The Cross-Domain Agent Passport™: Who Vouches for an Agent When It Leaves Home
Every platform now issues its agents an ID badge. Workday, Microsoft, AWS, and a wave of open specs all prove who an agent is inside their own walls. Nobody answers for the agent at the border. The Cross-Domain Agent Passport™ is the credential for everywhere else.
The short version
A Cross-Domain Agent Passport™ is a portable, verifiable identity for an AI agent, issued by a neutral party and accepted across platforms that do not trust each other. It is the difference between an employee badge and a passport. The badge gets you through doors inside your own building. The passport is what you show at a border, and it works because the party that issued it is not one of the two parties at the counter.
In 2026 the badge problem got solved. The border problem did not.
Everyone is issuing badges now
The intra-domain wave arrived fast. Workday launched its Agent Passport on June 2, 2026, with Cisco as launch partner: every agent in the Workday estate gets tested against OWASP, NIST, and MITRE standards, receives a signed attestation, and is monitored at runtime. Microsoft's Entra Agent ID gives every Copilot and line-of-business agent a governed identity, and Agent 365 went generally available on May 1. AWS Bedrock AgentCore Identity does the same for agents on Bedrock. The A2A protocol's Signed Agent Cards, now at the Linux Foundation with more than 150 member organizations, prove agent identity at the protocol layer. And open specs are multiplying: Cubitrek published a generic agent passport standard in April, a self-signed JSON file an organization hosts on its own domain.
Each of these is real and useful. Each is also a badge: identity asserted by the platform the agent lives on, or by the organization that operates it, valid exactly as far as that issuer's authority reaches. Workday vouches for agents inside Workday. Entra vouches for agents inside the Microsoft tenant. A self-published passport file vouches for whatever the publisher says about itself.
The border problem
Agents do not stay home. The entire premise of agent commerce is that an agent leaves its platform: a Copilot agent procures from a vendor running on Bedrock, a Workday agent pays an invoice presented by a counterparty's agent, a shopping agent built on the Claude SDK checks out at 5,000 merchants it has never seen before. Every one of those is a border crossing, and at the border, the badge has a problem: the verifying side has no reason to trust the issuing side.
This is not a FLINT observation; it is now the documented state of the standards. The current IETF drafts for AI agent authentication extend OAuth and SPIFFE within a single trust domain. The Agent Identity Protocol paper states plainly that OAuth 2.1 covers single-hop, client-to-server authentication and does not address multi-hop delegation chains across MCP and A2A. Delegation receipts, actor profiles, signed cards: all of it assumes both ends already live under one authority. The question none of them answers is the only question that matters at the border. Who notarizes the chain when neither side trusts the other's issuer?
Why the issuer has to be neutral
The instinctive answer, that one of the platforms will do it, fails on incentives. A hyperscaler cannot serve as the notary between its own garden and a competitor's; every rival has a structural reason to reject its vouching. And the independent vendors who might have played the role are disappearing into the platforms: CrowdStrike acquired SGNL, Cisco acquired Astrix, Palo Alto acquired CyberArk for $25 billion. The intra-domain identity category consolidated into exactly the parties that cannot be neutral.
Passports work for one reason: the issuing authority is not a party to the transaction at the desk. A neutral issuer has no platform to favor, no rival to disadvantage, and no business model that depends on locking the agent inside one estate. That is not a marketing preference. It is the structural requirement the border imposes.
What a Cross-Domain Agent Passport™ requires
Six requirements separate a passport from another badge. Miss one and the credential stops at the border.
- Neutral issuance: The issuer sits between domains, not inside one. Its only product is the credibility of the credential.
- Composition, not reinvention: NIST's agent-identity initiative says it directly: adapt existing standards rather than invent. The passport consumes OAuth, SPIFFE, DIDs, signed agent cards, and platform attestations as evidence and binds them into one portable credential.
- Pairwise identifiers: Each verifying domain sees its own scoped identifier for the agent, the same privacy pattern federal login infrastructure uses, so cross-domain trust never becomes cross-domain surveillance.
- Behavioral continuity: A static credential proves issuance, not conduct. The passport has to answer whether the agent still behaves as it did when it was vouched for, which is what hijacked and over-delegated agents break first.
- Signed, retained evidence: Every border crossing produces a verification record both sides can hold, export, and present in a dispute, signed so it stays provable after the fact.
- Lifecycle: Expiration, renewal, and revocation, because agent compromise is a when, not an if, and a passport that cannot be revoked is a liability.
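The pairwise-identifier and lifecycle requirements above can be sketched in a few lines. This is an added example, not FLINT's implementation or wire format: the HMAC derivation, the field names (subject, audience, expires_at), and the function names are assumptions, and signature verification over the passport is deliberately left out.

```python
import hashlib
import hmac

# Constructed demo key; an issuer would hold the real one in an HSM or KMS.
ISSUER_PAIRWISE_KEY = b"constructed-demo-key-not-a-real-secret"


def pairwise_id(agent_id: str, verifier_domain: str,
                key: bytes = ISSUER_PAIRWISE_KEY) -> str:
    """Derive the identifier one verifying domain sees for an agent.

    Keying the HMAC with an issuer-only secret means two verifiers cannot
    link their identifiers to each other or recover the global agent_id.
    """
    # Length-prefix each field so ("ab", "c") and ("a", "bc") never collide.
    parts = (agent_id.encode(), verifier_domain.lower().encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return "pw_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def issue(agent_id: str, verifier_domain: str, ttl_seconds: float, now: float) -> dict:
    """Issuer side: mint a passport view scoped to one verifying domain."""
    return {
        "subject": pairwise_id(agent_id, verifier_domain),
        "audience": verifier_domain.lower(),
        "expires_at": now + ttl_seconds,
    }


def check_at_border(passport: dict, verifier_domain: str,
                    revoked: set, now: float) -> tuple:
    """Verifier side: scoping and lifecycle checks, fail closed on each."""
    if passport["audience"] != verifier_domain.lower():
        return (False, "wrong_audience")  # minted for a different domain
    if passport["subject"] in revoked:
        return (False, "revoked")         # issuer withdrew the credential
    if now >= passport["expires_at"]:
        return (False, "expired")         # must be renewed, not reused
    return (True, "ok")
```

Because the identifier is derived per domain, the revocation list a verifier receives contains only its own scoped identifiers and reveals nothing about the agent's activity elsewhere.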
Where this stands
FLINT issues agent passports today: free, hybrid-signed with both classical and post-quantum signatures, publicly resolvable, and attachable to an account. The pairwise identifier model is live. The cross-domain attestation protocol, the federation layer that lets passports carry platform attestations across borders with a neutral signature over the chain, is the architecture FLINT is building on top of that foundation now.
The positioning matters: keep the badges. Workday's Agent Passport, Entra Agent ID, and AgentCore Identity make agents safer inside their domains, and a Cross-Domain Agent Passport™ is stronger because they exist, since each one is another attestation to carry. The platforms prove who issued the agent. FLINT proves it still behaves as issued, anywhere it goes.
Intra-domain agent identity went from open problem to crowded market in roughly a year, and the consolidation has already happened. What remains unowned is the layer the consolidation cannot reach: the neutral credential that crosses the border, carries the badges as evidence, binds them to behavior, and leaves a signed record behind. Every previous network learned this the same way. Domains needed registrars, cards needed networks, travelers needed passports. Agents that move money will need the same thing, and the issuer cannot live inside any one platform. That is the Cross-Domain Agent Passport™, and it is the passport office FLINT is building.