/Frontline

    Origin-bound FIDO2/WebAuthn that reaches the contractors and mobile users PIV never could. The proof is welded to the device and origin, so a proxy has nothing to replay.

  2. 02

    A call to the agency or contractor help desk. A locked-out "cleared employee", leaked PII, and the knowledge-based questions all check out.[3]

    Intercept
    People

    Cryptographic person-to-person proofing instead of knowledge questions an attacker already bought. The caller proves who they are, or doesn't.

  3. 03

    A forged token, or a static service-account secret, walks into agency machine-to-machine and AI-agent systems.[1][4]

    Intercept
    Machine/Bot/Agent

    Per-call signed identity (RFC 7523). There's no standing key to forge and no static secret to steal, and every assertion is scoped and short-lived.

The next token forged into a federal system won't come from a key someone left lying around.
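An added example, not ScrambleID's code, of the per-call signed identity described under "The key" and in step 3 above: an RFC 7523-style JWT bearer assertion is minted per call with an Ed25519 key that stays with the caller, and the verifier pins the header, checks the signature, audience and expiry, and accepts each jti once, so a captured assertion cannot be replayed or used against another system. The audience URL and claim values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims of a per-call JWT bearer assertion (RFC 7523 section 3): unique jti, exp seconds away.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Jti   string `json:"jti"`
	Scope string `json:"scope"`
}
var b64 = base64.RawURLEncoding
// Fixed JOSE header, compared byte-for-byte on verify so "alg" cannot be swapped or set to none.
var hdrB64 = b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))

// Mint signs one assertion with the caller's private key, which never leaves the caller.
func Mint(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	in := hdrB64 + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}

// Verify checks header, signature, audience, expiry (now in Unix seconds) and one-shot jti;
// seen is the verifier's non-nil record of jti values it has already accepted.
func Verify(pub ed25519.PublicKey, aud string, seen map[string]bool, tok string, now int64) (c Claims, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || p[0] != hdrB64 {
		return c, errors.New("malformed token or unexpected header")
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return c, errors.New("bad signature")
	}
	body, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("bad claims")
	}
	// Scoped to one audience, dead after exp, and good for exactly one call.
	if c.Aud != aud || now >= c.Exp || seen[c.Jti] {
		return c, errors.New("wrong audience, expired, or jti already used")
	}
	seen[c.Jti] = true
	return c, nil
}
```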

Coverage

Phishing-resistant on every surface, human and not.
Especially the agents and machines.

Agents, machines, and service accounts carry the new risk, so they lead. The human surfaces are covered too, including the ones PIV never reached.

Agent

Government AI agents. Scoped, revocable, signed per call.

Machine

Agency machine-to-machine. Every call signed, no standing key to forge.

Actions

Per-action signing and a tamper-evident ledger for agent and high-risk actions.

Bot

RPA and automation. Ephemeral tokens, full attribution.

Workload

Agency workloads. Bound to where they run.

Web

Contractors, partners, and mobile. Phishing-resistant access PIV can't reach.

Frontline

Shared kiosks and field terminals. One tap, no card, no reader.

People

Help-desk proofing. A locked-out "cleared employee" has to prove it.

Voice

Citizen and constituent lines. Proof without the PII an attacker already has.

The regulatory picture

The mandate already requires phishing-resistant proof.
We meet it, and reach past it.

Three federal requirements, what each asks for, and where we line up.

IN FORCE

OMB M-22-09 [2]

The federal zero-trust strategy requires phishing-resistant MFA for staff, contractors, and partners, and the end of SMS, voice-OTP, and simple push. CISA recognizes only FIDO/WebAuthn and PIV/PKI as meeting the bar.

Origin-bound FIDO2/WebAuthn that meets the bar and reaches the contractors, mobile users, and help desks PIV can't, federated into your ICAM.

GUIDANCE

CISA Zero Trust Maturity Model v2.0 [5]

Sets phishing-resistant MFA and passwordless as Advanced, and continuous validation as Optimal, in the identity pillar.

Phishing-resistant, passwordless identity across human and non-human surfaces, verified per call rather than once at login.

IN FORCE

NIST SP 800-63-4 [6]

The current digital identity guidelines. AAL3 requires a phishing-resistant, hardware-bound authenticator. (800-63-3 was withdrawn in August 2025.)

Authentication aligned to NIST SP 800-63-4 AAL3.

Why now

Compliance is settled. Security isn't.

The mandate, the intrusions that tested it, and what we cover against each.

  1. Jan 2022 · Regulation

    OMB's zero-trust strategy made phishing-resistant MFA mandatory for staff, contractors, and partners.

    Phishing-resistant proof, every population (White House, OMB M-22-09)
  2. April 2023 · Regulation

    CISA's maturity model pushed the bar to phishing-resistant, passwordless, and validation that continues past login.

    Verified per call, not once at login (CISA Zero Trust Maturity Model v2.0)
  3. 2023, updated 2025 · Incident

    A documented group calls federal and contractor help desks, impersonates locked-out staff, and talks the desk into resetting MFA.

    Cryptographic caller proofing (CISA / FBI advisory AA23-320A)
  4. March 2024 · Incident

    One stolen signing key forged tokens into multiple agencies' email for months. The federal review board called it preventable.

    Per-call signing, no key to steal (CISA Cyber Safety Review Board)

Additional sources

  • The Hacker News (citing Rubrik Zero Labs 45:1 and Entro Labs 144:1) · 2025-2026 · Estimate

    Non-human identities (service accounts, API keys, tokens, workloads) outnumber humans by a wide margin, with reported ratios from about 45:1 to 144:1.

  • NIST CSRC, SP 800-63-4 · Final 2025

    NIST SP 800-63-4 is the current set of digital identity guidelines. AAL3 requires a phishing-resistant, hardware-bound authenticator. The prior revision, 800-63-3, was withdrawn in August 2025.

  • Gartner (prediction) · 2025 · Estimate

    Gartner predicts task-specific AI agents will be embedded in 40 percent of enterprise software applications by 2026, up from less than 5 percent in 2025.

  • Gartner (prediction) · 2025 · Estimate

    Gartner predicts AI agents will reduce the time it takes to exploit account exposures by 50 percent by 2027, automating steps in account takeover from deepfake-voice social engineering to credential abuse.


How we fit

We make every identity provable.

A skeptical agency CISO has heard the pitch. Here's how we slot in.

  • 01

    We authenticate people and machines. First-time identity proofing, the document-and-biometric check that onboards a citizen, is a separate control we sit alongside.

  • 02

    We add to PIV and CAC. Where the card works, keep it. We reach the contractors, mobile, and help desks it never could.

  • 03

    We federate into the ICAM and IdP you already run, and make every identity on them cryptographic.

  • 04

    We secure who gets in and what they sign. Your SIEM, endpoint, and network controls each own their layer, alongside us.

Next step

Map every agent, machine, and human you need to prove.
Book a 30-minute technical review.

Bring your AI-agent and non-human inventory, your PIV and CAC coverage map, your contractor and mobile population, and your help-desk reset flow. We'll show you exactly what we cover, and where you still need it.