Every identity system of the last twenty years silently assumed the same thing: a human, present at the keyboard, at the moment of the action. Passwords authenticate a person who types them. MFA pushes a prompt to a person’s phone. KYC verifies a person who shows up with documents. Fraud models score a person’s behaviour; CAPTCHAs exist purely to prove a person is there at all. The assumption was so universal it was never written down — and autonomous AI agents have now broken it.
What agents actually change
An agent is not a faster user. It differs from the human it works for in four ways that identity infrastructure was never built to absorb:
- Autonomy. At the moment of the transaction there is no human in the loop to prompt, challenge or hold responsible. The OpenID Foundation’s 2025 paper on agentic identity states the consequence as a principle: with autonomy comes accountability — and today’s stack cannot deliver it.
- Fleets. One operator deploys many agents. Machine identities already outnumber human ones by roughly 50 to 1 in enterprise environments (Omdia, 2024) — and that is before agents, which multiply per person rather than per server.
- Boundary crossing. Agents transact with other organisations’ systems — and with other organisations’ agents. Whatever identity an agent carries internally means nothing on the far side of the boundary.
- Machine speed. A misbehaving agent compounds damage faster than any human review cycle. By the time someone looks, the incident is not one bad transaction but thousands.
And the shift is not gradual. Gartner projects that by the end of 2026, 40% of enterprise applications will embed task-specific agents, up from under 5% in 2025; IDC expects more than a billion active agents by 2029. (Every figure on this site is sourced on where the numbers come from.) Bolted onto service accounts, API keys and OAuth tokens, that population fails in six specific ways.
Failure 1 — Impersonation
A stolen or injected agent credential acts with the principal’s full authority — and nothing proves a liable party stands behind it. This is the classic confused-deputy problem, supercharged: a procurement agent holding a bearer token approves an invoice because a poisoned document told it to, and the token authorises the payment exactly as if the CFO had clicked the button. The relying system cannot distinguish the agent acting as instructed from the agent acting as hijacked — because the credential never said anything about who answers for it in the first place. Worse, when agents borrow their operator’s own credentials, a stolen agent credential is a stolen human credential, with the full blast radius that implies.
Failure 2 — Anonymous clients
Agents register with no paper trail. Dynamic client registration — the mechanism by which software introduces itself to an API — was designed for convenience, not accountability; the OpenID Foundation’s paper calls out the complete lack of a paper trail it leaves. The result is what practitioners call non-human identity sprawl: an API platform hosts thousands of registered clients, and for most of them nobody can say who operates them, who pays for them, or who would be liable if one turned malicious. One operator can spin up unlimited anonymous agents; a defrauded counterparty finds no one to point to.
Failure 3 — Delegation breaks at the boundary
Inside one organisation, delegation more or less works: the IdP knows the user, the service account maps to a team, an audit log exists somewhere. The moment a delegation chain crosses an organisational boundary, it snaps. A person authorises a travel agent; the travel agent engages an airline’s booking agent; the booking agent calls a payment processor. The processor sees only its immediate caller — it cannot verify who ultimately authorised the transaction three hops back, in another company’s identity domain. Each hop is a trust assumption, and the party carrying the risk is the one with the least visibility.
Failure 4 — Consent fatigue
The standard patch for agent risk is to put the human back in the loop — for everything. The result is a person asked to approve dozens of low-stakes actions a day, until approval degenerates into a reflex or a blanket “allow all”. Consent that is demanded constantly stops meaning anything, which is worse than not asking: the system now carries the appearance of human oversight precisely where there is none. Meaningful consent has to be rare, structured and reserved for the decisions that actually warrant a human.
Failure 5 — Revocation is unsolved
When an agent is compromised, there is no fast, scalable way to kill its standing across the ecosystem. Its keys are cached in a dozen services; its OAuth grants live until each provider’s token expiry; certificate revocation lists were slow on the human web and are hopeless at machine speed. The operator revokes at service A while the agent keeps transacting at services B through N. A fleet-scale ecosystem needs the opposite: standing that is checked fresh at every interaction, and a kill switch whose effect propagates in seconds — bounded by rule, not by best effort.
Failure 6 — Accountability or privacy, pick one
Today the only way to make an agent accountable is to attach its human’s real identity — and the only way to stay private is to be unaccountable. A marketplace that demands the operator’s passport behind every agent builds a dossier of who runs what, correlatable across every counterparty, and turns itself into a PII honeypot in the process. A marketplace that accepts anonymous agents eats the fraud. Both options are bad, so the market oscillates between them — and every serious proposal gets pulled toward one pole or the other.
six failures · one pivot
fig. 1 — the sixth failure is the one that locks in the other five
Why the sixth failure is the pivot
The first five failures are, in principle, engineering problems. Better token binding shrinks impersonation; registries reduce anonymous sprawl; delegation standards can cross boundaries; consent can be tiered; revocation can be pushed. The sixth is different in kind — it is a framing error, and as long as it stands, every fix for the other five undermines itself.
Here is the mechanism. Every fix presupposes an accountable party: token binding is worthless if nobody answers for the token; a registry of anonymous entries is a phone book with no names; a delegation chain that terminates in an unidentifiable principal proves nothing; consent needs a consenter of record; revocation needs someone with the standing — and the incentive — to pull the switch. But if the only available form of accountability is attaching a real identity to everything the agent does, then rational operators refuse it, counterparties who insist on it become surveillance infrastructures, and adoption stalls at exactly the boundary where the problem lives. The binary is not one failure among six; it is the reason the other five stay unfixed.
Resolve the sixth, and the other five follow
Now invert it. Suppose an agent could prove, at any moment, a single compound claim: an accountable, KYC-verified human stands behind me, remains liable, and can be reached through due process — and you do not get to learn who they are. Accountability becomes provable while identity stays private, and each of the other failures inherits an answer:
- Impersonation loses its silence: a proof bound to one challenge, one audience and one moment cannot be replayed, and every acceptance carries a provable, liable backer — a stolen credential no longer speaks with an unimpeachable voice.
- Anonymous clients get a paper trail without a registry of names: every agent demonstrably traces to a verified human, yet no public list of who runs what ever exists.
- Delegation stops depending on the chain of intermediaries: the proof travels with the agent, so the relying party at hop three verifies the ultimate authorisation directly instead of trusting everyone in between.
- Consent becomes scarce and therefore meaningful: routine interactions run on provable backing alone, and the human is interrupted only for the rare decisions — like revealing anything at all — that genuinely require one.
- Revocation gets one place to act: standing is a credential, the credential can be killed at its source, and every verifier checks freshness against the same clock instead of hunting grants across N providers.
What an agent identity layer must provide
None of this falls out of a product feature; it is a shape a whole identity layer has to take. Written as requirements, the shape is:
- Provable human backing, private identity. An agent proves an accountable, verified human stands behind it — never which one.
- Unlinkability by construction. One operator’s agents cannot be correlated with each other or with the operator — by counterparties, or by the infrastructure itself.
- Fresh, universal revocation. Standing is checked at every interaction against a bounded clock, and a kill propagates to every verifier at once.
- Recourse before identity. When something goes wrong, money moves first — pre-funded, enforceable — and identification is the last resort under due process, not the first demand.
- Disclosure as the exception. When identity is revealed, it is consented, minimal, and leaves a receipt — never a standing right to track.
That is the shape of the layer. The rest of this site describes one way to build it — starting with Know Your Agent, the practice of verifying the human behind the agent, and the agent KYC layer that turns these requirements into protocol invariants. This article stands on its own, though: the six failures are real whoever solves them, and any serious solution will have to answer all six at once.