STACK vs. Keycard

Both STACK and Keycard call themselves “the control plane” for agents. The phrase is identical in marketing materials. The architectural bets behind it are not.

Keycard's wedge: workload attestation

Keycard (keycard.ai) gates hard at credential issuance. Their Security Token Service runs a policy-evaluated challenge-response: when an agent (or any non-human identity) wants to act, the STS verifies the runtime environment cryptographically (SPIFFE, mTLS, Kubernetes service accounts, cloud instance ID), evaluates a policy against composite identity (user, device, agent, task), and issues an ephemeral token bound to that combination. The token is trusted within its scope until session end.

They've shipped quickly: SOC 2 Type II is in place. Three deployment tiers are published (Cloud multi-tenant, Dedicated Enterprise Cloud single-tenant, BYOC coming soon). CMEK lets the customer disable their own AWS KMS key from their own account if they want to cut Keycard off entirely. Their standards posture is broader than STACK's today: OAuth 2.1, RFC 8693 Token Exchange, SPIFFE issuer, WIMSE, MCP, A2A, OIDC, SAML, JWT, JWK.

If your security model treats the agent's runtime environment as the trust anchor (which pod, which mTLS-bound process, which cloud instance is making the call), Keycard's architecture matches that posture cleanly.

Note on Keycard's Smallstep partnership (announced March 23, 2026): the integration uses ACME Device Attestation (ACME-DA), not SPIFFE/SPIRE. Per their announcement: “ACME-DA, developed in collaboration with Apple and Google.”

STACK's wedge runs further down the chain

STACK gates at issuance and again on every outbound call. Once an agent has any token (one Keycard issued, one another OIDC provider issued, a SPIFFE SVID, or a STACK passport), every outbound call routes through a credential-injecting proxy that re-checks intent and scope, then runs 23 named detectors on the call payload. The detectors include a 3-layer prompt-injection chain that scores F1 0.86 / R 0.77 on a 1087-sample public benchmark with regression CI, plus output exfiltration, scope drift, and behavioral anomaly.

Every action lands in a hash-chained per-tenant audit log that's externally verifiable by structural property of the chain. A single revocation cascades through passport, proxy, audit, and delegated children in under sixty seconds. EU AI Act Article 14 is mapped clause-by-clause publicly. Pricing tiers are visible on the homepage.

STACK accepts SPIFFE SVIDs as identity input, including ones Keycard issues. We don't issue SVIDs; that's Keycard's lane. We secure what the agent does once it has identity.

If your security model treats what the agent does after it has identity as the trust-anchor question (credential leakage, prompt-injected actions, scope drift over a long session, output exfiltration), STACK's architecture matches that posture.

Talk to us if you're sizing the comparison. We'll tell you straight where each side is in front, including which procurement bars Keycard clears today that STACK does not.

Talk to usSee all alternatives

Last reviewed 2026-05-09. Keycard claims sourced from keycard.ai, docs.keycard.ai, and reporting from October 2025 onwards.

stack | STACK vs. Keycard