VEX Identity
Architecture
“If the identity of an agent is managed purely in software, that identity belongs to whoever controls the operating system.”
The Identity Fragility Problem
Current AI agent deployments rely on software-managed API keys, JWTs, or environment variables for identity. In a compromised host environment, these credentials are trivial to extract via memory dumps or process injection. Once extracted, an attacker can impersonate a legitimate agent indefinitely, bypassing traditional session security.
Silicon-Rooted Identity
The VEX identity architecture is designed around keeping an agent's private key material within a Hardware Security Module (HSM). By targeting TPM 2.0 for hardware-rooted key custody, this approach establishes a binding between the physical hardware and the attested execution environment.
TPM 2.0 PCRs
Platform Configuration Registers provide a cryptographic measurement of the platform state relevant to the attested execution environment.
Remote Attestation
External verifiers can request proof that the agent is running within an attested hardware environment.
Reference implementation: attest-rs
The reference implementation, `attest-rs`, provides a Rust interface for generating and verifying TPM Quotes. When hardware attestation is enabled, these quotes can be embedded into VEX evidence artifacts, binding governed actions to a hardware-verified execution state.
// pseudocode — illustrative // Generating a hardware identity quote let quote = tpm.generate_quote(pcr_selection)?; capsule.identity = IdentityBinding::Hardware(quote);
Toward Hardware-Rooted Governance
This architecture note is part of ongoing work on hardware-rooted identity for governed execution in agentic systems.