The Intersection of Continuous Authentication & Identity Assurance and Agentic AI
"Trust in real time. Act with confidence."
When an autonomous AI agent executes decisions in real time, point-in-time authorization breaks down. If we rely on static, short-lived tokens, an agentic tree can quickly drift out of its intended scope.
But pull the thread far enough, and the bloodline of every single agentic AI instance leads back to one thing: an authenticated, authorized human principal.
That is the intersection where Continuous Authentication & Identity Assurance (CA) and Agentic AI meet.
Imagine an AI agent that spins up three sub-agents to complete a task. Who authorized them? Who's accountable if one acts outside its scope?
Those questions have a single answer, and it traces back further than most people think.
Every agentic AI session begins the same way: a human being sits down, authenticates, and gets to work. That authentication produced an OIDC session. That session carried privileges and authorizations. And when that person launched an AI agent, those privileges went with it. Pull the thread far enough and the bloodline of every agentic AI instance leads back to one thing: an authenticated, authorized human. That's the intersection where continuous authentication and agentic AI meet, and it's a more consequential intersection than the industry has yet fully reckoned with.
Phishing Resistance That Travels the Entire Tree
CA brings something important to that intersection. A session born from a phishing-resistant FIDO2 ceremony isn't just secure at the moment of login. Through silent, no-gesture FIDO2, that phishing resistance can project forward across the entire authorized session, reaching every agent in the tree, whether a direct descendant of the user or several generations removed.
The Agentic Tree
The tree is the thing worth thinking carefully about. It establishes itself at login. The user's access device becomes the root. The provider session (OIDC, OAuth2, or SAML2) becomes the security backbone running through the whole structure. Monitoring should begin just before or alongside that initial FIDO2 ceremony, because everything that follows depends on the integrity of that moment.
Merkle Tree Traceability
Tracking an expanding agentic tree turns out not to be so different from tracking crypto transactions across a network of wallets. The same Merkle Tree technology that makes cryptocurrency accountable and auditable applies here with equal effect. Every agent instance gets a unique cryptographic identity (SHA-512 is well suited to the purpose), and the Merkle Tree maintains the chain of custody back to the human principal at the root. Traceability isn't optional; it's the whole point.
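As an added illustration (not Pulse's own code), the following builds a SHA-512 hash tree in which every agent's identity commits to its parent's identity, so any instance can present a lineage proof that replays back to the human principal's session; the hashing direction is reversed from a classic Merkle tree so that a child carries its own custody proof. Subject, session id and agent labels are constructed sample values.

```python
import hashlib

def sha512_node(*parts: bytes) -> bytes:
    """SHA-512 over length-prefixed parts, so (a,bc) and (ab,c) never collide."""
    d = hashlib.sha512()
    for p in parts:
        d.update(len(p).to_bytes(4, "big"))
        d.update(p)
    return d.digest()

class AgentNode:
    """One instance in the agentic tree. Its identity commits to its parent's identity,
    so every node carries a chain of custody back to the human principal at the root."""
    def __init__(self, label: str, parent: "AgentNode | None", ident: bytes):
        self.label, self.parent, self.ident = label, parent, ident

def root_from_session(subject: str, session_id: str) -> AgentNode:
    # Root = the human's authenticated provider session (sample values are constructed)
    ident = sha512_node(b"principal", subject.encode(), session_id.encode())
    return AgentNode(f"human:{subject}", None, ident)

def spawn(parent: AgentNode, label: str) -> AgentNode:
    # Child identity = H(parent identity || own label): altering any ancestor breaks the chain
    return AgentNode(label, parent, sha512_node(b"agent", parent.ident, label.encode()))

def lineage(agent: AgentNode) -> list[str]:
    """Labels from the first sub-agent down to `agent`: the custody proof it presents."""
    labels = []
    while agent.parent is not None:
        labels.append(agent.label)
        agent = agent.parent
    return labels[::-1]

def verify_lineage(root: AgentNode, labels: list[str], claimed_ident: bytes) -> bool:
    """Replay the chain from the root; an identity that does not replay is not part of this tree."""
    cur = root.ident
    for label in labels:
        cur = sha512_node(b"agent", cur, label.encode())
    return cur == claimed_ident

if __name__ == "__main__":
    root = root_from_session("alice@example.com", "sess-0001")   # constructed sample
    planner = spawn(root, "planner")
    fetcher = spawn(planner, "fetcher-2")
    print(lineage(fetcher), verify_lineage(root, lineage(fetcher), fetcher.ident))
    # A lineage that omits the planner generation fails to replay to the root
    print(verify_lineage(root, ["fetcher-2"], fetcher.ident))
```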
Authorization Inheritance: A Hard Ceiling
Authorization inheritance flows down that tree, but it doesn't amplify. An agent's permissions are equal to or less than those of the human principal who spawned it, never more. That ceiling is enforced by policy, not assumed by convention. And when those policies permit it, an agent can spin up further instances, each bound by the same rule. This is a natural progression, but it requires discipline in implementation.
Continuous Authentication & Identity Assurance Monitoring
What keeps the whole structure honest is continuous authentication monitoring. CA's job is straightforward in principle: verify that the authorized user and their device remain present and engaged from login to logout. Agentic AI sessions are a logical extension of that: they fall under the same session, the same policies, the same monitoring. Revoke the human's session and every derived agent loses authorization immediately. AuthZEN evaluators and PDP coverage extend that reach into the agentic environment, ensuring the tree doesn't outlive its root.
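The two rules from the preceding sections, the hard ceiling on inherited authorization and the root-session revocation that cascades through the tree, as an added example that is not part of the original page or Pulse's implementation. The scope names, subject and session are constructed samples, and the `authorize` function stands in for a PDP decision.

```python
from dataclasses import dataclass, field

class ScopeCeilingError(PermissionError):
    pass

@dataclass
class PrincipalSession:
    """The human's provider session (OIDC/OAuth2/SAML2): the root of the tree."""
    subject: str
    scopes: frozenset
    active: bool = True          # set to False by CA when presence or assurance is lost
    children: list = field(default_factory=list)

@dataclass
class AgentNode:
    name: str
    scopes: frozenset
    parent: object               # PrincipalSession or another AgentNode
    children: list = field(default_factory=list)

def spawn(parent, name: str, requested) -> AgentNode:
    """Inherit downward but never amplify: requested scopes must be a subset of the parent's."""
    requested = frozenset(requested)
    excess = requested - parent.scopes
    if excess:
        raise ScopeCeilingError(f"{name} asked for {sorted(excess)} beyond its parent's ceiling")
    node = AgentNode(name, requested, parent)
    parent.children.append(node)
    return node

def authorize(agent: AgentNode, scope: str) -> bool:
    """PDP-style check: the scope must be held at every level and the root session must be live."""
    node = agent
    while isinstance(node, AgentNode):
        if scope not in node.scopes:
            return False
        node = node.parent
    return node.active and scope in node.scopes

def revoke(session: PrincipalSession) -> None:
    """Ending the human's session ends authorization for every derived agent; no walk needed."""
    session.active = False

if __name__ == "__main__":
    alice = PrincipalSession("alice@example.com", frozenset({"tickets:read", "tickets:write", "kb:read"}))
    planner = spawn(alice, "planner", {"tickets:read", "kb:read"})
    worker = spawn(planner, "worker", {"kb:read"})
    print(authorize(worker, "kb:read"), authorize(worker, "tickets:read"))   # True False
    revoke(alice)                                      # CA reports the human is gone
    print(authorize(worker, "kb:read"))                # False: the tree cannot outlive its root
```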
Device Binding and Endpoint Assurance
Device and endpoint assurance underpins all of this. There's no better anchor for that assurance than FIDO2's device-binding capability. Applied beyond the authentication ceremony itself, by wrapping every network-crossing transaction in a device-bound exchange that demonstrates proof of possession without requiring a user gesture, it extends phishing resistance to the entire session. That matters because humans remain in the loop at nearly every juncture of an agentic workflow, whether directly or by reference, and humans are no less susceptible to phishing at those junctures than they are at login. It also addresses the specific vulnerability of OAuth2 authorization token interception, which tends to get less attention than it deserves.
The Cell Phone as an Underappreciated Asset
The cell phone is an underappreciated asset in this architecture. A CA app running on the user's device delivers a continuous stream of presence, identity, location, and proximity signals to the policy evaluation layer throughout the session. It's unobtrusive and remarkably effective.
Extending Industry Standards Into the Agentic Tree
The industry standards (OIDC, OAuth2, SAML2) handle the accountability between provider and human principal well. They were designed for that. The harder and more urgent problem is extending that accountability into the agentic tree, where the relationships multiply quickly and the stakes of a misconfigured authorization are significant. Continuous authentication, applied thoughtfully, is the mechanism that makes that extension possible.
Pulse CA was built with exactly this architecture in mind. The principles described here (session-rooted accountability, inherited authorization, phishing resistance carried forward through the tree, Merkle Tree traceability) are not aspirational for Pulse. They are baked into its architecture.
Ready to Learn More About Continuous Authentication & Identity Assurance?
Request a demo to experience firsthand how AffirmedID Pulse extends CA across the full agentic session lifecycle.
- AffirmedID Pulse, a privacy-compliant Continuous Authentication & Identity Assurance app and cloud service for integration with Passkey, FIDO2, and Passwordless Push.
- AffirmedID Sentinel, a continuous active proximity detection and reporting service for Windows, MacOS, and Linux access devices.
- AffirmedID Connect, an OpenID Connect (OIDC) provider cloud service with integrated Policy Enforcement Point (PEP).
- AffirmedID Auth, an AAL3-compliant alternative Passkey (FIDO2) app for Android and iOS devices.
Pulse CA™ — AffirmedID at affirmedid.com — Copyright © June 2026