
feat(C9): add A2A task handoff identity validation control (9.5.5)#629

Open
RicoKomenda wants to merge 1 commit into OWASP:main from RicoKomenda:feat/c9-a2a-protocol-security

Conversation

@RicoKomenda
Collaborator

Summary

Adds 9.5.5 to C9.5 (Secure Messaging and Protocol Hardening) to address trust boundary enforcement during structured agent-to-agent task delegation.

New control:

Verify that when agents accept structured task handoffs from peer agents (e.g., via A2A or equivalent delegation protocol), the receiving agent validates the sending agent's identity and authorized scope against an approved agent registry before accepting the task, and rejects handoffs from agents not present in or explicitly excluded from that registry.

Level: 2

Why this is needed

Structured agent-to-agent delegation protocols (Google A2A, OpenAI's emerging multi-agent patterns, AutoGen, LangGraph) allow one agent to hand off tasks with full context to another. This creates a lateral movement path: a compromised or malicious agent can impersonate a legitimate orchestrator and inject tasks into a trusted downstream agent's execution context.

Existing C9.5 controls cover channel encryption and mutual authentication (9.5.1), schema validation (9.5.2), and replay protection (9.5.3), but none require the receiving agent to validate the sender against an explicit approved registry. An agent that accepts tasks from any authenticated peer is vulnerable to task injection from a compromised peer that passed authentication but was never supposed to delegate to it. The approved registry creates a second check: even a valid identity must be on the pre-approved list of agents authorized to delegate.

This is AI-specific because task delegation in multi-agent systems has no direct analogue in traditional web service authorization: the "message" is an agent task with a goal and partial context, not a simple API call, and the downstream agent may take significant actions based on it.

Changes

  • 1.0/en/0x10-C09-Orchestration-and-Agentic-Action.md: add 9.5.5
  • 1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md: add entry to AD.2
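One way a receiving agent could implement the 9.5.5 check described above, as an added example that is not part of this PR or of the AISVS project; the `AgentRegistry` class, the agent names, the task types and the use of a channel-proven identity (such as an mTLS peer certificate subject) are assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RegistryEntry:
    agent_id: str
    allowed_scopes: frozenset  # task types this peer is authorized to delegate to us
    excluded: bool = False     # known agent that is explicitly barred from delegating

@dataclass(frozen=True)
class TaskHandoff:
    sender_id: str         # identity asserted inside the A2A task message
    authenticated_id: str  # identity proven by the channel (e.g. mTLS peer certificate)
    task_type: str         # scope the delegated task requires

class AgentRegistry:
    """Approved-agent registry consulted before any delegated task is accepted (hypothetical)."""
    def __init__(self, entries):
        self._entries = {e.agent_id: e for e in entries}

    def check(self, h: TaskHandoff) -> tuple:
        """Return (accepted, reason); the caller logs the decision and runs nothing unless accepted."""
        # 9.5.1 authentication proves who the peer is; 9.5.5 asks whether that peer may delegate to us.
        if h.sender_id != h.authenticated_id:
            return False, "asserted sender does not match authenticated peer"
        entry = self._entries.get(h.sender_id)
        if entry is None:
            return False, f"{h.sender_id} is not in the approved registry"
        if entry.excluded:
            return False, f"{h.sender_id} is explicitly excluded from delegating"
        if h.task_type not in entry.allowed_scopes:
            return False, f"{h.sender_id} is not authorized for task type {h.task_type}"
        return True, "accepted"

# Constructed sample registry and handoffs; the agent names and task types are hypothetical.
REGISTRY = AgentRegistry([
    RegistryEntry("orchestrator-a", frozenset({"summarize", "search"})),
    RegistryEntry("retired-agent", frozenset(), excluded=True),
])
SAMPLES = {  # name -> (asserted sender, authenticated peer, task type)
    "ok": ("orchestrator-a", "orchestrator-a", "summarize"),
    "out_of_scope": ("orchestrator-a", "orchestrator-a", "transfer_funds"),
    "unknown": ("unknown-peer", "unknown-peer", "summarize"),
    "excluded": ("retired-agent", "retired-agent", "summarize"),
    "spoofed": ("orchestrator-a", "unknown-peer", "summarize"),
}

def run_samples() -> dict:
    """Evaluate every constructed handoff against the registry."""
    return {name: REGISTRY.check(TaskHandoff(*args)) for name, args in SAMPLES.items()}
```

Only the first sample is accepted; an authenticated but unlisted peer, an explicitly excluded peer, a known peer asking for an out-of-scope task type, and a message whose asserted sender differs from the channel identity are all rejected before any task context is consumed.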

