Genuine question first; product disclosure at the bottom. We've been running Claude / GPT agents wired into real workflows (billing, document signing, internal tooling) and ran into a problem that doesn't seem widely-discussed yet: the audit log can't tell us *which* agent session performed a key operation?
The standard setup is:
agent → tool call → AWS KMS / Vault → CloudTrail entry.
The CloudTrail entry says role X did the call. But role X is shared across every agent and every human. There's no agent_id, no session_id, no parent-human pointer. So when you need to answer "did agent_claude-7a3, spawned by alice@org at 14:22, call sign() on this key?" — you can't, from the audit alone. You can sometimes reconstruct it from app logs, but the chain of custody is brittle.
How is your team handling this? Specifically interested in: - Are you propagating agent IDs through to the KMS audit somehow? (Custom claims in JWTs? Headers passed to a sidecar? Tags?) - Have you given up and just instrumented at the framework layer? - Has your security team flagged this as a problem yet, or is it still "we'll address it later"?
Disclosure: I'm building Aegis-KMS, an open-source agent-aware KMS that records agent_id / session_id / parent on every audit row by
Design. v0.1.1 just shipped (lifecycle + crypto ops; agent-aware audit fields populate end-to-end in v0.2.0).
But I'm genuinely curious how others are solving this in the meantime — the problem space is bigger than any one product.