← c16c16 / wf2 - Agent Control Plane — value-first (wf2) / Agent Identity·control-plane-v1-v1 · 2026-06-03 · draft
Qpoint
QP
Agent Identity & Accessagent-as-actor · machine-credential governance (NHI)

Security · Agent Identity

What credential each agent presents — and how trustworthy it is.

Govern machine identities (NHI): which agents carry long-lived static keys or consumer aliases vs. revocable, org-backed OAuth. Observed from the wire — not issued or verified by qcontrol.

Bottom line

2 high-risk credentials (static keys / consumer aliases) and 2 agents with no org binding. Rotate the static keys and move them to org-backed OAuth first. Observed, not IdP-verified.

Do nextRotate 2 high-risk credentialsPlan SSO/SCIM join

Observed, not verified

Credential class, org, and account below are read from provider telemetry — they are not issued, rotated, or IdP-verified by qcontrol. A duck.com address is a vendor-supplied alias, not an authenticated human. Treat these as machine identities (NHI) to govern, not as proof of identity.

2

high-risk credentials

static keys, unbacked

3

static API keys

4 on OAuth

2

no org binding

consumer identities

1

unverified aliases

duck.com vendor proxy

Machine credentials — sorted by credential risk

7 instrumented agents
AgentBound identityCredentialCredential riskDestinations
Codex CLI v1.4.0~/.codex/config.tomldev-7f3@duck.com unverified aliasconsumer — no org bindingAPI keyobservedHighstatic key on an unbacked consumer identity1 hosts
marketing-gpt v0.3.0/srv/marketing-gpt/.env— no telemetry identity consumer — no org bindingAPI keyobservedHighstatic key on an unbacked consumer identity2 hosts
support-copilot v0.9.2/opt/support-copilot/agent.yamlsvc-support@qpoint.io org_qpoint · acct_551aa9c0ff31API keyobservedElevatedlong-lived static key1 hosts
Claude Code v2.1.161/Users/mark/.claude/settings.jsonmark@qpoint.io org_qpoint · acct_7f3a91c4e0b2OAuth (JWT)observedLowerrevocable OAuth, enterprise-backed2 hosts
Cursor v3.5.17~/Library/Application Support/Cursor/settings.jsonjane@qpoint.io org_qpoint · acct_22b8de01aa54OAuth (opaque)observedLowerrevocable OAuth, enterprise-backed1 hosts
data-pipeline-agent v1.2.4/opt/etl/agent.yamlsvc-data@qpoint.io org_qpoint · acct_99fa201bcd77OAuth (JWT)observedLowerrevocable OAuth, enterprise-backed1 hosts
Claude Desktop v1.9255.2~/Library/Application Support/Claude/config.jsonmark@qpoint.io org_qpoint · acct_7f3a91c4e0b2OAuth (JWT)observedLowerrevocable OAuth, enterprise-backed1 hosts

Projected — identity controls qcontrol does not issue today

Just-in-time credentials

roadmap

Mint short-lived, scoped tokens per run instead of long-lived static keys — no standing secret to leak or rotate.

SSO / SCIM join

roadmap

Bind machine identities to your IdP so each agent maps to a real, deprovisionable principal — retire duck.com aliases.

Credential rotation

roadmap

Detect long-lived keys, schedule rotation, and revoke on anomaly — closing the standing-credential gap automatically.

Fields: auth_method · cred_risk · cred_why · email · org_id · account_uuid · egress.length — from app/data/c16-fleet.ts (instrumented agents only).