Itinerary-Based
Access.
Why securing agents needs to move beyond the Passport.
The Premise
International travel takes four documents, not one.
So does enterprise AI.
Air travel has three degrees of freedom that ground transport does not. You leave one jurisdiction. You enter another. Between the two you carry property whose risk profile only the destination understands. That is why the airport stack is what it is: a passport that says who you are; a visa that says you have been pre-approved; a boarding pass that says where you are going on which plane in which seat; a luggage tag that follows the bag you are not personally carrying.
Each document answers a different question. None of them is sufficient on its own. Confuse the four and the system breaks at the worst possible moment, usually at a gate, in front of a uniformed officer who has heard every excuse.
Enterprise AI agents have those same three degrees of freedom. An agent crosses jurisdictions, from your workforce identity provider into a model vendor, then into a tool vendor, then into the data behind it. It carries payload it did not author and cannot fully verify. It hands work off to sub-agents the way a passenger hands a bag to a conveyor belt. The check at the gate is the same check, only the gate is an API.
The shortcut most enterprises take is to treat the passport as enough. It is not. This piece argues for an itinerary-based view of agent access, where authority is issued per journey, scoped per leg and inspected at every gate. Four documents, one trip.
Field map
An agent’s journey, from intent to interaction.
A single instruction (“update the customer cases in Salesforce with the latest fix”) becomes a route: across language models, MCP servers, tools and the sub-agents commissioned along the way.
Figure 1 · The route a typical enterprise agent takes today. Identity is verified once, at takeoff. Every subsequent leg trusts the last by inheritance.
The Challenges
Securing intent starts with identity.
But identity is only one of six checks. Each one is well understood in isolation. Each one fails when a vendor solves it without the other five.
- 01
Identity.
A passport is a fact. Service keys, OAuth scopes and workload assertions add up to one only if you wire them together.
- 02
Delegation.
When one agent calls another the chain has to carry intent, not impersonate identity. Two audit trails, not one.
- 03
Capability.
Which model, which provider, which servers, which tools. The envelope changes per journey, not per session.
- 04
Attenuation.
A sub-agent inherits a strict subset of its parent’s authority. Narrower scope, shorter lifetime, no path to escalate.
- 05
Inspection.
The bag goes through the scanner before it boards. Prompts, retrieved context and tool outputs all need a read at the boundary.
- 06
Gates.
Departure and arrival are different checks. Issuing scope and accepting it must both be governed. Both must agree.
The
Passport.
Agents are not enterprise employees. The provisioning, authentication and attestation patterns built for the workforce do not translate cleanly to software that acts on a user’s behalf.
01.1 · Three forms, one notion of identity
Whether reasoning in a chat, acting inside an editor or running unattended in production, every agent needs a verifiable passport.
The format changes. The function does not. A passport is a fact about who the bearer is, signed by an authority a stranger can verify, that the bearer carries from check to check.
AI Assistants
Conversational, user-driven. Reasoning at the speed of a chat.
AI Coding Agents
Workspace-native and code-aware. Acting inside the editor.
Agent Runtimes
Infrastructure for autonomous, long-running workflows.
01.2 · The Identification Page
A Root of Trust.
Every passport is a root of trust. The shape changes with the form of the agent. The role does not. Identity is what every other document refers back to when the inspector at the gate asks the question that matters: are you who you say you are?
- 01 · For users
Enterprise Identity
SAML, OIDC and federation. The patterns the workforce already runs on, extended to the agent it commissions.
- 02 · For runtimes
Workload Identity
SPIFFE, mTLS, attested workloads. Service identity issued at the boundary of the cloud, never embedded in a long-lived key.
- 03 · For clients
Client ID Metadata
Dynamic registration and signed metadata. How an AI assistant declares what it is before anyone asks what it can do.
A passport gets you to the counter. It does not get you on the plane.From the field guide · Chapter 01
The
Visa.
Agent to agent, not user to agent. The visa is the scoped, verifiable grant that one sovereign issues to another: I sent this. Here is what I am asking for. Here is how long the grant is good for.
02.1 · The Visa, made concrete
One sovereign agent commissioning another.
A passport identifies the bearer. A visa names a journey, a duration and a destination. The calling agent does not impersonate the called one. It issues a grant the called one accepts on its own identity, then returns. The audit trail forks and rejoins. Two passports show up in the log, exactly the way two diplomatic stamps show up in a real one.
- 01 · Issuer
Who is asking
The calling agent stamps its own identity on the visa, names what it wants and says how long it needs it.
- 02 · Holder
Who is acting
The called agent acts on the issuer’s intent without surrendering its own identity. Two audit trails, not one.
- 03 · Protocol
How they speak
Agent-to-Agent (A2A), OAuth scopes, signed claims. The standards that make delegation legible and verifiable.
Without a visa, the passport is a souvenir. With one, it is a contract between two governments.From the field guide · Chapter 02
The
Boarding
Pass.
Where the agent is going. Which scopes it is permitted to carry. Issued only after the passport has been verified, valid only for this journey.
03.1 · Four questions
The envelope answers four questions, and changes per journey.
A standing role says this user may use Salesforce. A boarding pass says this agent, on this leg, may call updateCase on these three case IDs through Sonnet, via the Salesforce 360 server, before 14:22 today. The first is policy. The second is the action the auditor reads back when the question is what happened on flight WB518950.
LLMs
- ChatGPT
- Claude
- Gemini
Models
- Haiku 4.5
- Sonnet 4.6
- Opus 4.7
MCP Servers
- Salesforce
- GitHub
- Linear
Tools
- updateCase()
- searchCases()
- getCase()
- getIssue()
A standing role gets you to the counter. The boarding pass is what gets stamped at the gate.From the field guide · Chapter 03
The
Luggage
Tag.
The tag carries less than the boarding pass. Narrower scope, shorter lifetime, no path to escalate. A sub-agent inherits a strict subset of its parent’s authority, and the gate enforces the smaller envelope, not the larger one.
04.1 · Specialists, by design
Sub-agents inherit a strict subset.
Summarisers, classifiers, retrievers, planners. Each is handed just enough to do one job, with no path to escalate. The tag is a separate document for a reason: lose it and you have lost a bag, not a passport. Lose the passport and you have lost the trip.
- 01 · Narrower scope
Just enough authority.
Read-only where possible, single-resource where not. Capabilities are clipped down the chain.
- 02 · Shorter lifetime
One task, then expire.
Tokens issued for a single call, a single document, a single decision. Time-to-live measured in seconds.
- 03 · Smaller blast radius
Prompt injection, contained.
When a sub-agent is compromised, what it can do and how long it stays compromised is bounded by design.
The bag is not the passenger. Tag it accordingly.From the field guide · Chapter 04
The Gates
Departure is one check.
Arrival is another.
A real airport runs two stacks. Outbound, where the document is issued. Inbound, where someone you have never met decides whether to honour it. Most enterprise AI today only operates the first.
The Outbound Edge
The agent’s side. The boarding pass is issued. The bag is tagged. The passport is stamped on the way out. Identity, scope and intent are all bound to the journey before the wheels leave the tarmac.
- Authenticate the actor.
- Bind scope to this leg.
- Tag any sub-agents.
- Sign the manifest.
The Inbound Edge
The destination’s side. The MCP server. The frontier API. The internal tool. The luggage scan. Documents are read for what they actually say, not what the issuer hoped they would say. Trust does not transit by handshake.
- Verify the signature.
- Confirm the scope is honoured.
- Inspect the payload.
- Record the entry.
The Composition
Four documents, one journey.
The complete travel set. Each document refers to the next. None is sufficient on its own. Together, they are an itinerary.
The Platform
Where it all comes together.
Itinerary-based access is a discipline before it is a product. The documents are the shape. The gates are where the work is done. The platform that makes the discipline operable does six things at once. It issues the four documents, enforces them at both gates, inspects the payload and stitches the audit back together so a single trip reads as a single story.
Ferentin is the trust fabric for that itinerary. The control plane authors policy in plain language. The service edge runs at the customer boundary and never lets unsigned traffic past the gate. The AI registry knows every server, every tool, every model an organisation has approved. The intent flow records every leg of the journey and attributes it to the actor that asked for it.
The documents are the model. The platform is what writes them, hands them out and reads them back.
Bon voyage.
You need more than a passport for a complete trip. Use the complete system for securing intent.
Book a demoferentin.com/book-a-demo