Existing legal and technical frameworks cannot reliably identify or hold autonomous AI agents accountable; five fundamental gaps — from intent verification to recursive delegation accountability — mean engineering work alone will not solve the problem. Foundational research on agent identity is urgently needed to enable safe cross‑organizational AI transactions.

Main Finding

AI agents create a fundamentally different identity problem than humans: current identity infrastructure, standards, and regulation are fragmented and inadequate. Identity for agents is structurally asymmetric along substrate, persistence, verifiability, and legal standing; addressing these asymmetries requires new foundations (not incremental extensions of human identity systems). The report identifies five critical, structural gaps—semantic intent verification; recursive delegation accountability; agent identity integrity across model→agent→workload layers; governance opacity and enforcement; and operational sustainability—which neither current technology nor nascent regulation resolve. Foundational research and coordinated public‑private infrastructure are necessary to close these gaps.

Key Points

• Three concurrent systemic failures have caused the collapse of legacy identity approaches for agents:
  • Organization: non-human identities (NHIs) outnumber human identities in enterprises; many deployments reuse human credentials or shared API keys rather than treating agents as first‑class principals.
  • Regulation: no jurisdiction assigns clear liability for autonomous agent actions; laws and obligations are fragmented.
  • Technology: agents are nondeterministic, cloneable, and often sessionless, so traditional anchors for identity (stable substrate, persistence) are missing.
• Four distinct NHI types must be distinguished (and governed differently):
  • Model: trained artifact (weights, architecture, provenance); relatively stable until retraining but descriptive artifacts (model cards) are non‑binding.
  • Agent: configured deployment (system prompt, persona, tool grants); mutable and where most behavioral vulnerabilities occur.
  • Workload: runtime instance/process/container; attested via workload identity (SPIFFE/SVID), authenticates the container/process but not the agent’s content/behavior.
  • Delegated: authorization/grant carrying rights on behalf of a legal principal (OAuth tokens, JWT act claims); critical for accountability but under‑specified for multi‑hop delegation.
• Four‑dimension comparison (substrate, persistence, verifiability, legal standing) highlights structural asymmetry between human and AI identities; identity infrastructure must be designed from first principles recognizing those constraints.
• Standards and market state:
  • Authentication/workload identity: most mature (SPIFFE/WIMSE). Practical but limited to attesting runtime properties.
  • Authorization/delegation: partially addressed (OAuth handles one‑hop well); multi‑hop, scope attenuation, mapping scopes→capabilities, and asynchronous cross‑domain delegation are unresolved.
  • Protocols like MCP and A2A adopted in practice but leave identity/authorization semantics underspecified.
  • Many governance/regulatory instruments (EU AI Act Article 50, eIDAS 2.0, NIST NCCoE, OWASP guidance, China’s metadata rules) address parts of the problem but are fragmented across jurisdictions and often lack implementable identity/credential standards.
• Five critical gaps (structural):
• Semantic intent verification — verifying that agent actions match declared goals/constraints (not just provenance or attestation).
• Recursive delegation accountability — provable, enforceable multi‑hop delegation with scope attenuation and auditability.
• Agent identity integrity — binding deployed runtime instances to specific behavioral and provenance artifacts in a way robust to cloning and manipulation.
• Governance opacity & enforcement — mechanisms to observe, audit, and enforce policy across organizational and jurisdictional boundaries.
• Operational sustainability — economically and operationally viable long‑term systems (trust roots, key management, credential lifecycle at scale).
• Conclusion: engineering and vendor approaches solve parts of the lifecycle; the remaining gaps are structural and require research, new protocols, and public goods (standards, interoperable trust frameworks).

Data & Methods

• Scope: Review of ~80 sources prioritizing 2024–2026 to capture rapid developments; supplemented by foundational earlier work when needed.
• Sources surveyed:
  • Academic literature and arXiv preprints on agents, delegation, and machine identity.
  • Standards corpora and drafts from IETF, OpenID Foundation, W3C, NIST, SPIFFE/SPIRE, and MCP/A2A documents.
  • Regulatory instruments across jurisdictions (EU AI Act, eIDAS 2.0, NIST NCCoE, CAC rules, Japan/Singapore guidance, etc.).
  • Industry whitepapers, vendor products, market analyses, and gray literature (e.g., Vault, Vouched, Saviynt, Astrix, HUMAN Security, KYA).
• Analysis method:
  • Conceptual framing: four‑dimension comparison of human vs AI identity (substrate, persistence, verifiability, legal standing).
  • Taxonomy: separated non‑human identity into model/agent/workload/delegated levels to avoid conflation and target controls appropriately.
  • Lifecycle gap analysis: evaluated enrollment, credential issuance, runtime authorization, delegation chaining, governance/audit, and decommissioning across standards, protocols, and vendor solutions.
  • Verdict assignment for standards/technologies: Available / Partial / Fails / Directional / Diagnostic, based on coverage of the lifecycle and structural limitations.
  • Cross‑jurisdictional regulatory mapping to identify fragmentation and legal lacunae.

Implications for AI Economics

• Transaction costs and friction
  • Verification and trust: lack of interoperable agent identity increases friction for cross‑organizational transactions, raising costs for relying parties to verify agent provenance and intent.
  • Monitoring and compliance: firms will incur higher monitoring, audit, and compliance expenditures to mitigate delegation and nondeterminism risks.
• Liability, insurance, and risk allocation
  • Liability ambiguity drives greater reliance on contractual allocation of risk, indemnities, and insurance products; insurers must price new, hard‑to‑measure risks (e.g., multi‑hop delegation failures, emergent behaviors).
  • Incomplete legal clarity may deter investment in high‑stakes agentic deployments or favor vertically integrated vendors who take on liability.
• Market structure and concentration risk
  • Firms that build usable, interoperable agent‑identity platforms (or control trust roots/wallets) could capture significant market power (network effects from credential portability and cross‑party acceptance).
  • Fragmented standards and trust roots create lock‑in and interoperability costs, favoring large incumbents and raising barriers to entry.
• Innovation incentives and trade‑offs
  • Safety vs speed: firms face trade‑offs between rapid agent feature rollouts and investing in robust identity/delegation infrastructure; underinvestment creates systemic externalities.
  • Public goods role: because identity trust frameworks have public‑good characteristics (network benefits, systemic risk reduction), there is a strong case for public investment or regulation to coordinate interoperable standards.
• Market for identity services and new economic actors
  • Demand growth for identity primitives: workload attestation, delegation auditing, semantic monitoring, credential marketplaces, and identity auditors — new markets and business models will emerge.
  • Pricing and access: costs of reliable identity services (e.g., attestation, third‑party audits, continuous monitoring) will feed into the cost of agentic services and could be passed downstream to consumers.
• Cross‑border inefficiencies and compliance costs
  • Jurisdictional fragmentation (different disclosure, labeling, and wallet regimes) increases compliance complexity for multinational deployments, reducing global efficiency and potentially causing supply‑chain segmentation.
• Research and policy questions with economic relevance
  • How to quantify the social value of interoperable agent identity standards and optimal public funding levels?
  • Mechanism design for delegation contracts that produce incentive‑compatible, auditable behavior by sub‑agents.
  • Insurance contract structures and pricing models for delegation and nondeterministic behavior risk.
  • Market design for credential portability and revocation that minimizes lock‑in while maintaining security.
  • Cost–benefit analyses of central trust‑root vs federated models for agent identity.

Overall, the report implies substantive economic effects across transaction costs, market structure, liability allocation, and public‑private coordination. Closing the identified structural gaps will be necessary not only for technical safety and accountability, but also to enable efficient markets for agentic services and to prevent concentration and fragmentation that could stifle competition and increase systemic risk.