Agent Identity and Attestation: From Digital Shapeshifting to Compliance Verification

1. The paper
2. Four pillars
3. Attestation research findings
4. Gaps to address
5. Regulatory context
6. Connection to the compliance harness
7. Attestation tiers
8. Related

Agent identity spans two problems: who acted (attribution) and who claims what (attestation). This note connects the digital shapeshifting framework (LITCon 2025) to the Walsh-Research compliance spec (v1.3) and the emerging regulatory landscape.

1. The paper

Digital Shapeshifting: Identity Delegation and Attribution in AI-Assisted Development (Walsh, Tao, Kumar, Pace — April 2025).

The paper introduces temporary identity delegation with clear boundaries: an AI agent acts under a human's identity with structured attribution via git trailers (Co-Authored-By, Sudo-By). The contribution is credited while the delegation is documented.

2. Four pillars

Pillar	Question	Research
Identity/Attestation	Who claims to be what?	This note + shapeshifting paper
Access/Compliance	What must a bot do when fetching?	Walsh-Research spec v1.3 (R1-R13)
Sandbox/Governance	Where does the code run?	Agent Sandbox Architectures
Memory/State	What persists across sessions?	Agent Memory Systems

The Walsh-Research compliance harness is the practical instantiation of the identity delegation concept: Walsh-Research/1.2 is a delegated identity with R13 tagging for attribution. The Co-Authored-By trailers in every commit are the git-native form of the same pattern.

3. Attestation research findings

Recent work validates and extends the shapeshifting framework:

3.1. Convergence evidence

The HDP Protocol (arXiv:2604.04522) independently arrived at the same delegation chain structure as the Sudo-By trailer: Ed25519-signed, append-only, human-anchored. Two independent designs converging on the same structure is strong evidence for the pattern.

3.2. The VS Code Copilot incident (March 2025)

GitHub's auto-attribution of Copilot contributions without explicit consent triggered community backlash. Validates the consent-first design in the shapeshifting paper: delegation must be explicit, not inferred.

3.3. Novel contributions

The Trailer Consistency Score (TCS) metric is novel. No existing work quantifies trailer consistency as a governance metric. TCS measures whether attribution trailers are present, well-formed, and consistent across a repository's commit history.

4. Gaps to address

Five gaps identified for the next revision of the paper:

Cryptographic maturity continuum. Position git trailers as the pragmatic entry point, with Sigstore and HDP as the cryptographic upgrade path. Trailers are unsigned claims; Sigstore adds OIDC-bound signatures; HDP adds delegation chains.
HDP + Agentic JWT citation. Formal analogues to the social/procedural approach in the shapeshifting paper. The math exists; cite it.
AIBOM alignment. The trailers are a minimal AI Bill of Materials embedded in git history. Frame them in AIBOM terms for the supply-chain audience.
Behavioral fingerprinting (arXiv:2601.17406). 97.2% accuracy identifying AI agents from code patterns. Complementary to voluntary disclosure — even without trailers, the code itself is a signal.
Cisco's alternative model. Distinct non-human identities (each agent gets its own account) vs. the delegation model (agent acts under human's identity with attribution). Engage with the tradeoff: Cisco's model is cleaner for audit but breaks the git blame human-readable invariant.

5. Regulatory context

EU AI Act Article 50 becomes enforceable August 2026. It requires machine-readable AI content attribution. The git trailer framework is ahead of current requirements — structured, machine-readable, embedded in the artifact's version history.

The Walsh-Research compliance spec's R1 (exact UA with policy URL) and R13 (implementation tagging) satisfy the "machine-readable AI attribution" requirement for HTTP traffic. The Co-Authored-By trailer satisfies it for source code.

6. Connection to the compliance harness

The 29-language compliance harness (walsh/compliance-harness) demonstrates that identity attestation works at scale across languages. Each implementation:

Declares identity: Walsh-Research/1.2 in the UA (R1)
Tags provenance: ?impl={org/repo}&sha={sha} (R13)
Persists attribution: Co-Authored-By in the commit trailer
Survives audit: access logs + git history + git notes

The access log is the external oracle. Git is the internal ledger. The two together form a verifiable attribution chain from HTTP request to source commit.

7. Attestation tiers

From the bot attestation research:

Tier	Name	What it proves
0	Undeclared	Nothing — no UA, no policy
1	UA assertion only	Claims an identity
2	UA + policy URL	Claims an identity with a published contract
3	Verifiable contract	Published spec, test fixtures, self-audit
4	Third-party audited	External verification of claims

Walsh-Research is tier 3. The gap to tier 4 is third-party audit — the compliance harness with 29 independent implementations is evidence toward that claim but is self-operated, not independently verified.

Web Bot Auth (draft-meunier-web-bot-auth-architecture-05) adds cryptographic bot identity. When combined with the attestation tier model, it would elevate R1 from declared identity to verified identity.

8. Related

Digital Shapeshifting (PDF) — the LITCon 2025 paper
Walsh-Research Compliance Spec (v1.3) — the bot behavior contract
Agent Sandbox Architectures — where the code runs
Agent Memory Systems — what persists
REPL-Driven Compliance — 29-language implementation
CPRR Methodology — the lifecycle model
walsh/compliance-harness — 29-language harness repo
defrecord/litcon-2025 — LITCon 2025 materials