Reference identity governance contract

Agent Identity & Access Runtime

How bp Sphere implements enterprise-grade agent identities using Microsoft Entra ID, Zero Trust, least privilege access, and full auditability
Agents are not anonymous AI models. Every bp Sphere agent is treated as a governed digital workforce member with unique identity, assigned responsibilities, explicit permissions, policy boundaries, audit trail, and lifecycle management.
Platform capability proof: every agent identity record binds source lineage, policy authority, evidence pack, decision replay, collaboration handoff, action boundary, observability, value impact, and learning memory before runtime access is trusted.
Provenance: reference identity/access contract, not a live Microsoft Graph or Entra ID attestation. Production readiness requires tenant-bound identity, consent, and access telemetry.
Agents Registered128
Active Agents116
Disabled Agents12
Pending Reviews9
High Risk Agents14
Access Reviews Complete Pct98%
Policy Coverage Pct100%
Audit Traceability Pct100%
Entra Managed Identities Pct100%
Architecture Visual
Microsoft Entra IDHuman, service, enterprise app, and agent workload identities
Agent IdentityUnique principal per certified agent family
Agent Authorization LayerRBAC, ABAC, entitlements, delegation, and policy constraints
bp Sphere Policy RuntimeApproval limits, SoD rules, financial controls, AI governance policies
Governed Enterprise ActionsRead, recommend, simulate, draft, execute only when permitted
Identity Philosophy
Identity TypeRuntime Question
Human IdentityWho are you?
Agent IdentityWhat agent are you, who owns you, what are you allowed to do, and what evidence supports your action?
Zero Trust Agent Security
AuthenticateAuthorizePolicy CheckEvidence CheckExecuteAudit
Agent Identity Model
  • Agent GUID
  • Agent Name
  • Business Owner
  • Technical Owner
  • Purpose
  • Allowed Systems
  • Allowed Actions
  • Risk Classification
  • Policy Boundary
  • Approval Requirements
Agent Lifecycle Management
Lifecycle StageRuntime State
Stage 1 - ProvisionAgent created, identity issued, owner assigned
Stage 2 - CertificationPolicies approved, security reviewed, access granted
Stage 3 - OperationAgent executes, actions logged, evidence captured
Stage 4 - ReviewQuarterly access review, usage validation, risk assessment
Stage 5 - RetirementAccess revoked, identity disabled, history retained
Agent Authorization Model
Authorization LayerQuestion Answered
Layer 1 - Entra AuthenticationWho is the agent?
Layer 2 - Role Based Access ControlWhat role does the agent have?
Layer 3 - Attribute Based Access ControlWhat business context applies?
Layer 4 - Policy RuntimeWhat actions are allowed?
Agent Identity Registry
AgentOwnerIdentityRiskStatus
Spend AgentP2P[email protected]MediumHealthy
Credit AgentTreasury Risk Team[email protected]HighHealthy
Journal AgentR2R[email protected]HighHealthy
Close AgentR2R[email protected]HighHealthy
Agent Access Matrix
ResourceP2P AgentCredit AgentJournal AgentClose Agent
SAP Vendor MasterReadNoNoNo
SAP AP InvoicesReadNoNoNo
Credit ExposureNoReadNoNo
Journal EntriesNoNoReadRead
Post JournalNoNoDraft OnlyNo
Release PaymentNoNoNoNo
Human + Agent Accountability
Human: who approved? Agent: which agent acted, which policy allowed it, which evidence supported it?
Agent Activity Timeline
09:41Credit Agent triggered
09:41Exposure evaluated
09:42Policy check completed
09:42Recommendation generated
09:42Controller approval requested
09:43Approved
09:43Action completed
Agent Failure Scenarios
Failure ScenarioRuntime Response
Agent Credential CompromisedEntra account disabled, all actions blocked, incident created, security notified
Excessive Privileges DetectedAccess revoked and owner review required
Policy ViolationAction blocked and escalation created
Demo Scenario for BP
  • Agent: Credit Agent
  • Identity: [email protected]
  • Role: Treasury Risk Agent
  • Permissions: Read exposure, Read ratings, Read payment history
  • Blocked Permission: Approve credit increase
  • Action: Requests approval from Controller
  • Evidence: Supporting documents and exposure history available
  • Replay: Full execution history available
Production Boundary
The workshop environment demonstrates an Entra-compatible identity contract. Production deployment requires BP tenant app registration, consent, conditional access, SCIM/JIT lifecycle rules, audit sink, and privileged-access controls.
Key BP Message
bp Sphere does not treat agents as AI bots. Agents are enterprise identities governed through Microsoft Entra ID with the same rigor applied to human users, service principals, and critical enterprise applications. Every action is attributable, auditable, policy-bound, and revocable.