Interesting approach. The risk scoring (0-100) is the part I find most promising. Identity alone isn't enough — you need dynamic trust assessment.
One thing I'd add: agent identity becomes much more complex in multi-agent systems where agents coordinate with each other, not just with services. In that scenario, you need agents to verify each other's identity AND authority (is this agent authorized to claim this task? edit this file? send this message?). The OAuth model handles service-to-agent auth well but doesn't address agent-to-agent trust.
The SPIFFE/SPIRE suggestion above is good for infrastructure-level identity. But for application-level trust between cooperating agents, you might want something more like a capability-based system where agents can delegate specific permissions to each other without a central authority.
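
One way to realize the capability delegation suggested in the comment above, as an added example that is not part of the original comment or any project's code: a macaroon-style token whose restrictions ("caveats") are chained with HMAC, so any agent can narrow a capability offline before handing it on but cannot widen it. The caveat names (`action`, `file`, `agent`), the token layout and all sample values are assumptions made for this sketch.

```python
import hashlib
import hmac

def _chain(key: bytes, data: str) -> bytes:
    return hmac.new(key, data.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, cap_id: str) -> dict:
    # Issued once by the resource owner; root_key never leaves it.
    return {"id": cap_id, "caveats": [], "sig": _chain(root_key, cap_id)}

def attenuate(token: dict, caveat: str) -> dict:
    # Any holder can add a restriction offline. The new signature is keyed
    # by the old one, so a caveat cannot be removed later.
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _chain(token["sig"], caveat)}

def _caveat_ok(caveat: str, request: dict) -> bool:
    key, sep, value = caveat.partition("=")
    if sep and key in ("action", "file", "agent"):
        return request.get(key) == value
    return False  # unknown or malformed caveats fail closed

def verify(root_key: bytes, token: dict, request: dict) -> bool:
    # Assumption: request["agent"] was filled in from an authenticated
    # identity (for example a SPIFFE ID), not asserted by the caller.
    sig = _chain(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = _chain(sig, caveat)
    if not hmac.compare_digest(sig, token["sig"]):
        return False
    return all(_caveat_ok(c, request) for c in token["caveats"])

# Constructed sample values, not from the thread.
ROOT_KEY = b"constructed-demo-key-not-a-real-secret"
root = mint(ROOT_KEY, "workspace-42")
# Orchestrator delegates only "edit docs/plan.md" to a worker agent.
worker = attenuate(attenuate(root, "action=edit"), "file=docs/plan.md")
# Worker sub-delegates, pinned to one named reviewer agent.
reviewer = attenuate(worker, "agent=reviewer-1")
# A holder that strips caveats but keeps the signature is rejected.
stripped = {"id": worker["id"], "caveats": [], "sig": worker["sig"]}

if __name__ == "__main__":
    req = {"action": "edit", "file": "docs/plan.md", "agent": "worker-7"}
    for tok in (worker, reviewer, stripped):
        print(tok["caveats"], verify(ROOT_KEY, tok, req))
```

Only the resource that minted the token needs the root key to verify it; the delegating agents never contact an issuer. A token without an `agent` caveat is a bearer credential, so whoever holds it can use it.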