The Revocation Horizon
Measuring what was once asserted - and what a May 20 arXiv preprint by Saurabh Deochake makes testable for the first time
The security posture of every major OAuth-connected agentic deployment rests on a policy assertion that most operators have never instrumented: we can revoke access if something goes wrong. The Vercel breach, disclosed in April 2026, is the public record of what that assertion costs when it is held but unmeasured.
The timeline: in February 2026, a Context.ai employee downloaded a Roblox game exploit. The file was laced with Lumma Stealer, a commodity infostealer. Google Workspace credentials and OAuth tokens were exfiltrated from a machine that had access to Context.ai's agent infrastructure - the infrastructure that held tokens on behalf of users who had granted Context.ai's AI Office Suite access to their enterprise environments. One of those users was a Vercel employee who had clicked through the Context.ai onboarding consent screen and approved "Allow All" permissions. Two months passed. In April 2026, Vercel disclosed that an attacker had used those captured tokens to enter Vercel's Google Workspace as that employee - gaining access to internal environment variables, a subset of customer credentials, and the source code that ShinyHunters listed on Telegram for $2M.
Two months. That is the observable revocation gap - the distance between the moment the credential was compromised and the moment it ceased to operate. During those two months, no heartbeat stopped. No expiry fired. No principal audited the scope. The OAuth token was valid, and so the agent was present. CyberScoop reported Vercel CEO Guillermo Rauch describing the attack as "highly sophisticated." The Forrester analyst on the same thread described the structural mechanism plainly: AI tools require permissions "as valuable as possible." The policy said the company could revoke. The credential had no mechanism to expire.
This is not framed here as a failure peculiar to Vercel or to Context.ai. The prior arc pieces established this as the product-category expression of the autonomy-threshold problem. When an agent is granted maximum scope at onboarding, with no per-action review, no expiry, and no principle of least privilege, the human-in-the-loop is the moment the approval box was checked. Everything that follows is the agent acting on the authority of that single gesture.
The Construction
A May 20, 2026 arXiv preprint by Saurabh Deochake introduces a cryptographic construction called Heartbeat-Bound Hierarchical Credentials (HBHC). The paper's contribution is not primarily a new deployment model. It is a formalization of what had previously been a policy category - revocation - as a mathematically bounded quantity.
The construction works as follows: an agent's credential validity is bound to periodic liveness proofs issued by its parent principal. Verifiers enforce freshness using only a cached public key and a local clock; no network round-trip to a central authority is required. When the parent stops issuing heartbeats - because it has been shut down, revoked, or has lost its own upstream authorization - every descendant credential becomes unusable within a window expressed by the formula \(W_z \le W_{\max} + \Delta_h + \varepsilon\), where \(W_{\max}\) is the maximum credential validity window, \(\Delta_h\) is the heartbeat interval, and \(\varepsilon\) accounts for bounded clock skew.
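The freshness check and the window it produces can be simulated directly. The Python sketch below is an added example, not code from the preprint or from this piece. The freshness rule (heartbeat age at most \(W_{\max}\) on the verifier's clock), the heartbeat schedule, the sample parameters and all names are assumptions, and signature verification against the cached public key is assumed to have passed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Heartbeat:
    issuer: str     # parent principal that signed this liveness proof
    issued_at: int  # issue time on the parent's clock, in seconds

def revocation_horizon(w_max: int, delta_h: int, epsilon: int) -> int:
    """Upper bound from the text: W_max + Delta_h + epsilon (seconds)."""
    return w_max + delta_h + epsilon

def is_fresh(hb: Optional[Heartbeat], verifier_now: int, w_max: int) -> bool:
    """Offline check using only the cached heartbeat and the local clock.

    Assumed rule for this sketch: heartbeat age on the verifier's clock must
    not exceed w_max. Signature verification is assumed to have succeeded
    already and is not modelled here.
    """
    return hb is not None and verifier_now - hb.issued_at <= w_max

def zombie_window(t_stop: int, w_max: int, delta_h: int, skew: int) -> int:
    """Seconds after the parent stops during which the credential is still
    accepted by a verifier whose clock runs `skew` seconds behind true time."""
    # Constructed schedule: heartbeats at 0, delta_h, 2*delta_h, ... <= t_stop.
    last = Heartbeat("parent", (t_stop // delta_h) * delta_h)
    t = t_stop
    while is_fresh(last, t - skew, w_max):
        t += 1
    return max(0, t - 1 - t_stop)

def worst_case(w_max: int, delta_h: int, epsilon: int) -> int:
    """Largest window over every stop offset and skew in {-eps, 0, +eps}."""
    return max(
        zombie_window(t_stop, w_max, delta_h, skew)
        for t_stop in range(3 * delta_h)
        for skew in (-epsilon, 0, epsilon)
    )

if __name__ == "__main__":
    w_max, delta_h, eps = 300, 60, 5  # constructed sample parameters
    print("measured worst case:", worst_case(w_max, delta_h, eps), "s")
    print("stated horizon:     ", revocation_horizon(w_max, delta_h, eps), "s")
```

Under this simplified rule the measured worst case is \(W_{\max} + \varepsilon\), which sits inside the stated bound; the point is that the number falls out of configuration, not out of an incident timeline.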
The experimental results the paper reports: a 90-fold reduction in the zombie-credential window compared to OAuth 2.0; 0.26 ms full authentication in Rust; 18,000-plus verifications per second under concurrent HTTP load; stable per-verification latency from 10 to 10,000 agents; and cascading revocation across a 49-agent four-level hierarchy within the theoretical bound. The real-agent experiments used GPT-4o-mini-backed swarms and found 0.71% end-to-end overhead on tool calls, with zero post-revocation tool calls - including under prompt injection that bypassed application-layer guardrails.
Verik takes no position on the HBHC construction as a deployment recommendation, and this piece is not a review of whether the protocol is correct, complete, or production-ready. What the construction does - at the level of the policy discourse - is convert a categorical assertion into a measurable quantity. The revocation horizon is no longer "we can revoke if compromised." It is \(W_{\max} + \Delta_h + \varepsilon\). That is a number. It can be computed in advance. It can be reported in a vendor security questionnaire. It can be compared against the observed gap in an incident timeline.
The Vercel timeline - two months - is the comparison case.
Security Is Not in the Model
A parallel May 18, 2026 preprint, Agent Security is a Systems Problem, by Christodorescu, Fernandes, Jha, Rehberger, Chaudhuri, and colleagues, opens with a position statement that reframes the field's prevailing assumption: the AI model powering an agent must be treated as an untrusted component, and security invariants must be enforced at the system level. Their analysis of eleven representative real-world attacks on agents argues that efforts to increase model robustness - the dominant approach - are insufficient on their own.
That framing matters here because it relocates the identity and revocation question. The debate since the Vercel incident has largely been conducted at the model layer: Was the agent prompt-injected? Could the model have refused the malicious instruction? The systems-security reading is that this framing is the wrong one. The model is an untrusted component. Whether it "would have" refused is beside the point if the credential was valid regardless of what the model did. In the Vercel case, the model had nothing to refuse. An attacker held a valid OAuth token and used it the way the product was designed to be used.
The HBHC construction is downstream of this same logic. It is not a model-layer defense. It is a system-layer property: credential validity as a function of parent liveness, enforced by local cryptographic verification, independent of whether the model at the other end is aligned, compromised, or running at all. The credential expires when the chain above it goes silent, regardless of what the agent does or says.
The prior arc pieces established the policy framing. This is where the structural frame closes in from the other direction: not "we need better agents" or "we need better models," but "the identity and revocation properties of the surrounding system are the load-bearing structures, and they have been left unspecified."
What NIST Is Still Working On
NIST's AI Agent Standards Initiative through CAISI, announced February 17, 2026, names agent identity and non-repudiation among its explicit focus areas. The initiative is in draft. The CISA agentic AI guidance released in the same period identifies privilege escalation and unauthorized scope as active threat categories. Both documents exist in a regulatory space that describes the problem at the categorical level - agents should have bounded authority, revocable credentials, auditable identity - without specifying the measurement frame that would allow a deployer, an auditor, or a regulator to answer the question: what is this deployment's revocation horizon?
The HBHC preprint is notable in this context not because it proposes the solution NIST is working toward, but because it demonstrates that the horizon is a quantity that can be expressed formally and evaluated empirically. The gap between a policy assertion and a bounded measurement is not philosophical; it is the same gap the Vercel timeline makes visible.
The Harvard and MIT OpenClaw research catalogued the failure modes - unauthorized compliance with non-owners, cross-agent propagation of unsafe practices. The Cornell "illusion of control" framing from the same March 2026 cycle named the posture itself - oversight asserted at the policy level, not instrumented at the identity level. The HBHC construction turns "illusion of control" into a specification: control holds if and only if the credential expires within a bounded window once attestation stops. That is a condition that can be true or false.
The Arc So Far
The Agent Identity arc has traced a single thread from the policy framing through the incident record. Piece 1 established the autonomy threshold: agents are being granted financial and operational authority not as a technical inevitability but as a product decision, and the fiduciary question of who is responsible when that authority is misused has not been answered. Pieces 2A, 2B, and 2C established the empirical receipt: Vercel and Context.ai provided the first high-visibility public case study of what the absence of bounded revocation costs - measured not in abstract exposure but in two months of zombie-credential presence and a $2M data set on Telegram.
This extension adds the structural turn: the revocation horizon - previously a policy assertion - is now a quantity with a formula. The question the arc has been building toward is whether the governance discourse can absorb that shift. NIST is drafting standards. CISA has named the categories. The EU AI Act Article 12 logging requirements speak to traceability after the fact. None of the current instruments specify what the maximum acceptable revocation horizon is, how deployers should measure it, or what an operator must demonstrate when a credential outlasts its authorization by two months.
What Remains on the Table
- When a deployer asserts that its agentic deployment is revocable, what is the maximum revocation horizon that assertion permits - and is that number required to appear anywhere in a vendor security disclosure, an audit, or a regulatory filing?
- The HBHC construction is conditional on parent keys held in secure enclaves and bounded clock skew. Under what threat model do those conditions fail, and does the regulatory frame need to account for the degraded case?
- Eleven real-world attacks analyzed in the systems-security framing paper were preventable under system-layer enforcement. How many of the current NIST CAISI draft controls are model-layer recommendations, and how many specify system-layer properties?
- The Vercel breach timeline is two months. If the HBHC construction reduces the zombie window 90-fold compared to OAuth 2.0, the bounded window drops to roughly hours at typical OAuth token lifetimes. What is the acceptable window - and who sets it?
The policy assertion has been "we can revoke." The construction says the revocation horizon is \(W_{\max} + \Delta_h + \varepsilon\). The incident record says the unbound case measured two months. The standards body is still in draft.
In what sense is a human in the loop when the loop has no specified upper bound on how long a compromised credential remains valid?