AI agents now run real transactions, multi-hop tool chains, and sub-agent delegation—often without a human in the loop. Passwords, biometrics, and browser SSO were built for embodied humans; they systematically fail for entities that are nondeterministic, cloneable, and frequently sessionless. Otsuka, Toyoda, and Leung (2026), AI Identity: Standards, Gaps, and Research Directions for AI Agents (arXiv:2604.23280), survey ~80 sources (2024–2026) and argue that AI Identity is not a credential check but a continuous correspondence between what an agent declares and what it does. Below is a structured reading note—not a substitute for the full report.

Executive takeaway

AI Identity = the ongoing relationship between declared identity and observed behavior, bounded by confidence that the two align at any moment.

Enterprise non-human identities (NHIs) already outnumber humans (reports cite ratios on the order of 144:1), yet most organizations still run agents on shared API keys or inherited human tokens rather than as first-class principals. No current standard spans the full lifecycle: enrollment → runtime auth → multi-hop delegation → behavioral accountability → cross-org audit.

1. Why human identity frameworks break

1.1 Four structural dimensions

| Dimension | Human | AI agent |
|-----------|-------|----------|
| Substrate | Biological (DNA, neural tissue) | Computational (weights, prompt, credentials—all mutable) |
| Persistence | Continuous across time/context | Model-level stability; operational context resets often |
| Verifiability | Biometrics as stable anchors | Same input → different output; config drift breaks enrollment-time checks |
| Legal standing | Rights + obligations (GDPR, eIDAS) | No personhood; authority delegated from human/org principal |

Extending human IAM without redesign produces systematic failure—not edge cases.

1.2 Four non-human identity types (do not conflate)

| Type | Represents | Typical artifact | Lifecycle |
|------|------------|------------------|-----------|
| Model | Trained artifact (weights, architecture, provenance) | Model card, weight hash | Stable until retrained |
| Agent | Configured deployment (prompt, persona, tools) | Agent card, prompt hash | Session / task |
| Workload | Running process/container/instance | SPIFFE SVID (X.509/JWT) | Ephemeral |
| Delegated | Authorization on behalf of a principal | OAuth token, JWT act claim | Scoped to grant |

Most vulnerabilities sit at the agent layer (prompt injection, stolen credentials, tool abuse). Workload identity (SPIFFE) proves which process is on the wire, not what it will do next. Delegated identity needs scope attenuation—each hop must narrow, never widen, permissions.

2. Market, standards, and regulation (RQ2)

2.1 Vendor landscape (partial answers)

| Cluster | Examples | Solves | Misses |
|---------|----------|--------|--------|
| Governance / lifecycle | Saviynt, RadiantOne, Astrix, NHIMG | Discovery, policy attachment, NHI as principals | Assumes trustworthy credential underneath |
| Runtime credentials | Vault+SPIFFE, Vouched KYA, HUMAN AgenticTrust | Issuance, verification, relying-party trust | Incompatible formats, roots, delegation semantics |

No single product covers enrollment + runtime auth + behavioral accountability.

2.2 Standards verdict (pattern)

| Function | Mature-ish | Partial / fails |
|----------|------------|-----------------|
| Authentication | SPIFFE/WIMSE, workload SVIDs | SAML fails (browser session model) |
| Authorization / delegation | OAuth one-hop, OBO drafts | Multi-hop chains, scope-to-skill mapping, MCP per-tool auth |
| Protocols | MCP (tools), A2A (agent cards + JWS) | Identity out of scope or integrity-only |
| Governance docs | OWASP Agentic Top 10, NIST NCCoE concept | Diagnostic—no implementable controls |

OAuth 2.0 + CIBA help move human consent off the browser but do not scale to autonomous agent throughput. MCP + OAuth 2.1 (2026) tightens HTTP transport but leaves six authorization failure modes (see §4.2 in the report).

2.3 Regulatory fragmentation

EU AI Act Art. 50 (transparency, Aug 2026), eIDAS 2.0 wallets, CRA—oriented to citizens and content marking, not agent principals. US: NIST NCCoE + CAISI initiative, no federal AI identity law. China: mandatory AI content labeling + service registration. Singapore: IMDA agentic governance framework + CSA T9 identity spoofing controls and trusted agent registry—explicitly calls standardized identity protocols an open gap.

Cross-border agents face incompatible obligations, not just missing specs.

3. Six technology areas (RQ3)

3.1 Authentication

Dominant pattern: agents as workloads—SPIFFE/SPIRE attestation → SVID → mTLS; IETF AIMS draft adds proof-of-possession tokens and dual-identity binding to human/org owners. A2A Agent Cards (.well-known/agent.json, optional JWS) and MCP OAuth 2.1 cover discovery and tool access.

Persistent gap: all mechanisms authenticate the container (cert, token, card)—not model behavior, system prompt integrity, or imminent intent. A fully authenticated agent can go out of mandate seconds later via injection or hallucinated tool calls.

3.2 Authorization and delegation

OBO token exchange separates the user's sub claim from the agent's act claim. Triangle of Trust (user–agent–service) and token vaults (opaque handles, no raw secrets in agents) reduce impersonation and exfiltration.

Hard problem: recursive delegation (A→B→C) with cryptographically verifiable scope attenuation and cross-domain vocabulary—no production standard. MCP amplifies risk: no per-tool auth, confused deputy, privilege concentration, fragmented audit, over-broad tool discovery, no binding from tool call back to consent chain.
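As an added illustration (my code, not the report's or any cited standard's), here is a minimal multi-hop delegation chain with the scope-attenuation rule enforced at verification time: every hop is signed by its issuer, hash-linked to its parent, and rejected if it widens scope, changes the root principal, or is issued by anyone other than the previous hop's actor. Party names, keys and the token layout are constructed for the demo; a real OBO token-exchange deployment would use signed JWTs and per-workload keys rather than shared HMAC secrets.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Set, Tuple

# Constructed demo keys (one HMAC secret per issuer); real deployments would use per-workload keys.
KEYS = {"user": b"k-user", "agent-a": b"k-agent-a", "agent-b": b"k-agent-b"}

def sign(payload: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of one hop payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def delegate(parent: Optional[dict], issuer: str, actor: str, scope: Set[str]) -> dict:
    """Issue one hop: `issuer` lets `actor` act on behalf of the root principal (sub)."""
    payload = {
        "sub": parent["payload"]["sub"] if parent else issuer,  # root principal never changes
        "iss": issuer,                                           # who grants this hop
        "act": actor,                                            # who receives it (OBO-style act)
        "scope": sorted(scope),
        "parent": parent["sig"] if parent else None,             # hash-link to the previous hop
    }
    return {"payload": payload, "sig": sign(payload, KEYS[issuer])}

def verify_chain(chain: List[dict]) -> Tuple[bool, str]:
    """Walk root-first: each hop must be signed by a known issuer, linked to its parent,
    issued by the parent's actor, keep the root principal, and narrow (never widen) scope."""
    prev = None
    for i, tok in enumerate(chain):
        p = tok["payload"]
        if not hmac.compare_digest(tok["sig"], sign(p, KEYS.get(p["iss"], b""))):
            return False, f"hop {i}: bad signature or unknown issuer"
        if prev is not None:
            pp = prev["payload"]
            if p["parent"] != prev["sig"]:
                return False, f"hop {i}: not linked to parent"
            if p["iss"] != pp["act"]:
                return False, f"hop {i}: issuer is not the parent's actor"
            if p["sub"] != pp["sub"]:
                return False, f"hop {i}: root principal changed"
            if not set(p["scope"]) <= set(pp["scope"]):
                return False, f"hop {i}: scope widened"
        prev = tok
    return True, "ok"

def demo_chain() -> List[dict]:
    # user -> agent-a -> agent-b -> agent-c, attenuating scope at every hop (constructed)
    root = delegate(None, "user", "agent-a", {"read", "write", "delete"})
    hop1 = delegate(root, "agent-a", "agent-b", {"read", "write"})
    hop2 = delegate(hop1, "agent-b", "agent-c", {"read"})
    return [root, hop1, hop2]
```

Note what the verifier still cannot see: a chain that passes every check says nothing about whether agent-c's next tool call is within the intent behind the grant, which is exactly the semantic-intent gap the report flags.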

3.3 Portable credentials

W3C DID/VC, MCP-I (DIF), TRAIL DID method, ZKPs for selective disclosure. Zero-trust identity frameworks hash model parameters into DID documents—binding identity to a specific model version.

Limit: proves credential possession, not reasoning integrity.

3.4 Provenance and content integrity

C2PA for output attribution; SLSA/Sigstore for model supply chain. Provenance shows origin and pipeline, not why the agent acted at execution time.

3.5 Governance and monitoring

DPoP (RFC 9449) binds tokens to client keys; CAEP pushes real-time revocation events; MAPL + distributed PEPs enforce pre-execution policies; Agent Behavioral Contracts (ABCs) attach runtime invariants to identity records.

Still action-level—no inspection of internal reasoning before initiation.

3.6 Audit and attestation

TEEs (SGX, TDX, TrustZone) + remote attestation; immutable hash-chain audit (e.g. AuditableLLM); SVIP links hidden states to external identity signals.

TEEs attest code run, not legitimate intent.

4. Five structural gaps (RQ4)

These are boundary conditions, not mere engineering backlog:

| Gap | Core issue | Partial mitigations today |
|-----|------------|---------------------------|
| 1. Semantic intent | Crypto correctness ≠ semantic correctness (injected agent passes all checks) | TEE, ZKP, ABCs, SVIP—none verify why |
| 2. Recursive delegation | No production multi-hop chain to human principal; ~75% orgs lack full agent-to-agent visibility | OBO one-hop; AIMS draft; scope attenuation principle only |
| 3. Agent identity integrity | Puppeteering, Sybil cloning, impersonation mid-chain | TEE instance binding, ABC anomalies, rate limits—insufficient |
| 4. Governance opacity | ~82% governance confidence vs ~47% agents monitored; strict gates → shadow agents | DPoP, CAEP, MAPL—per-call verification ≠ fleet behavior map |
| 5. Operational sustainability | Universal micro-verification (ZKP+TEE+audit every call) may not scale ecologically | No baselines at fleet scale |

Research directions (embedded in report)

  • Intent-aware ABCs; SVIP extended toward behavioral intent; HITL at semantic decision points without killing throughput.
  • Monotonic scope attenuation; bidirectional delegation signing; cross-org immutable delegation logs.
  • Instance binding resistant to cross-machine TEE replication; hijack detection in validation path.
  • Tiered verification by risk; aggregate behavioral monitoring; lightweight onboarding for small deployers.
  • Ecological ceilings; amortized/batched verification without weakening guarantees.

5. Unifying frame: three layers

The report proposes identity as continuous estimation, not binary valid/revoked:

Declaration layer  — credentials, DIDs, model/prompt hashes, regulatory status
        ↕ correspondence (confidence, decays over time)
Observation layer  — tool calls, delegation hops, behavioral telemetry

Safe agents = high, stable confidence that declaration matches observation—not merely unexpired tokens.
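An added example (mine, not the report's) that turns the declaration/observation frame into a computation: a correspondence score that decays with time since the last attestation, drops further for each observed out-of-mandate tool call or over-deep delegation hop, and is gated by action risk tier in the spirit of implications 5 and 6 below. The half-life, penalty, thresholds, agent card and telemetry records are assumed values constructed for the demo, not figures from the report.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Illustrative parameters (assumptions, not values from the report).
HALF_LIFE = 600.0   # seconds: confidence halves every 10 min without fresh attestation
PENALTY = 0.5       # a fresh out-of-mandate observation halves confidence
# (allow_at, step_up_at) per action risk tier: high-risk calls demand more confidence
THRESHOLDS = {"low": (0.3, 0.1), "high": (0.8, 0.5)}

@dataclass(frozen=True)
class Declaration:
    """What the agent claims: its card (allowed tools, delegation depth) and last attestation."""
    agent_id: str
    allowed_tools: frozenset
    max_hops: int
    attested_at: float   # seconds; last time the card / prompt hash was freshly verified

@dataclass(frozen=True)
class Observation:
    """One telemetry record: a tool call made at delegation depth `hops`."""
    t: float
    tool: str
    hops: int

def correspondence(decl: Declaration, obs: List[Observation], now: float) -> float:
    """Confidence in [0, 1] that observed behavior still matches the declaration."""
    age = max(0.0, now - decl.attested_at)
    conf = 0.5 ** (age / HALF_LIFE)              # staleness: decays since last attestation
    for o in obs:
        violations = int(o.tool not in decl.allowed_tools) + int(o.hops > decl.max_hops)
        if violations:
            recency = 0.5 ** (max(0.0, now - o.t) / HALF_LIFE)   # old violations fade
            conf *= (1.0 - PENALTY * recency) ** violations
    return conf

def decide(conf: float, risk: str) -> str:
    """Risk-proportional gate: allow, step up (HITL / re-attest), or block."""
    allow_at, step_up_at = THRESHOLDS[risk]
    if conf >= allow_at:
        return "allow"
    if conf >= step_up_at:
        return "step-up"
    return "block"

def evaluate(decl: Declaration, obs: List[Observation], now: float, risk: str) -> Tuple[float, str]:
    conf = correspondence(decl, obs, now)
    return conf, decide(conf, risk)

# Constructed sample: a billing agent attested at t=0, allowed two tools and one delegation hop.
BILLING = Declaration("billing-agent", frozenset({"lookup_invoice", "send_email"}), 1, 0.0)
```

With this shape, an agent whose token is still valid but whose recent calls fall outside its card is stepped up or blocked on high-risk actions before any single catastrophic call, while low-risk traffic keeps flowing.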

6. Implications for builders

  1. Treat agents as first-class NHIs—no shared human OAuth sessions or long-lived API keys as default.
  2. Separate model / agent / workload / delegated identity in design docs and IAM policies.
  3. Assume MCP/OAuth front door ≠ tool-surface authorization—add per-tool PEPs, least privilege, unified audit correlation.
  4. Plan for multi-hop delegation now—even if v1 is one-hop, log format and scope vocabulary should not foreclose chains.
  5. Monitor confidence, not just credentials—behavioral drift should degrade trust before catastrophic violation.
  6. Tier verification cost—full crypto stack on every micro-call may be infeasible; risk-proportional gates + batch/amortize where safe.
  7. Regulatory matrix—EU content marking, CN labeling, SG trusted registry requirements differ; “compliant in one region” ≠ portable.

7. Limits of this report

Snapshot early 2026; AIMS security section still marked TODO; fast-moving standards (MCP-I, TRAIL, CAISI). Use as evaluation rubric and research agenda, not a deployment checklist.

Reference

Otsuka, T.; Toyoda, K.; Leung, A. AI Identity: Standards, Gaps, and Research Directions for AI Agents. arXiv 2026, arXiv:2604.23280 (report dated April 25, 2026). CC BY 4.0.