add agent identity tree layers image

Author: kanywst

articles/assets/agent-identity-three-layers-2026/cover.png

@@ -0,0 +1,46 @@
+direction: down
+
+classes: {
+  human: {style: {fill: "#fef3c7"; stroke: "#b45309"; stroke-width: 2; font-color: "#0a0f25"}}
+  idp: {style: {fill: "#fde68a"; stroke: "#92400e"; stroke-width: 2; font-color: "#0a0f25"}}
+  agent: {style: {fill: "#dbeafe"; stroke: "#2563eb"; stroke-width: 2; font-color: "#0a0f25"}}
+  resource: {style: {fill: "#dcfce7"; stroke: "#16a34a"; stroke-width: 2; font-color: "#0a0f25"}}
+  llm: {style: {fill: "#fce7f3"; stroke: "#be185d"; stroke-width: 2; font-color: "#0a0f25"}}
+  service: {style: {fill: "#e0e7ff"; stroke: "#4338ca"; stroke-width: 2; font-color: "#0a0f25"}}
+  layerbox: {style: {fill: "transparent"; stroke: "#94a3b8"; stroke-width: 2; stroke-dash: 5; font-color: "#0f172a"; font-size: 22; bold: true}}
+}
+
+layerC: "Layer C: Agent (workload) → LLM\nRFC 7523 jwt-bearer + 各社 WIF" {
+  class: layerbox
+
+  agentC: "AI Agent" {class: agent}
+  llm: "LLM Provider\n(Anthropic / OpenAI / Google)" {class: llm}
+
+  agentC -> llm: "k8s SA / SPIFFE / GHA の JWT を\nshort-lived sk-ant-oat01-... に交換" {style.stroke: "#be185d"; style.stroke-width: 3}
+}
+
+layerA: "Layer A: Human → Agent → External Resource\nID-JAG / XAA / OAuth Identity Chaining" {
+  class: layerbox
+
+  human: "Human (Alice)" {class: human; shape: person}
+  idp: "IdP\n(Okta / Entra ID / Google Workspace)" {class: idp}
+  agentA: "AI Agent" {class: agent}
+  resource: "External Resource\n(GitHub / Slack / DB)" {class: resource}
+
+  human -> idp: "1. SSO" {style.stroke: "#b45309"; style.stroke-width: 2}
+  idp -> agentA: "2. identity assertion JWT" {style.stroke: "#b45309"; style.stroke-width: 2}
+  agentA -> resource: "3. RFC 8693 Token Exchange で\nAlice 用 scope-narrow token に交換\n→ API 呼び出し" {style.stroke: "#b45309"; style.stroke-width: 3}
+}
+
+layerB: "Layer B: Agent → Internal Service Chain\nTransaction Tokens for Agents (act + sub)" {
+  class: layerbox
+
+  agentB: "AI Agent" {class: agent}
+  s1: "Order Service" {class: service}
+  s2: "Risk Service" {class: service}
+  s3: "Payment Service" {class: service}
+
+  agentB -> s1: "Txn-Token\n(act=agent, sub=alice)" {style.stroke: "#4338ca"; style.stroke-width: 3}
+  s1 -> s2: "Txn-Token を propagate" {style.stroke: "#4338ca"; style.stroke-width: 2}
+  s2 -> s3: "監査ログに\n「agent が alice の取引を実行」" {style.stroke: "#4338ca"; style.stroke-width: 2}
+}

articles/assets/agent-identity-three-layers-2026/diagrams/01-three-layers.d2

@@ -0,0 +1,33 @@
+direction: down
+
+classes: {
+  stage: {style: {fill: "#f1f5f9"; stroke: "#475569"; stroke-width: 2; font-color: "#0a0f25"}}
+  incident: {style: {fill: "#fee2e2"; stroke: "#b91c1c"; stroke-width: 2; font-color: "#0a0f25"}}
+  reg: {style: {fill: "#fef3c7"; stroke: "#b45309"; stroke-width: 2; font-color: "#0a0f25"}}
+  ok: {style: {fill: "#dcfce7"; stroke: "#16a34a"; stroke-width: 2; font-color: "#0a0f25"}}
+  predicted: {style: {fill: "#f3f4f6"; stroke: "#16a34a"; stroke-width: 2; stroke-dash: 5; font-color: "#0a0f25"; italic: true}}
+}
+
+mfa: "MFA" {
+  s1: "Tech exists\n(2005-2012)" {class: stage}
+  s2: "Big incident\nLinkedIn / Yahoo / Equifax\n(2012-2017)" {class: incident}
+  s3: "Regulation\nNIST 800-63-3 (2017) /\nPCI-DSS v4 MFA 拡大 (2022)" {class: reg}
+  s4: "Adoption\n(2019-2023)" {class: ok}
+  s1 -> s2 -> s3 -> s4
+}
+
+aws: "Short-lived AWS creds" {
+  a1: "Tech exists\nSTS AssumeRole (2011)" {class: stage}
+  a2: "Big incident\nCode Spaces / Uber / Capital One\n(2014-2019)" {class: incident}
+  a3: "Industry mandate\nIRSA (2019) / Pod Identity (2023)" {class: reg}
+  a4: "Adoption\n(2021+)" {class: ok}
+  a1 -> a2 -> a3 -> a4
+}
+
+agent: "Agent Identity (now)" {
+  g1: "Tech exists\nID-JAG / Tx Tokens / WIF\n(2024-2026)" {class: stage}
+  g2: "Big incidents starting\nReplit / EchoLeak / Comet / Moltbook\n(2025-2026)" {class: incident}
+  g3: "Regulation forming\nEU AI Act / NIST AI RMF\n(2026-?)" {class: reg}
+  g4: "Adoption?\n(2028-2030 予想)" {class: predicted}
+  g1 -> g2 -> g3 -> g4
+}