Concept

The IAM layer for AI agents

Agent Identity Management gives AI agents the three things IAM gives human users: cryptographic identity, capability authorization, and audit trails. Open source under Apache-2.0.

Why an IAM layer

IAM answers one question for human users: who can do what, and can it be proven later. Okta, Entra, and cloud IAM roles solve it for people. Autonomous agents act on their own and need the same guarantees. AIM is that layer for agents: identity that proves which agent is acting, authorization that bounds what it may do, and an audit trail that records what it did.

Identity

Every agent gets an Ed25519 keypair. Each action is signed, so the backend knows which agent did what, not just which API key was used.

Authorization

Capability grants define what an agent may do. A 5-step fine-grained authorization check runs on every invocation before the action executes.

Audit

Every signed invocation and its outcome lands in an audit log. After the fact, the record shows who did what, when, and whether it was allowed.

See it work

The Damn Vulnerable AI Agent runs two copies of the same agent: one unprotected, one wrapped with an AIM capability grant. The unprotected copy exfiltrates a secret on command. The AIM-protected copy denies the same outbound call, because the capability grant does not permit it. Same code, different outcome.

Run the A/B demo on DVAA

Protect a function

Install the SDK and authenticate:

pip install aim-sdk

Wrap any function with a capability grant. Each call is signed, authorized, and audited:

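from aim_sdk import secure

agent = secure("my-first-agent")

# `db` is the application's own database handle; it is not defined in this snippet.
# Each call to get_customer is signed, authorized against db:read, and audited.
@agent.perform_action(capability="db:read")
def get_customer(customer_id):
    return db.query("SELECT * FROM customers WHERE id = ?", customer_id)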
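
The deny path from the DVAA comparison under "See it work", as an added example that is not AIM's code or the aim-sdk API: a stand-in decorator checks a capability grant before the wrapped function runs and records every decision. The `Agent` class, the `net:egress` capability name, the `send_out` function and the audit record fields are assumptions; Ed25519 signing and the 5-step check are left out.

```python
import functools
import time


class Agent:
    """Hypothetical stand-in for an AIM-wrapped agent (not the aim-sdk API)."""
    def __init__(self, name, grants):
        self.name = name
        self.grants = frozenset(grants)  # capabilities this agent holds
        self.audit_log = []              # in-memory stand-in for the audit trail

    def _record(self, capability, func, decision, outcome):
        self.audit_log.append({
            "ts": time.time(), "agent": self.name, "capability": capability,
            "action": func.__name__, "decision": decision, "outcome": outcome,
        })

    def perform_action(self, capability):
        def decorator(func):
            @functools.wraps(func)
            def wrapper(*args, **kwargs):
                # Deny by default: the check runs before the action executes.
                if capability not in self.grants:
                    self._record(capability, func, "deny", "not executed")
                    raise PermissionError(f"{self.name} lacks {capability}")
                try:
                    result = func(*args, **kwargs)
                except Exception as exc:
                    self._record(capability, func, "allow", f"error: {type(exc).__name__}")
                    raise
                self._record(capability, func, "allow", "ok")
                return result
            return wrapper
        return decorator


# Constructed scenario: the grant covers database reads but no outbound calls.
agent = Agent("my-first-agent", grants={"db:read"})
sent = []  # stands in for the network; stays empty while egress is denied


@agent.perform_action(capability="db:read")
def get_customer(customer_id):
    return {"id": customer_id, "name": "constructed sample"}


@agent.perform_action(capability="net:egress")
def send_out(payload):
    sent.append(payload)
```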