
Mapping the Modern Agent Security Stack

DEV.to
Sunday, May 17, 2026
  • CrowdStrike and Palo Alto Networks recently completed major acquisitions to secure agentic identities.
  • The agent security stack includes four layers: transport, identity/delegation, policy, and runtime governance.
  • Protocol-agnostic security architectures evaluate policy during credential issuance to maintain consistency across agent chains.

Agent security has become a priority as autonomous agents gain access to sensitive systems at superhuman speeds. Major industry moves include CrowdStrike's acquisition of identity security firm SGNL for roughly $740 million in January 2026, and Palo Alto Networks' $25 billion acquisition of CyberArk on February 11, 2026. Security professionals now view agentic identity as a multifaceted challenge spanning four distinct architectural layers.

The transport layer functions as the system's front door, managing how an agent connects to a server. Protocols like the Model Context Protocol (MCP) are central here, with 2025 updates mandating Resource Indicators (RFC 8707) and introducing Client ID Metadata Documents to replace dynamic client registration. While transport solutions handle connectivity and token validity, they lack visibility into specific user authorizations or agent intent.

The identity and delegation layer focuses on confirming the agent's identity and the principal it acts on behalf of. Standard primitives like RFC 8693 token exchange and emerging proposals like Transaction Tokens for Agents help define actor and principal roles. Workload identity tools such as SPIFFE and SPIRE provide cryptographic proof of an agent's environment, moving away from static API keys that risk over-privilege. Solutions like Keycard attempt to unify these identities by federating from OIDC providers and evaluating policy at the moment of credential issuance.

The policy layer acts as a decision point for specific actions on resources, distinct from identity verification. Established tools like Cedar, Open Policy Agent, and OpenFGA allow developers to define access rules. In a traditional Policy Decision Point/Policy Enforcement Point (PDP/PEP) pattern, access is evaluated against existing credentials. However, this separates policy from the issuance process.

The runtime and governance layer addresses behavioral monitoring, non-human identity inventories, and audit logging. Guardrails at this level can detect prompt injection or behavioral anomalies, while inventory tools manage existing API keys and service accounts. Because this layer operates post-issuance or on content behavior, it does not determine if an agent should initially receive access.

Navigating these layers requires distinguishing between protocols and products. Many agent security tools are coupled to specific transport protocols like MCP, making them vulnerable to spec changes. Protocol-agnostic architectures—which decouple security logic from the transport—offer more resilience by integrating identity and policy at the credential issuance stage, ensuring consistent authorization across complex chains of agents.
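The following is an added example, written for this summary and not code from the DEV.to article or from any product it names (Keycard, SPIRE, Cedar and the rest). It ties together three of the layers above in one small Python program: the token carries an audience bound to a single resource (the RFC 8707 resource-indicator idea), it records an actor/principal pair the way an RFC 8693 delegated token does, and the delegation and action policy are evaluated before the credential is minted, so the enforcement point only has to check signature, audience, expiry and scope. The signing key, the SPIFFE ID, the policy tables and the compact HMAC-signed token format (a stand-in for a JWT, kept dependency-free) are all constructed for the example.

```python
"""Issuance-time authorization for a delegated agent credential.

Constructed demo: the token format is a minimal HMAC-signed structure
standing in for a JWT, and every key, identity and policy entry below is
made up for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-not-for-real-use"  # constructed

# Constructed principal policy: principal -> resource (audience) -> actions.
POLICY = {
    "alice": {
        "https://crm.example/api": {"read", "update"},
        "https://billing.example/api": {"read"},
    },
}

# Constructed delegation policy: which workload identity (SPIFFE ID) may act
# for which principals, and which resources it may be delegated to at all.
DELEGATION = {
    "spiffe://example.org/agent/sales-assistant": {
        "principals": {"alice"},
        "resources": {"https://crm.example/api"},
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(claims: dict) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def issue_token(principal, actor, resource, actions, ttl=300):
    """Policy decision at issuance. Returns (token or None, reason).

    The delegation check answers "may this agent act for this user on this
    resource?"; the policy check answers "may the user do these actions
    there at all?". Both must pass before any credential exists.
    """
    deleg = DELEGATION.get(actor)
    if deleg is None:
        return None, "unknown actor"
    if principal not in deleg["principals"]:
        return None, "actor not permitted to act for principal"
    if resource not in deleg["resources"]:
        return None, "actor not delegated for this resource"
    allowed = POLICY.get(principal, {}).get(resource, set())
    denied = set(actions) - allowed
    if denied:
        return None, f"principal lacks {sorted(denied)} on {resource}"
    now = int(time.time())
    claims = {
        "sub": principal,            # the principal the agent acts for
        "act": {"sub": actor},       # the acting workload, RFC 8693 style
        "aud": resource,             # single resource, RFC 8707 style
        "scope": sorted(actions),    # narrowed to what was approved
        "iat": now,
        "exp": now + ttl,
    }
    return _sign(claims), "issued"


def verify_token(token, resource, action, now=None):
    """Enforcement-point check: signature, audience, expiry, scope.

    Returns (True, actor_id) on success or (False, reason) on failure.
    """
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return False, "bad signature"
    pad = "=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(body + pad))
    now = int(time.time()) if now is None else now
    if claims["aud"] != resource:
        return False, "audience mismatch"
    if now >= claims["exp"]:
        return False, "expired"
    if action not in claims["scope"]:
        return False, "action not in scope"
    return True, claims["act"]["sub"]


if __name__ == "__main__":
    agent = "spiffe://example.org/agent/sales-assistant"
    tok, why = issue_token("alice", agent, "https://crm.example/api", ["read"])
    print(why, verify_token(tok, "https://crm.example/api", "read"))
    print(issue_token("alice", agent, "https://billing.example/api", ["read"]))
```

The point of the split is that a token minted this way is already narrow: the resource server never sees a credential that names a resource it was not issued for, an action the principal was never permitted, or an agent that was never delegated for that principal. A PDP consulted only at the enforcement point can refuse such a request, but it cannot prevent the over-broad credential from existing in the first place.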

Read original (English)·May 15, 2026
Tags: agent security, identity, mcp, spiffe, oauth, cybersecurity