Keycard, a provider of identity and access solutions for AI agents, has announced a new integration with Smallstep, a device identity platform, to strengthen security for AI agents operating in production environments. The collaboration introduces a hardware-rooted trust model designed to improve how organizations govern and verify AI-driven actions in real time. As AI coding agents increasingly interact with shell commands, APIs, and internal systems, organizations are facing a growing challenge: maintaining control over what these agents do once deployed. Traditional security approaches often provide visibility, but fall short when it comes to enforcing real-time governance. Keycard addresses this gap by enabling organizations to apply policies at the moment an agent performs an action, ensuring every tool call is controlled, monitored, and reversible.

However, runtime governance alone is not sufficient without verifying the environment in which the agent operates. This is where Smallstep adds critical value. Through cryptographic attestation and short-lived, non-exportable credentials, Smallstep ensures that AI agents can only operate within trusted and compliant environments. Its approach is built on ACME Device Attestation (ACME-DA), a framework developed alongside major industry players, which validates infrastructure before granting access. By combining their capabilities, Keycard and Smallstep create a continuous chain of trust. Keycard governs agent behavior, defining what actions are allowed and under what conditions, while Smallstep verifies where those actions originate. This integration allows every agent activity to be tied back to a verified environment, a specific identity, and a defined task.

The joint solution directly tackles common security challenges faced by CISOs. First, it ensures that agents only run in verified environments through attestation. Second, it replaces long-lived secrets with short-lived credentials, reducing the risk associated with credential exposure. Third, it delivers comprehensive auditability by tracking every agent action across systems and workflows.

Keycard enforces granular control by issuing task-specific, identity-bound credentials that expire quickly, preventing misuse. At the same time, Smallstep eliminates reliance on static credentials such as SSH keys and embedded secrets by introducing a “badges not keys” model, where access is dynamically granted and tightly scoped. Together, the integration provides organizations with a more secure and controlled way to adopt AI agents. By combining runtime policy enforcement with hardware-backed identity verification, Keycard and Smallstep enable enterprises to move beyond basic visibility toward a model of enforceable, real-time AI governance built on trusted infrastructure.
