Part of the security infrastructure for AI agents

Cryptographic identity for autonomous agents.

AIM gives every AI agent a unique Ed25519 identity, capability scoped authorization, and a continuous trust score. Add it with one decorator using the Python SDK, or deploy AIM Server for cross machine fleet governance.

$pip install aim-sdk

Open source. Apache 2.0. Self hosted or AIM Cloud.

Built for non human actors.

Agent Identity Management is the practice of creating, authenticating, authorizing, and governing digital identities for autonomous AI agents. Traditional Identity and Access Management was designed for humans logging in. Agents do not log in. They run continuously, take actions without review, and reconfigure themselves at runtime. They need a different identity model.

AspectTraditional IAMAgent Identity Management
Identity TypeHuman usersAutonomous AI agents
Decision MakingHuman in the loopAutonomous, no human review
BehaviorPredictable workflowsDynamic, emergent behavior
PermissionsFixed roles (RBAC)Capability based, context aware
LifecycleLong lived accountsEphemeral, dynamic provisioning
Trust ModelStatic trust after authContinuous trust evaluation

Six capabilities every agent needs.

Identity, authorization, trust, audit, attestation, and monitoring. Each one is enforced at runtime, signed cryptographically, and observable through the CLI or dashboard.

Cryptographic Identity

Every agent receives a unique Ed25519 keypair for unforgeable identity. No shared credentials. No API keys to rotate. Hybrid post quantum keying available for forward secrecy.

  • Ed25519 public key cryptography
  • Hybrid PQC keying (Ed25519 + ML-DSA-65)
  • Request signing and verification

Capability Based Access

Agents are restricted to explicitly declared capabilities. Principle of least privilege enforced at runtime, not at config time.

  • Explicit capability declarations
  • Runtime enforcement on every action
  • Escalation detection and denial

Continuous Trust Evaluation

A local 8 factor posture score grades setup from files on disk. In server mode a 9 factor behavioral score recomputes on every authorization and adjusts permissions accordingly.

  • 8 factor local posture, 9 factor server behavior
  • Drift detection on capability use
  • Automated response to trust drops

Comprehensive Audit Trail

Every agent action is logged with cryptographic attribution for compliance and forensics. Append only by design.

  • Append only audit log
  • Cryptographic signatures on every event
  • SOC 2 and HIPAA ready

MCP Server Attestation

Automatic discovery and verification of MCP servers your agents connect to. Detect shadow tools before they exfiltrate data.

  • Shadow MCP detection
  • Tool capability inventory
  • Connection monitoring and revocation

Open Observability

Every authorization decision is an OpenTelemetry span, one child span per authorization step. Trust score, drift, and scan verdict ride the span, so agent security shows up in the dashboards you already run.

  • OTLP traces, metrics, and logs, no custom agent
  • Attribute names proposed to the OpenTelemetry SemConv working group
  • Works with Tempo, Prometheus, Loki, and Grafana

The 8 factor trust score.

Local mode answers one question: is the agent set up correctly? Eight weighted signals are read from the agent files on disk and combined into a single score. No black box. Every factor is queryable. Run AIM Server and a separate 9 factor behavioral score evaluates whether the agent should still be trusted right now, recomputed on every authorization.

Identity (20%)

An Ed25519 identity exists for the agent in identity.json. The anchor every other factor builds on.

Capabilities (15%)

A capability policy is declared in policy.yaml, so the agent runs under an explicit grant rather than open scope.

Secrets managed (15%)

Secretless integration is active, so credentials are brokered rather than read from the environment.

Audit log (10%)

An append only audit.jsonl is present, giving every action a recorded, attributable trail.

Config signed (10%)

ConfigGuard signatures are present on the agent configuration, so tampering is detectable.

Skills verified (10%)

HackMyAgent verification has run on the agent skills, so loaded tools are not unscanned.

Network controlled (10%)

An egress policy is detected, so outbound destinations are scoped rather than unrestricted.

Heartbeat monitored (10%)

A runtime heartbeat from agent runtime protection is present, so liveness is observed.

$npx opena2a-cli identity trust my-agent

Read the live score.

Run it your way.

AIM works as a local only tool for individual developers or as a centralized server for teams managing fleets of agents. Start solo, upgrade to server mode when you need cross machine governance.

Solo Mode

Local. No server required.

Identity stored in ~/.opena2a/aim-core/. Audit log as a local JSONL file. Policies as YAML files. Zero infrastructure to manage. Ideal for individual developers securing their own agents.

npx opena2a-cli identity create --name my-agent
  • No dependencies or infrastructure
  • Ed25519 keypair generated locally
  • YAML based capability policies
  • Local JSONL audit trail

Server Mode

Centralized fleet management.

Deploy AIM Server, dashboard, and PostgreSQL via Docker Compose. Centralized identity management with a REST API, OIDC token endpoint, and a fleet dashboard for managing agents across machines.

docker compose up -d
  • REST API for identity and audit
  • OIDC based token issuance
  • PostgreSQL backed audit logs
  • Fleet dashboard for cross machine governance

See the deployment documentation for setup instructions.

Wired into the rest of the stack.

Identity is the substrate. HackMyAgent scan results, Secretless credential decisions, OASB benchmark scores, and SOUL.md governance checks all attach to the agent identity for a single audit trail and a single trust score.

scan
209 static plus 29 semantic plus 164 adversarial checks
protect
Credential detection and brokering
benchmark
222 standardized attack scenarios
scan-soul
SoulScanner
Governance file analysis (ABGS)

Why this matters now.

AI agents are being deployed into production with shared credentials, blanket admin access, and zero audit trail. Every one of those decisions creates a new class of incident.

The problem

  • Agents deployed with shared credentials or no authentication
  • Blanket admin access granted without capability restrictions
  • Shadow MCP servers with zero visibility or governance
  • No audit trails for agent actions or decisions
  • Legacy IAM cannot handle autonomous, dynamic actors

The AIM response

  • Unique cryptographic identity for every agent
  • Capability based access with runtime enforcement
  • Automatic MCP server discovery and attestation
  • Complete audit logging with cryptographic proof
  • Purpose built for autonomous AI agents

Real world impact. ServiceNow AI vulnerability, January 2026.

ServiceNow disclosed what researchers called the most severe AI driven vulnerability to date. The disclosure described exposure of Fortune 500 customers through improperly secured AI agents with universal credentials, email only authentication, and unrestricted capabilities.

Read the full analysis

Frameworks we secure.

AIM secures AI agents across frameworks, platforms, and deployment models. The same identity flow works whether you are running a single LangChain script or an AutoGen multi agent system.

LangChain Agents

Secure LangChain and LangGraph agent deployments with cryptographic identity and runtime capability checks.

CrewAI Teams

Identity management for multi agent crews. Per agent identity with shared audit trail.

MCP Servers

Attest and monitor Claude Desktop and Claude Code MCP servers across every machine in your fleet.

AutoGen Systems

Govern autonomous multi agent workflows with capability scoped policies and trust scoring.

Open source. No lock in.

Unlike proprietary identity products from larger vendors, AIM is open source. Self host forever. Read every line of code. Fork it if the roadmap diverges from your needs.

Open source

Apache 2.0 licensed. Inspect, modify, and contribute to the codebase.

Self hosted

Deploy on your infrastructure. Your data never leaves your environment.

Zero cost

No licensing fees. No per agent pricing. No surprise bills.

Three ways to integrate.

Most developers start with the Python SDK. Library authors embed aim-core. Teams running fleets adopt AIM Server. The same identity model works across all three.

Python SDK

pip install aim-sdk

The primary path. Protect any function with a capability grant. secure() generates an Ed25519 keypair, registers the agent, and @perform_action signs and authorizes every call.

pip install aim-sdk

Use when

  • One decorator per protected action
  • 5-step authorization on every call
  • Framework auto-detection
  • Java and TypeScript SDKs available

aim-core

@opena2a/aim-core

Embed identity directly into a Node.js application. Local only library with Ed25519 keys, capability policies, audit logs, and trust scoring. No server required.

npm install @opena2a/aim-core

Use when

  • Building your own agent framework
  • Embedding identity in application code
  • Custom trust scoring logic
  • No infrastructure to manage

AIM Server

opena2a/aim-server

Full server with REST API, dashboard, PostgreSQL backed audit logs, OIDC based identity, and centralized policy management across a fleet of agents.

docker pull opena2a/aim-server

Use when

  • Managing multiple agents
  • Cross machine fleet governance
  • Centralized audit and compliance
  • SSO and OIDC integration
Featureaim-core (local)AIM Server
Ed25519 IdentityLocal keypairServer issued plus OIDC
Audit LogJSON lines filePostgreSQL plus API
Capability PolicyYAML fileREST API plus dashboard
Trust Scoring8 factor, localReal time plus history
Multi AgentPer machine onlyCross machine fleet
InfrastructureNoneDocker or Kubernetes

Give your first agent an identity.

Install the SDK, wrap one function with a capability grant, and every call is signed, authorized, and recorded. The same shape works in Java and TypeScript.

$pip install aim-sdk

Open source. Apache 2.0. Self hosted or AIM Cloud.