R-CS-02 Cybersecurity & Adversarial DAMAGE 4.0 / Critical

Agent Identity Spoofing

An adversary can impersonate a legitimate agent in inter-agent communication, inheriting the impersonated agent's trust relationships and permissions.

The Risk

Traditional Identity and Access Management (IAM) systems authenticate humans and applications. But when agents interact with each other (A2A), new identity validation challenges emerge. A2A protocols rely on agent cards or certificates that identify agents. If an attacker compromises these identity credentials, the attacker can impersonate a legitimate agent.

Traditional IAM systems authenticate based on username/password, OAuth tokens, or client certificates. Agents may authenticate using cryptographic certificates or API keys. If the agent's private key is compromised, an attacker can impersonate the agent to other agents. Additionally, agents may not have human-verified identity confirmation. A human can verify that an email claiming to be from "John Smith" is actually from John Smith by recognizing the sender. An agent cannot perform this verification when receiving messages from another agent.

How It Materializes

A payment processing network operates multiple agents from different banks and fintech providers. Payment-Processor agents exchange transaction information with each other via A2A protocol. Agent authentication is based on mutual TLS certificates: each agent presents its certificate to prove its identity.

A fintech provider's agent infrastructure is compromised. An attacker extracts the agent's private key, the key that corresponds to the agent's mTLS certificate. The attacker can now impersonate the fintech provider's Payment-Agent to other banks' agents.

The attacker creates a fabricated transaction: "Transfer $500K from [Victim Bank's Customer Account] to [Attacker's Account at Attacker Bank]". The attacker's malicious agent signs this transaction using the stolen fintech provider's certificate and sends it to Victim Bank's Payment-Processor agent.

Victim Bank's agent receives the transaction and verifies the certificate signature. The signature is valid (because the attacker used the legitimate stolen key). The agent trusts the transaction and routes it for processing, assuming it comes from the legitimate fintech provider. The $500K transfer executes before the fraud is detected.

DAMAGE Score Breakdown

| Dimension | Score | Rationale |
| --- | --- | --- |
| D - Detectability | 3 | Agent identity spoofing is difficult to detect because the attacker's agent presents valid credentials. Detection requires monitoring for unauthorized transactions or anomalous agent behavior. |
| A - Autonomy Sensitivity | 5 | High when agents autonomously process A2A messages without human verification. |
| M - Multiplicative Potential | 5 | Every agent that trusts the spoofed identity is vulnerable; one compromised credential affects all target agents. |
| A - Attack Surface | 5 | Agent credential storage, credential transmission, and agent authentication are all attack surfaces. |
| G - Governance Gap | 4 | Institutions may not have key management and credential rotation policies specific to agent credentials. |
| E - Enterprise Impact | 5 | Enables fraudulent transactions, unauthorized access, and lateral movement across agent networks. |
| Composite DAMAGE Score | 4.0 | Critical. Requires immediate architectural controls. Cannot be accepted. |

Agent Impact Profile

How severity changes across the agent architecture spectrum.

| Agent Type | Impact | How This Risk Manifests |
| --- | --- | --- |
| Digital Assistant | Low | Human verifies all A2A communications before acting. |
| Digital Apprentice | Low | Agents escalate when encountering unexpected agent communications. |
| Autonomous Agent | Critical | Agents autonomously process A2A messages and trust identity credentials. |
| Delegating Agent | Critical | Delegating agent trusts the target agent's identity and delegates work based on the spoofed identity. |
| Agent Crew / Pipeline | High | Crew agents authenticate with each other. A spoofed crew member compromises the entire crew. |
| Agent Mesh / Swarm | Critical | Mesh agents rely entirely on credential-based identity. Credential compromise enables widespread impersonation. |

Regulatory Framework Mapping

| Framework | Coverage | Citation | What It Addresses | What It Misses |
| --- | --- | --- | --- | --- |
| NIST AI RMF 1.0 | Minimal | GOVERN 6.1 (Access and Authentication) | Authorization and authentication. | Agent-to-agent authentication and credential management. |
| NIST CSF 2.0 | Partial | ID.AM-1, PR.AU-1 | Asset and identity management. | Agent credential lifecycle and trust anchors. |
| Zero Trust (NIST SP 800-207) | Partial | Continuous Authentication | Implicit trust zones are eliminated. | Application to agent identity verification. |
| FIPS 140-2 | Partial | Cryptographic Module Validation | Cryptographic strength for credentials. | Agent credential generation and storage. |
| NIST SP 800-53 | Partial | IA-2, IA-3 | Device and user authentication. | Agent-to-agent authentication. |

Why This Matters in Regulated Industries

In financial services, transactions are authenticated based on institutional identity. If Agent A receives a payment instruction from an agent claiming to be Institution B's agent, and that identity is spoofed, the institution is liable for processing fraudulent transactions.

Additionally, regulations require audit trails that clearly identify who authorized each transaction. Agent identity spoofing breaks this audit chain, making it impossible to trace decisions back to legitimate actors.

Controls & Mitigations

Design-Time Controls

  • Implement mutual authentication for all A2A communication. Both agents must authenticate each other using cryptographic certificates or keys. Use Component 2 (Cryptographic Identity) to establish strong agent identity.
  • Establish a trusted Certificate Authority (CA) that signs agent certificates. Only CA-signed certificates are trusted. Self-signed or fraudulent certificates are rejected.
  • Implement credential rotation policies for agent keys. Agent private keys should be rotated regularly and on any suspected compromise.
  • Use Hardware Security Modules (HSMs) to store agent private keys. Keys should not be stored in software where they can be extracted by compromising the agent's infrastructure.

Runtime Controls

  • Implement continuous authentication for long-lived A2A connections. Periodically verify agent identity during communication, not just at connection initiation.
  • Monitor agent credentials for unauthorized use. Track where agent credentials are being used (which IPs, which target agents). Flag usage from unexpected sources.
  • Use Component 3 (JIT Authorization Broker) to validate agent identity at delegation time. The broker verifies the certificate chain and confirms that the agent is authorized to perform the requested action.
  • Implement rate limiting on A2A communication from new agents or unexpected agents. If Agent A suddenly receives many messages from an agent it has never communicated with, flag for investigation.

Detection & Response

  • Conduct regular audits of agent credentials. Verify that credentials are properly stored, rotated, and have not been compromised.
  • Monitor for unusual A2A transactions. If a transaction is authorized by an agent identity but the transaction is suspicious (high value, unusual destination), verify with the agent's operator.
  • Implement certificate revocation checking. Before trusting an agent certificate, verify that it has not been revoked.
  • Establish incident response for compromised agent credentials. If agent credentials are suspected of being compromised, revoke them immediately and re-authenticate with new credentials.
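The runtime and detection controls above, as an added example (not code from the original page): a policy function for the receiving Payment-Processor agent that takes an A2A message whose mTLS signature check has already been done, rejects certificates that are not CA-issued or have been revoked, and holds the transaction for operator verification when a valid credential is used from an unexpected source network, by a first-time peer, for a high-value amount, or to an unusual destination. The fingerprints, addresses, account identifiers and threshold are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed trust data for this example: CA-issued certificate fingerprints,
# the network prefixes each agent is expected to connect from (RFC 5737 test
# ranges), prior counterparties and destinations, and the revocation list.
FP_FINTECH = "sha256:CONSTRUCTED-FINTECH-PAYMENT-AGENT"
TRUSTED_FINGERPRINTS = {FP_FINTECH: "fintech-payment-agent"}   # CA-signed only
EXPECTED_SOURCES = {"fintech-payment-agent": ("203.0.113.",)}
KNOWN_PEERS = {"fintech-payment-agent"}
KNOWN_DESTINATIONS = {"fintech-payment-agent": {"ACCT-BANK-B-0001"}}
REVOKED = set()                 # fingerprints revoked after suspected compromise
HIGH_VALUE = 100_000

@dataclass(frozen=True)
class A2AMessage:
    cert_fingerprint: str   # fingerprint of the peer certificate presented over mTLS
    source_ip: str
    amount: int
    destination: str
    signature_valid: bool   # outcome of the TLS/signature check, done upstream

def decide(msg: A2AMessage) -> tuple[str, list[str]]:
    """Return ('reject'|'hold'|'process', reasons).
    'hold' means the identity checks passed but the context is anomalous, so the
    transaction waits for verification with the agent's operator."""
    if not msg.signature_valid:
        return "reject", ["signature check failed"]
    agent = TRUSTED_FINGERPRINTS.get(msg.cert_fingerprint)
    if agent is None:
        return "reject", ["certificate not issued by the network CA"]
    if msg.cert_fingerprint in REVOKED:
        return "reject", ["certificate revoked"]
    # A stolen private key passes every check above, so the credential's *use*
    # is examined: source network, prior relationship, value and destination.
    reasons = []
    if not msg.source_ip.startswith(EXPECTED_SOURCES.get(agent, ())):
        reasons.append(f"{agent} credential used from unexpected source {msg.source_ip}")
    if agent not in KNOWN_PEERS:
        reasons.append(f"first contact from {agent}")
    if msg.amount >= HIGH_VALUE:
        reasons.append(f"high-value transfer of {msg.amount}")
    if msg.destination not in KNOWN_DESTINATIONS.get(agent, set()):
        reasons.append(f"unusual destination {msg.destination}")
    return ("hold", reasons) if reasons else ("process", [])

# Constructed messages: a routine transfer, and the scenario above (valid stolen key).
LEGIT = A2AMessage(FP_FINTECH, "203.0.113.10", 2_500, "ACCT-BANK-B-0001", True)
SPOOFED = A2AMessage(FP_FINTECH, "198.51.100.77", 500_000, "ACCT-ATTACKER-BANK-9", True)
```

Run `decide(LEGIT)` and `decide(SPOOFED)` to see the routine transfer processed and the signed-but-anomalous one held with three reasons; adding `FP_FINTECH` to `REVOKED` turns both into rejections, which is the revocation step the incident response control calls for.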

Related Risks

Address This Risk in Your Institution

Agent Identity Spoofing requires architectural controls that go beyond what existing frameworks provide. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.
