Good news I have found a pathway forward for the newsletter and will be getting this new system working in the coming weeks. We will return to “weekly” updates soon. For the next 10 newsletters we will catch up in time with curated sets of links on particular themes.

This special thematic issue collects the best recent writing on the emerging challenge of identity for AI agents — how they authenticate, who they act for, and what governance frameworks must look like when software acts autonomously on behalf of humans.

New Podcasts

Decoded by Identity at the Center is a sub-series hosted by Jeff Steadman and Sean O’Dell

First issue has Pieter Kasselman, VP of Open Standards at Defakto Security and chair of the WIMSE working group, was invited to dig into agentic identity. His answer is that agents are workloads: SPIFFE, OAuth, and transaction tokens already solve 95% of the agentic identity problem. A pragmatic take grounded in existing infrastructure.

Overviews

IETF Individual Drafts Looking at Agents — George Fletcher

IETF drafts examining standards for AI agents.

Protocols & Standards

A-Auth: Agent Identity and Confidential AI

Aaron Fulkerson explains Dick Hardt‘s new authentication protocol for AI agents AAuth, requiring identity verification and auditable delegation — a foundational building block for agentic trust.

Four Open-Source Agentic Authorization Alternatives: OAuth was built for people, not for AI. - Bruno Pedro

If the “Allow” button is dead, what takes its place? The Agentic Authorization OAuth 2.1 Extension is an IETF draft.

Agent Trust Is Getting Its First Protocol Layer — George Vagenas

Lyrie.ai released Agent Trust Protocol with five cryptographic primitives alongside IETF proposals — an early attempt at a trust layer purpose-built for agents.

Workload Identity Federation - Anthropic

Pieter Kasselman comments on this on his LinkedIn.

Delegation & Authority

Delegation Is the Real Identity Problem in Agentic AI — Khaled Zaky

The core identity challenge is delegation — how AI agents act on behalf of humans, and how that chain of authority remains verifiable and revocable.

The Laws of AIdentity— Patrick Parker

Inspired by Kim Cameron’s Laws of Identity: A proposed framework for governing delegated AI action across digital and physical systems. Applies to: AI agent security, identity and access management, non-human identity, agentic AI governance, dynamic authorization, MCP and tool governance, delegated action, embodied and cyber-physical AI, audit and compliance.

[Research] Authorization Propagation in Multi-Agent AI Systems: Identity Governance as Infrastructure

This paper argues that multi-agent systems also create a distinct authorization problem: maintaining authorization invariants as non-human principals retrieve data, delegate tasks, and synthesize results across changing boundaries. We call this problem authorization propagation.

Agent Authorization — A New Twist — Christian Posta

Prior decisions and tool calls impact current authorization checks — the context-dependent nature of agent authorization breaks traditional static access models.

Agents Don’t Need Your Passport. They Need Your Authority

Enterprise IAM was designed for human-paced execution. Agents remove the presence, pacing, and natural scope-limiting that made those controls work. The result is a structural gap that stronger credentials, tighter scopes, and faster JIT provisioning cannot close.

Delegated Intelligence: The Next Compute Paradigm

The last decade of AI innovation revolved around prediction. Enterprises deployed machine learning as a decision-support layer that absorbed data, generated probabilities, and helped humans adjudicate uncertainty. The posture was passive. Models remained downstream from institutional authority. They did not act; they informed action. Everything that mattered - intent, responsibility, legitimacy, liability, remained squarely within human jurisdiction.

Digital ID for AI Agents Is Going to Be Complicated — Jamie Smith

Unpacks the emerging complexity of giving AI agents verifiable digital identities.

Trust Me, I’m Your Agent — Peter Davis

Explores the trust challenge when AI agents act on behalf of humans.

Payments & Commerce

When AI Agents Start Buying Things Online — Heather Flanagan

Fundamental questions about digital identity, payment, and liability arise when autonomous agents make purchases — who pays, who is liable, and how do merchants verify authority?

𝗗𝗶𝗴𝗶𝘁𝗮𝗹 𝗽𝗮𝘆𝗺𝗲𝗻𝘁𝘀 𝗵𝗮𝘃𝗲 𝗯𝗲𝗲𝗻 𝗼𝗻 𝗮 𝘀𝗲𝘃𝗲𝗿𝗮𝗹-𝗱𝗲𝗰𝗮𝗱𝗲 𝗷𝗼𝘂𝗿𝗻𝗲𝘆 - now Delegated Payments — David Jegerson

“Identity is the new money” — as delegation increases, responsibility must crystallize around cryptographic identity rather than institutional trust.

[Research] Digital banking in the artificial intelligence era: Strategies for serving nonhuman customers — Kirsty Rutter & David Birch

Published paper on how banking transforms when AI agents become the primary customer interface, with the idea of a “bot agency.”

Agents Don’t Care About Your Brand. What AIs Want — David Birch

AI agents prioritize clean data, reliable APIs, and trustworthy partners over brand marketing — a wake-up call for businesses built on human attention.

Governance & Accountability

AI Can Prove It’s Authorized — But Can It Prove Who’s Responsible? — Thomas Mayfield

Organizations must establish clear accountability frameworks before incidents occur. Authorization without attribution is a governance gap waiting to be exploited.

Four Failure Modes in Agentic Governance — Sankarshan

Delegation without mandate, mandate without revocation, action without audit, redress without attribution — four ways agentic governance is already failing in practice.

The Ward: A Governance Primitive for the Agentic Era — Paul Knowles

Historical governance models — wardship, fiduciary duty, guardianship — as solutions for managing autonomous AI agents. The legal patterns already exist.

Identity Security of Agentic AI — Philip Muehleck

Identity security must move to the point of every action with continuous verification and traceability — static perimeter controls cannot govern agents that cross boundaries.

What Is the Agent’s Identity? Wrong Question. — Nicola Gallo

The real question is about agency and shared memory rather than identity labels — a philosophical reframe that challenges the assumptions behind the entire agentic identity debate.

Protocols & Standards (continued)

[Video] Stop Building Custom Agent Identity — Sarah Cecchetti & Clawdrey Hepburn

Using SPIFFE, OAuth, OIDC for AI agent identity instead of custom solutions.

Mission Architecture on AAuth - Karl McGuinness

Mission-Bound OAuth argues for a durable Mission object that governs delegated authority across approval, lifecycle, delegation, and termination. This follow-up asks whether Dick Hardt’s AAuth draft is a better protocol substrate for the same model, and where AAuth still appears to need an explicit Mission-like authority object.

Agentic Trust Layer: Building the Foundation of Trust for the Age of AI Agents(Whitepaper) — NTT + AWS

Most existing AI security and governance solutions focus on model robustness and data input/output control. However, the third layer—a mechanism to prove “what AI actually did” at the workflow level—remains an industry-wide gap. This white paper aims to provide a concrete technical answer to this gap.

Cedar v Rego — Mike Schwartz

Policy language comparison for identity and authorization. Cedar is for policy management. Its defining property is analyzability. Rego is for policy orchestration. Rego, used by Open Policy Agent, excels at iteration and logical composition.

Delegation & Authority (continued)

A Framework for Delegated, Authorization — George Fletcher

Six components, four primary questions, and why the shape of delegation matters more than the syntax.

Who Is the AI Agent? — Matthias Buchhorn-Roth

The identity question for AI agents has already been settled. It took eighteen months. Here’s what the answer tells us and where it leaves Europe’s decentralized bet.

AI Browsers and the Web User Agent: What Might Need to Change? — Heather Flanagan

AI shifting from passive tool to active actor — identity and accountability implications.

Agent Readiness Assessment — Richard MacManus

Designed for product teams, publishers, platforms, and developer-focused companies. AI agents are becoming a new class of user for websites and products. They don’t browse like humans. They discover, extract, compare, summarize, and increasingly act on behalf of users. This assessment shows how well your site, content, documentation, APIs, and product surfaces work from an agent’s point of view.

Governance & Accountability (continued)

Discussion Paper Legal Responsibility for AI Agents — Peter Slattery

This paper is divided into three parts:
• Part 1 sets out its scope, objectives, and foundational concepts
• Part 2 lays out a high-level overview of the group’s discussions and its views on the application of conventional legal principles
• Part 3 seeks to explore the solution space, examining how two different liability regimes (fault-based and strict) may operate in a hypothetical scenario

The Most Important Governance Shift in Agentic Systems — Sankarshan

Authority being made executable before control is made legitimate — “sanctioned execution” vs mature governance.

Agentic AI Governance — Frederic Verhelst

McKinsey & Company published four steps for agentic AI at scale this month. Step two is the semantic layer. They named it as required infrastructure. They did not name who owns it.

AI Agents Are Moving Fast from Assistants… — Resilient Cyber

AI agents moving from assistants to autonomous actors, raising new security and governance questions.

Most Identity Programs Were Built for Humans — Josh S.

Machine identities outnumber human ones 10x; organizations must shift to workload identity federation and policy-as-code governance.

(Paper) The AI Vulnerability Storm — Jakub Szarmach

Expedited Strategy Briefing By the CSA CISO Community, SANS, [un]prompted, the OWASP Gen AI Security Project, and the wider community.

Case study on the Responsible Deployment of OpenClaw — Vadym Honcharenko

Agentic AI’s biggest vulnerability is agents’ inability to understand contextual integrity.

Microsoft Scout Autopilot Agent - MSFT Announcement

and commentary by James Monaghan