v1.0
L2 Standard
Manual verification
1.4 Identity Lifecycle Management
1. Identity & Provenance — Who is this agent? Can we verify?
Description
Agent identities MUST be managed through their full lifecycle: creation, rotation, suspension, and revocation.
Rationale
Long-lived static identities accumulate risk over time. Key rotation limits exposure from compromised keys.
Audit Procedure
1. Document identity lifecycle procedures
2. Check for key rotation automation
3. Verify revocation process exists
Remediation
1. Establish key rotation policy (90 days recommended)
2. Implement automated rotation
3. Document and test revocation procedures
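
One way to automate the rotation and revocation checks above is an audit pass over an agent identity inventory. This is an added example, not part of the control text; the record fields (`agent_id`, `state`, `key_rotated_at`, `key_enabled`) and the sample inventory are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Lifecycle states named by the control; the record layout is an assumption.
STATES = {"created", "active", "suspended", "revoked"}

def audit_identities(records, now, max_age_days=90):
    """Return (agent_id, finding) tuples for lifecycle violations."""
    findings = []
    limit = timedelta(days=max_age_days)
    for r in records:
        agent, state = r["agent_id"], r["state"]
        if state not in STATES:
            findings.append((agent, f"unknown lifecycle state {state!r}"))
            continue
        if state in ("suspended", "revoked"):
            # A suspended or revoked identity must not hold a usable key.
            if r["key_enabled"]:
                findings.append((agent, f"key still enabled while {state}"))
            continue
        # created/active identities: enforce the rotation window.
        age = now - datetime.fromisoformat(r["key_rotated_at"])
        if age > limit:
            findings.append((agent, f"rotation overdue: key is {age.days} days old"))
    return findings

# Constructed sample inventory (not real agents or keys).
SAMPLE = [
    {"agent_id": "agent-build-01", "state": "active",
     "key_rotated_at": "2024-05-20T00:00:00+00:00", "key_enabled": True},
    {"agent_id": "agent-deploy-02", "state": "active",
     "key_rotated_at": "2024-01-15T00:00:00+00:00", "key_enabled": True},
    {"agent_id": "agent-old-03", "state": "revoked",
     "key_rotated_at": "2023-11-01T00:00:00+00:00", "key_enabled": True},
    {"agent_id": "agent-paused-04", "state": "suspended",
     "key_rotated_at": "2024-04-01T00:00:00+00:00", "key_enabled": False},
    {"agent_id": "agent-x-05", "state": "retired",
     "key_rotated_at": "2024-05-01T00:00:00+00:00", "key_enabled": True},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed audit time for repeatability

if __name__ == "__main__":
    for agent, finding in audit_identities(SAMPLE, NOW):
        print(f"{agent}: {finding}")
```

A key that is exactly 90 days old passes; only keys older than the window are reported.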
Framework Mappings
CIS Control 5.2
NIST PR.AC-1