The ephemeral credential: why AI agents should never hold standing authority
An agent operating in a consequential domain should never hold standing authority. Authority should arrive when a task begins, scoped to exactly that task, and expire when the task ends. This is not a convenience restriction — it is the correct security architecture for agents that act in the real world.
The contrast is with standing authority: a persistent credential, issued once, renewed infrequently, granting broad access that the agent carries at all times. This is how most deployed systems work today, because it is simpler to provision. The agent is given an API key, a signing certificate, or an access token with a long refresh window, and it uses these whenever it needs to act. The credential is not the agent's identity; it is the agent's standing permission slip — and it is a large footprint carried constantly, whether or not any task is in flight.
What ephemeral means in practice
An ephemeral credential is bound to a session, a task, or a specific action scope. It is issued at the start of the relevant scope, used within it, and revoked — or simply expires — at the end. The issuer generates a fresh credential for each scope rather than refreshing a long-lived one.
Three properties define an ephemeral credential: it has a short, predetermined validity window; it is scoped to a specific action or action set; and it cannot be renewed by the agent alone. The last property matters most. A credential that the agent can silently refresh drifts toward standing authority. Renewal must require explicit re-authorization from the issuing principal, so that each new task scope carries a fresh check against the current authority state.
The cryptographic transition argument
The migration from classical public-key systems toward post-quantum algorithms is already under way. National standards bodies have finalised their first post-quantum algorithm selections, and the industry is working through the multi-year process of retiring RSA and elliptic-curve credentials in favour of lattice-based and hash-based alternatives. This transition is an argument for ephemeral credentials regardless of AI agents — but it sharpens the case for agents specifically.
Post-quantum migration requires replacing the algorithms underlying every long-lived credential in a system. If credentials are ephemeral, the migration scope is bounded: update the issuance infrastructure, and every subsequently issued credential uses the new algorithm. There is no hunt for long-lived tokens predating the migration, no credential issued under a deprecated algorithm three years ago that has been silently renewed ever since.
An agent fleet built on ephemeral credentials migrates its cryptographic posture with each issuance cycle. The transition is continuous rather than a one-time flag day that demands coordinated revocation and re-issuance of everything the fleet holds. This is a practical advantage that compounds as the number of agents and action types grows.
The hardware anchor
The right root for issuing ephemeral credentials is hardware attestation. A trusted execution environment or a dedicated secure element can generate a credential, bind it to the attested state of the running agent, and sign it with a hardware-held key that never leaves the device. The resulting credential is verifiable: a relying party who trusts the hardware root certificate can confirm that the credential was issued to this agent, in this attested state, for this specific scope, at this moment in time.
Without a hardware-backed issuer, ephemeral credentials are short-lived tokens — better than permanent ones, but unatested. With a hardware-backed issuer, the credential carries proof of provenance, not just an identity claim. The relying party does not need to trust the agent's self-declaration; they trust the hardware root, which is independently auditable. This is the architecture that makes ephemeral credentials useful in adversarial or high-stakes environments rather than merely theoretically sound.
Why care environments make standing authority especially dangerous
Standing authority is particularly harmful in care contexts because authority in care is not static. A patient's consent changes. A clinical situation escalates or resolves. A carer's scope of practice is modified. An agent that holds standing authority when the consent grounding it has been withdrawn is operating outside its legitimate scope without any mechanism to detect this.
Ephemeral credentials address this structurally. Each new credential requires a fresh evaluation against the current authority state. If the patient has modified their consent since the previous credential was issued, the issuance system catches that at the start of the new task scope and denies the credential. The agent cannot act in the new scope because it cannot obtain authorization for it.
This is not a theoretical edge case. In complex care environments, authority changes are frequent: family dynamics shift, clinical prognoses change, and care plans are revised. An architecture that checks authority at task start, rather than once at deployment, is the only correct one for a domain where authority is genuinely dynamic.
The cost is the point
Ephemeral credentials are more expensive to operate than standing ones. Every task scope requires an issuance round-trip. The issuance infrastructure must be highly available and low-latency. The operational overhead is real.
It is also the correct cost signal. An agent whose authority should be checked frequently operates in a domain where authority matters — where the consequences of acting outside scope are significant. The overhead of frequent issuance is the price of that correctness guarantee. Systems that are cheap to authorize are cheap because their authority is not being checked carefully. In the domains that Asaptic Labs works across — where cryptographic properties must survive an algorithm transition, where hardware integrity is the only root of trust, where care decisions have irreversible human consequences — cheapness is not a property to optimize for. Correctness is.
AI 智能体不应持有长期有效的凭证。正确的架构是:权限在任务开始时颁发,范围严格限定于该任务,任务结束后即失效。临时凭证与后量子密码迁移天然契合——更新颁发基础设施即可更新整个智能体集群的密码学属性,无需追踪历史遗留的长效令牌。以硬件证明为根的颁发机制使凭证具备可溯源性,而非仅凭自我声明。在照护领域,动态变化的授权状态要求每次任务开始时都进行权限核查——而非仅在部署时检查一次。
摘要 — 繁體AI 智能體不應持有長期有效的憑證。正確的架構是:權限在任務開始時頒發,範圍嚴格限定於該任務,任務結束後即失效。臨時憑證與後量子密碼遷移天然契合——更新頒發基礎設施即可更新整個智能體集群的密碼學屬性,無需追蹤歷史遺留的長效令牌。以硬件證明為根的頒發機制使憑證具備可溯源性,而非僅憑自我聲明。在照護領域,動態變化的授權狀態要求每次任務開始時都進行權限核查——而非僅在部署時檢查一次。
临时凭证:为何AI智能体永远不应持有长期权限
在后果严重的领域中运行的智能体,永远不应持有长期有效的权限。权限应在任务开始时到达,范围严格限定于该任务,并在任务结束时失效。这不是便利性的限制,而是在真实世界中行动的智能体所需的正确安全架构。
与之对立的是长期权限:一次颁发、鲜少更新、赋予广泛访问权限、由智能体始终持有的持久凭证。这是当今大多数已部署系统的运行方式,因为这样更易于配置。智能体获得一个API密钥、一个签名证书,或一个具有较长刷新窗口的访问令牌,并在需要行动时使用这些凭证。凭证不是智能体的身份;它是智能体的长期许可证——是一个无论是否有任务在进行都始终携带的大型足迹。
临时凭证的实际含义
临时凭证与一个会话、一个任务或一个特定的行动范围绑定。它在相关范围开始时颁发,在其中使用,并在结束时被撤销或自然过期。颁发机构为每个范围生成新的凭证,而非刷新长期有效的凭证。
临时凭证由三个属性定义:具有短暂、预定的有效期;范围限定于特定行动或行动集;不能由智能体单独续期。最后一个属性最为重要。可以被智能体静默刷新的凭证会逐渐演变为长期权限。续期必须要求颁发主体的明确重新授权,以确保每个新任务范围都对当前权限状态进行新的核查。
密码学迁移的论据
从经典公钥系统向后量子算法的迁移已经开始。国家标准机构已完成首批后量子算法的遴选,业界正在经历将基于RSA和椭圆曲线的凭证替换为基于格和哈希的替代方案的多年过程。无论是否涉及AI智能体,这一迁移本身就是支持临时凭证的有力论据——但它对智能体的适用性尤为明显。
后量子迁移需要替换系统中每一个长效凭证所依赖的算法。如果凭证是临时的,迁移范围是有界的:更新颁发基础设施,此后颁发的每个凭证都将使用新算法。不再需要追踪迁移之前的长效令牌,也不存在三年前在已弃用算法下颁发并一直被静默续期的凭证。
基于临时凭证构建的智能体集群在每个颁发周期内迁移其密码学属性。迁移是持续的,而不是需要协调整个集群进行撤销和重新颁发的一次性重大节点。随着智能体数量和行动类型的增长,这一实践优势会不断积累。
硬件锚点
颁发临时凭证的正确根源是硬件证明。可信执行环境或专用安全元件可以生成凭证,将其与运行中智能体的已证明状态绑定,并使用永不离开设备的硬件持有密钥对其签名。生成的凭证是可验证的:信任硬件根证书的依赖方可以确认该凭证是在此时、为处于此证明状态的这个智能体、针对这一特定范围而颁发的。
没有硬件支持的颁发机构,临时凭证只是短期令牌——比永久令牌更好,但缺乏证明。有了硬件支持的颁发机构,凭证携带来源证明,而非仅凭身份声明。依赖方无需信任智能体的自我声明;他们信任硬件根,这是可独立审计的。这是使临时凭证在对抗性或高风险环境中切实可用的架构,而非仅仅在理论上合理。
为何照护环境中的长期权限尤为危险
在照护场景中,长期权限特别有害,因为照护中的权限不是静态的。患者的知情同意会改变。临床情况会升级或缓解。照护人员的执业范围会被修改。持有长期权限的智能体,在支撑该权限的同意被撤回后,仍在其合法范围之外运行,且没有任何机制来检测这一情况。
临时凭证从结构上解决了这一问题。每个新凭证都需要对当前权限状态进行新的评估。如果患者自上次颁发凭证以来修改了其同意,颁发系统会在新任务范围开始时捕捉到这一点并拒绝颁发凭证。智能体无法在新范围内行动,因为它无法获得该范围的授权。
这不是理论边界情况。在复杂的照护环境中,权限变更很频繁:家庭动态发生变化,临床预后改变,照护计划被修订。在任务开始时核查权限——而非仅在部署时核查一次——是权限真正动态的领域中唯一正确的架构。
成本本身是信号
临时凭证的运营成本高于长期凭证。每个任务范围都需要一次颁发往返。颁发基础设施必须高度可用且低延迟。运营开销是真实存在的。
这也是正确的成本信号。权限应被频繁核查的智能体,运行在权限举足轻重的领域——在该范围外行动的后果是重大的。频繁颁发的开销是这一正确性保证的代价。授权成本低廉的系统之所以廉价,是因为其权限没有被仔细核查。在Asaptic Labs所关注的领域——密码学属性必须在算法迁移中存续、硬件完整性是唯一信任根、照护决策有不可逆的人类后果——廉价不是需要优化的属性。正确性才是。
臨時憑證:為何AI智能體永遠不應持有長期權限
在後果嚴重的領域中運行的智能體,永遠不應持有長期有效的權限。權限應在任務開始時到達,範圍嚴格限定於該任務,並在任務結束時失效。這不是便利性的限制,而是在真實世界中行動的智能體所需的正確安全架構。
與之對立的是長期權限:一次頒發、鮮少更新、賦予廣泛存取權限、由智能體始終持有的持久憑證。這是當今大多數已部署系統的運行方式,因為這樣更易於配置。智能體獲得一個API金鑰、一個簽名憑證,或一個具有較長刷新窗口的存取令牌,並在需要行動時使用這些憑證。憑證不是智能體的身份;它是智能體的長期許可證——是一個無論是否有任務在進行都始終攜帶的大型足跡。
臨時憑證的實際含義
臨時憑證與一個會話、一個任務或一個特定的行動範圍綁定。它在相關範圍開始時頒發,在其中使用,並在結束時被撤銷或自然過期。頒發機構為每個範圍生成新的憑證,而非刷新長期有效的憑證。
臨時憑證由三個屬性定義:具有短暫、預定的有效期;範圍限定於特定行動或行動集;不能由智能體單獨續期。最後一個屬性最為重要。可以被智能體靜默刷新的憑證會逐漸演變為長期權限。續期必須要求頒發主體的明確重新授權,以確保每個新任務範圍都對當前權限狀態進行新的核查。
密碼學遷移的論據
從經典公鑰系統向後量子演算法的遷移已經開始。國家標準機構已完成首批後量子演算法的遴選,業界正在經歷將基於RSA和橢圓曲線的憑證替換為基於格和雜湊的替代方案的多年過程。無論是否涉及AI智能體,這一遷移本身就是支持臨時憑證的有力論據——但它對智能體的適用性尤為明顯。
後量子遷移需要替換系統中每一個長效憑證所依賴的演算法。如果憑證是臨時的,遷移範圍是有界的:更新頒發基礎設施,此後頒發的每個憑證都將使用新演算法。不再需要追蹤遷移之前的長效令牌,也不存在三年前在已棄用演算法下頒發並一直被靜默續期的憑證。
基於臨時憑證構建的智能體集群在每個頒發週期內遷移其密碼學屬性。遷移是持續的,而不是需要協調整個集群進行撤銷和重新頒發的一次性重大節點。隨著智能體數量和行動類型的增長,這一實踐優勢會不斷積累。
硬件錨點
頒發臨時憑證的正確根源是硬件證明。可信執行環境或專用安全元件可以生成憑證,將其與運行中智能體的已證明狀態綁定,並使用永不離開裝置的硬件持有金鑰對其簽名。生成的憑證是可驗證的:信任硬件根憑證的依賴方可以確認該憑證是在此時、為處於此證明狀態的這個智能體、針對這一特定範圍而頒發的。
沒有硬件支持的頒發機構,臨時憑證只是短期令牌——比永久令牌更好,但缺乏證明。有了硬件支持的頒發機構,憑證攜帶來源證明,而非僅憑身份聲明。依賴方無需信任智能體的自我聲明;他們信任硬件根,這是可獨立審計的。這是使臨時憑證在對抗性或高風險環境中切實可用的架構,而非僅僅在理論上合理。
為何照護環境中的長期權限尤為危險
在照護場景中,長期權限特別有害,因為照護中的權限不是靜態的。患者的知情同意會改變。臨床情況會升級或緩解。照護人員的執業範圍會被修改。持有長期權限的智能體,在支撐該權限的同意被撤回後,仍在其合法範圍之外運行,且沒有任何機制來偵測這一情況。
臨時憑證從結構上解決了這一問題。每個新憑證都需要對當前權限狀態進行新的評估。如果患者自上次頒發憑證以來修改了其同意,頒發系統會在新任務範圍開始時捕捉到這一點並拒絕頒發憑證。智能體無法在新範圍內行動,因為它無法獲得該範圍的授權。
這不是理論邊界情況。在複雜的照護環境中,權限變更很頻繁:家庭動態發生變化,臨床預後改變,照護計劃被修訂。在任務開始時核查權限——而非僅在部署時核查一次——是權限真正動態的領域中唯一正確的架構。
成本本身是信號
臨時憑證的營運成本高於長期憑證。每個任務範圍都需要一次頒發往返。頒發基礎設施必須高度可用且低延遲。營運開銷是真實存在的。
這也是正確的成本信號。權限應被頻繁核查的智能體,運行在權限舉足輕重的領域——在該範圍外行動的後果是重大的。頻繁頒發的開銷是這一正確性保證的代價。授權成本低廉的系統之所以廉價,是因為其權限沒有被仔細核查。在Asaptic Labs所關注的領域——密碼學屬性必須在演算法遷移中存續、硬件完整性是唯一信任根、照護決策有不可逆的人類後果——廉價不是需要優化的屬性。正確性才是。