Blog · agentic identity

The agentic identity problem: no human at the keyboard

Every identity system of the last twenty years assumed a human at the keyboard. AI agents break that assumption — and six concrete failures follow. Why the accountability-versus-privacy binary is the one to solve first.

Every identity system of the last twenty years silently assumed the same thing: a human, present at the keyboard, at the moment of the action. Passwords authenticate a person who types them. MFA pushes a prompt to a person’s phone. KYC verifies a person who shows up with documents. Fraud models score a person’s behaviour; CAPTCHAs exist purely to prove a person is there at all. The assumption was so universal it was never written down — and autonomous AI agents have now broken it.

What agents actually change

An agent is not a faster user. It differs from the human it works for in four ways that identity infrastructure was never built to absorb:

  • Autonomy. At the moment of the transaction there is no human in the loop to prompt, challenge or hold responsible. The OpenID Foundation’s 2025 paper on agentic identity states the consequence as a principle: with autonomy comes accountability — and today’s stack cannot deliver it.
  • Fleets. One operator deploys many agents. Machine identities already outnumber human ones by roughly 50 to 1 in enterprise environments (Omdia, 2024) — and that is before agents, which multiply per person rather than per server.
  • Boundary crossing. Agents transact with other organisations’ systems — and with other organisations’ agents. Whatever identity an agent carries internally means nothing on the far side of the boundary.
  • Machine speed. A misbehaving agent compounds damage faster than any human review cycle. By the time someone looks, the incident is not one bad transaction but thousands.

And the shift is not gradual. Gartner projects that by the end of 2026, 40% of enterprise applications will embed task-specific agents, up from under 5% in 2025; IDC expects more than a billion active agents by 2029. (Every figure on this site is sourced on where the numbers come from.) Bolted onto service accounts, API keys and OAuth tokens, that population fails in six specific ways.

Failure 1 — Impersonation

A stolen or injected agent credential acts with the principal’s full authority — and nothing proves a liable party stands behind it. This is the classic confused-deputy problem, supercharged: a procurement agent holding a bearer token approves an invoice because a poisoned document told it to, and the token authorises the payment exactly as if the CFO had clicked the button. The relying system cannot distinguish the agent acting as instructed from the agent acting as hijacked — because the credential never said anything about who answers for it in the first place. Worse, when agents borrow their operator’s own credentials, a stolen agent credential is a stolen human credential, with the full blast radius that implies.

Failure 2 — Anonymous clients

Agents register with no paper trail. Dynamic client registration — the mechanism by which software introduces itself to an API — was designed for convenience, not accountability; the OpenID Foundation’s paper calls out the complete lack of a paper trail it leaves. The result is what practitioners call non-human identity sprawl: an API platform hosts thousands of registered clients, and for most of them nobody can say who operates them, who pays for them, or who would be liable if one turned malicious. One operator can spin up unlimited anonymous agents; a defrauded counterparty finds no one to point to.

Failure 3 — Delegation breaks at the boundary

Inside one organisation, delegation more or less works: the IdP knows the user, the service account maps to a team, an audit log exists somewhere. The moment a delegation chain crosses an organisational boundary, it snaps. A person authorises a travel agent; the travel agent engages an airline’s booking agent; the booking agent calls a payment processor. The processor sees only its immediate caller — it cannot verify who ultimately authorised the transaction three hops back, in another company’s identity domain. Each hop is a trust assumption, and the party carrying the risk is the one with the least visibility.

Failure 4 — Consent fatigue

The standard patch for agent risk is to put the human back in the loop — for everything. The result is a person asked to approve dozens of low-stakes actions a day, until approval degenerates into a reflex or a blanket “allow all”. Consent that is demanded constantly stops meaning anything, which is worse than not asking: the system now carries the appearance of human oversight precisely where there is none. Meaningful consent has to be rare, structured and reserved for the decisions that actually warrant a human.

Failure 5 — Revocation is unsolved

When an agent is compromised, there is no fast, scalable way to kill its standing across the ecosystem. Its keys are cached in a dozen services; its OAuth grants live until each provider’s token expiry; certificate revocation lists were slow on the human web and are hopeless at machine speed. The operator revokes at service A while the agent keeps transacting at services B through N. A fleet-scale ecosystem needs the opposite: standing that is checked fresh at every interaction, and a kill switch whose effect propagates in seconds — bounded by rule, not by best effort.

Failure 6 — Accountability or privacy, pick one

Today the only way to make an agent accountable is to attach its human’s real identity — and the only way to stay private is to be unaccountable. A marketplace that demands the operator’s passport behind every agent builds a dossier of who runs what, correlatable across every counterparty, and turns itself into a PII honeypot in the process. A marketplace that accepts anonymous agents eats the fraud. Both options are bad, so the market oscillates between them — and every serious proposal gets pulled toward one pole or the other.

fig. 1 — the sixth failure is the one that locks in the other five

Why the sixth failure is the pivot

The first five failures are, in principle, engineering problems. Better token binding shrinks impersonation; registries reduce anonymous sprawl; delegation standards can cross boundaries; consent can be tiered; revocation can be pushed. The sixth is different in kind — it is a framing error, and as long as it stands, every fix for the other five undermines itself.

Here is the mechanism. Every fix presupposes an accountable party: token binding is worthless if nobody answers for the token; a registry of anonymous entries is a phone book with no names; a delegation chain that terminates in an unidentifiable principal proves nothing; consent needs a consenter of record; revocation needs someone with the standing — and the incentive — to pull the switch. But if the only available form of accountability is attaching a real identity to everything the agent does, then rational operators refuse it, counterparties who insist on it become surveillance infrastructures, and adoption stalls at exactly the boundary where the problem lives. The binary is not one failure among six; it is the reason the other five stay unfixed.

Resolve the sixth, and the other five follow

Now invert it. Suppose an agent could prove, at any moment, a single compound claim: an accountable, KYC-verified human stands behind me, remains liable, and can be reached through due process — and you do not get to learn who they are. Accountability becomes provable while identity stays private, and each of the other failures inherits an answer:

  • Impersonation loses its silence: a proof bound to one challenge, one audience and one moment cannot be replayed, and every acceptance carries a provable, liable backer — a stolen credential no longer speaks with an unimpeachable voice.
  • Anonymous clients get a paper trail without a registry of names: every agent demonstrably traces to a verified human, yet no public list of who runs what ever exists.
  • Delegation stops depending on the chain of intermediaries: the proof travels with the agent, so the relying party at hop three verifies the ultimate authorisation directly instead of trusting everyone in between.
  • Consent becomes scarce and therefore meaningful: routine interactions run on provable backing alone, and the human is interrupted only for the rare decisions — like revealing anything at all — that genuinely require one.
  • Revocation gets one place to act: standing is a credential, the credential can be killed at its source, and every verifier checks freshness against the same clock instead of hunting grants across N providers.

What an agent identity layer must provide

None of this falls out of a product feature; it is a shape a whole identity layer has to take. Written as requirements, the shape is:

  1. Provable human backing, private identity. An agent proves an accountable, verified human stands behind it — never which one.
  2. Unlinkability by construction. One operator’s agents cannot be correlated with each other or with the operator — by counterparties, or by the infrastructure itself.
  3. Fresh, universal revocation. Standing is checked at every interaction against a bounded clock, and a kill propagates to every verifier at once.
  4. Recourse before identity. When something goes wrong, money moves first — pre-funded, enforceable — and identification is the last resort under due process, not the first demand.
  5. Disclosure as the exception. When identity is revealed, it is consented, minimal, and leaves a receipt — never a standing right to track.

That is the shape of the layer. The rest of this site describes one way to build it — starting with Know Your Agent, the practice of verifying the human behind the agent, and the agent KYC layer that turns these requirements into protocol invariants. This article stands on its own, though: the six failures are real whoever solves them, and any serious solution will have to answer all six at once.

The agentic identity problem — quick answers

What is the agentic identity problem?
Every mainstream identity system — logins, MFA, KYC, fraud scoring — assumes a human is present at the moment of the action. Autonomous AI agents act with no human in the loop, in fleets, across organisational boundaries, at machine speed. Bolting them onto service accounts, API keys and OAuth tokens produces six concrete failures: impersonation, anonymous clients, broken cross-org delegation, consent fatigue, unsolved revocation, and an accountability-versus-privacy trade-off treated as a binary.
Why can’t API keys and OAuth solve it?
They authenticate a credential, not a party. An API key proves possession of the key; an OAuth token proves a grant was issued once. Neither says who answers for the traffic behind it, survives delegation across organisations, or can be killed everywhere at once when the agent behind it is compromised.
Isn’t the fix simply to identify every agent operator?
That is the sixth failure, not the fix. Attaching the operator’s real identity to everything an agent does turns accountability into surveillance: every counterparty accumulates a dossier, every verifier becomes a PII honeypot, and rational operators choose anonymity instead. The problem is only solved when accountability can be proven while identity stays private.
What would an agent identity layer have to provide?
Proof that an accountable, verified human stands behind an agent — without revealing who; unlinkability between one operator’s agents; revocation that is fast and checkable by everyone; recourse that settles in money before it ever touches identity; and identity disclosure as a rare, consented, receipted exception rather than the routine cost of doing business.

Keep reading: What is Know Your Agent? — the discipline that answers these six failures — or Reusable KYC explained for the verify-once layer underneath it.

Six failures, one design

The agent KYC page shows how provable human backing, sibling unlinkability, 45-second revocation and money-before-identity disputes answer all six — and every figure cited here is sourced on the numbers page.