A2A (Agent-to-Agent)
Communication where one agent delegates work to, or calls, another agent. Each hop has to carry identity and narrow scope. Or authority leaks down the chain.
The agent-security glossary.
The terms behind agent identity, authorization, and governance: defined plainly, no jargon for its own sake.
A
Adaptive guardrails
Runtime controls that tighten themselves as new signals and attack patterns emerge, instead of relying on static rules someone has to keep updating.
Agent Control Fabric
Highflame's term for the identity, policy, and enforcement substrate that governs every agent action at every boundary it crosses: one layer, not a bundle of point tools.
Agent identity
A verifiable, cryptographic credential issued to an agent that carries agent-shaped claims (owner, trust tier, framework, delegation depth) so every action traces back to a named human.
Attribute-based access control (ABAC)
Authorization decisions keyed to attributes (the agent's claims, owner, trust tier, and delegation depth) rather than shared keys or static roles.
Authorization
Deciding whether a given actor is allowed to take a given action. Distinct from authentication (proving who you are); authorization is what an agent may do.
B
Blast radius
The set of systems and data a compromised agent or credential could reach. Identity-scoped access shrinks it; cascade revocation contains it.
Breakout controls
Runtime controls that keep an agent aligned to its mission: containing, redirecting, or stopping it when it veers off course, before the action lands.
C
Cascade revocation
Revoking a parent credential instantly invalidates everything it delegated, collapsing the affected delegation tree rather than waiting for tokens to expire.
Cedar
An open, formally analyzable policy language. Highflame authors authorization policy in Cedar and enforces the same policy at every boundary an agent crosses.
CIBA
Client-Initiated Backchannel Authentication: an out-of-band flow that pauses a sensitive agent action for explicit, attributable human approval.
D
Delegated authority
The model where an agent acts on behalf of a human or another agent, holding strictly less authority than the principal that authorized it, and provably distinct from that principal.
Delegation depth
How many on-behalf-of hops a credential sits from its original human authorizer. Highflame enforces depth as a first-class policy primitive.
DPoP
Demonstrating Proof-of-Possession (RFC 9449): binds a token to a proof key so a stolen token is inert without it.
G
Guardrails
Inline detection and enforcement on an agent's prompts, tool calls, and responses: blocking unsafe actions in real time.
I
Identity provider (IdP)
The system that issues and manages identities. Highflame extends your existing IdP to agents rather than replacing it.
Inline enforcement
Evaluating and deciding on an action before it executes, out-of-band and fail-closed, rather than detecting it after the fact.
J
Just-in-time (JIT) access
Issuing short-lived, task-scoped credentials on demand that expire when the work is done: eliminating standing access there's nothing to leak or over-grant.
M
MCP (Model Context Protocol)
An open protocol that connects agents to external tools and data. Powerful for capability. But every connection is a new access path that has to be governed.
MCP Gateway
A governed checkpoint every tool connection passes through (authenticated, policy-checked, and logged) so credentials stay central and unapproved servers can't connect.
Mission drift
When a non-deterministic agent gradually diverges from its intended task. Tracked at runtime so it can be contained before consequences land.
N
Non-human identity (NHI)
Identities belonging to machines, services, and agents rather than people. Agents are the fastest-growing and least-governed class of NHI.
O
On-behalf-of (OBO) chain
The unbroken provenance recorded on a credential (who authorized the action, what scope was granted, and how deep the delegation goes) so an audit walks back to a human.
P
Prompt injection
An attack that manipulates an agent through crafted input (in a prompt, a tool result, or retrieved content) to make it act against policy.
R
Red teaming
Continuous adversarial testing of AI systems (jailbreaks, extraction, manipulation) with findings turned into enforcement policy and re-scanned to prove the fix.
RFC 8693 (token exchange)
The standard that lets one token be exchanged for another with attenuated scope: the basis for verifiable agent-to-agent delegation.
S
Scope attenuation
Narrowing permissions at each delegation hop so a sub-agent can never hold more authority than the agent that delegated to it.
Shadow agents
Agents running across clouds, IDEs, and SaaS that no one inventoried or assigned an owner: the unmanaged majority of an enterprise's agent footprint.
SPIFFE / WIMSE
Open standards for verifiable workload identity. Highflame extends them with agent-shaped claims for delegation, trust, and attribution.
T
Trust tier
A provenance-based level on an agent's identity (first-party/attested, verified third-party, or unverified) that gates what the agent is eligible for and tightens its policy. It is a verified input to every decision, never a bypass: each action is still authorized per request, so there is no implicit trust.
Z
ZeroID
Highflame's open-source agent identity core (Apache 2.0), built on OAuth 2.1, SPIFFE/WIMSE, and RFC 8693: the inspectable foundation beneath Highflame Identity.
See the fabric against your own agents.
A 45-minute session covers your real agent footprint and what governance looks like in your environment.