AI Agents

Your ecosystem foundations already govern AI agents. No rebuild needed.

The same standards and control plane governing 100 billion+ banking API calls per year now govern your AI agents. MCP uses OAuth 2.1. Agents use OpenID Federation. Your existing investment carries forward. Raidiam Connect provides the discovery, control, and governance layer — additive, not replacement.

Expansion Proof: AI Agents

Your ecosystem foundations already govern AI agents. No new infrastructure needed.

This is not a new product. This is proof that the ecosystem control plane you built for APIs extends naturally to AI agents. MCP uses OAuth 2.1. Agents use OpenID Federation. Your existing investment carries forward. Additive, not replacement.

AI Agent: Requests tool access via MCP
    authorises via
Model Context Protocol (MCP): Delegates authorisation to OAuth 2.1
    adds identity via
OAuth 2.1: Base authorisation framework
    authenticates via
OpenID Connect: Identity and authentication layer
    resolves trust via
OpenID Federation: Decentralised trust establishment
    anchored by
Trust Anchor — Your Control Plane: Raidiam Connect

This is what building once looks like. The standards and infrastructure you invested in for open banking now govern AI agents — without rebuilding a single thing.

Additive, not replacement

Your existing OAuth 2.1 and FAPI investment isn’t going anywhere. AI agents, wallets, and credentials layer on top of the same standards stack. No rip-and-replace. No new security framework.

Same control plane, same policies

For regulators: the control plane you operate today governs AI agents tomorrow. For enterprises: onboard agents and wallets into the same trust fabric as your APIs. One federation. One policy model.

Battle-tested at planetary scale

These standards run 100 billion+ API calls per year across 159 banks in Brazil alone. Zero security incidents. Now they power AI agent governance.

What this means

Without an ecosystem control plane

  • Each AI agent needs bespoke authorisation
  • No visibility into what agents can access
  • No standard way to revoke agent access
  • Trust is configured per-agent, per-service

With the ecosystem control plane

  • Agents register once in the trust fabric
  • Full visibility and lifecycle management
  • Instant revocation across all services
  • Trust inherited from the federation

Expansion Proof: Agent Lifecycle

From CI/CD to governed production in minutes

The same ecosystem control plane that onboards API consumers now onboards AI agents — with identity, credentials, roles, and governance in seconds, not weeks. Same registration pattern. Same trust model. No new infrastructure required.

agent-lifecycle.pipeline — live simulation

1. CI/CD Spawns Agent (AWS ECS / Lambda)
   > deploy agent-payments-v3 --region us-east-1
2. Seed Credential Issued (AWS KMS / HSM)
   agent-payments-v3.seed.pem
3. Register in Federation (Raidiam Connect API)
   federation.register(agent-payments-v3)
4. Identity & Roles Assigned (OpenID Federation)
   roles: ["payments-reader", "accounts-query"]
5. Certificates Issued (mTLS + JWS)
   transport.pem + signing.pem → certificate-bound tokens
6. Agent Goes Live (OAuth 2.1 + MCP)
   Payments API ✓ | Accounts API ✓ | Customer Data ✗ (not in role)

Complete visibility and control over every agent

Real-time registry. Certificate lifecycle. Policy enforcement. Every agent — visible, auditable, revocable.

Raidiam Connect — Agent Registry

Active Agents: 847
Regions: 4 (us-east-1, eu-west-1, ap-se-1, eu-central-1)
Avg Lifetime: 4.2h
Revocations Today: 3

Agent ID          | Region       | Role            | Status  | Last Activity | Certificates
agent-payments-v3 | us-east-1    | payments-reader | Active  | 2m ago        | Valid (23d)
agent-accounts-v2 | eu-west-1    | accounts-query  | Active  | 5m ago        | Valid (45d)
agent-fraud-v1    | us-east-1    | fraud-analysis  | Review  | 1h ago        | Expiring (3d)
agent-onboard-v4  | ap-se-1      | onboarding-bot  | Active  | 30s ago       | Valid (60d)
agent-test-v1     | eu-central-1 | test-runner     | Stopped | 2d ago        | Revoked
agent-customer-v2 | us-east-1    | customer-data   | Denied  |               | Rejected

Authorisation Request Rejected by OP

agent-customer-v2 authorisation request rejected by OP: the agent's federation entity statement does not include 'customer-data-write' in its authorised scopes. The OP queried Raidiam Connect and resolved the agent's permissions in real-time.

Same trust pattern, new entity type

An AI agent follows the exact same lifecycle as any API consumer in your ecosystem. The trust patterns are identical — the speed and dynamism are not. Your existing investment carries forward.

Traditional Relying Party (Fintech App)

  • Registers with the federation
  • Gets certificates and identity
  • Assigned roles and permissions
  • Discovers APIs via the trust plane
  • Accesses resources with OAuth tokens
  • Audited, revocable, governed
= Same pattern

AI Agent (MCP Client)

  • Registers with the federation
  • Gets certificates and identity
  • Assigned roles and permissions
  • Discovers APIs via the trust plane
  • Accesses resources with OAuth 2.1 tokens
  • Audited, revocable, governed

The only difference is speed and scale. CI/CD can spawn thousands of agents. Each one needs identity, credentials, roles, and governance in seconds, not weeks. The ecosystem control plane handles this because it was built for exactly this kind of scale — 100 billion+ API calls per year across 159 banks. No rebuild required.

What keeps a CISO up at night

Five failure modes in enterprise AI. One answer.

Shadow agents

Developers deploy AI agents with hardcoded API keys. Nobody knows they exist. Nobody can revoke them.

Raidiam Connect

Every agent must register with the federation. No registration = no certificates = no tokens = no access.

Uncontrolled scope

An agent built for payments analysis quietly starts accessing customer PII because there’s no policy boundary.

Raidiam Connect

Authorised scopes are declared in the agent’s federation entity statement and published by Raidiam Connect. The OP or resource server queries this in real-time at token issuance or API access — the agent can only get tokens for what it’s authorised for in the federation.

Audit blind spots

When something goes wrong, nobody can trace which agent did what, when, or with whose authority.

Raidiam Connect

Full audit trail from deployment to revocation. Certificate-bound tokens mean every API call is traceable to a specific agent identity.

Revocation lag

A compromised agent continues operating for hours because there’s no central revocation mechanism.

Raidiam Connect

Instant revocation via the federation controller. Shared signals notify every resource provider immediately. Access stops in seconds.

Cross-cloud sprawl

Agents in AWS can’t be governed by Azure AD. Agents in Google Cloud have different credentials. No unified view.

Raidiam Connect

One trust plane across every cloud. Every agent, regardless of where it runs, registers with the same federation controller.

This is what building once looks like. The ecosystem control plane you invested in for open banking now governs AI agents — without rebuilding a single thing.

Every agent gets identity, credentials, roles, and governance in seconds. Every agent is visible, auditable, and revocable. Same control plane. Same standards. Additive, not replacement.

Trust Marks

Beyond permissions. Dynamic trust signals for every entity.

OAuth metadata tells you what an entity can do. Trust marks tell you what an entity IS — its compliance status, risk score, capability attestations, and real-time trust signals from external authorities. Raidiam Connect models them all.

AI Agent

payments-v3

Federation Authority

Ecosystem Participant ✓

Attests that the agent is a registered, accredited member of the federation

Conformance Authority

FAPI 2.0 Certified ✓

Attests that the agent's implementation passes conformance testing

Risk Scoring Service

Risk Score: 0.12 (Low)

A third-party oracle provides a real-time risk assessment that OPs can factor into authorisation decisions

Compliance Attestor

PCI DSS Compliant ✓

An external authority attests regulatory compliance status

Capability Authority

Payments: Initiate + Read

Declares what the agent is technically capable of, verified by the authority

How OPs and resource servers use trust marks

Trust marks are resolved at runtime. Every authorisation decision can be informed by real-time signals from external authorities.

01. Agent requests access

An AI agent presents its identity to an OP and requests authorisation to access a payments API.

02. OP resolves trust marks from the federation

The OP queries Raidiam Connect for the agent’s entity statement AND all attached trust marks — not just OAuth metadata, but risk scores, compliance attestations, capability declarations, and conformance status.

03. OP makes a rich authorisation decision

The OP can now decide based on: Is this agent a registered participant? Is it conformant? What’s its risk score? Is it compliant? What are its declared capabilities? This is richer than just ‘does it have the right scopes.’

For agentic AI, coarse-grained OAuth scopes aren’t enough.

An OP needs to know not just WHAT an agent can do, but WHO attests to its trustworthiness, WHAT its current risk profile is, and WHETHER it’s still compliant. Trust marks make this possible — and Raidiam Connect can model, publish, and distribute them all.
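
The three-step decision above, sketched as an OP-side policy check. This is an added example, not Raidiam Connect code: the trust mark type URLs, the trust_mark_type and risk_score claim names, and the 0.5 threshold are assumptions, and the marks are taken to be already decoded and signature-verified.

```python
import time

# Hypothetical trust mark types mapped to the issuers the trust anchor
# accredits for each (the role trust_mark_issuers plays in its metadata).
ACCREDITED = {
    "https://ta.example/marks/participant": {"https://ta.example"},
    "https://ta.example/marks/fapi2": {"https://conformance.example"},
    "https://ta.example/marks/risk": {"https://risk.example"},
}
RISK_MARK = "https://ta.example/marks/risk"
MAX_RISK = 0.5  # hypothetical OP policy threshold


def mark_problem(mark, agent_id, now):
    """Return why a decoded, signature-verified trust mark is unusable, or None."""
    if mark.get("sub") != agent_id:
        return "issued for a different entity"
    if mark.get("iss") not in ACCREDITED[mark["trust_mark_type"]]:
        return "issuer not accredited for this mark type"
    if mark.get("exp", 0) <= now:
        return "expired"
    too_risky = mark.get("risk_score", 1.0) > MAX_RISK  # no score: fail closed
    if mark["trust_mark_type"] == RISK_MARK and too_risky:
        return "risk score above threshold"
    return None


def authorise(agent_id, marks, now=None):
    """Allow only if every required mark is present and usable: (ok, reasons)."""
    now = time.time() if now is None else now
    known = [m for m in marks if m.get("trust_mark_type") in ACCREDITED]
    reasons = []
    for mark in known:
        problem = mark_problem(mark, agent_id, now)
        if problem:
            reasons.append(f"{mark['trust_mark_type']}: {problem}")
    presented = {m["trust_mark_type"] for m in known}
    reasons += [f"{t}: not presented" for t in sorted(ACCREDITED.keys() - presented)]
    return (not reasons, reasons)


def sample_marks(agent_id, now, risk=0.12):
    """Constructed trust marks for the page's payments-v3 agent."""
    marks = []
    for mark_type, issuers in ACCREDITED.items():
        mark = {"trust_mark_type": mark_type, "iss": min(issuers),
                "sub": agent_id, "exp": now + 3600}
        if mark_type == RISK_MARK:
            mark["risk_score"] = risk
        marks.append(mark)
    return marks
```

A mark that is expired, issued by a non-accredited authority, or missing denies the request even when the requested scopes would otherwise be granted.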

This isn’t just for agents

Trust marks work for every entity type in the federation — wallets, credential issuers, verifiers, APIs, OPs. Any authority can publish a trust mark about any entity. Raidiam Connect is the distribution layer.

Wallet trust mark

A mobile wallet provider attested as compliant with eIDAS 2.0 by a notified body

API trust mark

A banking API attested as PSD2 compliant by the national competent authority

Issuer trust mark

A credential issuer attested as authorised to issue government identity credentials

Discovery — Build Once, Connect Instantly

New participants and services discover each other automatically

In the ecosystem control plane, every organisation publishes its services, APIs, and credentials. New participants discover each other programmatically — no manual configuration, no bilateral exchange. The more participants you add, the more discoverable the ecosystem becomes.

Discovery eliminates the single most expensive step in partner integration: the bilateral exchange of endpoints, keys, and metadata. Without it, every new partner is weeks of manual configuration. With it, participants discover each other programmatically in seconds.

[Diagram: Your Federation Controller (Trust Anchor · Metadata · Discovery). Meridian Bank (Data Provider): Retail OP, Business OP, Payments OP; APIs: Accounts, Transactions, Balances, Payments, Standing Orders, Direct Debits, Beneficiaries, Products. Nova Fintech (Data Receiver): Nova Auth, Nova Connect App, Nova Business App.]

Key Insight

No bilateral setup. No client registration. The federation controller is the single source of truth. Applications and authorisation servers both query it. The OP pulls verified client information directly — no push-based registration needed. This works whether there are 2 organisations or 2,000.

Federation Discovery API

Applications query the controller for registered authorisation servers and API resource types. One query returns the entire ecosystem.

OP-Initiated Client Pull

When an authorisation server encounters a new client, it pulls the verified software statement and metadata directly from the federation controller.

OpenID Federation Trust Chains

Trust is established by resolving entity statements back to the trust anchor. Cryptographically verified. No pre-shared secrets.

Powered by Raidiam Connect

Technical Deep-Dive

How MCP meets OpenID Federation

A step-by-step look at how an AI agent establishes trust and gains authorised access to enterprise resources through the federation control plane.

1. AI Agent requests tool access (MCP Protocol)

Agent identifies an MCP server that provides access to a banking API. The agent needs authorised access.

2. MCP server requires OAuth 2.1 token (OAuth 2.1 + FAPI 2.0 Security Profile)

The MCP server is protected by OAuth 2.1. The agent must obtain an access token from the authorisation server.

3. Agent authenticates via OpenID Connect (OpenID Connect + Dynamic Client Registration)

The agent presents its client credentials. The authorisation server verifies the agent’s identity and software statement.

4. Trust chain resolved via OpenID Federation (OpenID Federation Trust Chain Resolution)

The authorisation server resolves the agent’s trust chain back to the federation trust anchor. Entity statements are verified at each level. Metadata policies are applied.

5. Federation validates agent status (Raidiam Connect — Ecosystem Control Plane)

The trust anchor confirms: the agent is a registered participant, its conformance status is current, its certificates are valid, and its claimed roles are authorised.

6. Access token issued — agent connected (mTLS + Certificate-Bound Access Tokens, RFC 8705)

The authorisation server issues a certificate-bound access token. The agent can now access the banking API through MCP. Full audit trail. Full lifecycle management.

This entire flow happens in milliseconds. The agent doesn’t know it’s using OpenID Federation. The MCP server doesn’t know it’s part of a national trust ecosystem. The federation is invisible infrastructure — but it’s what makes the trust real.
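
What the certificate-bound token from step 6 lets the resource server enforce, as an added example that is not Raidiam Connect code. It assumes the token's signature and expiry were already validated, treats the page's role names as scope values, and uses constructed byte strings in place of real DER certificates.

```python
import base64
import hashlib
import hmac


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)), unpadded."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_request(token_claims: dict, presented_cert_der: bytes, needed_scope: str):
    """Resource-server check on a validated token: returns (allowed, reason)."""
    bound = token_claims.get("cnf", {}).get("x5t#S256")
    if not bound:
        return False, "token is not certificate-bound"
    # The token is only usable over the mTLS connection of the bound client.
    if not hmac.compare_digest(bound, x5t_s256(presented_cert_der)):
        return False, "token presented over a different client certificate"
    if needed_scope not in token_claims.get("scope", "").split():
        return False, f"scope {needed_scope!r} not granted"
    return True, "ok"


# Constructed stand-ins for DER-encoded client certificates (not real X.509).
AGENT_CERT = b"constructed-der:agent-payments-v3-transport"
OTHER_CERT = b"constructed-der:some-other-client"

# Constructed claims of an access token issued to the page's sample agent.
TOKEN = {
    "sub": "agent-payments-v3",
    "scope": "payments-reader accounts-query",
    "cnf": {"x5t#S256": x5t_s256(AGENT_CERT)},
}
```

A token copied out of the agent and replayed from another host fails the thumbprint comparison, which is also what ties each API call in the audit trail to one agent certificate.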

Expansion Proof: Wallets & Credentials

Same control plane. New entity types. No rebuild.

A decade ago, APIs needed a trust layer to enable open banking. Today, wallets and credentials need the same thing. Tomorrow, AI agents will too. This isn’t a new problem — and it doesn’t need new infrastructure. The ecosystem control plane extends naturally from APIs to credentials, wallets, and verifiers.

Trust Anchor

Build the ecosystem control plane once for APIs. Extend it to wallets, credentials, and AI agents without rebuilding. Same foundations. Same standards. No new infrastructure.

APIs today, wallets tomorrow

Your existing federation investment extends naturally to new entity types. No re-architecture required.

Verifiable trust, not assumed trust

Every entity’s trust status is published, discoverable, and verifiable through cryptographic trust chains.

Standards-native

Built on OpenID Federation entity statements, trust marks, and metadata policies — not proprietary extensions.

Built Once. Expanding Everywhere.

The ecosystem control plane powering the world's largest digital economies

Live global operations
🇧🇷Live

Brazil Open Finance

  • 940+ institutions
  • 100B+ API calls/year

Central Bank of Brazil

🇧🇷Live

Brazil Open Insurance

  • 42 providers
  • 1.18M monthly API calls

Superintendência de Seguros Privados

🇦🇺Live

Australia ConnectID

  • Big Four banks
  • 10M+ customers

Australian Payments Plus

🇳🇿Live

NZ Fraud Data Sharing

  • NZBA member banks
  • Fraud prevention network

New Zealand Banking Association

🇦🇪Growing

UAE Open Finance

  • Central Bank of UAE
  • National ecosystem

Central Bank of UAE

🇬🇧Growing

UK Smart Data

  • Cross-sector trust
  • Open Banking origins

UK Government / FCA


Our clients include central banks, payment scheme operators, and globally systemically important financial institutions. We don't build point solutions. We operate the ecosystem control plane that the world's financial system depends on. They built once. They keep expanding.

Raidiam is a founding contributor to OpenID Federation and actively shapes the standards that define how digital trust ecosystems work globally. OpenID Federation is the standard. Raidiam Connect is the ecosystem control plane that makes it work at national scale — and lets it expand to whatever comes next.

OAuth 2.0 · OpenID Connect · FAPI 2.0 · OpenID Federation · OAuth 2.1 · MCP

Built on 10+ years of battle-tested standards

Build Once. Expand Everywhere.

Where will your ecosystem take you?

Whether you're a regulator building a national digital economy, an enterprise platformising across brands and clouds, or a bank that wants to stop rebuilding trust for every new use case — there's a next step.

See It in Action

See how one investment in Raidiam Connect covers your first use case — and the next hundred

Request a Briefing

For regulators and central banks — how to build the foundations for an expandable digital economy

See the Proof

Brazil started with 2 data-sharing scopes. Today it has hundreds — all on the same infrastructure