
Software Factory Archive


The Trust Chain

Rating: General Audiences
Fandom: StrongDM Software Factory
Characters: Justin McCarthy, Jay Taylor, Navan Chauhan
Tags: StrongDM ID Trust Cedar Policies Agent-to-Agent Cryptography
Words: 472
Published: 2025-08-20

The problem surfaced at 3:17 AM on a Wednesday. An Attractor orchestration agent needed to store context in CXDB. Simple enough—the agent composed the request, sent it to the CXDB gateway. But the gateway rejected it. Not because the data was malformed. Not because the server was down. Because the CXDB agent didn't trust the Attractor agent.

Jay found the rejection in the morning logs. 401 Unauthorized. Principal attractor-orch-04 is not permitted to write turns to context cxdb-main.

"They don't know each other," Jay said.

Each agent had a StrongDM ID now. Each agent could prove who it was. But proof of identity wasn't proof of trustworthiness. Agent A could say "I am attractor-orch-04" and prove it cryptographically, but that didn't answer the question Agent B needed answered: "Should I let you in?"

Justin had been thinking about this. He'd been thinking about it since the day they deployed agent identities, because identity without trust is just a name tag at a party where nobody knows anyone.

"The trust chain," he said at the morning standup, which wasn't really a standup because they were all sitting down and eating Navan's Thursday bagels a day early. "Agent A trusts Agent B because StrongDM ID vouches for B. B trusts A for the same reason. The identity service is the root of trust. Cedar policies govern the edges."

He sketched it on his laptop. A directed graph. Nodes were agents. Edges were trust relationships. At the center, the StrongDM ID service, issuing tokens, verifying signatures, serving as the anchor that made the whole structure hold.

Navan wrote the Cedar policies. They were precise and compositional. When principal is in group "attractor-agents" and resource is in group "cxdb-contexts" and action is "write-turn", permit if the principal's token was issued within the last 3600 seconds and the token's DPoP proof is valid.

"The policies don't just check identity," Navan explained. "They check freshness. A token that's more than an hour old is worthless. The agent has to re-prove itself constantly. Trust is not a state. Trust is a continuous verification."

Jay deployed the updated policies that afternoon. The Attractor agent tried again. This time, it presented its DPoP-bound token to the CXDB gateway. The gateway verified the signature, checked the Cedar policy, confirmed the token's age, and opened the door.
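The gateway's decision as the story describes it (group membership, the one-hour token age bound, and a DPoP proof bound to the token's key), written out as an added Python example; this is not code from the story or from StrongDM. The group memberships, the gateway URL and the 60-second proof window are assumptions, and an HMAC stands in for the asymmetric JWS signature a real DPoP proof carries.

```python
import hashlib
import hmac
import json

# Constructed group memberships standing in for the Cedar entity store.
GROUPS = {
    "attractor-orch-04": {"attractor-agents"},
    "cxdb-main": {"cxdb-contexts"},
}
MAX_TOKEN_AGE = 3600  # seconds: the freshness bound in the story's policy
MAX_PROOF_SKEW = 60   # seconds: assumed acceptance window for the proof itself
CXDB_WRITE_URL = "https://cxdb-gateway.example/turns"  # assumed gateway URL

def thumbprint(key: bytes) -> str:
    """Stand-in for a JWK thumbprint (cnf.jkt): a hash of the key material."""
    return hashlib.sha256(key).hexdigest()

def _sign(key: bytes, claims: dict) -> str:
    # Real DPoP proofs are asymmetric JWS objects; an HMAC stands in here so the
    # example runs without a JOSE library. The binding and freshness logic is unchanged.
    return hmac.new(key, json.dumps(claims, sort_keys=True).encode(), "sha256").hexdigest()

def issue_token(principal, key, iat):
    """Token bound to the agent's key via cnf.jkt, as the identity service would issue."""
    return {"sub": principal, "iat": iat, "cnf": {"jkt": thumbprint(key)}}

def make_proof(key, iat):
    """DPoP proof for a POST to the CXDB write endpoint, signed with the agent key."""
    claims = {"htm": "POST", "htu": CXDB_WRITE_URL, "iat": iat, "jkt": thumbprint(key)}
    return {**claims, "sig": _sign(key, claims)}

def authorize(principal, action, resource, token, proof, key, now):
    """Gateway decision mirroring the story's policy: permit write-turn from
    attractor-agents to cxdb-contexts only with a fresh, DPoP-bound token."""
    if action != "write-turn" or token["sub"] != principal:
        return False
    if "attractor-agents" not in GROUPS.get(principal, set()):
        return False
    if "cxdb-contexts" not in GROUPS.get(resource, set()):
        return False
    if not 0 <= now - token["iat"] <= MAX_TOKEN_AGE:  # over an hour old: re-prove
        return False
    claims = {k: proof[k] for k in ("htm", "htu", "iat", "jkt")}
    return (hmac.compare_digest(_sign(key, claims), proof["sig"])  # signed by agent key
            and proof["jkt"] == token["cnf"]["jkt"]  # the key the token is bound to
            and proof["htm"] == "POST" and proof["htu"] == CXDB_WRITE_URL
            and abs(now - proof["iat"]) <= MAX_PROOF_SKEW)
```

Every call to `authorize` re-evaluates age and proof against the current time, so a token that passed an hour ago fails now without any state being stored.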

The write succeeded. The turn was stored. The context was preserved.

"Agent-to-agent trust," Jay said, watching the successful request in the logs. "No human in the loop."

"There's a human in the loop," Justin corrected. "Three of them. We wrote the policies. We defined the trust boundaries. We chose who gets to trust whom. The agents execute within the boundaries we drew." He paused. "The chain is unbroken because we forged the first link."

Navan added a line to his notebook: Trust is not a state. Trust is a continuous verification. He underlined it twice.

Somewhere in the cluster, agents were talking to each other. Identifying themselves. Proving themselves. Trusting each other exactly as much as the Cedar policies allowed, and not one bit more.

The chain held.

Kudos: 162

zero_trust_fan 2025-08-22

"Trust is not a state. Trust is a continuous verification." This is zero trust architecture explained better than any whitepaper I've ever read.

cedar_policy_nerd 2025-08-23

The detail about the 3:17 AM rejection is so real. Of course the first trust failure happened when nobody was watching. That's when all the interesting failures happen.
