The Trust
Boundary Problem.
Every prime contractor, parent bank, and hospital network is now legally accountable for agents acting under their authority — and operationally unable to revoke them at machine speed. The trust boundary is the next frontier of non-human identity governance.
There is a question every CISO at a Tier-1 organization will be asked in the next eighteen months, and almost none of them can answer it today. The question is simple. If a subcontractor's AI agent breaches your environment at 11:43 PM on a Friday, what is the time from notification to revocation? The honest answer, in nearly every case, is hours. Sometimes days. Almost never seconds. The reason is not negligence. The reason is architecture.
Modern enterprise operations no longer end at the boundary of the enterprise. A federal prime contractor extends its operational surface across ten Tier-1 subcontractors, each of which extends to thirty more Tier-2 firms. A Global Systemically Important Bank routes work to two hundred third-party vendors, each operating with credentialed access into the bank's environments. A regional hospital system contracts AI vendors for diagnostic imaging, radiology workflows, and revenue-cycle automation — every one of them a Business Associate under HIPAA, every one of them issuing agents that touch protected health information.
The legal accountability for what those downstream agents do flows upward. The technical authority to govern them does not.
This is the trust boundary problem. It is the gap between what a parent organization is responsible for and what a parent organization can actually control. The gap exists because identity governance was built for a world where the parent's employees and the parent's systems were the entire surface area. That world has not existed for fifteen years, and the governance architecture has not caught up.
Section 01Three Scenarios, One Pattern
The shape of the problem is identical across industries. The names of the regulations change. The architecture of the failure does not.
A prime contractor on a classified Department of Defense contract directs work to ten Tier-1 subcontractors. Each Tier-1 contracts to its own downstream firms. Under CMMC Level 3, the prime is accountable for every credential issued anywhere in the contract's operational scope. When a Tier-2 subcontractor is debarred mid-contract, the prime has no cryptographic mechanism to invalidate the agents that subcontractor previously deployed. The credentials remain live until each downstream firm voluntarily rotates them — a process measured in weeks.
A G-SIB operates with two hundred third-party vendors under OSFI B-13 in Canada and OCC third-party risk guidance in the United States. Each vendor issues service accounts and agent credentials to access bank systems. When one vendor is breached, the bank has paper authority to terminate access — but the technical implementation is a ticket queue, not a cryptographic operation. The mean time to revocation is measured in hours during business days, longer over weekends. Regulators are increasingly asking why.
A regional hospital system contracts twelve AI vendors under HIPAA Business Associate agreements. Each vendor's agents authenticate into the hospital's environments to access protected health information. When a vendor is acquired by a private-equity firm with a different security posture, the hospital must re-evaluate every credential that vendor has issued — and has no automated mechanism to enforce the re-evaluation. The agents continue operating under the prior trust assumption until manually inventoried.
The pattern is not a security failure. It is a governance architecture that was never designed to express trust across organizational boundaries. The IAM platform that governs the parent's employees does not — and cannot — extend its authority into the subcontractor's environment. The PAM platform that vaults the parent's privileged credentials does not vault the subcontractor's. Each downstream entity operates as a sovereign island, and the parent is left with contractual remedies that move at the speed of legal process while the agents move at the speed of API calls.
Legal accountability for downstream agents flows upward. The technical authority to govern them does not. That gap is no longer acceptable to the regulators writing the next generation of compliance frameworks.
— Arkion Research
Section 02Why the Existing Stack Cannot Solve This
Three architectural assumptions baked into the current identity stack make the trust boundary problem structurally unsolvable with existing tools.
The first is single-tenancy.IAM, PAM, and secrets-management platforms were built to govern identities within one organization's perimeter. Multi-tenant architectures exist for SaaS delivery, but not for cross-organizational trust expression. A bank and its vendor are two tenants. There is no construct that lets the bank's tenant exert authority over the vendor's tenant.
The second is the human session. Existing governance assumes that every privileged action is anchored to a human session — a logged-in user with an MFA token and a session timeout. Agents do not have human sessions. They authenticate with long-lived credentials and act continuously. The session-based revocation model collapses entirely when the actor is not a person.
The third is contractual delegation.When a parent organization needs to extend trust to a subcontractor today, the mechanism is a written contract. The contract specifies what the subcontractor may do, who is liable when something goes wrong, and how disputes are resolved. The contract does not, and cannot, revoke a credential. Revocation is an operational act that depends entirely on the subcontractor's willingness and capacity to execute it.
Trust between organizations, in the era of agent-driven operations, must be expressed cryptographically, not contractually. Anything else introduces a delay between policy decision and operational effect — and that delay is the breach surface.
Section 03What the Regulators Are Already Asking
The trust boundary problem is not a future concern. It is an active line of regulatory inquiry, and three frameworks are converging on the same architectural requirement.
CMMC Level 3requires demonstrable revocation authority over credentials issued within the scope of a defense contract — including credentials issued by subcontractors operating under the prime's authority. The 2026 implementation guidance has begun to ask primes for evidence of automated revocation capabilities, not contractual ones.
OSFI B-13, in force across Canadian federally regulated financial institutions, requires risk-tiered third-party access controls with documented mean time to revocation. The expectation is moving from days to hours. The next revision is widely expected to push it toward minutes.
The EU's NIS2 directive, particularly under its supply-chain provisions, holds parent organizations accountable for the security posture of their downstream digital service providers. Member-state regulators have begun citing instances where parent organizations could not technically enforce the security policies they had contractually required of their suppliers.
The trajectory is unambiguous. Regulators are asking for technical authority to match legal accountability. The market does not yet have an answer. That gap is the governance frontier.
Section 04What Comes Next
Arkion is researching this problem actively. We believe the answer requires a hierarchical trust architecture for non-human identity — a model in which a parent organization can issue cryptographically-bound authority to its downstream entities, scope that authority to specific environments and credential types, and revoke the entire downstream tree with a single policy decision. We are not yet ready to publish the architecture. We will be.
What we are ready to say now is this. The single-tenant, session-anchored, contractually-delegated trust model that defines today's identity stack will not survive the next three years of agent-driven operations. The organizations that move first to express trust cryptographically across their boundaries will be the ones whose regulators stop asking awkward questions in audit conversations. The organizations that wait will be answering for delays measured in hours when the regulator has already shifted the bar to minutes.
The trust boundary problem is the next governance question. The architecture to solve it is a category, not a feature. We will have more to say on it soon.
Field Note FN-02-2026 · Distributed under arkion.ai/field-notes
For questions or to discuss this against your environment: research@arkion.ai
- Cybersecurity Maturity Model Certification (CMMC) Program — DoD, 2026 implementation guidance.
- OSFI Guideline B-13 — Technology and Cyber Risk Management, Office of the Superintendent of Financial Institutions Canada.
- OCC Bulletin 2023-17 — Third-Party Risk Management, Office of the Comptroller of the Currency.
- HIPAA Business Associate Provisions — 45 CFR §§ 164.502(e), 164.504(e).
- Directive (EU) 2022/2555 — NIS2, supply-chain provisions.
- Quebec Law 25 — Act respecting the protection of personal information in the private sector.