
Non-Human Identity for AI Agents.

AI agents are the fastest-growing category of non-human identity. Unlike service accounts, they act autonomously, change behavior at runtime, and touch regulated systems at machine speed. Kakunin issues each agent a cryptographic machine identity — X.509 certificates backed by AWS KMS, continuous behavioral monitoring, and auto-revocation in under 60 seconds.

X.509: RSA-2048 per agent
<60s: auto-revocation SLA
KMS: private key never leaves HSM
365 days: MiCA Art. 70 validity window
01 — NON-HUMAN IDENTITY

What is non-human identity?

Non-human identity (NHI) is the practice of issuing cryptographic credentials to automated systems — not users — so that every action taken by a machine can be attributed, scoped, and revoked independently. Kakunin is purpose-built NHI infrastructure for AI agents.

Beyond API keys

An API key proves that someone once had access to it. An X.509 machine identity proves that this specific agent instance, with this specific scope, is operating within its authorised window — and that every action it takes is cryptographically signed and attributable to a named identity, not a shared secret.

Cryptographic scope binding

Kakunin encodes permitted actions directly in each agent's X.509 credential as certificate extensions. An agent with read:accounts in its machine identity physically cannot call a write:payments endpoint — the scope is cryptographic, not advisory, and enforced at the gateway layer before any application code runs.

Time-bounded authority

Unlike API keys, X.509 credentials expire by design. Every Kakunin-issued machine identity carries a notAfter timestamp — 365 days by default, shorter for high-risk agents. Expiry forces renewal, limits blast radius, and satisfies MiCA Article 70 without any manual credential hygiene process.

Public verifiability

Any counterparty — a downstream service, a regulator, an auditor — can verify an agent's machine identity via GET /api/v1/verify/{serial} with no Kakunin account required. The response includes operator, scope, model hash, validity window, and revocation status; it returns in under 500 ms and is globally CDN-cached.

02 — THE NHI CHALLENGE

Why AI agents are a new NHI challenge

Traditional service accounts follow predictable, audited scripts. AI agents are different: they reason, adapt, and take novel actions at runtime. That autonomy creates three NHI problems that existing credential systems cannot solve.

1. Autonomous scope drift

AI agents may attempt actions outside their original design — not through compromise, but through reasoning errors or prompt injection. NHI credentials must enforce permitted scope at the cryptographic layer, not the application layer.

2. Multi-agent attribution

Large deployments run dozens of agent instances sharing underlying models. Shared API keys make attribution impossible when an incident occurs. Each agent instance needs its own machine identity with a unique serial number in every log entry.

3. Behavioral revocation triggers

Traditional NHI revocation is manual — a human decides a credential needs to be retired. AI agents need automated revocation: when behavioral risk crosses a threshold, the agent's machine identity must be withdrawn in under 60 seconds, without human intervention.

4. Regulatory non-repudiation

EU AI Act Article 12 and MiCA Article 72 require audit trails where each entry is cryptographically linked to a specific agent identity. Log entries attributed only to an API key do not satisfy this requirement.

03 — NHI CREDENTIAL

X.509 certificates as NHI credentials

The X.509 standard (RFC 5280) provides the NHI credential format that AI agents need. It was designed for exactly this class of problem — proving the identity of a machine to another machine — and has been battle-tested across three decades and billions of TLS connections.

Structured machine identity

The certificate Subject field encodes a structured identifier: organisation, department, agent name, and unique agent ID. This is not a secret — it is publicly readable by any counterparty. The CA's signature on that subject is the proof of identity.

Subject: CN=trading-agent-003, O=fintech-startup, OU=agent-fleet

AWS KMS key custody

Each agent's RSA-2048 private key is generated inside AWS KMS and never exported. Kakunin stores only the KMS ARN. All signing operations are delegated to KMS via API. Even full database access yields no exploitable key material — only ARN references to hardware-protected keys.

Certificate extensions for agent scope

Kakunin uses X.509 extensions to encode agent-specific data: permitted action array, model hash, tenant ID, and deployment environment. This data is cryptographically bound to the credential — it cannot be modified after issuance without invalidating the CA signature.

Chain of trust to Kakunin CA

Every agent credential chains to Kakunin's root Certificate Authority. This creates a verifiable trust anchor: any system that trusts the Kakunin CA automatically trusts all agent credentials it has issued, and can verify their revocation status without a direct relationship with the issuing operator.
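The issuance and gateway check described in sections 01 and 03, as an added example written for this page (not Kakunin's code) using Go's standard library: the scope list is DER-encoded into an X.509 extension under an assumed private-arc OID, the credential chains to a root standing in for the Kakunin CA, and the gateway verifies the chain and validity window before consulting the signed scope. Keys are generated locally rather than in KMS, the OID, Subject values and scope encoding are assumptions, and the revocation-status (CRL) check is omitted.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)
// ScopeOID is an assumed private-arc OID for the permitted-action extension; the page names none.
var ScopeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// Issue builds a root standing in for the Kakunin CA and signs one agent credential under it. The scope list is
// DER-encoded (SEQUENCE OF PrintableString) into an extension covered by the CA signature, so it cannot be altered
// after issuance. Keys are generated locally here (the page keeps the agent key in KMS); errors are ignored only
// because the templates are fixed and well-formed.
func Issue(cn string, scopes []string, ttl time.Duration) (ca, agent *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	agentKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	scopeDER, _ := asn1.Marshal(scopes)
	now := time.Now().Add(-time.Minute)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	agentTmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), NotBefore: now, NotAfter: now.Add(ttl),
		Subject:         pkix.Name{CommonName: cn, Organization: []string{"fintech-startup"}, OrganizationalUnit: []string{"agent-fleet"}},
		ExtraExtensions: []pkix.Extension{{Id: ScopeOID, Value: scopeDER}}}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	agentDER, _ := x509.CreateCertificate(rand.Reader, agentTmpl, ca, &agentKey.PublicKey, caKey)
	agent, _ = x509.ParseCertificate(agentDER)
	return ca, agent
}
// Authorize is the gateway check: chain to the trusted CA (rejects forged, foreign-CA and expired credentials),
// then require the requested action to appear in the signed scope list.
func Authorize(ca, agent *x509.Certificate, action string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := agent.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("untrusted or expired credential: %w", err)
	}
	var scopes []string
	for _, ext := range agent.Extensions {
		if ext.Id.Equal(ScopeOID) {
			asn1.Unmarshal(ext.Value, &scopes) // a malformed or absent extension leaves scopes nil, so the action is denied
		}
	}
	if !slices.Contains(scopes, action) {
		return fmt.Errorf("%q is outside the bound scope %v of %s", action, scopes, agent.Subject.CommonName)
	}
	return nil
}
```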

04 — BEHAVIORAL MONITORING

Behavioral monitoring for NHI

Static NHI credentials answer the question: is this agent who it claims to be? Behavioral monitoring answers the harder question: is this agent still acting within acceptable bounds? Kakunin combines both — machine identity and continuous behavioral assessment — in a single infrastructure layer.

Continuous event streaming

Every action an agent takes — API calls, data access, transaction submissions, authentication attempts — is streamed to Kakunin's event ingestion endpoint and attributed to its machine identity via certificate serial. Capacity is 1,000 events per second per tenant, with p99 ingestion latency under 200 ms.

Rolling 30-day risk score

Kakunin maintains a continuously updated risk score for each agent based on behavioral patterns: action frequency, scope boundary tests, authentication failures, and anomalous transaction patterns. The score is computed over a rolling 30-day window and updates in real time as events are ingested.

Risk bands and thresholds

Score ≥0.85 triggers automatic credential revocation. Score ≥0.75 triggers a pre-revocation warning pushed to /api/v1/notifications. Score ≥0.3 is medium risk — monitored but not blocked. Score <0.3 is low risk. All thresholds are configurable per-tenant.

WORM audit trail

All behavioral events and NHI credential operations are written to an append-only, immutable audit log. PostgreSQL-level rules prevent any UPDATE or DELETE, and the log is cryptographically tamper-evident. Regulators and auditors access a complete, unmodifiable history from agent registration through every action to final revocation.

05 — AUTO-REVOCATION

Automated NHI revocation

When an agent's behavioral risk crosses the 0.85 threshold, Kakunin revokes its machine identity automatically — no human approval required. The revocation is propagated to the public CRL within seconds. The next gateway verification from that agent returns a 403. Total time from risk breach to first blocked request: under 60 seconds.

Automatic revocation at 0.85 risk

No manual step, no approval queue. When the risk engine records a score ≥0.85, the credential revocation is triggered synchronously. The KMS key is scheduled for deletion, the serial is added to the public CRL, and the audit log receives a certificate.revoked event with full metadata.

Pre-revocation warning at 0.75

At 0.75 risk, operators receive a proactive warning via the notification inbox before revocation occurs. This creates a 10-point risk buffer for human review: investigate the anomaly, determine if it is a bug or a genuine threat, and either remediate or manually revoke before the automatic threshold is hit.

Webhook delivery within 5 seconds

Every revocation event triggers a webhook to registered endpoints with HMAC-SHA256 verification. Your downstream systems — API gateways, monitoring platforms, incident management tools — are notified within 5 seconds of credential revocation. Zero polling required.
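A receiver for the revocation webhook described above, as an added example written for this page (not Kakunin's code) in Go: it checks the HMAC-SHA256 signature in constant time, rejects deliveries outside a short timestamp window so a captured webhook cannot be replayed later, and on a certificate.revoked event adds the serial to the local deny-list the gateway consults, so the agent's next request gets a 403. The header names, the signed string (timestamp, a dot, then the raw body), the five-minute window and the payload fields are assumptions; the page states only HMAC-SHA256 verification and the certificate.revoked event.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"strconv"
	"time"
)
// RevokedEvent is the assumed payload; the page names the certificate.revoked event but not its fields.
type RevokedEvent struct {
	Event  string `json:"event"`
	Serial string `json:"serial"`
}
// RevocationSet is the gateway's local deny-list of revoked certificate serials.
type RevocationSet map[string]bool
// Sign computes the assumed signature hex(HMAC-SHA256(secret, "<unix-ts>.<body>")); binding the timestamp is
// what lets the receiver bound replays. It is included so the receiver can be exercised offline.
func Sign(secret []byte, ts int64, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}
// Receive verifies one delivery (assumed headers X-Timestamp, X-Signature) and records a revoked serial.
func (r RevocationSet) Receive(secret []byte, tsHeader, sigHeader string, body []byte, now time.Time) error {
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil || now.Sub(time.Unix(ts, 0)).Abs() > 5*time.Minute {
		return errors.New("timestamp missing, malformed or outside the replay window")
	}
	if !hmac.Equal([]byte(Sign(secret, ts, body)), []byte(sigHeader)) { // constant-time compare
		return errors.New("HMAC mismatch: body or signature not produced with the shared secret")
	}
	var ev RevokedEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return err
	}
	if ev.Event == "certificate.revoked" && ev.Serial != "" {
		r[ev.Serial] = true
	}
	return nil
}
// GatewayStatus is the enforcement point: 403 for a revoked serial, 200 otherwise.
func (r RevocationSet) GatewayStatus(serial string) int {
	if r[serial] {
		return 403
	}
	return 200
}
```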

MiCA Art. 72 compliance by design

MiCA Article 72 requires that AI agent operators maintain the capability to withdraw agent authority when risk conditions are met. Kakunin's automated revocation pipeline is a direct implementation of this requirement: the capability is always active, the threshold is documented, and every activation is logged in the WORM audit trail.

06 — REGULATORY COMPLIANCE

MiCA and EU AI Act NHI obligations

Three regulatory frameworks directly mandate non-human identity controls for AI agents operating in the EU. Kakunin's NHI infrastructure is designed to satisfy all three without requiring separate compliance tooling.

MiCA Article 70 — credential validity

Requires defined validity periods for AI agent authority. Kakunin issues X.509 machine identities with 365-day validity windows by default. Annual renewal forces re-verification of agent identity and scope. Each renewal generates an audit log entry and produces fresh credential material. Agents that have drifted from their original specification become visible at renewal time.

MiCA Article 72 — authority withdrawal

Requires the capability to withdraw agent authority when risk conditions are met. Kakunin's automated revocation at risk score ≥0.85 directly implements this obligation. Every withdrawal is logged in the WORM audit trail with timestamp, triggering risk score, and affected agent identity. Regulators can access this history via the public verification endpoint.

EU AI Act Article 12 — audit logging

Requires logs that allow post-hoc monitoring of high-risk AI system operations. Log entries attributed only to an API key do not satisfy this requirement — you cannot prove which specific agent instance generated a given entry. Kakunin's cryptographic attribution links every behavioral event to a specific machine identity via certificate serial, creating the non-repudiable audit trail Article 12 requires.

EU AI Act Article 13 — transparency

Requires transparency documentation for high-risk AI systems. The publicly verifiable machine identity gives regulators and auditors direct access to operator, scope, model hash, and deployment context — without requiring a Kakunin account. The same endpoint used by downstream systems for enforcement is available to compliance reviewers for audit.

NHI infrastructure

Issue your first agent machine identity.

X.509 credentials via AWS KMS, behavioral monitoring, automated revocation. Register your first agent in under 15 minutes.