Agent Name Service (ANS): A Proof-of-Concept Trust Layer for Secure AI Agent Discovery, Identity, and Governance in Kubernetes
Source: arXiv:2604.26997 · Published 2026-04-29 · By Akshay Mittal, Elyson De La Cruz
TL;DR
This paper addresses critical security and operational challenges in autonomous AI agent ecosystems, focusing on secure agent discovery, cryptographic authentication, capability attestation without credential exposure, and enforceable policy governance. It presents a Kubernetes-native proof-of-concept implementation of the Agent Name Service (ANS), a DNS-inspired trust layer designed to unify identity and trust management across multiple emerging agent communication protocols. ANS builds on a prior protocol specification and integrates decentralized identifiers (DIDs), verifiable credentials (VCs), zero-knowledge capability proofs, Open Policy Agent for policy-as-code enforcement, and Kubernetes features such as Custom Resource Definitions (CRDs), admission controllers, and service mesh security. Experimental evaluation conducted on a 3-node Kubernetes cluster with 50 agents shows that ANS achieves low-latency (<10ms for discovery), high throughput (1000+ registrations per minute), reliable deployment automation (100% success rate in scripted tests, reducing setup from days to minutes), and effective defense against agent impersonation and capability escalation attacks. The authors provide an explicit threat model, discuss limitations around protocol dependencies and scalability, and release open-source artifacts for reproducibility.
Key findings
- Agent discovery operations have 12ms mean latency with 41ms 99th percentile in the demo cluster.
- Capability verification averaged 78ms per proof, leveraging zero-knowledge proofs for privacy-preserving attestation.
- Policy evaluation latency is low at an average of 3ms per decision under the Open Policy Agent framework.
- Certificate validation takes approximately 15ms per operation, supporting continuous automatic certificate rotation.
- ANS registry sustained over 1,000 agent registrations per minute and 10,000+ discovery queries per second in controlled tests.
- Deployment time reduced from typical 2-3 days to under 30 minutes due to automated GitOps pipeline and policy-driven validation.
- Demo deployment success rate improved from 65% manually-intervened to 100% in scripted PoC runs with rollback mechanisms.
- Security testing demonstrated ANS prevents unauthorized agent impersonation and capability escalation through combined cryptographic identity and zero-knowledge proofs.
Threat model
Adversaries can attempt unauthorized agent impersonation, misuse or escalate agent capabilities, and launch network attacks such as interception and replay within a Kubernetes multi-agent cluster. Trusted components include the Kubernetes control plane, certificate authorities, and policy engine. Attacks involving malicious cluster admins, hardware compromises, or internet-scale adversaries are out of scope for this proof-of-concept evaluation.
Methodology — deep read
Threat Model & Assumptions: The authors consider adversaries capable of unauthorized agent impersonation, capability misuse or escalation, and network attacks such as interception and replay within a Kubernetes multi-agent environment. They assume trust in the cluster control plane integrity, root certificate authorities, and policy engine correctness. Hardware root-of-trust compromise and malicious cluster administrators are outside the scope.
Data & Environment: Experiments were run on a 3-node Kubernetes cluster with 8-core CPUs, 32GB RAM, and 500GB disk per node. The environment simulated 50 concurrent agents across five namespaces using the supported communication protocols A2A, MCP, and ACP. Monitoring stack components included Prometheus, Grafana, and Jaeger.
Architecture and Algorithms: ANS architecture consists of a centralized ANS Registry managing agent metadata, DID-based decentralized identity with cryptographic certificates, zero-knowledge proofs for capability attestation, and OPA-based policy enforcement. Kubernetes-native integration leverages CRDs for agent metadata, admission controllers for deployment validation, and Istio service mesh for mTLS-based mutual authentication and encrypted communication.
Training/Deployment Regime: Not a machine learning system; deployment automation practices include GitOps pipeline using Sigstore for certificate provisioning, ArgoCD for continuous deployment, and runtime compliance monitoring. Demo scenarios use scripted deployment manifests automated via repository scripts for reproducibility.
Evaluation Protocol: Performance metrics include latency (mean, 95th, 99th percentile) for agent registration, discovery, capability proof verification, policy evaluation, and certificate validation. Throughput tests assess registration and query rates. Deployment efficiency is evaluated by comparing manual vs automated deployment durations and success rates. Security validations test impersonation, capability escalation, and network attack mitigations.
Reproducibility: The authors provide a fully open-source implementation including core libraries, Kubernetes manifests, demo agents, OPA policies, and CNCF monitoring configs. The repository includes scripts to reproduce benchmarks and security testing, enabling independent validation.
Technical innovations
- Integration of decentralized identifiers (DIDs) and verifiable credentials (VCs) with zero-knowledge proofs for private capability attestation in AI agents.
- DNS-inspired hierarchical ANS naming convention enabling self-describing capabilities, versioning, and provider/environment context for AI agents.
- Kubernetes-native design using CRDs, admission controllers, and service mesh integration to enforce zero-trust security with cryptographic identity and policy-as-code governance.
- Multi-protocol adapter layer supporting emerging AI agent communication standards (A2A, MCP, ACP) through a unified trust framework.
- Automated GitOps deployment pipeline incorporating policy validation, certificate provisioning with Sigstore, and runtime compliance monitoring for AI agent ecosystems.
Datasets
- Demo Kubernetes Multi-Agent Setup — 50 agents across 5 namespaces — internal research cluster simulation
Baselines vs proposed
- Traditional manual deployment process: Deployment time ≈ 2-3 days vs. ANS GitOps automated deployment: <30 minutes
- Manual deployment success rate: 65% vs. ANS scripted PoC deployment success rate: 100%
- Agent Discovery operation latency: Traditional hardcoded endpoints unknown, ANS demo: mean 12ms, 99th percentile 41ms
- Capability proof verification: No prior cryptographic attestation in deployments vs. ANS zero-knowledge proof verification mean 78ms
Limitations
- ANS currently relies on adoption of emerging communication protocols (A2A, MCP, ACP), which are evolving and fragmented.
- Cryptographic operations (zero-knowledge proofs, certificate validation) introduce measurable latency overhead compared to non-secure methods.
- Centralized ANS registry could become a bottleneck in very large scale deployments; federation features are future work.
- Policy complexity may impact performance as the number of agents and policies grows.
- Security evaluation is limited to proof-of-concept scripted demos; internet-scale adversarial stress testing and hardware root-of-trust attacks are out of scope.
Open questions / follow-ons
- How to effectively federate ANS registries across multi-cluster and multi-cloud environments with unified identity and trust anchors?
- Can AI/ML be leveraged to create adaptive, evolving security policies for agent capability verification and anomaly detection?
- What performance and security trade-offs arise when deploying ANS in resource-constrained edge or offline environments?
- How to optimize cryptographic operations and zero-knowledge proofs to minimize latency overhead for large-scale real-time agent ecosystems?
Why it matters for bot defense
The paper’s proposed Agent Name Service (ANS) framework introduces a principled, cryptographically grounded approach to secure autonomous AI agent discovery and identity verification in Kubernetes environments. For bot-defense and CAPTCHA engineers, these mechanisms demonstrate how a unified trust layer can mitigate risks of impersonation and unauthorized capability escalation among automated agents. Integrating zero-knowledge proof based capability attestations combined with policy-as-code enforcement offers a model of fine-grained, privacy-preserving verification beyond traditional authentication. The Kubernetes-native design with service mesh integration shows practical pathways to operationalize such security models at scale.
While the focus here is on internal AI agent ecosystems rather than public web bot defenses, analogous trust and identity principles could inform CAPTCHA system designs requiring secure automated client identity verification, capability proofs without leaking secrets, and scalable policy-driven governance. The evaluation details around latency and throughput demonstrate the feasibility of such strong cryptographic assurances within tight performance requirements—critical for CAPTCHA deployments needing low user friction. However, the ANS PoC limitations around protocol adoption and large-scale federation suggest practical deployment challenges remain. Overall, this research provides deep insights into securing cooperating autonomous agents that bot-defense engineers can consider when architecting new-generation verification and trust mechanisms.
Cite
@article{arxiv2604_26997,
title={ Agent Name Service (ANS): A Proof-of-Concept Trust Layer for Secure AI Agent Discovery, Identity, and Governance in Kubernetes },
author={ Akshay Mittal and Elyson De La Cruz },
journal={arXiv preprint arXiv:2604.26997},
year={ 2026 },
url={https://arxiv.org/abs/2604.26997}
}