Technical Requirements for Agent Identity Attribution
To: Technical Sales & Product Engineering Teams
As AI transitions from “Chat” to “Action,” the industry faces a critical visibility gap. In 2026, the Shanghai Model — where Parent Agents delegate tasks to autonomous Sub-Agents — has become the standard for industrial climate intelligence.
DWS IQ 6 has pioneered the KYA (Know Your Agent) framework to bridge this gap. We seek to integrate L1/L2 identity signals directly into our Firecracker MicroVM hypervisor to provide cryptographically verified accountability for autonomous agent chains.
Traditional KYC verifies humans at login. However, in industrial workflows, a verified human may authorize an Architect Agent, which then spawns a Compliance Agent, which in turn triggers a Sensor Bot.
The Risk: If a sub-agent executes an unauthorized transaction or data breach, who is liable?
The Solution: A recursive identity chain where every sub-agent inherits a “Leash” from a KYC-verified human. The chain is cryptographically bound and immutable.
Our v1.1 Security Standard implements four critical layers of agentic control:
Every agent execution generates a trust_chain_hash. This Merkle-style hash binds the Sub-Agent to the Parent Agent and, ultimately, to the IDV-verified Human Operator.
Human Operator (IDV Verified, KYA Score: 87)
|
+-- trust_chain_hash: 0xA3F...
|
+-- Architect Agent (L2 Provenance Verified)
|
+-- trust_chain_hash: 0xB7C...
|
+-- Compliance Agent (L3 Capability Gated)
|
+-- trust_chain_hash: 0xD1E...
|
+-- Sensor Bot (L4 Runtime Monitored)
Sub-Agent Sandbox = Parent Permissions ∩ Sub-Agent Manifest
An agent can never “outgrow” the permissions of its handler.
If the parent agent has egress to api.tencent.com and microsoft.com, but the child’s manifest only requests api.tencent.com, the child gets only api.tencent.com. The intersection is enforced at the Firecracker VMM layer — not in application code.
If the identity provider signals a risk change for a Human Operator (e.g., AML hit or credential theft), DWS IQ 6 triggers a Cascade Termination.
| Control | Requirement | SLA |
|---|---|---|
| TC-3 | Single agent session termination | < 50 ms |
| TC-4 | Cascade termination (all child agents, max 3 levels) | < 500 ms |
| TC-5 | Maximum delegation depth enforced | 3 levels |
IDV Risk Webhook --> DWS Policy Engine --> Firecracker SIGKILL
|
+-- Level 1: Parent Agent [FROZEN: 12ms]
+-- Level 2: Child Agent [FROZEN: 89ms]
+-- Level 3: Grandchild Bot [FROZEN: 340ms]
Total: < 500ms
Under NIS2 Art. 23, industrial platforms must provide sub-second telemetry for automated decisions. Our Firehorse Telemetry Schema captures full delegation chains:
| Layer | Data Captured | Retention |
|---|---|---|
| Parent/Child Linkage | Full delegation depth visibility (max 3 levels), trust_chain_hash | 5 years |
| Syscall Capture | Every file I/O and network request mapped to a Trust Hash | 90 days (configurable) |
| Identity Events | KYA score changes, permission adjustments, cascade terminations | 5 years (EU AI Act Art. 12) |
| MCP Tool Invocations | Tool calls, parameters, responses per agent per session | 1 year |
| Fault Attribution | LOGIC_FAULT, INTEGRATION_FAULT, MANIFEST_FAULT, OPERATOR_FAULT | 5 years (Supabase) |
The ATS is calculated before any external IDV API call, saving cost by killing low-trust sessions early.
Formula: ATS = max(0, 1.0 − V×0.25 − L − D×0.05)
Where V = KYA violations, L = latency penalty (0.10 if avg > 500ms), D = denied path attempts.
Hard kill: ATS = 0.0 if manifest unsigned or TTL expired. 4 violations = zero trust.
| ATS | KYA Score | Permission Level | Decision |
|---|---|---|---|
| ≥ 0.80 | ≥ 80 | Full sandbox — egress, all MCP tools | GO |
| 0.50–0.79 | 50–79 | Restricted sandbox — no egress, read-only | GO (limited) |
| < 0.50 | < 50 | Suspended — human review required | NO_GO |
| = 0.00 | = 0 | Frozen — agent terminated | NO_GO |
We propose a deep integration where the identity provider acts as the Identity Anchor for our Control Room:
Agent “Power-On” events require L1 verification: document + face match + AML screening. This gates the trust chain — no verification, no agent spawn.
Third-party BYO agents require organization verification. The agent’s provider (Microsoft, Tencent, OpenClaw) must pass KYB before their agents can register.
Continuous risk monitoring via webhook. When risk signals change, sandbox permissions adjust in < 5 seconds. Cascade termination within 500ms.
| Metric | Requirement |
|---|---|
| Max Delegation Depth | 3 Levels (TC-5) |
| Single Termination Latency | < 50ms (TC-3) |
| Cascade Termination Latency | < 500ms (TC-4) |
| Identity Event Retention | 5 Years (EU AI Act Art. 12) |
| Syscall Retention | 90 days (configurable) |
| Isolation Layer | Firecracker MicroVM (hardware-level) |
| ATS Formula | max(0, 1.0 - V×0.25 - L - D×0.05) |
| Fault Attribution Storage | Supabase (kya_fault_attribution) |
| Industrial Models | 16 EU-regulated industries (Fit for 55) |
We have prepared a Mock Telemetry Test environment on our Helsinki-based Acer Veriton nodes. We invite the partner technical team to witness a “Leash Snap” demonstration where a sub-agent is terminated mid-execution following a simulated identity revocation.
Lifetime Oy · Helsinki, Finland
risto@onelifetime.world
dws10.com/kya-standard/ · onelifetime.world