The Agent Control Fabric
Every agent needs a verifiable identity, and every action it takes needs an authorization decision. Highflame provides both by enforcing identity, authority, delegation, and revocation at every boundary, in real time.
Identity answers who; authorization answers what
Two questions, answered together. Who is this agent, and on whose behalf does it act? And for this action, right now, is it allowed?
Agent Identity
Every agent carries a verifiable credential: owner, trust tier, framework, delegation depth, and the chain back to a named human.
- Verifiable, agent-shaped credentials
- Delegation & scope attenuation
- Just-in-time, ephemeral access
- Cascade revocation in seconds
Agent Authorization
Every action (tool call, model request, A2A hop) is checked against one policy and hundreds of live signals, then allowed, shaped, paused, or blocked.
- One Cedar policy, every boundary
- Hundreds of typed signals per run
- Adaptive guardrails & breakout controls
- Out-of-band, fail-closed enforcement
Identity without authorization is just an inventory. Authorization without identity is a guess. The fabric is both.
Identity built for agents, not retrofitted from humans or machines
Human IAM was built for users. NHI was built for services, workloads, and machines. Agents introduce a different identity problem: they act on behalf of people, delegate work, call tools, and change context over time. Highflame gives every agent a verifiable, agent-shaped credential that can be governed at every boundary.
Agent-shaped credentials
A stable, verifiable identity carrying owner, framework, trust tier, and delegation depth, not a shared key or a borrowed role.
Delegated authority
An unbroken on-behalf-of chain, where an agent always holds strictly less authority than the principal that authorized it.
Scope attenuation
Permissions narrow at every hop. A sub-agent can never out-scope the agent that delegated to it.
Just-in-time access
Short-lived, task-scoped credentials minted on demand and expired when the work is done. No standing access to leak.
Proof-of-possession
Tokens bind to a proof key, so a stolen token is inert without it.
Cascade revocation
Revoke a parent and the whole delegation tree collapses with it: instantly, not at token expiry.
All of it ships open source as Highflame ZeroID: OAuth 2.1, SPIFFE/WIMSE, RFC 8693, DPoP. Trusted by inspection, not reputation.
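The delegation rules described above (strictly narrower scopes at every hop, an on-behalf-of chain back to a human, and revocation that cascades down the tree) can be modelled in a few lines. This is an added illustration, not Highflame or ZeroID code; the `Credential` class, `authorize` function, scope names and `MAX_DEPTH` value are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

MAX_DEPTH = 3  # assumed cap on delegation depth, not a value from the page


@dataclass
class Credential:
    subject: str                       # e.g. "user:alice" or "agent:planner"
    scopes: frozenset
    parent: Optional["Credential"] = None
    depth: int = 0
    revoked: bool = False

    def delegate(self, subject, scopes):
        """Mint a child credential; refuse anything that would not narrow authority."""
        requested = frozenset(scopes)
        if not requested < self.scopes:          # strict subset only
            raise PermissionError(f"{subject}: scopes must be a strict subset")
        if self.depth + 1 > MAX_DEPTH:
            raise PermissionError(f"{subject}: delegation depth exceeded")
        return Credential(subject, requested, self, self.depth + 1)

    def chain(self):
        """On-behalf-of chain, from this credential back to the root principal."""
        node, out = self, []
        while node is not None:
            out.append(node.subject)
            node = node.parent
        return out


def authorize(cred, scope):
    """Deny if any link in the chain is revoked, the scope is absent, or a check fails."""
    try:
        node = cred
        while node is not None:
            if node.revoked:
                return False
            node = node.parent
        return scope in cred.scopes
    except Exception:
        return False                              # fail closed


def demo():
    # Constructed chain: human -> planner agent -> coder sub-agent.
    alice = Credential("user:alice", frozenset({"repo:read", "repo:write", "deploy:prod"}))
    planner = alice.delegate("agent:planner", {"repo:read", "repo:write"})
    coder = planner.delegate("agent:coder", {"repo:read"})
    before = authorize(coder, "repo:read")
    planner.revoked = True                        # revoke the parent only
    return before, authorize(coder, "repo:read"), coder.chain()
```

Because revocation is checked by walking the chain at decision time, revoking `agent:planner` denies `agent:coder` on its next call without touching the child credential or waiting for it to expire.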
One policy, hundreds of signals: decided before the action lands
Agents drift, get manipulated, and chain calls no one anticipated, so a static gate won’t hold. Every action is checked in-line against one policy and a live stream of signals, out-of-band and fail-closed.
One policy, every boundary
One Cedar policy, authored once, enforced across model traffic, the IDE, the tool gateway, and A2A, not three languages for three products.
The signal engine
150+ prebuilt detectors emit hundreds of typed signals per run (across prompts, tool calls, and responses), mapped to one taxonomy and fed to the policy. Detection and decision stay decoupled.
Adaptive guardrails
Controls tighten as new signals and attack patterns emerge, instead of static rules someone has to keep rewriting.
Breakout & mission drift
Each agent’s mission is tracked at runtime; when it drifts or is steered off, the fabric contains or stops it before the action lands.
Human-in-the-loop
High-consequence actions pause for attributable human approval, then resume, without blocking the routine 99%.
Out-of-band & fail-closed
Enforcement sits outside the model’s control path and denies on error: never a silent allow.
Tiered detection with early-exit
| Tier | Method | What it catches |
|---|---|---|
| Fast | <5 ms · rules | Secrets, PII, injection, tool-risk, MCP poisoning, runaway loops. |
| Standard | 10–200 ms · ML | Prompt injection, toxicity, hallucination, and intent drift, across the full session. |
| Deep | 50–500 ms · cloud | DLP, content safety, phishing, and custom webhook detectors. |
A fast block skips the slower tiers, and a failed detector fails safe: never a false deny.
Deterministic rules and probabilistic signals resolve in the same policy. Blocking an injection and pausing a drifting agent are the same kind of decision.
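The sketch below models the tiered pipeline with early exit and shows one reading of the two error rules on this page: a detector that fails contributes no block signal (so it cannot cause a false deny), while a failure in the enforcement step itself denies. It is an added example, not Highflame code; the detector functions, signal names, sample strings and the default policy are constructed for illustration.

```python
def has_secret(text):            # constructed fast-tier rule
    return "AKIA" in text

def broken_ml(text):             # constructed standard-tier detector that always fails
    raise TimeoutError("model unavailable")

def deep_dlp(text):              # constructed deep-tier check
    return "confidential" in text.lower()

TIERS = [("fast", [has_secret]), ("standard", [broken_ml]), ("deep", [deep_dlp])]


def run_tiers(text, tiers=TIERS):
    """Run tiers in order; return (block_signals, tiers_run, detector_errors)."""
    signals, ran, errors = [], [], []
    for name, detectors in tiers:
        ran.append(name)
        for det in detectors:
            try:
                if det(text):
                    signals.append(f"{name}:{det.__name__}")
            except Exception:
                # Detector failure: record it, emit no block signal.
                errors.append(f"{name}:{det.__name__}")
        if signals:
            break                # early exit: a block skips the slower tiers
    return signals, ran, errors


def default_policy(signals):
    return "block" if signals else "allow"


def decide(text, policy=default_policy):
    """Enforcement step: any error while deciding results in a deny."""
    try:
        signals, _ran, _errors = run_tiers(text)
        return policy(signals)
    except Exception:
        return "block"           # fail closed, never a silent allow
```

Detection and decision stay separate here: `run_tiers` only emits signals, and `decide` is the single place where an allow or block is produced.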
Authorization is only as real as the wire it runs on
The Highflame Agent Gateway is the data plane that enforces every decision: a Rust gateway for LLM, MCP, and A2A traffic that binds each request to a verifiable agent identity at the wire. Policy runs inline and out-of-band, never advisory.
Identity bound at the wire
Every request carries a verifiable agent or NHI credential, audience-bound to the exact tool it was minted for. A token lifted from one surface is inert on another.
Per-method scope & trust gates
The gateway evaluates identity type, trust tier, scopes, and delegation depth on every call. An agent can read a tool but not invoke it, and an unverified agent never reaches a destructive method.
Delegated tokens downstream
Gateway-side token exchange means each downstream tool call carries a delegated token with a provable on-behalf-of chain, so the tool sees who it is really acting for.
Revoke an identity and its token dies at the gateway in under a second, not at JWT expiry. One auditable choke point for every agent-to-tool call across LLM, MCP, and A2A, deployable as SaaS, in your private cloud, or fully on-prem. Run it as your gateway, or attach the fabric to the LLM and MCP gateway you already operate. Enforcement goes where your agent traffic already flows.
Every decision becomes a queryable trace
Built on OpenTelemetry and ClickHouse: posture, correlation, and audit you query, not logs you reassemble after an incident.
Security posture score
One decomposable score across every agent, control, and tenant.
Cross-product correlation
Identity events, detections, and decisions on one timeline: the whole run in one place.
Blast-radius graph
See what a compromised agent could reach, and what revocation just contained.
Entity risk & drift
Risk scoring on every agent identity, plus drift monitoring on the detectors themselves.
Governance and spend, from the same policy that authorizes
Every decision is already an attributable, policy-bound event, so compliance evidence and cost controls fall out of the same substrate, not a second program.
GRC · evidence by construction
Policy outcomes carry their framework mapping, so evidence is continuous, not assembled for an audit.
Cost controls · spend as a policy
The same engine that authorizes an action also meters it, because fleets burn tokens at machine speed.
One substrate for governing agents at enterprise scale
- 01 Verifiable identity: Every agent gets one durable identity, recognized at every boundary.
- 02 Unified policy: Policy is authored once and enforced everywhere, not rewritten across tools, gateways, and point products.
- 03 Human attribution: The on-behalf-of chain travels with the credential, so every action can be traced back to the human authority behind it.
- 04 Instant cascading revocation: Revoke a parent agent and its whole delegation tree collapses with it: instantly, not at token expiry.
At the identity layer, trust isn’t a feature. It’s the whole system
If the identity backbone is a black box, every claim above it is unverifiable. So the identity layer ships open source; the security stack stays commercial.
Highflame ZeroID uses SPIFFE subjects, OAuth 2.1 grants, RFC 8693 token exchange, DPoP-bound tokens, CIBA approval, and CAE/SSF cascade revocation to make agent authority verifiable, delegated, bound, and revocable. Inspect it. Deploy it. Trust it.
Everything enterprises need to operate agents at scale: signal engine, governance UI, managed attestation, policy packs, evidence exports, cost controls, and enterprise integrations.
Agent governance requires an authority layer. This is the fabric.
Every agent needs a verifiable identity. Every action needs an authorization decision. Both must persist across prompts, tools, delegations, systems, and audit trails. Anything less is just a feature.