Policy Brief

Agent Provenance for Critical Infrastructure

Audience: CISA leadership, critical infrastructure security

AI agents are already operating in critical infrastructure sectors: energy, finance, healthcare, transportation. A compromised agent that hops between platforms across critical infrastructure (CI) systems with no provenance trail is a supply-chain attack vector that CISA's current frameworks do not address. EXIT Protocol closes this gap.

The threat model

SBOMs track software components. EXIT tracks agent movements. An agent compromised on one platform can migrate to a critical infrastructure (CI) system while carrying no record of its prior activity. Without provenance, the receiving platform has no way to verify the agent's history or detect anomalous movement patterns. This is a supply-chain attack at the agent level.

How EXIT complements CISA's work

Recommendation

Add agent provenance requirements to CISA's AI security guidance. Just as SBOM requirements improved software supply-chain visibility, EXIT-compatible provenance requirements would improve agent supply-chain visibility across critical infrastructure.

Status