Fortsignal

The Missing Layer in Agentic AI: Why Proving What Was Approved Matters More Than Proving Who Did It

The AI agent wave is here. Autonomous systems are booking travel, executing trades, processing claims, and managing procurement — all without a human clicking a button. And the security industry’s response so far has been to ask one question: who is this agent?

That’s the wrong question.

Knowing the identity of an agent doesn’t tell you what it was authorized to do. A verified agent identity can still transfer money to the wrong account, approve a claim it shouldn’t, or execute an action that was never sanctioned by a human. Identity proves presence. It doesn’t prove intent.

This is the gap we built FortSignal to close.

The Problem With “Who”

Every major identity platform today — passkeys, OAuth, FIDO2, hardware tokens — is built around proving who is acting. That made sense in a world where humans clicked buttons. If a human authenticated and took an action, you could reasonably assume they meant to.

Agents break that assumption entirely.

An agent operates autonomously, often across multiple systems, often without a human watching. A prompt injection attack doesn’t need to steal credentials — it just needs to convince the agent to do something the human never authorized. A compromised session doesn’t need to impersonate the user — it just needs to ride existing authentication to execute.

The attack surface isn’t identity anymore. It’s authorization.

Proving What Was Approved

FortSignal is built around a different question: what exactly did a human authorize, and can you prove it cryptographically?

Here’s how it works. When an action is initiated — a transfer, an approval, a delegation — the exact parameters of that action are locked into a cryptographic hash: the action type, the amount, the recipient, the sender, any metadata. That hash is then bound to a WebAuthn challenge.

When the human approves with Face ID or Touch ID, their device’s hardware security chip signs that challenge. The signature is cryptographically bound to those exact parameters. Change anything — the amount, the recipient, anything — and verification fails.

Every allow response returns a signalId — a cryptographic receipt proving exactly what was approved, by whom, under what policy, at what moment. Not just that someone was authenticated. What they authorized.

This is what we call parameter binding, and it’s the core of what makes FortSignal enforcement rather than evaluation.


The Same Engine, For Humans and Agents

The enforcement layer doesn’t care whether the actor is a human or an agent. It cares about the signature and the policy.

For humans: biometric approval via WebAuthn, hardware-backed signing, policy enforcement.

For agents: Ed25519 keypair authentication, delegation scope enforced on every request, instant revocation, full audit trail.

Both run through the same challenge/verify pipeline. Both produce the same cryptographic receipt. One unified enforcement layer for your entire stack.

An agent operates within a delegation a human already signed. That delegation is bound to a policy — allowed action types, value caps, recipient restrictions, expiry. FortSignal checks it on every single request. Revoke the delegation and the agent’s next action is denied, immediately, with no waiting for anything to expire.
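An added illustration, not FortSignal's implementation, of the per-request delegation check described above: a delegation carries a policy with allowed action types, a value cap, a recipient allow-list and an expiry; every request is evaluated against it, fail-closed, and revoking the delegation denies the very next request without waiting for expiry. The policy field names and the in-memory store are assumptions.

```javascript
// In-memory delegation store (constructed for the example).
const delegations = new Map();

function createDelegation(id, policy) {
  delegations.set(id, { policy, revoked: false });
}

// Revocation takes effect on the next enforce() call; nothing has to expire.
function revokeDelegation(id) {
  const d = delegations.get(id);
  if (d) d.revoked = true;
}

function deny(reason) { return { decision: 'deny', reason }; }

// Deterministic check run on every agent request, before execution.
// Fail closed: an unknown, revoked or expired delegation denies, and every
// constraint in the policy must hold for the request to be allowed.
function enforce(delegationId, request, now = Date.now()) {
  const d = delegations.get(delegationId);
  if (!d) return deny('unknown_delegation');
  if (d.revoked) return deny('revoked');
  const p = d.policy;
  if (now >= p.expiresAt) return deny('expired');
  if (!p.allowedActions.includes(request.action)) return deny('action_not_allowed');
  if (typeof request.amount !== 'number' || request.amount > p.maxAmount) return deny('over_cap');
  if (!p.allowedRecipients.includes(request.recipient)) return deny('recipient_not_allowed');
  return { decision: 'allow' };
}

// Constructed sample delegation: transfers only, up to 5000, to one recipient, for 24h.
const T0 = Date.parse('2026-03-01T00:00:00Z');
createDelegation('dlg_demo', {
  allowedActions: ['transfer'],
  maxAmount: 5000,
  allowedRecipients: ['acct_456'],
  expiresAt: T0 + 24 * 3600 * 1000,
});
```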

This is the architecture that makes safe autonomous operation possible. Not monitoring after the fact. Not ML-based anomaly detection. Deterministic enforcement before execution.

What’s Coming: Agent Passports

Today, FortSignal’s agent delegation layer is built for developers and platform administrators. You register agents, assign policies, approve delegations — all through the dashboard. The cryptographic infrastructure is there. The enforcement engine is live.

What we’re building next is Agent Passports: a dedicated, user-friendly interface that brings this same capability to every end user.

Not just administrators. Not just developers. Any human who has an agent acting on their behalf.

The flow will be simple:
— Review exactly what an agent is allowed to do
— Approve the delegation with a single Face ID prompt
— Manage and revoke permissions instantly, at any time

The enforcement engine doesn’t change. The same parameter binding, the same policy constraints, the same cryptographic receipts. Agent Passports is the human layer on top of infrastructure that already works.

Why This Matters Now

In March 2026, Mastercard and Google co-launched Verifiable Intent — an open standard for cryptographically proving what a consumer authorized when an AI agent acts on their behalf. It’s built on FIDO, W3C, and EMVCo standards, backed by Fiserv, IBM, and Checkout.com.

We were already building this.

FortSignal’s parameter binding is the same core idea as Verifiable Intent — proving what was approved, not just who was present. We’ve been live while the standard was being written. Two API calls. Drop-in integration. No new infrastructure required on your end.

The industry is converging on exactly the architecture we’ve been building. The biggest names in payments are codifying the standard. The question now is who builds the implementation layer that developers actually use.

The Architecture That Scales

FortSignal is always B2B. End users never call the API directly. The flow is always:

End User → Company’s App → FortSignal API → Allow / Deny

Your customer integrates FortSignal into their backend. Their users get enforcement — whether that’s a biometric approval screen for a high-stakes action or an Agent Passport UI for managing autonomous delegation. The enforcement engine is the same at every layer.

This is the architecture that holds from a single developer testing the API to an enterprise with thousands of users each managing their own agent delegations. The loop is fixed:

Intent declared → Parameters locked → Signature verified → Policy enforced → Allow / Deny

That never changes. The surface area just gets wider.

Two API Calls

// Start the challenge — parameters are locked
const challenge = await fortsignal.challenge.start({
  userId,
  action: 'transfer',
  amount: 4200,
  recipient: 'acct_456',
  from: 'acct_123'
})

// User signs with Face ID — verify the result
const result = await fortsignal.challenge.verify({
  challengeId: challenge.id,
  response: biometricResponse
})

if (result.decision === 'allow') {
  // result.signalId → cryptographic proof of this exact approval
  await executeTransfer(result.signalId)
}

That’s the entire integration. The enforcement, the policy check, the cryptographic receipt — all of it happens inside those two calls.

What We’re Building

The agentic age isn’t coming. It’s here. Autonomous agents are executing consequential actions today, and the question of how to govern them is no longer theoretical.

The answer isn’t more monitoring. It isn’t better anomaly detection. It’s deterministic enforcement — a gate that every action must pass through, with cryptographic proof of what was authorized and by whom.

That’s what FortSignal is. Live today. Two API calls.

Agent Passports coming soon.

Get API access at fortsignal.com

Tags: AI Agents, Security, Agentic AI, Authentication, Cryptography, WebAuthn, Fintech, Developer Tools
