Security · Agent Identity
What credential each agent presents — and how trustworthy it is.
Govern machine identities (NHI): which agents carry long-lived static keys or consumer aliases vs. revocable, org-backed OAuth. Observed from the wire — not issued or verified by qcontrol.
Bottom line
2 high-risk credentials (static keys / consumer aliases) and 2 agents with no org binding. Rotate the static keys and move them to org-backed OAuth first. Observed, not IdP-verified.
Observed, not verified
Credential class, org, and account below are read from provider telemetry — they are not issued, rotated, or IdP-verified by qcontrol. A duck.com address is a vendor-supplied alias, not an authenticated human. Treat these as machine identities (NHI) to govern, not as proof of identity.
2
high-risk credentials
static keys, unbacked
3
static API keys
4 on OAuth
2
no org binding
consumer identities
1
unverified aliases
duck.com vendor proxy
Machine credentials — sorted by credential risk
7 instrumented agentsProjected — identity controls qcontrol does not issue today
Just-in-time credentials
roadmapMint short-lived, scoped tokens per run instead of long-lived static keys — no standing secret to leak or rotate.
SSO / SCIM join
roadmapBind machine identities to your IdP so each agent maps to a real, deprovisionable principal — retire duck.com aliases.
Credential rotation
roadmapDetect long-lived keys, schedule rotation, and revoke on anomaly — closing the standing-credential gap automatically.
Fields: auth_method · cred_risk · cred_why · email · org_id · account_uuid · egress.length — from app/data/c16-fleet.ts (instrumented agents only).