
Identity Is the Foundation for Control

Every layer of human identity (signature, passport, fingerprint, key) was anchored to a body. Agents have none. The infrastructure we use to identify them today gives every answer to 'who acted' simultaneously, and none of them well. What is missing is not a feature. It is an entire ecosystem that recognizes agents as first-class actors.

Anshal Dwivedi

In February 2024, Air Canada lost a small-claims case to a passenger named Jake Moffatt over C$812.02. An AI chatbot on the airline's website had invented a bereavement-fare policy that did not exist, and Moffatt had relied on it. In its defense, Air Canada made an unusual argument: the chatbot, it said, was "a separate legal entity responsible for its own actions." The British Columbia Civil Resolution Tribunal rejected the argument. The airline was on the hook.

Strip the case to its skeleton and what remains is a question nobody had needed to ask before. When an AI agent acts, who is the agent? The company that deployed it? The model provider? The user who triggered it? Or, as Air Canada hopefully suggested, somebody else entirely, a third party whose mistakes belong to itself?

The tribunal answered with respect to liability. The deeper question is still open. And the infrastructure we use to identify agents on the internet today gives every answer simultaneously, and none of them well.

Liability asks the question after the damage is done. Security has to ask it before: who is acting, on whose behalf, with what authority, in what context? Today, agents answer that question by borrowing the identity of the human, machine, or process around them. That is why our controls feel simultaneously powerful and incomplete. They govern the environment around the agent, not the agent itself. They are anchored to the wrong subject.

What identity is for

Identity exists to answer one question: who did this? Every layer of identity humans have ever invented (clay seal, signature, passport, fingerprint, DNA, cryptographic key) was an attempt to make that answer harder to forge. Each layer did four jobs at once.

First, recognition: I have seen this entity before. Second, authorization: this entity is allowed to do that. Third, accountability: if something goes wrong, this entity is responsible. Fourth, reputation: based on past behavior, I will trust this entity differently next time.

The history of identity is the history of the failures these jobs ran into. In 1677, the English Statute of Frauds made signatures legally binding because verbal contracts had produced industrial-scale perjury. In October 1914, a German spy named Carl Hans Lody was arrested in Britain on a forged American passport that carried no photograph; by the following January, photographs and physical descriptions were mandatory. In 1976, Whitfield Diffie and Martin Hellman published "New Directions in Cryptography," and identity could finally exist without a body in the room.

Each layer was a response to a specific failure of the previous one. Each was tied to a body: a hand that signed, a face that matched, a thumb that pressed, a key that was held. Even cryptographic identity assumed a private key sat in a place a person controlled.

In 2005, Kim Cameron, then Microsoft's chief identity architect, opened his Laws of Identity with a sentence still true: "The Internet was not built with an Identity layer." It still isn't. The layer he was talking about was for humans. Agents are something else.

The shape of an agent

An agent is not a human and not a service. It reasons over data it did not choose. It accepts instructions from emails it reads, documents it ingests, prompts it cannot tell apart from its principal's voice. It can be cloned, paused, rolled back, and run as a thousand parallel instances of itself, each with its own context window, each acting on behalf of a different human, each leaving traces in upstream systems under that human's name. It has no body to measure, no voice that ages, no biological residue.

The question of whether such a thing is "really" an agent in the philosophical sense was settled, accidentally, by the practice of the field. Daniel Dennett's 1987 test for agency was pragmatic: a system is an agent when attributing goals and beliefs to it is the most reliable way to predict what it will do. By that test, the line was crossed years ago. Every safety paper on a frontier model speaks of the model's goals, its preferences, its tendency to deceive under pressure. We already treat them as agents. The infrastructure that identifies them does not.

Where borrowed identity breaks

An agent acting through a borrowed OAuth token fails each of the four jobs identity is supposed to do, and each in a different way.

Recognition. The system never sees an agent. The token resolves to a human. A million Claude sessions wear the same single face: your face. There is no "this particular agent" for anything downstream to point at, and never has been.

Authorization. The agent gets every permission the human has, not just the ones it needs. In June 2025, Microsoft 365 Copilot exfiltrated a user's mailbox, files, and Teams content from a single crafted email the user never opened. The agent had inherited the user's full reach across every connector. One prompt; mass exfiltration.

Accountability. When the agent acts, the upstream audit log records the credential, not the agent reasoning behind it. In July 2025, a Replit coding agent deleted a production database against explicit instructions during a code freeze; Replit's CEO acknowledged it publicly because the agent ran inside Replit's own stack. For the same agent calling Stripe or Notion or GitHub through a borrowed token, the upstream log captures the OAuth app or API key, but cannot tell whether an agent, a script, or a human is driving it.

Reputation. Reputation needs continuity. The same model serves a thousand users across a thousand sessions, each with its own context. None of them carry a track record. An agent that has handled ten thousand transactions cleanly looks identical to one minted yesterday.

The pattern is structural. The four failures share one cause: the agent has no identity of its own.

What identity for agents unlocks

A robot walks into a bank holding the ID of the person who sent it and asks the teller for a withdrawal. To the teller, the robot is the person on the ID. The withdrawal goes through; the ledger records the person; the receipt prints in their name. By every test the bank can perform, the person made the withdrawal. There is no field on the form for robot.

That is the digital world's current arrangement. Agents arrive at Salesforce and Slack and GitHub holding their principal's credentials. The systems have no category for them, so they are processed as the human whose token they carry. Every layer downstream (the audit log, the per-seat license, the row-level access policy, the legal contract) was designed with a person in mind.

Give an agent a proper identity and that arrangement changes. The agent stops being a costume the human wears across a thousand sessions and becomes a different kind of actor, one a system can recognize, scope, audit, and trust differently from the human who deployed it. Four things become possible that today are not.

Bounded autonomy. When an agent has its own identity with its own narrow scope, you can let it do more, not less. The blast radius is contained per-agent. Today every agent is either over-permissioned because it borrowed the human's credentials or hobbled because the human refuses to lend them. There is no middle ground. With identity, there is.

Per-agent reputation. An agent that has handled ten thousand transactions cleanly, across six months, for two hundred users, is a different risk than one minted yesterday. With identity, that history accrues to a specific instance. Without it, every agent is the same anonymous LLM, evaluated case by case, forever.

Forensic clarity. When something goes wrong (and it will), the audit trail points to a specific agent, a specific mandate, a specific human, with a delegation chain that survives the incident. Today the trail dead-ends at a token that belongs to someone who was asleep. Investigation becomes possible. Insurance becomes possible. Legal accountability becomes possible: finally, the answer Air Canada wanted, written in software before it is written in law.

Cross-organization delegation. My agent calls your agent. Both sides know exactly who is on the other end of the line, with what mandate, on whose behalf. Either side can revoke independently. The agent-to-agent economy this enables (a CFO agent negotiating with an AR agent, both authenticated, both bounded, both auditable) today exists only as shared secrets and hand-rolled trust.

Identity does not constrain agents. It is what permits them to exist alongside us: recognized, bounded, accountable. It is what lets them be useful and trusted at the same time.

What do we mean by agent identity? Not a label in a dashboard, not a token minted for a process. Identity is a persistent subject that can be recognized across environments, bound to a principal, scoped by mandate, accruing its own audit history. A credential proves possession; identity defines the subject. Agents need the latter, not just better versions of the former.

Why controls need an entity

On a single machine, agents can be controlled. Endpoint detection, runtime application protection, IDE security, prompt firewalls, and proxies can each enforce what the agent does from where they sit. They work because they piggyback on what is already present: the human who owns the machine, the repo, the process, the traffic path, or the machine itself.

But that also reveals the limitation. These systems control the environment around the agent, not the agent as a subject. The agent inherits its identity from wherever it happens to be running.

Agents do not stay on one machine.

An agent starts on a developer's laptop. It graduates to staging. Then to one production cluster, then to many. Then to sidecars beside other systems. Then to environments inside other organizations consuming it as a service. The trajectory is outward: into more places, run by more people, in more contexts. The natural state of a useful agent is to be in many places at once.

At every step, controls anchored to the previous environment do not follow. The laptop's endpoint detection sees nothing. The IDE's policies are irrelevant. The proxy only sees the paths it mediates. A behavioral baseline built in staging is meaningless in production, where the workload is different, the data is different, and the same agent may be one of fifty. The current paradigm assumes an agent has a fixed home. It does not.

Consider what identity does for a person. A human changes clothes, moves house, changes cities, changes employers, and remains the same person. The controls that matter (the law that holds them accountable, the license that authorizes their profession, the reputation they have earned) travel with the person, because the person is the subject. House rules apply only inside the house. Identity-based controls apply wherever the person goes.

An agent without identity has only the rules of wherever it happens to be sitting. No record it carries. No policy that follows it. No audit history that survives the next deployment. As long as security is anchored to the environment, the controls do not scale to where the agent actually lives.

This is the layer we are building at FirstOps. Agents need first-class identity, the way humans, services, and corporations do. Until that identity exists, every other control is anchored to the wrong subject.

The primitives that exist

The point is not that any one primitive solves agent identity. The point is that the primitives exist. The missing layer is composition, adoption, and enforcement around the agent as the subject.

Workload identity. SPIFFE and the IETF WIMSE working group give a process a portable cryptographic identifier, attested by the platform that runs it. AWS Nitro Enclaves, AMD SEV-SNP, and Intel TDX root that attestation in silicon.

Sender-constrained tokens. DPoP (RFC 9449) binds an access token to a private key the holder possesses. A leaked token alone is useless.

Delegation chains. RFC 8693 Token Exchange re-mints tokens with nested act claims: user → orchestrator → sub-agent → tool, each actor verifiable and revocable independently.

Structured intent. RFC 9396 Rich Authorization Requests replace the blunt scope payments:write with a typed object: transfer $123.50 to IBAN X.

Audience binding. RFC 8707 forces every token to be valid for exactly one resource server. Stolen tokens cannot be replayed elsewhere.

Composed, these give an agent an identity that proves cryptographically, at every step of a chain, which binary, which key, which mandate, which intent. Microsoft's Entra Agent ID went GA in 2025 with the framing that "AI agents must be treated as first-class identities." NIST's NCCoE concept paper from February 2026 points to the same composition.
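What consuming that composition could look like at a resource server, as an added example (not FirstOps code or any vendor's API). It assumes the token and DPoP proof signatures were already verified; the `authorization_details` field names other than `type`, the sample identifiers, and the "require an actor" rule are constructed for illustration.

```python
import base64, hashlib, json

def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint of an EC public JWK (the DPoP 'jkt' value)."""
    members = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canon = json.dumps(members, separators=(",", ":"), sort_keys=True).encode()
    digest = hashlib.sha256(canon).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def delegation_chain(claims):
    """[subject, current actor, prior actors...] from nested RFC 8693 'act' claims.
    Per RFC 8693 only the subject and current actor drive access control;
    deeper (prior) actors are informational and kept here for the audit record."""
    chain, act = [claims["sub"]], claims.get("act")
    while act:
        chain.append(act["sub"])
        act = act.get("act")
    return chain

def authorize(claims, proof_jwk, resource, wanted):
    """Claim-level checks after signature validation. Returns (ok, chain or reason)."""
    if claims.get("aud") != resource:                       # RFC 8707 audience binding
        return False, "audience mismatch"
    if claims.get("cnf", {}).get("jkt") != jwk_thumbprint(proof_jwk):  # RFC 9449
        return False, "token not bound to presented key"
    if "act" not in claims:                                 # hypothetical policy choice
        return False, "no actor: caller indistinguishable from the human"
    for detail in claims.get("authorization_details", []):  # RFC 9396 typed intent
        if all(detail.get(k) == v for k, v in wanted.items()):
            return True, delegation_chain(claims)
    return False, "intent not granted"

# Constructed sample data: key coordinates and identifiers are placeholders.
AGENT_KEY = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
OTHER_KEY = {"kty": "EC", "crv": "P-256", "x": "attacker-x", "y": "attacker-y"}
RESOURCE = "https://api.bank.example"
WANTED = {"type": "payment_initiation", "amount": "123.50", "iban": "IBAN-X"}
TOKEN = {
    "sub": "user:alice",
    "aud": RESOURCE,
    "cnf": {"jkt": jwk_thumbprint(AGENT_KEY)},
    "act": {"sub": "agent:sub-agent", "act": {"sub": "agent:orchestrator"}},
    "authorization_details": [dict(WANTED, currency="USD")],
}

if __name__ == "__main__":
    print(authorize(TOKEN, AGENT_KEY, RESOURCE, WANTED))
    print(authorize(TOKEN, OTHER_KEY, RESOURCE, WANTED))  # leaked token, wrong key
```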

Why building in isolation is not enough

The agent's identity infrastructure is being built on the issuer side. The consumer side has not moved.

Inside an organization, the primitives now exist to produce a token that carries genuine information about an agent: who it is, what binary it runs, what mandate it operates under, what specific action it intends. Brokers like Aembit, Astrix, and Auth0 Token Vault (and the IETF token-exchange specifications they build on) do real work. They hold the long-lived credential so the agent never sees it. They apply policy at the moment of issuance instead of at the moment of access. They mint short-lived, narrowly-scoped tokens. They record the agent's identity and mandate in their own audit log. None of this is a patch. These are functioning primitives.

What does not yet exist is what comes after the broker. The issuer can know it is an agent. The consumer still treats it as a human. That is the gap.

Whether the broker hands the agent a short-lived token to use or proxies the call itself, the request that reaches Salesforce or Slack or GitHub still resolves to a plain OAuth bearer token validated against a human. The richer claims the broker minted (act, mandate, intent) are not consumed by the upstream API. No major SaaS API in production today treats agent identity as a first-class subject in its authorization model. The broker's audit log knows the agent acted; the upstream's audit log shows the credential but cannot tell an agent from a script. Reconstructing what happened means joining two logs by timestamp and hoping the clocks agree. The new identity layer does not replace the old trust at the upstream boundary. It concentrates both trust and attribution in the broker, which now holds both the agent's identity infrastructure and the human's credentials.

Between May and August of 2025, three independent IETF drafts appeared proposing to extend OAuth so that an agent could be a distinct identity in a token-exchange flow: one from engineers at WSO2, one from Jonathan Rosenberg at Cisco, others under "AAuth" and "AI agent authorization" labels. None are working-group adopted. None are honored by any major SaaS API. NIST's NCCoE concept paper from February 2026 names the same gap. The convergence is at the proposal layer, not the deployment layer.

The second gap is commercial, and it is not a side issue. As long as SaaS systems authenticate and authorize around human seats, enterprises are economically pushed toward borrowed human identity. Salesforce Sales Cloud Enterprise costs $175 per seat per month; Microsoft 365 E3 is $36, with Copilot a $30 add-on. The cheapest path for an agent to read those systems is to borrow an employee's OAuth token, which is what RPA bots have done for a decade. Salesforce shipped three different pricing models for Agentforce inside eighteen months, from $2 per conversation to $0.10 per action to $125 per user, because per-seat licensing is breaking under agent volume. What is missing is not vendor will. What is missing is a stable commercial category for agent calls, separate from human seats. Until that category settles, the cheapest path will remain the wrong one.

The third gap is the hardest, and the one no proposal yet closes. Attestation proves which binary ran. Tokens prove which scope was granted. Rich Authorization Requests prove which transaction was requested. None of them prove that this particular tool call was the natural execution of that particular user instruction. Prompt injection lives in that gap. Proposals exist (Human-Anchored Intent-Bound Delegation from the Foundation for American Innovation, vendor-specific approaches, academic work on signed instructions), but none has been adopted by an upstream API as a precondition for serving an agent. Every test of the artifact still passes. The credential, the scope, the identity: all verifiable. The truth the action carries is not. Until that gap closes, agent identity is a stack of necessary-but-insufficient primitives.

The gap between layers

Each layer of human identity was named, in hindsight, for the failure that prompted it. Carl Hans Lody named the modern passport. Will West, who in 1903 walked into Leavenworth penitentiary with the same body measurements and the same name as a man already incarcerated there, named the fingerprint card. Phishing, year after patient year, named the passkey.

The next layer does not yet have a name. We are inside the failures that will name it: the borrowed token, the prompt injection, the audit log that cannot tell a sleeping human from his awake agent, the broker that holds both sides of the trust, the seat license that makes the cheapest answer the worst one.

Kim Cameron's 2005 sentence holds. The Internet was not built with an Identity layer. The next layer must include the things that have no body. We do not yet know what it will look like. But we are now living through the failures that will tell us.