Identity Impersonation Detection White Paper Read Now
Identity Impersonation Detection for agents
The ATO Protect Agent Skill lets an AI agent run real identity verification inside its own workflow. Not a wrapper, not a doc to read. Runnable scripts that create a verification, poll it to a result, and match a driver license against DMV and carrier records, calling the same AuthCloud APIs Trusona runs in production.
Why this, why now
For two years the hard problem in identity has been the human help desk: an attacker calls in, sounds right, and talks an agent into a reset. The same problem is now arriving in software. AI agents are being handed the work that used to require a person, including approving access, moving money, and recovering accounts.
An agent that can take those actions needs the same thing a good help desk analyst needs: a way to confirm the human in the loop is who they claim to be, without relying on what they know or how convincing they sound. That check has to be a step the agent can actually run, not a screen a person clicks.
So we built it as a skill. Point an agent at it, and identity verification becomes one of the things the agent knows how to do.
What the agent can do
Each one maps to a documented intent in the skill. The agent reads the intent, picks the script, and runs the workflow against AuthCloud.
Kick off an identity check, poll it to resolution, then pull the authenticated result and risk score. Run it inline or drive it from a callbackUrl for event-based flows.
Run a driver-license ID match against DMV and carrier records, then poll it to a verdict. Real document checks, not a knowledge quiz the caller can fake.
The bearer token is read straight into the Authorization header and never written to disk. A doctor.sh check validates the setup locally before any live credential is used.
Install
The body is plain Markdown plus bash, so the skill is portable by design. Clone it, set two environment variables, and the agent discovers it through SKILL.md.
doctor.sh to validate locally, then describe an identity task.# 1. Clone into your Claude skills directory git clone https://github.com/trusona/atop-agent-skill.git \ ~/.claude/skills/atop-api # 2. Point it at AuthCloud export ATOP_TOKEN='eyJ...' # Bearer JWT from the dashboard export ATOP_BASE_URL='https://authcloud.trusona.net' # 3. Validate locally before a live token scripts/doctor.sh # then just ask your agent: # "verify this user before resetting MFA"
Where it fits
The help desk taught us that impersonation beats authentication. As agents take on more of the work, the same defense has to travel with them.
The skill calls AuthCloud directly, the verification engine behind Trusona IDV. Same checks, now callable from an agent.
It confirms a real person against real records. An agent stops trusting how a request sounds and starts checking who is behind it.
Pairs with Agent Verify as Trusona moves identity assurance into the systems that now act for people.
Get started
The repo is public and Apache 2.0, with runnable scripts, pinned API specs, and editable example requests. Bring a token and start verifying. Want to talk through where this fits in your stack? We're happy to walk through it.