Identity vs execution authority

Non-human identity vs execution authority

Identity proves who an agent is and on whose behalf it acts. Execution authority decides what that agent may execute, denies the unknown by default, and records a signed receipt.

Identity proves who. Execution authority rules on what. The receipt binds both.

The category

Identity proves who is acting.

As agents multiply, each one needs a verifiable identity: a credential to authenticate, a way to delegate on a user's behalf, and rotation so secrets stay short-lived. This is essential work. It answers who is calling and on whose behalf.

Issuance

Mints credentials for agents, services, and workloads.

Authentication

Proves the caller is the principal it claims to be.

Delegation

Passes a scoped credential from one principal to the next.

Rotation

Expires and reissues secrets so credentials stay short-lived.

The difference

A valid identity is not a valid action.

An agent can authenticate cleanly and still propose a side effect that policy should stop. Identity answers who; it does not rule on what. Execution authority owns that decision and the evidence behind it.

Non-human identity

  • Issues credentials to agents and workloads.
  • Authenticates the principal making the call.
  • Carries the delegation chain from user to agent to tool.
  • Rotates and expires secrets.

HELM execution authority

  • Returns ALLOW, DENY, or ESCALATE before the effect runs.
  • Denies anything unknown or unapproved by default.
  • Reads the delegation chain to rule on the action.
  • Signs a receipt and EvidencePack that verify offline.

A delegation chain

Who is acting, and what they may execute.

A founder delegates to an ops agent, which delegates to a deployment tool. Identity proves each link. HELM rules on the action at the end of the chain and binds the chain into the receipt.

Agent proposes

Founder to ops agent to deploy tool: proposes a production deploy

HELM checks policy

Reads the delegation chain, then checks environment and policy

Verdict

ESCALATE

Proof

Delegation-chain receipt + change EvidencePack

Questions

Identity and authority, in plain terms.

What is non-human or agent identity?

It is the discipline of giving agents, services, and workloads verifiable credentials, authenticating them, and managing delegation and rotation. It answers who is acting and on whose behalf.

How is execution authority different from identity?

Identity proves who an agent is. Execution authority decides what that agent may execute, denies anything unknown or unapproved by default, and records a signed receipt. A valid identity can still propose an action that policy should stop.

How do the two work together on a delegation chain?

Identity carries the chain: a user delegates to an agent, which delegates to a tool. HELM reads that chain at the moment of execution, checks the proposed action against policy, and binds the verdict and the delegation chain into the receipt. Identity supplies who; HELM rules on what and keeps the proof.
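The delegation walkthrough above (founder to ops agent to deploy tool, ending in ESCALATE with a signed receipt) and this answer describe the same flow. The following is an added illustration written for this page, not HELM's code or API. It assumes the identity layer has already authenticated every link in the chain; the `Link`, `decide`, `POLICY`, and receipt helpers are hypothetical names, the policy table and the chain are constructed sample data, and the receipt is signed with a constructed HMAC key standing in for whatever signing HELM actually uses. It shows the three checks a deny-by-default execution authority makes (chain attenuation, scope, policy for the environment) and a receipt that verifies offline.

```python
"""Hypothetical execution-authority check over a delegation chain.

Added example, not HELM's code. Assumes the identity layer has already
authenticated each link; this layer only rules on the proposed action.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

ALLOW, DENY, ESCALATE = "ALLOW", "DENY", "ESCALATE"


@dataclass(frozen=True)
class Link:
    """One hop of delegation: `principal` grants `delegate` a set of actions."""
    principal: str
    delegate: str
    scope: frozenset  # actions the delegate may propose on the principal's behalf


def chain_scope(chain):
    """Walk the chain and return the effective scope at its end.

    Each hop must be continuous (delegate of hop N is principal of hop N+1)
    and attenuating (a delegate cannot pass on more than it received).
    Returns None for a malformed chain, which the caller treats as DENY.
    """
    if not chain:
        return None
    effective = chain[0].scope
    for prev, cur in zip(chain, chain[1:]):
        if cur.principal != prev.delegate or not cur.scope <= effective:
            return None
        effective = cur.scope
    return effective


# Constructed policy table: action -> rule. Any action absent here is unknown -> DENY.
POLICY = {
    "deploy": {"require_approval_in": {"production"}},
    "read_logs": {},
}


def decide(chain, action, environment, approved=False):
    """Return (verdict, reason). Unknown or unapproved work is denied by default."""
    scope = chain_scope(chain)
    if scope is None:
        return DENY, "malformed or non-attenuating delegation chain"
    if action not in scope:
        return DENY, f"{action!r} is outside the delegated scope at the end of the chain"
    rule = POLICY.get(action)
    if rule is None:
        return DENY, f"no policy covers {action!r}"
    if environment in rule.get("require_approval_in", ()) and not approved:
        return ESCALATE, f"{action!r} in {environment!r} needs human approval"
    return ALLOW, "within delegated scope and policy"


def _canonical(obj):
    """Deterministic JSON so the signature covers exactly one byte sequence."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(chain, action, environment, verdict, reason, key):
    """Bind chain, action, environment and verdict into an HMAC-signed receipt."""
    body = {
        "chain": [[ln.principal, ln.delegate, sorted(ln.scope)] for ln in chain],
        "action": action, "environment": environment,
        "verdict": verdict, "reason": reason,
    }
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_receipt(receipt, key):
    """Offline check: recompute the MAC over the canonical body and compare."""
    expected = hmac.new(key, _canonical(receipt["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])


# Constructed chain mirroring the page's walkthrough: founder -> ops agent -> deploy tool.
CHAIN = [
    Link("founder", "ops-agent", frozenset({"deploy", "read_logs"})),
    Link("ops-agent", "deploy-tool", frozenset({"deploy"})),
]
KEY = b"constructed-demo-key-not-for-real-use"


def run_example(environment="production", approved=False):
    """Propose a deploy at the end of CHAIN and return (verdict, signed receipt)."""
    verdict, reason = decide(CHAIN, "deploy", environment, approved)
    return verdict, issue_receipt(CHAIN, "deploy", environment, verdict, reason, KEY)


if __name__ == "__main__":
    verdict, receipt = run_example()
    print(verdict, "-", receipt["body"]["reason"])
    print("receipt verifies offline:", verify_receipt(receipt, KEY))
```

The same deploy lands on ALLOW in staging or once an approval is recorded, while anything the chain never delegated or the policy never named is denied without a special case. Tampering with any field of the receipt body, including the chain, fails `verify_receipt`, which is what lets the receipt be checked later without contacting the service that issued it.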

Does HELM replace my identity provider?

No. HELM checks a proposed action against policy before the effect runs and records a receipt. Your identity provider still issues and authenticates credentials. HELM consumes that identity to decide what the principal may execute.

Terms

Plain-language terms

EvidencePack

A small bundle of records used to verify one event or review path.

Use for replayable evidence slices.

ProofGraph

A record chain that helps replay and check what happened.

Use for HELM proof records and replay paths.

ALLOW

HELM lets the action run.

Use as a canonical verdict.

DENY

HELM blocks the action.

Use as a canonical verdict.

ESCALATE

HELM stops and asks for more facts, policy, or human approval.

Use as the canonical non-dispatch path for missing facts, policy hold, or approval.

Prove who is acting. Then prove what they executed.

Bring one delegated action to the boundary and see the verdict and the receipt.