Owner: Platform team. Input: Security + Responsible-AI reviews passed. Sub-steps:
- Provision a unique agent identity in the existing IdP (Okta / Entra / Workspace SSO). Naming convention: agent-<dept>-<slug> or similar.
- Grant least-privilege access to each system the Agent Card lists — and only those:
  - Separate credentials per system (no super-account).
  - Read vs. write scoped per system.
  - Time-limited where possible.
- Document credentials: where they're stored (existing secret manager), who can rotate them, rotation cadence.
- Wire identity into logging: every API call the agent makes is attributable to this identity.
- Set up an emergency revocation procedure — who can revoke this agent's credentials in 60 seconds if something goes wrong, and how.
Output / gate criteria: Agent identity exists in IdP. Credentials stored in the secret manager. Revocation procedure documented + tested.
Decision branches:
- Required permission scope is broader than least-privilege should allow → escalate. Likely the workflow needs to be split or the scope re-thought.
Skip-this-step risk: Service-account sprawl, shared credentials, no audit attribution, no clean revocation path. The agent becomes an insider threat by design.
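One way to check the access grants from the sub-steps above before signing off the gate, as an added example that is not part of the original runbook. The grant record fields (`system`, `access`, `credential_id`, `expires`), the strict reading of the naming pattern, and the sample systems are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Assumed strict form of the agent-<dept>-<slug> convention.
NAME_RE = re.compile(r"^agent-[a-z0-9]+-[a-z0-9-]+$")
ALLOWED = {"read", "write"}

def check_grants(identity, card_systems, grants, now):
    """Return findings for review; an empty list means nothing to flag."""
    findings = []
    if not NAME_RE.match(identity):
        findings.append(f"identity {identity!r} does not match agent-<dept>-<slug>")
    cred_owner = {}  # credential id -> first system seen using it
    for g in grants:
        name = g["system"]
        if name not in card_systems:
            findings.append(f"{name}: not listed on the Agent Card")
        extra = sorted(set(g["access"]) - ALLOWED)
        if extra:
            findings.append(f"{name}: access not scoped to read/write: {extra}")
        first = cred_owner.setdefault(g["credential_id"], name)
        if first != name:
            findings.append(f"{name}: shares credential with {first}")
        expires = g.get("expires")
        if expires is None:
            findings.append(f"{name}: no expiry (time-limit where possible)")
        elif expires <= now:
            findings.append(f"{name}: credential already expired")
    granted = {g["system"] for g in grants}
    for name in sorted(set(card_systems) - granted):
        findings.append(f"{name}: on the Agent Card but no grant provisioned")
    return findings

# Constructed sample data (hypothetical systems and credential ids).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
EXP = datetime(2025, 3, 1, tzinfo=timezone.utc)
CARD = ["erp", "ticketing"]
GOOD = [
    {"system": "erp", "access": ["read"], "credential_id": "cred-erp", "expires": EXP},
    {"system": "ticketing", "access": ["read", "write"], "credential_id": "cred-tkt", "expires": EXP},
]
BAD = [
    {"system": "erp", "access": ["*"], "credential_id": "cred-shared", "expires": EXP},
    {"system": "crm", "access": ["read"], "credential_id": "cred-shared", "expires": None},
]

if __name__ == "__main__":
    for line in check_grants("agent-finance-invoices", CARD, BAD, NOW):
        print("FINDING:", line)
```

A finding for a system that is not on the Agent Card, or for access beyond read/write, is the case the decision branch sends to escalation.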