Identity

On Agents and Digital Identity

in , , ,

Over the course of my career, digital identity has applied to many things in an enterprise context. First it was the network, then the device, then the user. And just when organisations got used to, and good at, managing workloads, service accounts, and APIs as “first-class citizens”, AI Agents emerged.

If you've been to a tech conference recently, or have managed to not live under the proverbial rock, you’ve heard the term tossed around a lot lately. Vendors are embracing it, management is overusing the term and engineers are (supposed to be) experimenting with it. You probably have someone at your organisation ask you recently if you’re “using agents yet.” And yet, there’s surprisingly little clarity on what an AI agent actually is, let alone how it should be governed, secured, or identified.

What Is An AI Agent?

Depends on who you ask.

Despite the growing interest, there’s no consensus on what counts as an AI agent. Here’s a rough spectrum of current interpretations as I understand it:

Views on AI Agents

The challenge isn’t just semantic. Each of these interpretations implies very different identity and security requirements.

If an agent is just a stateless function call, maybe you audit the prompt and call it a day. But if it’s an entity that operates over time, remembers context, and initiates actions across systems? That’s not a chatbot. That’s a user you didn’t hire and you very likely won't have full oversight of it. You might want to apply strict governance protocols to it as it snakes its way through your organisation.

Worse, most enterprises don’t yet distinguish between these types (mostly because I don't know of or work with a client that has actually thrown an AI Agent into their organisation just yet). There’s a risk of flattening all AI agents into “non-human identities” and assigning them the same governance as a Terraform script or Slack bot. If you're after just checking a box, that's cool, but it will likely become a headache down the line.

Is An Agent A Glorified Service Account?

It's quite tempting to handle new and emerging concepts by mapping them to older concepts. When APIs proliferated, we gave them service accounts. When bots showed up in business processes, we registered them in the IAM stack like users and called them machine identities. When cloud workloads emerged, we invented workload identity. AI agents will likely be no different.

Faced with unfamiliar behaviours and ambiguous definitions, most orgs will default to what they know: wrap the agent in a generic machine identity, assign it to a system, and Bob's your uncle. It will get an account, some roles, some documentation and if you're lucky, someone remembers to rotate its API key.

Unfortunately, agents aren't just executing logic — they’re interpreting intent. They’re ingesting data, making decisions, and sometimes taking action in ways that aren’t fully transparent to the humans who invoked them.

Traditional Service Accounts vs Agents

From a security perspective, this creates a troubling blind spot. When something goes wrong like say, a leak, a breach or a misfired account termination, you’ll be left staring at an audit trail that says “Agent Smith did it.” But not why, or on whose behalf or with what justification. You'd be lucky if Agent Smith were even still around; after all, agents can be ephemeral depending on what they're meant to do.

So What?

All this begs the question - are our existing identity stacks still fit for purpose?

I have to admit I'm still coming to terms with what a solution to all this will eventually look like. If AI agents are going to become routine actors in the enterprise, our IAM systems will need to evolve well beyond where they are today. Not in the sense of adding another checkbox or creating an “agent” user type. That would be like bolting a sidecar onto a moving train. What’s needed is deeper: a rethink of what identity means when the actor is no longer human or even fully deterministic.

I'm almost certain that we'll see the likes of SailPoint, Okta, Saviynt and others start to address some of these problems in the coming months. Microsoft’s already partnered with ServiceNow and Workday on this front. At the very least, we'll need to look at the following:

  • Creating new identity constructs that are more expressive than a service account and more ephemeral than a workload identity.

  • Audit actual prompts that make agents do what they do - perhaps rethink privileged accounts?

  • Include agents with the remit of workforce identity governance

  • Keep humans in the loop when it comes to making decisions on what agents do

Of course, none of this matters if AI Agents don't take off in a meaningful way within enterprises. But if they do, I'm guessing our identity systems will need to do a whole lot more than just manage access.

———

Postscript:

I used ChatGPT and Claude as a ‘thinking partners’ while developing this piece and am likely to use this method for future posts. It helps me test arguments, identify gaps in logic and explore alternate views. I also used napkin.io for creating the included diagrams. Farhad Manjoo’s take on how he incorporated GenAI into his writing workflow is a useful listen and somewhat similar to how I’ve started using these tools.

Additionally, I drew on some excellent writing that touches on the evolving nature of agency, identity, and AI systems:

  1. Arvind Narayanan & Sayash Kapoor – AI as Normal Technology

  2. Microsoft – 2025: The Year The Frontier Firm Is Born

  3. Benedict Evans – Looking For AI Use-Cases

  4. Identity Defined Security Alliance (IDSA) – Managing Non-Human Identities (2021)

(Meredith Whittaker) On Signal, Encryption and AI

in , , ,

Wired has an interview with Meredith Whittaker from Signal - her stances on Surveillance Capitalism, Signal’s not-for-profit structure and AI make for very interesting reading.

Yeah. I don’t think anyone else at Signal has ever tried, at least so vocally, to emphasize this definition of Signal as the opposite of everything else in the tech industry, the only major communications platform that is not a for-profit business.

Yeah, I mean, we don’t have a party line at Signal. But I think we should be proud of who we are and let people know that there are clear differences that matter to them. It’s not for nothing that WhatsApp is spending millions of dollars on billboards calling itself private, with the load-bearing privacy infrastructure having been created by the Signal protocol that WhatsApp uses.

Now, we’re happy that WhatsApp integrated that, but let’s be real. It’s not by accident that WhatsApp and Apple are spending billions of dollars defining themselves as private. Because privacy is incredibly valuable. And who’s the gold standard for privacy? It’s Signal.

I think people need to reframe their understanding of the tech industry, understanding how surveillance is so critical to its business model. And then understand how Signal stands apart, and recognize that we need to expand the space for that model to grow. Because having 70 percent of the global market for cloud in the hands of three companies globally is simply not safe. It’s Microsoft and CrowdStrike taking down half of the critical infrastructure in the world, because CrowdStrike cut corners on QA for a fucking kernel update. Are you kidding me? That’s totally insane, if you think about it, in terms of actually stewarding these infrastructures.

So you’re saying that AI and surveillance are self-perpetuating: You get the materials to create what we call AI from surveillance, and you use it for more surveillance. But there are forms of AI that ought to be more benevolent than that, right? Like finding tumors in medical scans.

I guess, yeah, although a lot of the claims end up being way overhyped when they’re compared to their utility within clinical settings.

What I’m not saying is that pattern matching across large sets of robust data is not useful. That is totally useful. What I’m talking about is the business model it’s contained in.

OK, say we have radiological detection that actually is robust. But then it gets released into a health care system where it’s not used to treat people, where it’s used by insurance companies to exclude people from coverage—because that’s a business model. Or it’s used by hospital chains to turn patients away. How is this actually going to be used, given the cost of training, given the cost of infrastructure, given the actors who control those things?

AI is constituted by this mass Big Tech surveillance business model. And it’s also entrenching it. The more we trust these companies to become the nervous systems of our governments and institutions, the more power they accrue, the harder it is to create alternatives that actually honor certain missions.

Just seeing your Twitter commentary, it seems like you’re calling AI a bubble. Is it going to self-correct by imploding at some point?

I mean, the dotcom bubble imploded, and we still got the Big Tech surveillance business model. I think this generative AI moment is definitely a bubble. You cannot spend a billion dollars per training run when you need to do multiple training runs and then launch a fucking email-writing engine. Something is wrong there.

But you’re looking at an industry that is not going to go away. So I don’t have a clear prediction on that. I do think you’re going to see a market drawdown. Nvidia’s market cap is going to die for a second.

On Worldcoin, DAOs and digital identity black markets

in , , ,

Molly White has a great essay on Sam Altman’s iris scanning orb and its purported use cases.

Much of Worldcoin’s promises are predicated on the questionable idea that highly sophisticated artificial intelligence, even artificial general intelligence, is right around the corner. It also hinges on the “robots will take our jobs!” panic — a staple of the last couple centuries — finally coming to bear. Worldcoin offers other use cases for its product too, like DAO voting, but it is not the promise to solve DAO voting that earned them a multi-billion dollar valuation from venture capitalists.

Other use cases that Worldcoin has offered seem to assume that various entities — governments, software companies, etc. — would actually want to use the Worldcoin system. This seems highly dubious to me, particularly given that many governments have established identification systems that already enjoy widespread use. Some even employ biometrics of their own, like India’s Aadhaar. There’s also the scalability question: Worldcoin operates on the Optimism Ethereum layer-2 blockchain, a much speedier alternative to the layer-1 Ethereum chain to be sure, but any blockchain is liable to be a poor candidate for handling the kind of volume demanded by a multi-billion user system processing everyday transactions.

What will happen when you promise people anywhere from $10 to $100 for scanning their eyeball? What if that’s not dollars, but denominated in a crypto token, making it appealing to speculators? And what if some people don’t have the option to scan their own eyeballs to achieve access to it?

A black market for Worldcoin accounts has already emerged in Cambodia, Nigeria, and elsewhere, where people are being paid to sign up for a World ID and then transfer ownership to buyers elsewhere — many of whom are in China, where Worldcoin is restricted. There is no ongoing verification process to ensure that a World ID continues to belong to the person who signed up for it, and no way for the eyeball-haver to recover an account that is under another person’s control. Worldcoin acknowledges that they have no clue how to resolve the issue: “Innovative ideas in mechanism design and the attribution of social relationships will be necessary.“ The lack of ongoing verification also means that there is no mechanism by which people can be removed from the program once they pass away, but perhaps Worldcoin will add survivors’ benefits to its list of use cases and call that a feature.

Relatively speaking, scanning your iris and selling the account is fairly benign. But depending on the popularity of Worldcoin, the eventual price of WLD, and the types of things a World ID can be used to accomplish, the incentives to gain access to others’ accounts could become severe. Coercion at the individual or state level is absolutely within the realm of possibility, and could become dangerous.

On Facial Recognition and Identity Proofing

in ,

Wired has a good piece on the IRS in the US caving to public outcry and ditching its integration with ID.me - a service that was supposed to verify identities (by matching video selfies to existing records). It’s understandable why this would cause concerns given that facial recognition is rife with false matches, biases and a reputation for invasiveness. With fraud being a pressing issue now when a majority of us (at least in Australia) access nearly every civic service online, governments are going to want to think about how they balance policy, privacy and messaging.

Unfortunately, the landscape at the moment is messy and populated by a number of third-party vendors still finding their feet in an area where privacy and policy concerns are outweighed by sexier usability and convenience use cases.

“The fact we don’t have good digital identity systems can’t become a rationale for rushing to create systems with Kafkaesque fairness and equity problems.” - Jay Stanley, ACLU

It’ll be interesting to see how Australia’s Trusted Digital Identity Framework (TDIF) will look to address some of these inherent problems through a continuous expansion of its standards.