Skip to content

08+ — Beyond v1: Hardening the Control Plane Toward Production

A follow-on to the big swing, for the direction the Day-91 page calls the control-plane arc. The v1 you shipped is a demo-scale enforcement point. This is the climb from there toward something a real fleet could run behind — and, more to the point, what building each rung teaches you that adopting a vendor never would.

Why build what already ships

Most of what follows exists commercially — Entra Agent ID does identity, Cedar/OPA do policy, Aembit does credential exchange, Firecracker does isolation. So the honest objection is: why build a worse version of a shipped thing?

Because "it exists" and "you understand it" are different claims, and this whole program is a bet on the second. You don't earn the right to critique Entra's delegation model or Aembit's credential exchange by reading their docs — you earn it by building the toy, hitting the exact wall they're selling past, and feeling why the wall is there. The landscape survey lists who ships each piece; this page is what you learn assembling them yourself.

Two things make that more than resume-padding:

  • Production isn't a feature checklist — it's a dependency graph. Several rungs below only work because your identity got real in v1 (a per-identity budget, a quarantine keyed to identity, a delegated token all mean nothing without an authenticated principal). Building them is how you discover that the thin identity leg was load-bearing all along.
  • Two rungs deepen your actual differentiator. Your edge is cross-hop taint + a published precision/recall no shipped system has. Taint-across-memory extends the first; audit integrity is what makes the second trustworthy (a P/R computed from a log a compromised agent could forge is a number, not evidence). These two aren't hardening — they're the thesis, continued.

And the corollary that keeps this honest: building it yourself and buying it are not opposed — they're sequential. Each rung is scoped around a clean seam (a PDP behind an AuthZEN interface, an identity you mint, a sandbox boundary, a taint API) because that seam is exactly where a vendor slots in. Build the toy to learn the seam; then, where it makes sense, swap in Cedar for your YAML PDP, Entra for your minted identity, Firecracker for your sandbox — a slot-in, not a rewrite. The lesson isn't "build everything forever"; it's that you can't evaluate or integrate a vendor at the seam until you've built across it once. The right production posture is a mix — build what's your differentiator (taint, the detector, audit integrity), buy what's commodity (identity, isolation, the PDP engine) — and the only way to know which is which for your system is to have built the naïve version of both.

How to read this

Not a to-do list. Same heuristic as Day 91: pick the rung that touches the pillar you didn't want to end. Each is scoped as one build — a week or two of real work — with a lesson you can only get by building it, and a maturity signal that separates the toy from the version you'd talk about in an interview. Do one properly rather than six shallowly; the depth is the point.

Each rung: the gap (what the v1 / the field's five-leg rubric can't see) → the build (the scoped thing you make) → what building it teachesmaturity signal.


Rung 1 — Delegation & on-behalf-of identity (the foundation)

The gap. V1 made each agent a verifiable principal. It never asked whose authority it wields. Real agent identity is a delegation problem, not an authentication one.

The build. On-behalf-of token exchange (RFC 8693): the broker mints a short-TTL, scope-narrowed token per hop, so an agent acts as the user with attenuated authority — never as an ambient service account. Chain it: agent A delegates to agent B; B's effective grant is the intersection of its own and what A delegated.

What building it teaches. The moment you implement attenuation, you find every place v1 quietly used a god-credential — ambient authority stops being a diagram and becomes a bug you wrote. You learn "who is this agent" was the wrong question; "on whose authority, narrowed how, for how long" is the right one. And you hit the real tradeoff — short TTL limits blast radius but taxes the token-mint path — which is exactly the tension every identity vendor is priced around. Confused-deputy becomes a bug you caused and fixed, not a slide.

Maturity signal. Authority attenuates at every hop; a stolen token is inert within minutes; you can trace any tool call back to the human it was delegated from. Study Auth0 Token Vault / Aembit after — you'll finally see what they're actually solving.

Rung 2 — Authorization as a service (PEP/PDP split)

The gap. V1's grants live in a YAML the broker reads inline. Enforcement and decision are the same code, so policy can't be tested or audited on its own.

The build. Lift grants out into a real policy-decision point — Cedar (what AWS AgentCore uses), OPA, or OpenFGA — behind the AuthZEN PEP↔PDP shape. The broker asks; the PDP decides; decisions are logged.

What building it teaches. You learn the PEP/PDP split isn't enterprise bureaucracy — it's what makes authorization a tested artifact. You end up writing unit tests for policy, and that's the moment authz stops being config and becomes software. You also feel the cost of an out-of-process decision on the hot path, and learn where decision-caching is safe and where it silently defeats revocation.

Maturity signal. Policy changes ship with tests and a diff review, independent of broker code; every decision is explainable from its logged inputs.

Rung 3 — Taint across memory (deepens the differentiator ★)

The gap. V1 taint is request-scoped: provenance tracked across hops within a session. It's blind to long-term memory — a vector store, a scratchpad, shared context — where an injection can sleep and re-fire days later. Stored injection runs on a different clock.

The build. Extend taint through the memory store: tag provenance on what goes into long-term memory, re-check it on the way out, across process restarts. Decide the hard questions explicitly — does a tag persist forever, decay, or get laundered, and by whom?

What building it teaches. You learn taint is a data-lifecycle property, not a request property — and that the in-session version you shipped was the easy half. You confront persistence and laundering directly (the questions research systems like FIDES punt on by staying intra-agent). This is your thesis extended into the one place no shipped system tracks it.

Maturity signal. An injection written to memory in session 1 is caught when it re-fires in session 5; you can articulate your taint's persistence and laundering rules and defend them.

Rung 4 — Audit integrity (protects the differentiator ★)

The gap. Leg (e) of the rubric says "with audit" — and silently assumes honest logs. If a compromised agent can forge or erase its own trail, every downstream claim is hollow.

The build. Append-only, hash-chained, signed audit log, shipped off-box before the agent can touch it. The record has to survive the thing it's recording.

What building it teaches. You learn "we log everything" and "the log can be trusted" are different systems, and the gap between them is exactly where a compromised principal lives. Most directly: you feel that your own published precision/recall is only as credible as the log it's computed from — this rung is what turns your headline number from a claim into evidence. You also learn the economics: tamper-evidence (hash chaining) is cheap; tamper-proofing is expensive; you pick where to sit on that line and can say why.

Maturity signal. An attacker who fully owns an agent still can't rewrite history undetected; your detection numbers are reproducible from the shipped log by someone who doesn't trust you.

Rung 5 — Assume-breach: detection & response

The gap. V1 is pure prevention — inline block. It has no answer to "something got through; now what?" The whole field's rubric is prevention-shaped; response is the missing half (the one Day-91 forks to Plaintext for).

The build. A quarantine / kill-switch keyed to agent identity, plus behavioral anomaly detection over your traces: baseline an agent's normal tool-call distribution, alert on deviation, contain on confirmation.

What building it teaches. Prevention and response are different mindsets — inline blocking answers "should this call happen," response answers "this agent is behaving wrong, contain it." You discover the cost asymmetry flips: an inline detector's false positive is a warning, but a kill-switch's false positive kills a live workflow — so the thresholds that served the guardrail are wrong here, and you learn to tune for a different failure cost. And you find the audit trail from Rung 4 is your detection substrate. (This rung needs Rung 1: you can't quarantine what you can't name.)

Maturity signal. A compromised agent is contained in seconds by identity, not by pulling the whole fleet; anomaly alerts fire on real deviations with a false-positive rate you measure, not guess.

Rung 6 — Execution isolation

The gap. The rubric governs messages. It says nothing about containing the agent process — so the broker is the only wall between an agent and the internet, and it's one bug from total bypass.

The build. Run each agent in a microVM (Firecracker) or gVisor with a network egress allowlist and a syscall filter. Then assume the broker is bypassed and see what the sandbox still stops.

What building it teaches. Defense-in-depth becomes visceral: you build the second wall, immediately try to climb the first, and learn a single-layer control plane is fragile by construction. You relocate the real trust boundary — it's the process, not the message. And you discover the two layers have different coverage: egress filtering catches exfil your detector missed, and the detector catches intent the network layer can't see. Neither subsumes the other.

Maturity signal. An agent running attacker-chosen code still can't reach an un-allowlisted host or escalate off the box; you can state exactly what each layer catches that the other doesn't.

Rung 7 — Resource governance (denial-of-wallet)

The gap. The rubric frames security as injection/exfil — confidentiality and integrity. It has no slot for availability and cost. But a runaway agent that burns $6,500 in a day (the postmortem in the JIT map) is a security incident, not an ops footnote.

The build. Hard per-identity budget ceilings and rate limits enforced at the broker, with a circuit breaker that trips before the bill does.

What building it teaches. You learn security's third leg — availability — is enforced at the same choke point as the other two, and that the enforcement point you already built is the natural home for economic limits. Most usefully, you learn per-identity budgets are meaningless without Rung 1: this rung is the payoff that proves identity was foundational, not decorative.

Maturity signal. No single agent can exhaust the fleet's budget; a spend anomaly trips a breaker and pages a human before it becomes a bill.


The through-line

Read the rungs together and the shape is not a checklist:

  • Rung 1 is load-bearing for 5, 7, and half of 3–4. Delegation, quarantine-by-identity, and per-identity budgets are all impossible without a real principal. Building them is how you discover that the thin identity leg you almost skipped was holding up the roof.
  • Rungs 3 and 4 are the thesis, continued. Everything else hardens the product; these two extend and protect the one thing that makes it yours — cross-hop taint and a number nobody else publishes.
  • The meta-lesson is the deliverable. After building these, you can walk into a room and say why Entra's delegation model, Cedar's decision logs, or Aembit's credential exchange are shaped the way they are — because you built the naïve version and hit the wall. Very few people in this field can. That, not any single rung, is the credential.

Eval bar (per rung)

A rung is "done well enough to talk about" when:

  • The build runs against your capstone fleet, not a toy mock.
  • You can name the specific wall the naïve version hit and how the mature version answers it.
  • You can point at the shipped product (Entra, Cedar, Aembit, Firecracker, FIDES) it corresponds to and say what yours does and doesn't do versus it — the honest delta, both directions.
  • One measured claim: attenuation latency, policy-test coverage, memory-taint catch rate, log tamper-evidence, quarantine time, sandbox-blocked egress, or budget-breaker trip time.

Publish

Same as the month: each rung is a write-up — the wall, the build, the honest delta versus the shipped thing. A practitioner who can articulate why the vendors are shaped the way they are reads very differently from one who can only list them.