SAN FRANCISCO, March 23, 2026 (GLOBE NEWSWIRE) — Keycard, the supplier of id and entry for AI brokers, and Smallstep, the System Identification Platform™, as we speak introduced a product integration that brings hardware-rooted belief to runtime AI agent governance. As coding brokers transfer into manufacturing and take motion throughout shell instructions, MCP instruments, cloud APIs, and inside providers, organizations want greater than visibility, they want a technique to govern what brokers do in actual time and guarantee these actions originate from trusted, verified environments.
Keycard helps outline a brand new layer of AI safety centered on runtime management. Its platform offers organizations a technique to govern agent conduct because it occurs by imposing coverage on each device name an agent takes. That helps CISOs and safety groups shut one of the vital pressing gaps in agentic AI: visibility and management over what brokers truly do as soon as they start working inside manufacturing methods.
However runtime governance is just as sturdy because the surroundings through which the agent is operating.
That’s the place Smallstep is available in. Smallstep brings confirmed, production-grade id to the combination by cryptographic attestation and short-lived, non-exportable credentials. Constructed on ACME System Attestation (ACME-DA), developed in collaboration with Apple and Google, Smallstep verifies that agent periods start in identified, compliant environments earlier than credentials are issued. Already deployed at scale in main enterprise environments, Smallstep supplies the mature belief basis that permits AI agent governance to increase past coverage and into high-assurance enforcement.
Collectively, Keycard and Smallstep shut the hole between runtime governance and hardware-rooted belief. Keycard governs what the agent can do: which instruments it could possibly invoke, which credentials it could possibly obtain, and the way every motion is scoped, audited, and revoked. Smallstep proves the place that ruled session is operating by binding credentials to verified infrastructure and trusted execution environments. The result’s a unified chain of belief that ties every device name again to a verified surroundings, a human id, an agent, and a job.
More Read
“AI agents need more than access. They need guardrails that hold up while they’re actually doing work,” stated Ian Livingstone, co-founder and CEO of Keycard. “Keycard governs each tool call at runtime, and Smallstep brings attested runtime context. That means every action can be scoped, attributed, and revoked.”
“The next perimeter is not just who the agent is — it’s where the agent is running,” stated Mike Malone, founder and CEO of Smallstep. “Together with Keycard, we give security teams a way to root AI governance in verified infrastructure, so every action is enforceable, attributable, and built on real trust.”
As coding brokers transfer into manufacturing, CISOs are inclined to hit the identical three partitions: they can’t confirm the place brokers are operating, they can’t rotate secrets and techniques quick sufficient, and so they can’t audit what brokers truly did.
More Read
The Keycard and Smallstep integration addresses all three instantly.
Govern brokers at runtime. Keycard governs the agent session and enforces coverage on each device name and credential issuance, together with shell instructions, MCP instruments, API calls, and agent-generated scripts. Credentials are ephemeral, task-scoped, and identity-bound, making agent actions governable in actual time as a substitute of after the very fact.
Begin from a trusted execution surroundings. Smallstep makes use of attestation to make sure an agent solely receives credentials whether it is operating in identified, compliant infrastructure, together with managed units and trusted workload environments. No attestation, no certificates, no entry.
Change static secrets and techniques with short-lived credentials. Smallstep’s “badges not keys” mannequin replaces long-lived X.509 certificates, SSH keys, and embedded secrets and techniques with robotically issued, short-lived credentials. Keycard then scopes entry dynamically at runtime, decreasing the blast radius of compromised credentials and eliminating static secrets and techniques from .env information, MCP configs, and scripts.
Produce a full audit path. Collectively, the 2 platforms make it attainable to attribute each motion to an surroundings, person, agent, and job, giving safety groups the visibility they want throughout MCP workflows, CLIs, APIs, and agent-generated tooling.
This partnership brings collectively Keycard’s runtime governance for autonomous brokers, giving organizations visibility, management, and revocation for the time being an agent acts, with Smallstep’s system id infrastructure. Smallstep is constructed for automated environments, utilizing short-lived certificates and streamlined issuance to make sure actions originate from trusted, compliant units. Collectively, they supply a basis for adopting AI brokers with enforceable controls with a hardware-backed belief mannequin.
More Read
The Keycard and Smallstep integration is now open for early entry sign-up. To study extra, go to the joint Smallstep and Keycard sales space #2045 in Moscone South Corridor at RSAC Convention 2026 in San Francisco, or cease by Keycard’s sales space #2351.
About Keycard
Keycard’s mission is to unlock the facility of AI brokers by giving builders and enterprises the foundations they should construct and undertake trusted agentic purposes at scale. Its id and entry platform supplies real-time, contextual guardrails, enabling the transition from static, human-driven workflows to machine-driven, autonomous, agentic purposes. Keycard is a remote-first firm and backed by Andreessen Horowitz, Boldstart Ventures and Acrew Capital. For extra data, go to: https://www.keycard.ai/.
About Smallstep
Smallstep is the System Identification Platform that hyperlinks belief to verified {hardware} and infrastructure, so entry, actions, and automation originate from identified, compliant environments. Utilizing cryptographic system attestation and short-lived, hardware-backed credentials, Smallstep replaces passwords, SSH keys, and VPN purchasers with automated, certificate-based entry and phishing-resistant MFA. Constructed on ACME System Attestation, developed in collaboration with Apple and Google, Smallstep helps organizations cut back credential theft and lateral motion whereas bringing governance to unmanaged units, trusted workloads, Shadow AI, agentic AI workflows, and MCP servers. With broad integrations throughout id suppliers and system administration methods, Smallstep helps organizations operationalize NIST Zero Belief ideas and help CMMC-aligned necessities throughout enterprise and mission environments.
Media Contacts
