Eleven Commandments of the Secure Agentic AI Framework
11 Security Measures for Secure Agentic AI and More Common Online Sessions
June 22, 2026
Authentication establishes identity. The Eleven Commandments establish trust.
For decades, cybersecurity has treated authentication as the primary measure of trust. Once a user successfully authenticated, the resulting session was largely assumed to remain trustworthy until it ended. That assumption no longer holds.
Modern attacks increasingly occur after authentication. And with the emergence of agentic AI, the consequences of a broken trust relationship extend far beyond a single compromised session.
Modern attacks increasingly occur after authentication. Session hijacking, stolen tokens, consent abuse, and other post-authentication attacks have demonstrated that proving identity once is not the same as continuously trusting an active session. At the same time, the emergence of agentic AI has fundamentally changed the security landscape. Autonomous agents are capable of acting on behalf of users, invoking services, spawning additional agents, and making decisions without continuous human interaction. If the trust relationship between the human and those agents is not continuously maintained, the consequences can extend far beyond a single compromised session.
The cybersecurity industry has responded with a variety of technologies described as continuous authentication, continuous verification, continuous monitoring, continuous access evaluation, and continuous identity assurance. Standards such as Zero Trust Architecture (ZTA), CMMC, CAEP, and Shared Signals Framework have accelerated this evolution.
These advances are valuable, but they introduce a new challenge: how should architects, security professionals, regulators, and customers evaluate these solutions? What capabilities are essential? Which are optional? How can one distinguish comprehensive security from isolated features marketed under similar names?
The Eleven Commandments of the Secure Agentic AI Framework answer those questions. Rather than describing a particular product or implementation, they define the fundamental principles that any secure agentic AI architecture — and, increasingly, any secure online session architecture — should satisfy. Together they provide a practical framework for evaluating whether a solution merely authenticates users or truly maintains trust throughout the entire lifecycle of human and agent activity.
Technology will continue to evolve. These principles are intended to endure.
Try this with your AI agent of choice: paste the commandments below into your agent and ask it to score your identity provider — Okta, Microsoft Entra, Ping Identity, or any other — against each one. Use simple scoring: Achieved, Partial, or Unachieved. The result is a security picture, not a verdict. What matters is seeing where your coverage is solid, where it's thin, and where the gaps are.
The Eleven Commandments
Each commandment identifies a specific security measure that should be in place to reduce cyber risk in agentic AI deployments and business account security generally. This is not a pass/fail test. It's a diagnostic.
Phishing Resistance is Absolute
Phishing resistance is not a feature; it is the governing condition of the entire framework. Every boundary through which human identity, trust, or authorization is asserted, transmitted, or acted upon must be phishing-resistant without exception. This includes authentication at its origin, token delivery, IdP-to-agent connections, agent-to-agent authorization assertions, step-up reauthentication channels, and policy decision communications. No commandment that follows has meaning if the channels through which it runs can be compromised. Phishing resistance is not achieved once at login — it is maintained everywhere, always.
Born from Human Activity
Every agentic AI instance traces its origin to an authenticated human, the founding human. That authentication must be phishing-resistant at its inception; a compromised human root invalidates everything that follows. The founding human's identity, authorization level, and trust posture at the moment of agent creation become the immutable starting conditions for the agent's existence. No agent exists without a verified, phishing-resistant human root.
Unique Identity
Each agent instance must have a distinct, cryptographically protected identity — not a label, but a verifiable credential. No two agents should be indistinguishable, and identity must be resistant to spoofing, cloning, or assumption. Unique identity is the prerequisite on which all other commandments depend.
Authorization Equal or Lower than Founding Human
An agent cannot exceed the permissions of the human who created it. This ceiling is the cardinal rule of authorization inheritance. An agent, and any sub-agent it creates, runs within a bounded permission envelope that descends from, and never exceeds, the founding human's entitlements at the time of creation.
Bounded Operational Scope
An agent's permitted actions are defined at creation and must not expand without explicit re-authorization traceable to the founding human. Scope is a constraint, not a starting point for negotiation.
Propagation Governed, Not Unbounded
An agent's ability to spawn sub-agents is a privilege, not a right. That privilege must be explicitly granted within the bounds of the founding human's authorization level. Unbounded propagation is an uncontrolled expansion of the trust surface.
Inherited Trust Posture, Not Assumed Trust
An agent begins with a trust level derived from the founding human's continuously verified identity state. That trust is inherited as a bounded and traceable starting condition — it must reflect the founding human's current verified posture, not the posture that existed at session initiation. Trust assumed once and never revisited is not trust; it is risk.
Session Lifecycle Linkage
An agent's session is a derivative of the founding human's continuously verified session. When the human's identity verification degrades, lapses, or does not meet the threshold required for the current operational context, the agent's session follows. The human session is the root lease; agent sessions are sub-leases that inherit both its authority and its constraints in real time.
Right to Exist: Continuous Identity Verification and Step-Up Reauthentication
An agent's right to operate must be continuously reaffirmed through ongoing verification of the founding human's identity. Verification is not a moment; it is a condition that must be sustained. Where that condition degrades, or where the sensitivity of a pending action exceeds the current verified trust level, step-up reauthentication of the founding human is required before the agent may proceed. Agents whose authorization chain cannot be reaffirmed lose their right to exist.
Supervision and Auditability
Every action taken by an agent must be attributable to the agent, to its parent, and ultimately to the founding human. The audit trail across the entire agent tree must be complete and tamper-evident. What cannot be audited cannot be trusted.
Accountability
Accountability is not a property an agent possesses — it is the condition achieved when the preceding ten commandments are designed, implemented, and enforced without exception. It is the measure by which architects, designers, and evaluators judge whether an agentic AI system is trustworthy.
How Does Pulse CA Measure Up?
We built Pulse with these commandments as design requirements, not aspirational goals. Session lifecycle linkage, phishing resistance through the full agentic tree, inherited trust posture, Merkle Tree auditability — these are baked into the architecture.
Ask your AI agent to score us. We're not concerned about the answer.
Request a Demo → Read the Technical BriefPulse CA™ — AffirmedID at affirmedid.com — Copyright © June 2026