Security Framework

Eleven Commandments of the
Secure Agentic AI Framework

Affirmed Identity — June 22, 2026

Continuous monitoring is key to securing the agentic AI framework and business accounts in general. The question is: what does continuous monitoring mean in this context, and how well do present or planned solutions actually meet the need?

Submitting that question to your favorite AI agent promptly delivers an answer. It's best done while sitting with heart medications at hand.

Try this prompt with your AI agent of choice — paste it in directly. Fill in your identity provider's name where indicated, in place of “[identity provider name here]”. Use a proper name such as “Cisco Duo”, a service or product name such as “Microsoft Entra” or “AffirmedId Pulse CA”, or a web domain address. Copy and paste the Eleven Commandments below, and let the scoring begin.

Your AI Evaluation Prompt

How well does [identity provider name here]'s continuous monitoring solution measure up to the attached Eleven Commandments of the Secure Agentic AI Framework? Use simple scoring for each commandment:
• Achieved
• Partial
• Unachieved
[Attach or paste the Eleven Commandments below this line]

Replace [identity provider name here] with your IdP — Okta, Microsoft Entra, Ping Identity, etc. Then attach or paste the commandments below.

The Eleven Commandments

Each commandment identifies a specific security measure that should be in place to reduce cyber risk in agentic AI deployments and business account security generally. Some will be fully met by your current solution. Some partially. Some not at all. That's normal, and expected.

This is not a pass/fail test. It's a diagnostic. The scoring paints a security picture, one with shades of gray in most real-world environments. What matters is seeing clearly where your coverage is solid, where it's thin, and where the gaps are. You can't close a gap you are unaware of.

I

Phishing Resistance is Absolute

Phishing resistance is not a feature; it is the governing condition of the entire framework. Every boundary through which human identity, trust, or authorization is asserted, transmitted, or acted upon must be phishing-resistant without exception. This includes authentication at its origin, token delivery, IdP-to-agent connections, agent-to-agent authorization assertions, step-up reauthentication channels, and policy decision communications. No commandment that follows has meaning if the channels through which it runs can be compromised. Phishing resistance is not achieved once at login — it is maintained everywhere, always.

II

Born from Human Activity

Every agentic AI instance traces its origin to an authenticated human, the founding human. That authentication must be phishing-resistant at its inception; a compromised human root invalidates everything that follows. The founding human's identity, authorization level, and trust posture at the moment of agent creation become the immutable starting conditions for the agent's existence. No agent exists without a verified, phishing-resistant human root.

III

Unique Identity

Each agent instance must have a distinct, cryptographically protected identity — not a label, but a verifiable credential. No two agents should be indistinguishable, and identity must be resistant to spoofing, cloning, or assumption. Unique identity is the prerequisite on which all other commandments depend.

IV

Authorization Equal or Lower than Founding Human

An agent cannot exceed the permissions of the human who created it. This ceiling is the cardinal rule of authorization inheritance. An agent, and any sub-agent it creates, runs within a bounded permission envelope that descends from, and never exceeds, the founding human's entitlements at the time of creation.

V

Bounded Operational Scope

An agent's permitted actions are defined at creation and must not expand without explicit re-authorization traceable to the founding human. Scope is a constraint, not a starting point for negotiation.

VI

Propagation Governed, Not Unbounded

An agent's ability to spawn sub-agents is a privilege, not a right. That privilege must be explicitly granted within the bounds of the founding human's authorization level. Unbounded propagation is an uncontrolled expansion of the trust surface.

VII

Inherited Trust Posture, Not Assumed Trust

An agent begins with a trust level derived from the founding human's continuously verified identity state. That trust is inherited as a bounded and traceable starting condition — it must reflect the founding human's current verified posture, not the posture that existed at session initiation. Trust assumed once and never revisited is not trust; it is risk.

VIII

Session Lifecycle Linkage

An agent's session is a derivative of the founding human's continuously verified session. When the human's identity verification degrades, lapses, or does not meet the threshold required for the current operational context, the agent's session follows. The human session is the root lease; agent sessions are sub-leases that inherit both its authority and its constraints in real time.

IX

Right to Exist: Continuous Identity Verification and Step-Up Reauthentication

An agent's right to operate must be continuously reaffirmed through ongoing verification of the founding human's identity. Verification is not a moment; it is a condition that must be sustained. Where that condition degrades, or where the sensitivity of a pending action exceeds the current verified trust level, step-up reauthentication of the founding human is required before the agent may proceed. Agents whose authorization chain cannot be reaffirmed lose their right to exist.

X

Supervision and Auditability

Every action taken by an agent must be attributable to the agent, to its parent, and ultimately to the founding human. The audit trail across the entire agent tree must be complete and tamper-evident. What cannot be audited cannot be trusted.

XI

Accountability

Accountability is not a property an agent possesses — it is the condition achieved when the preceding ten commandments are designed, implemented, and enforced without exception. It is the measure by which architects, designers, and evaluators judge whether an agentic AI system is trustworthy.
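The commandments above describe one architecture: a human root, an agent tree whose permissions can only narrow, a spawn privilege, sessions that lapse with the human's, step-up on sensitive actions, and an audit trail that names every link of the chain. The following is an added example that models those rules as enforceable checks; it is not Affirmed Identity's or Pulse CA's code. The data structures, the action sensitivity table, and the hash-chained log are all assumptions chosen for illustration, and the human session is an in-memory stand-in for whatever the IdP actually reports.

```python
"""Constructed reference model of the Eleven Commandments as code checks."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Assumed sensitivity levels: an action above the human's current trust level needs step-up (IX).
TRUST_FLOOR = {"read": 1, "write": 2, "approve_payment": 3}


class PolicyViolation(Exception):
    pass


@dataclass
class HumanSession:
    user: str
    entitlements: frozenset           # ceiling for the whole agent tree (IV)
    trust_level: int                  # current verified posture, re-read on every check (VII)
    active: bool = True               # False once verification lapses (VIII)
    phishing_resistant: bool = True   # root must be established over a phishing-resistant channel (I, II)


@dataclass
class Agent:
    agent_id: str
    root: HumanSession
    parent: Optional["Agent"]
    scope: frozenset                  # fixed at creation, subset of the parent's scope (IV, V)
    may_spawn: bool                   # explicit privilege, not a default (VI)


@dataclass
class AuditLog:
    """Append-only, hash-chained log; each entry names agent, parent and founding human (X)."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, agent: Agent, action: str, outcome: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"agent": agent.agent_id,
                "parent": agent.parent.agent_id if agent.parent else None,
                "human": agent.root.user, "action": action, "outcome": outcome, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)

    def verify(self) -> bool:
        """Recompute every hash; any edited or reordered entry breaks the chain."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def create_agent(agent_id, root, parent, scope, may_spawn, log) -> Agent:
    """II/IV/VI: verified root, permission ceiling, and spawn privilege are checked at creation."""
    if not (root.active and root.phishing_resistant):
        raise PolicyViolation("no verified phishing-resistant human root")
    if parent is not None and not parent.may_spawn:
        raise PolicyViolation(f"{parent.agent_id} lacks spawn privilege")
    ceiling = parent.scope if parent else root.entitlements
    if not scope <= ceiling:
        raise PolicyViolation(f"scope {sorted(scope - ceiling)} exceeds ceiling")
    agent = Agent(agent_id, root, parent, frozenset(scope), may_spawn)
    log.append(agent, "create", "ok")
    return agent


def authorize(agent: Agent, action: str, log: AuditLog) -> str:
    """V/VIII/IX: every action is re-checked against the live human session, not a cached one."""
    if not agent.root.active:
        outcome = "deny:root-session-lapsed"
    elif action not in agent.scope:
        outcome = "deny:out-of-scope"
    elif TRUST_FLOOR.get(action, 1) > agent.root.trust_level:
        outcome = "step_up"
    else:
        outcome = "allow"
    log.append(agent, action, outcome)
    return outcome


def demo() -> dict:
    """Walk through the rules with a constructed human session and a two-level agent tree."""
    log = AuditLog()
    alice = HumanSession("alice", frozenset({"read", "write", "approve_payment"}), trust_level=2)
    a1 = create_agent("agent-1", alice, None, {"read", "write", "approve_payment"}, True, log)
    a2 = create_agent("agent-2", alice, a1, {"read"}, False, log)
    results = {"in_scope": authorize(a2, "read", log),
               "out_of_scope": authorize(a2, "write", log),
               "needs_step_up": authorize(a1, "approve_payment", log)}
    alice.trust_level = 3                       # founding human completed step-up (IX)
    results["after_step_up"] = authorize(a1, "approve_payment", log)
    try:
        create_agent("agent-3", alice, a1, {"read", "delete"}, False, log)
    except PolicyViolation as e:
        results["ceiling"] = str(e)
    try:
        create_agent("agent-4", alice, a2, {"read"}, False, log)
    except PolicyViolation as e:
        results["spawn"] = str(e)
    alice.active = False                        # human verification lapses (VIII)
    results["after_lapse"] = authorize(a1, "read", log)
    results["audit_ok"] = log.verify()
    log.entries[0]["outcome"] = "tampered"      # simulate an edit to the stored trail
    results["audit_after_tamper"] = log.verify()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is where the checks sit: the ceiling and spawn privilege are enforced once, at creation, while scope, session state and trust level are re-read on every action, so a lapsed human session denies the whole tree without any agent being told to stop. The hash chain gives tamper evidence only for the log as a sequence; it does not by itself prove the log was complete, which is why the page pairs auditability with supervision.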



Plain Text Version (for AI Submission)

Copy this block and paste it into your AI prompt after the evaluation question above.

ELEVEN COMMANDMENTS OF THE SECURE AGENTIC AI FRAMEWORK
Affirmed Identity — June 22, 2026

I. PHISHING RESISTANCE IS ABSOLUTE
Phishing resistance is not a feature; it is the governing condition of the entire framework. Every boundary through which human identity, trust, or authorization is asserted, transmitted, or acted upon must be phishing-resistant without exception. This includes authentication at its origin, token delivery, IdP-to-agent connections, agent-to-agent authorization assertions, step-up reauthentication channels, and policy decision communications. No commandment that follows has meaning if the channels through which it runs can be compromised. Phishing resistance is not achieved once at login — it is maintained everywhere, always.

II. BORN FROM HUMAN ACTIVITY
Every agentic AI instance traces its origin to an authenticated human, the founding human. That authentication must be phishing-resistant at its inception; a compromised human root invalidates everything that follows. The founding human's identity, authorization level, and trust posture at the moment of agent creation become the immutable starting conditions for the agent's existence. No agent exists without a verified, phishing-resistant human root.

III. UNIQUE IDENTITY
Each agent instance must have a distinct, cryptographically protected identity — not a label, but a verifiable credential. No two agents should be indistinguishable, and identity must be resistant to spoofing, cloning, or assumption. Unique identity is the prerequisite on which all other commandments depend.

IV. AUTHORIZATION EQUAL OR LOWER THAN FOUNDING HUMAN
An agent cannot exceed the permissions of the human who created it. This ceiling is the cardinal rule of authorization inheritance. An agent, and any sub-agent it creates, runs within a bounded permission envelope that descends from, and never exceeds, the founding human's entitlements at the time of creation.

V. BOUNDED OPERATIONAL SCOPE
An agent's permitted actions are defined at creation and must not expand without explicit re-authorization traceable to the founding human. Scope is a constraint, not a starting point for negotiation.

VI. PROPAGATION GOVERNED, NOT UNBOUNDED
An agent's ability to spawn sub-agents is a privilege, not a right. That privilege must be explicitly granted within the bounds of the founding human's authorization level. Unbounded propagation is an uncontrolled expansion of the trust surface.

VII. INHERITED TRUST POSTURE, NOT ASSUMED TRUST
An agent begins with a trust level derived from the founding human's continuously verified identity state. That trust is inherited as a bounded and traceable starting condition — it must reflect the founding human's current verified posture, not the posture that existed at session initiation. Trust assumed once and never revisited is not trust; it is risk.

VIII. SESSION LIFECYCLE LINKAGE
An agent's session is a derivative of the founding human's continuously verified session. When the human's identity verification degrades, lapses, or does not meet the threshold required for the current operational context, the agent's session follows. The human session is the root lease; agent sessions are sub-leases that inherit both its authority and its constraints in real time.

IX. RIGHT TO EXIST: CONTINUOUS IDENTITY VERIFICATION AND STEP-UP REAUTHENTICATION
An agent's right to operate must be continuously reaffirmed through ongoing verification of the founding human's identity. Verification is not a moment; it is a condition that must be sustained. Where that condition degrades, or where the sensitivity of a pending action exceeds the current verified trust level, step-up reauthentication of the founding human is required before the agent may proceed. Agents whose authorization chain cannot be reaffirmed lose their right to exist.

X. SUPERVISION AND AUDITABILITY
Every action taken by an agent must be attributable to the agent, to its parent, and ultimately to the founding human. The audit trail across the entire agent tree must be complete and tamper-evident. What cannot be audited cannot be trusted.

XI. ACCOUNTABILITY
Accountability is not a property an agent possesses — it is the condition achieved when the preceding ten commandments are designed, implemented, and enforced without exception. It is the measure by which architects, designers, and evaluators judge whether an agentic AI system is trustworthy.

How Does Pulse CA Measure Up?

We built Pulse with these commandments as design requirements, not aspirational goals. Session lifecycle linkage, phishing resistance through the full agentic tree, inherited trust posture, Merkle Tree auditability — these are baked into the architecture.

Ask your AI agent to score us. We're not concerned about the answer.


Pulse CA™ — AffirmedID at affirmedid.com — Copyright © June 2026