crewai - 💡(How to fix) Fix RFC: Agent identity & inter-Crew trust — OWASP ASI03/ASI07 compliance gap


Context

The OWASP Agentic AI Top 10 (December 2025, 100+ expert contributors) identifies two risks directly relevant to CrewAI deployments:

  • ASI03 — Identity & Privilege Abuse: Agents inherit excessive privileges. Credentials get cached, reused, and escalated across agents. Confused-deputy attacks become easy when no agent has a verifiable identity distinct from the human operator.
  • ASI07 — Insecure Inter-Agent Communication: Multi-agent message exchange lacks authentication. No built-in way to verify that "Agent A" in a crew is actually the authorized agent — not an injected impersonator.

CrewAI currently has no built-in mechanism for agents to carry verifiable identity credentials.

The Gap

In a typical CrewAI deployment today:

  1. Each agent has no cryptographic identity — no verifiable way to assert "I am this agent, running this task, authorized by this human principal"
  2. When crews call external APIs or interact with other crews, there is no identity attestation at the call site
  3. Agent secrets (API keys, tokens) are typically long-lived and broad-scoped — cached in memory with no automatic rotation or scope limitation

OWASP ASI03 specifically names "SSH keys cached in agent memory, cross-agent delegation without scoping, impersonation chains" as the concrete attack vector. As crew-to-crew interaction becomes common (multi-org deployments, federated task delegation), this gap compounds.

Proposed Integration Point

An optional identity field on Agent, carrying a short-lived JWT that external services can verify without contacting a central registry:

import os

from crewai import Agent

researcher = Agent(
    role="Senior Researcher",
    goal="Synthesize research on quantum computing trends",
    backstory="...",
    # Optional — zero behavior change when absent
    identity={
        "aat": os.environ["AGENTLAIR_AAT"],  # EdDSA JWT, 1h TTL, issued per session
        "jwks_uri": "https://agentlair.dev/.well-known/jwks.json",  # RFC 7517 key set for offline verification
    }
)

When present, the agent's tool calls and inter-crew messages carry a verifiable JWT. Any recipient — external API, another crew's trust layer, audit log — can verify the identity offline using standard JWKS key discovery (RFC 7517). No central registry required.

Why JWT/JWKS over Certificate Chains?

Several existing proposals (#5019, #4560) use ECDSA certificate chains and custom registries. JWT + JWKS is the approach already powering OAuth 2.0 and OIDC:

Property            Certificate chain     JWT + JWKS
Key discovery       Custom registry       Standard /.well-known/jwks.json
Expiry              Manual revocation     exp claim, automatic
Verification        PKI toolchain         Any JWT library in any language
Algorithm           ECDSA P-256           EdDSA (Ed25519) — PQ-migration ready
Cross-org interop   Registry-scoped       Internet-native

Differentiated from Existing Proposals

The existing issues focus on static agent identity verification (proof that agent X exists). This proposal addresses runtime behavioral trust:

  • Short-lived tokens (1h TTL) — impossible to reuse stolen credentials long-term
  • Human provenance chain — every token traces back to the human API key that provisioned it
  • Behavioral audit trail — what the agent actually did, not just what it claimed to be
  • x402 payment gating — trust that also governs economic interactions between agents

Working Implementation

AgentLair ships this infrastructure today: Ed25519 JWT per agent session, JWKS endpoint, did:web resolution, x402 payment integration, and cross-org behavioral trust scoring. The token is already issued per-session in production.

I'm happy to contribute a CrewAI integration adapter, document the API shape, or just discuss the right interface design. The goal is an open standard interface — the implementation could be AgentLair, another provider, or something CrewAI builds natively.

TL;DR

Implementing an optional identity field on Agent with a short-lived JWT can help address identity and privilege abuse issues in CrewAI deployments.

Guidance

  • Introduce an identity field on the Agent object to carry a short-lived JWT that can be verified by external services without contacting a central registry.
  • Use the JWT + JWKS approach, which is already powering OAuth 2.0 and OIDC, for key discovery and verification.
  • Ensure the JWT has a short time-to-live (TTL) to prevent reuse of stolen credentials and include a human provenance chain to track the token's origin.
  • Consider implementing a behavioral audit trail to monitor agent actions and x402 payment gating to govern economic interactions between agents.

Notes

The proposed solution builds upon existing standards and technologies, such as JWT and JWKS, to provide a secure and scalable identity management system for CrewAI agents.

Recommendation

Apply the proposed change by introducing the identity field on the Agent object and using the JWT + JWKS approach for key discovery and verification; it builds on existing standards and gives recipients an offline way to verify agent identity, which addresses the identity and privilege abuse gap in CrewAI deployments.
