
Key facts.
- AgentDojo measured a frontier agent at about a 48% targeted attack success rate under prompt injection, the kind of compromise that propagates across an unsecured cross-org path. source
- The Cloud Security Alliance publishes agentic identity and access guidance, including verifiable credentials and zero-trust patterns built for agents acting across trust boundaries. source
- Greshake's indirect prompt injection shows an agent obeys instructions hidden in data it reads, so crossing into a partner's data is exactly where an unowned seam turns into a breach. source
Why does a single-owner governance model break at the boundary?
Because each owner governs only their side and the agent's action spans both. Company A grants the agent permissions in A's systems and logs what it does there; company B does the same in B's systems. Neither owns the full path the agent takes across the two, so when the agent does something wrong in the handoff between them, there is no single party who saw the whole sequence, who is accountable for it or who can reconstruct it end to end. The gap between two governance models is not governed by either and a cross-boundary agent lives precisely in that gap. The same is true across departments inside one company when each has its own controls and no one owns the seam between them.
A stronger model does not close the seam. AgentDojo is why: under injected instructions, a frontier agent is compromised about half the time, so an agent crossing into a partner's data carries a real chance of acting on something hostile it read there and without a shared identity, a shared audit trail and an agreed accountability model, the compromise spreads across a path that neither side fully governs. The fix is federated governance: the parties agree in advance on how the agent authenticates across the boundary, what it is permitted to do on each side, where the audit trail lives so both can read it and who is accountable when it fails. The CSA's agentic identity work exists because this cross-boundary problem is real, and Greshake's indirect-injection result is exactly why crossing into a partner's data without a shared audit trail is so dangerous: the agent can be turned by something it read on the other side of the seam.

What does a federated governance model specify?
Four things, agreed by every party. Identity: how the agent authenticates across the boundary, so each side knows it is the agent and what it is allowed to be. Permissions: what the agent may do on each side, enforced by each side, with deny-by-default across the seam. Audit: a trail both parties can read, so the full cross-boundary path is reconstructible by either. Accountability: a named owner for the agent's behavior across the boundary, so a failure in the seam is owned, not orphaned. Without all four, the boundary is a gap and the gap is where the incident happens.
| Dimension | Single-owner gap | Federated model |
|---|---|---|
| Identity | Each side trusts its own | Agreed cross-boundary authentication |
| Permissions | Only governed per side | Deny-by-default across the seam |
| Audit and accountability | No one owns the full path | Shared trail, named cross-boundary owner |
A cross-boundary agent needs federated identity and audit agreed in advance, the minimal case; a stronger model does not help (AgentDojo: roughly 48% hijack). (arXiv:2406.13352)
The Pattern Intelligence Layer is where a federated model is enforced, so an agent crossing organizational boundaries authenticates, stays within permission and is audited end to end at the pattern level rather than falling into the gap between two owners. Identity, permissions and audit are tracked across the seam, which is exactly where single-owner governance leaves a hole. Reliability at the pattern level is what lets an agent cross a boundary without leaving the boundary ungoverned.
Frequently asked questions
Can't each organization just govern its own side?
That governs the two halves but not the seam between them, where the cross-boundary action lives. A wrong handoff is owned by neither side without a federated model.
Why is identity the hard part?
Because each side has to trust the agent is what it claims across the boundary. Agentic identity work, like CSA's verifiable-credential patterns, exists to solve exactly this.
What goes wrong without federation?
An injection or error in the handoff propagates across a path neither party fully sees, so the incident is hard to trace, hard to contain and owned by no one.

