Framework Evaluation Tool
Eleven Commandments of the
Secure Agentic AI Framework
Affirmed Identity — July 22, 2026
Continuous monitoring is key to securing the agentic AI framework and business accounts in general. The question is: what does continuous monitoring mean in this context, and how well do present or planned solutions actually meet the need?
Session Security, guided by these Commandments
Securing a session, especially an agentic AI session, takes the combined efforts of two related frameworks, the session security framework these commandments specifically apply to, and the separate yet equally important action security framework taking place within the authorized session, also covered by commandment X. A subtle distinction that can be confusing.
All commandments apply when evaluating the security of agentic AI sessions. For non-agentic sessions, focus on commandments I, III, V, VII, IX, X, and XI.
Submitting that question to your favorite AI agent promptly delivers an answer. It's best done while sitting with heart medications at hand.
Try this prompt with your AI agent of choice, paste it in directly. Fill in your identity provider's product name in place of [identity provider name here] and its website domain address in place of [its website domain here]. For example: “Cisco Identity” at “https://Cisco.com” or “Entra ID” at “https://microsoft.com/”. Copy and paste the Eleven Commandments after or “below this line] “, and let the scoring begin.
Your AI Evaluation Prompt
Replace [identity provider name here] with IdP name and [its website domain here] with the website describing it. For example “Entra ID” and “Microsoft.com”. Then copy the plain text commandments.
A review of the Eleven Commandments demonstrates that they are vendor-neutral and technology-agnostic, addressing the security principles that matter most when protecting agentic AI sessions. They are intended to provide an objective framework for evaluating any solution, including our own.
We welcome comments, constructive criticism, and suggestions for improving the framework as the threat landscape and agentic AI continue to evolve.
Use AI to Compare Providers
Replace the [identity provider name here] and [its website domain here] with product names and their websites to be compared. The Pulse CA + Sentinel and AffirmedId.com defaults can be replaced. Then copy the plain text commandments.
The Eleven Commandments
Each commandment identifies a specific security measure that should be in place to reduce cyber risk in agentic AI deployments and business account security generally. Some will be fully met by your current solution. Some partially. Some not at all. That's normal, and expected.
This is not a pass/fail test. It's a diagnostic. The scoring paints a security picture, one with shades of gray in most real-world environments. What matters is seeing clearly where your coverage is solid, where it's thin, and where the gaps are. You can't close a gap you are unaware of.
Notice that where the commandment is either not met or only partially so, your agent often provides hints as to why and what needs to be done to reach Achieved state.
Finally, in reviewing the commandments you’ll see they have no bias, no finger on the scale, and for the most part are just common-sense recommendations.
Phishing Resistance is Absolute
Phishing resistance is not a feature; it is the governing condition of the entire framework. Every boundary through which human identity, trust, or authorization is asserted, transmitted, or acted upon must be phishing-resistant without exception. This includes authentication at its origin, token delivery, IdP-to-agent connections, agent-to-agent authorization assertions, step-up reauthentication channels, and policy decision communications. No commandment that follows has meaning if the channels through which it runs can be compromised. Phishing resistance is not achieved once at login, it is maintained everywhere, always.
Born from Human Activity
Every agentic AI instance traces its origin to an authenticated human, the founding human. That authentication must be phishing-resistant at its inception; a compromised human root invalidates everything that follows. The founding human's identity, authorization level, and trust posture at the moment of agent creation become the immutable starting conditions for the agent's existence. No agent exists without a verified, phishing-resistant human root.
Unique Identity
Each agent instance must have a distinct, cryptographically protected identity, not a label, but a verifiable credential. No two agents should be indistinguishable, and identity must be resistant to spoofing, cloning, or assumption. Unique identity is the prerequisite on which all other commandments depend.
Authorization Equal or Lower than Founding Human
An agent cannot exceed the permissions of the human who created it. This ceiling is the cardinal rule of authorization inheritance. An agent, and any sub-agent it creates, runs within a bounded permission envelope that descends from, and never exceeds, the founding human's entitlements at the time of creation.
Bounded Operational Scope
An agent's permitted actions are defined at creation and must not expand without explicit re-authorization traceable to the founding human. Scope is a constraint, not a starting point for negotiation.
Propagation Governed, Not Unbounded
An agent's ability to spawn sub-agents is a privilege, not a right. That privilege must be explicitly granted within the bounds of the founding human's authorization level. Unbounded propagation is an uncontrolled expansion of the trust surface.
Inherited Trust Posture, Not Assumed Trust
An agent begins with a trust level derived from the founding human's continuously verified identity state. That trust is inherited as a bounded and traceable starting condition, it must reflect the founding human's current verified posture, not the posture that existed at session initiation. Trust assumed once and never revisited is not trust; it is risk.
Session Lifecycle Linkage
An agent's session is a derivative of the founding human's continuously verified session. When the human's identity verification degrades, lapses, or does not meet the threshold required for the current operational context, the agent's session follows. The human session is the root lease; agent sessions are sub-leases that inherit both its authority and its constraints in real time.
Right to Exist: Continuous Identity Verification and Step-Up Reauthentication
An agent's right to operate must be continuously reaffirmed through ongoing verification of the founding human's identity. Verification is not a moment; it is a condition that must be sustained. Where that condition degrades, or where the sensitivity of a pending action exceeds the current verified trust level, step-up reauthentication of the founding human is required before the agent may proceed. Agents whose authorization chain cannot be reaffirmed lose their right to exist.
Supervision, Action-Level Control, and Auditability
Session-level oversight is necessary but not sufficient. Every discrete action taken by an agent must be observable, subject to authorization at the moment of execution, and attributable after the fact. Supervision must extend to the action layer — where agents invoke tools, access resources, and make decisions — not only to the session within which those actions occur. The audit trail across the entire agent tree must be complete and tamper-evident, tracing every action to its executing agent, its parent chain, and ultimately to the founding human. What cannot be seen cannot be governed. What cannot be governed cannot be trusted.
Accountability
Accountability is not a property an agent possesses, it is the condition achieved when the preceding ten commandments are designed, implemented, and enforced without exception. It is the measure by which architects, designers, and evaluators judge whether an agentic AI system is trustworthy.
Plain Text Version (for AI Submission)
Copy this block and paste it into your AI prompt after the evaluation question above.
ELEVEN COMMANDMENTS OF THE SECURE AGENTIC AI FRAMEWORK Affirmed Identity, June 22, 2026 I. PHISHING RESISTANCE IS ABSOLUTE Phishing resistance is not a feature; it is the governing condition of the entire framework. Every boundary through which human identity, trust, or authorization is asserted, transmitted, or acted upon must be phishing-resistant without exception. This includes authentication at its origin, token delivery, IdP-to-agent connections, agent-to-agent authorization assertions, step-up reauthentication channels, and policy decision communications. No commandment that follows has meaning if the channels through which it runs can be compromised. Phishing resistance is not achieved once at login, it is maintained everywhere, always. II. BORN FROM HUMAN ACTIVITY Every agentic AI instance traces its origin to an authenticated human, the founding human. That authentication must be phishing-resistant at its inception; a compromised human root invalidates everything that follows. The founding human's identity, authorization level, and trust posture at the moment of agent creation become the immutable starting conditions for the agent's existence. No agent exists without a verified, phishing-resistant human root. III. UNIQUE IDENTITY Each agent instance must have a distinct, cryptographically protected identity, not a label, but a verifiable credential. No two agents should be indistinguishable, and identity must be resistant to spoofing, cloning, or assumption. Unique identity is the prerequisite on which all other commandments depend. IV. AUTHORIZATION EQUAL OR LOWER THAN FOUNDING HUMAN An agent cannot exceed the permissions of the human who created it. This ceiling is the cardinal rule of authorization inheritance. An agent, and any sub-agent it creates, runs within a bounded permission envelope that descends from, and never exceeds, the founding human's entitlements at the time of creation. V. BOUNDED OPERATIONAL SCOPE An agent's permitted actions are defined at creation and must not expand without explicit re-authorization traceable to the founding human. Scope is a constraint, not a starting point for negotiation. VI. PROPAGATION GOVERNED, NOT UNBOUNDED An agent's ability to spawn sub-agents is a privilege, not a right. That privilege must be explicitly granted within the bounds of the founding human's authorization level. Unbounded propagation is an uncontrolled expansion of the trust surface. VII. INHERITED TRUST POSTURE, NOT ASSUMED TRUST An agent begins with a trust level derived from the founding human's continuously verified identity state. That trust is inherited as a bounded and traceable starting condition, it must reflect the founding human's current verified posture, not the posture that existed at session initiation. Trust assumed once and never revisited is not trust; it is risk. VIII. SESSION LIFECYCLE LINKAGE An agent's session is a derivative of the founding human's continuously verified session. When the human's identity verification degrades, lapses, or does not meet the threshold required for the current operational context, the agent's session follows. The human session is the root lease; agent sessions are sub-leases that inherit both its authority and its constraints in real time. IX. RIGHT TO EXIST: CONTINUOUS IDENTITY VERIFICATION AND STEP-UP REAUTHENTICATION An agent's right to operate must be continuously reaffirmed through ongoing verification of the founding human's identity. Verification is not a moment; it is a condition that must be sustained. Where that condition degrades, or where the sensitivity of a pending action exceeds the current verified trust level, step-up reauthentication of the founding human is required before the agent may proceed. Agents whose authorization chain cannot be reaffirmed lose their right to exist. X. SUPERVISION, ACTION-LEVEL CONTROL, AND AUDITABILITY Session-level oversight is necessary but not sufficient. Every discrete action taken by an agent must be observable, subject to authorization at the moment of execution, and attributable after the fact. Supervision must extend to the action layer — where agents invoke tools, access resources, and make decisions — not only to the session within which those actions occur. The audit trail across the entire agent tree must be complete and tamper-evident, tracing every action to its executing agent, its parent chain, and ultimately to the founding human. What cannot be seen cannot be governed. What cannot be governed cannot be trusted. XI. ACCOUNTABILITY Accountability is not a property an agent possesses, it is the condition achieved when the preceding ten commandments are designed, implemented, and enforced without exception. It is the measure by which architects, designers, and evaluators judge whether an agentic AI system is trustworthy.
How Does Pulse CA Measure Up?
We built Pulse with these commandments as design requirements, not aspirational goals. Session lifecycle linkage, phishing resistance through the full agentic tree, inherited trust posture, Merkle Tree auditability, these are baked into the architecture.
Ask your AI agent to score us. We're not concerned about the answer.
Request a Demo → Read the Technical BriefPulse CA™ — AffirmedID at affirmedid.com — Copyright © June 2026