Who Gets to Govern the Identity of AI Agents?

A Question You Probably Haven’t Thought About

Picture the scene. Your AI assistant is comparison-shopping airfares for you. Another agent, running quietly in the background, is rifling through your calendar. A third is negotiating a seat assignment with an airline’s API. Across this entire chain, not a single link can answer a basic set of questions: Who sent these agents? What are they permitted to do? And when something goes wrong, who is on the hook?

This is not a thought experiment — it is already happening. IDC projects that by 2028, some 1.3 billion AI agents will be in operation worldwide, and the way most of them manage identity today can be described, without much exaggeration, as a set of API keys tucked inside environment variables. A security audit of thirty open-source AI agent projects found that ninety-three per cent rely on precisely this mechanism, with no per-agent identity, no consent framework, and no revocation pathway¹. The technical standards are evolving fast — the OpenID Foundation, DIF, and IETF are all advancing their respective protocols — but the institutional architecture, the question of who gets to set the rules, who enforces them, and who bears responsibility when things fall apart, lags far behind.

What this essay sets out to explore is the governance architecture we will need once agents acting on behalf of humans becomes the norm rather than the novelty. Beyond technical standards, how does trust get established between people and agents? What can a quarter-century of DNS governance teach us, and which of its lessons should we be careful not to repeat?

---

The Mirror of DNS Governance

The global Internet’s namespace has been coordinated by ICANN for more than twenty-five years. Incorporated in 1998 as a California nonprofit public-benefit corporation, ICANN reported consolidated revenue of roughly $149.4 million for its 2024 fiscal year, drawn primarily from contractual relationships with registries and registrars². It is a singular governance experiment — an attempt to manage a shared global infrastructure through contracts, community processes, and enforceable legal mechanisms.

Several features of this history deserve the attention of anyone designing governance for agent identity.

After the IANA stewardship transition from the U.S. government in 2016, ICANN established an Empowered Community mechanism. Its supporting organizations and advisory committees can exercise community powers under California law, including vetoing budgets, blocking bylaw amendments, and removing board directors³. The NTIA’s evaluation confirmed that this mechanism rests on multistakeholder proposals and accountability reforms as pillars of legitimacy⁴. In other words, the community’s power has legal teeth — a rarity in global governance.

Another design worth studying is ICANN’s separation of technical operations from policy-making. Day-to-day technical functions are carried out by its subsidiary, PTI, while policy emerges from community processes and is ratified by the board. This layered logic maps directly onto the need, in agent-identity infrastructure, to separate credential issuance and revocation from the making of governance rules.

But the DNS experience also exposes structural weaknesses in the multistakeholder model — weaknesses that may prove even more acute in the domain of agent identity.

The scholar Jeanette Hofmann (2016) has argued that multistakeholder governance risks becoming a form of “process worship” — when process itself is treated as the source of legitimacy, substantive questions of power distribution can be obscured⁵. Van Klyton and colleagues (2023) pushed the critique further, observing hegemonic patterns in the language and agenda-setting of ICANN meetings: actors with greater resources can reproduce their dominant position through procedural maneuvering⁶.

The cost of new gTLD applications provides a concrete illustration of threshold effects. The first-round evaluation fee in 2012 was $185,000; the next round, anticipated for 2026, is projected at roughly $227,000, with ICANN citing cost-recovery principles⁷. For communities and organizations in the Global South, this threshold means that the right to expand the namespace is effectively concentrated among those who can afford the application. And ICANN’s consensus process produced a gap of approximately fourteen years between the two rounds of new gTLDs (the first in 2012, the second expected in 2026) — a pace that is difficult to reconcile with an AI agent ecosystem evolving on a quarterly cadence.

Milton Mueller (2002, 2010), in Ruling the Root and Networks and States, has identified a tendency toward regulatory capture favoring American corporations — a risk inherent in any model whose revenue depends heavily on regulated entities⁸.

So what DNS governance offers the designers of agent-identity governance is a set of institutional elements: enforceable power distribution, actionable redress mechanisms, sustainable financial models, and transparency amenable to external scrutiny. Transplanting ICANN’s organizational form wholesale, however, runs into a fundamental obstacle: DNS governance addresses a relatively narrow domain of naming resources, whereas agent identity cuts across cybersecurity, consumer protection, labor, finance, health care, and a host of other legal regimes.

---

Every Crack in the Delegation Chain

If DNS governance provides the institutional analogy, principal-agent theory supplies the analytical backbone. Jensen and Meckling (1976) defined the agency relationship and its unavoidable costs — monitoring costs, bonding costs, and residual loss⁹. Eisenhardt (1989) confirmed that the core challenge of the framework lies in designing contracts that reduce the risk of agent deviation from principal interests under conditions of information asymmetry and imperfect oversight¹⁰.

When the principal is a human being and the agent is an AI system, every one of these problems is amplified. Noam Kolt (2025) identifies four core agency problems: information asymmetry (users know little about an agent’s capabilities and internal workings), authority overreach (agents taking actions beyond the scope of their mandate), loyalty conflicts (agents may serve developers or advertisers rather than users), and recursive delegation (agents sub-delegating tasks to other agents)¹¹. Traditional oversight and incentive design break down here, because AI agents are neither driven by economic motivation nor constrained to human speeds.

The political scientist Kaare Strom (2000) introduced a concept from parliamentary democracy that is particularly apt in this context: the delegation chain. His key insight is that accountability flows in the opposite direction from delegation¹². Voters delegate to legislators, who delegate to the executive, who delegates to bureaucrats — and accountability runs the other way. In AI systems, the delegation chain flows from humans to agents, to sub-agents, to external services, but the reverse channel of accountability is almost entirely absent.

Industry has taken notice. A 2025 white paper from the OpenID Foundation observes that the prevailing practice is to let agents act under the user’s own identity, making it impossible for external services to distinguish between a user’s personal actions and an agent acting on the user’s behalf — a black hole for auditing and accountability¹³. Stocker and Lehr (2025), writing in the Network Law Review, deepen the problem with their concept of the “shadow principal”: the user believes the agent serves them, but the agent’s behavior is shaped by the interests of its developer, its platform provider, or its advertisers, producing a structural loyalty conflict¹⁴.

Security research provides empirical support. Wu et al. (2026) demonstrated in experiments that web-automation agents, when subjected to social-engineering attacks — including scenarios involving credible identity forgery — exhibited worrying success rates¹⁵. It should be noted, however, that these experiments were conducted in controlled environments; real-world deployment conditions may produce different outcomes, and the results should be extrapolated with care.

Real-world security incidents are equally instructive. Microsoft Copilot was reportedly affected by the EchoLeak vulnerability, which allowed zero-click prompt injection and data exfiltration from OneDrive, SharePoint, and Teams. According to Obsidian Security (2024), an AI assistant at a financial institution was manipulated into approving a $2.3 million fraudulent wire transfer. And, as reported in the tech press, Perplexity’s Comet browser agent was commandeered by instructions hidden in a Reddit comment — logging into the user’s email and transmitting credentials within a hundred and fifty seconds, with the user none the wiser. The details of these incidents still await fuller independent verification, but the risk profile they collectively paint is clear enough.

What these cases point to, taken together, is that technical standards for authentication and login, however sophisticated, cannot by themselves meet society’s expectations of accountability. The governance of delegation chains — making them auditable, constrainable, revocable, and traceable — must be engineered as a core function, not bolted on after the fact.

---

When Responsibility Has No Address

The principal-agent framework maps the structure of interests, but the relationship between humans and AI agents also raises deeper philosophical questions. When an action is jointly produced by complex computational systems and multi-party supply chains, how does the attribution of responsibility work? And how should trust be calibrated?

Floridi and Sanders (2004), writing in Minds and Machines, argued that artificial agents “extend the class of entities that can be involved in moral situations” — that AI agents, at an appropriate level of abstraction, can be regarded as moral agents even though they lack free will and consciousness¹⁶. Floridi’s crucial distinction is that an AI agent can be held accountable without necessarily being responsible: the latter requires free will, while the former requires only an attributable causal chain. His concept of “distributed morality,” introduced in 2016, goes further, showing that morally significant consequences can emerge from individually harmless actions within a distributed system. His more recent work (2025) warns that attributing agency to AI risks creating a “responsibility gap” in which neither humans nor machines can be properly held to account.

How does this responsibility gap manifest in practice? Nissenbaum (1996) identified multiple barriers to accountability in computerized societies, including the “problem of many hands” — in which the joint causation of outcomes by multiple actors makes individual attribution difficult — and the tendency to offload responsibility onto the system itself¹⁷. Thompson (1980), approaching the same dilemma from political theory, argued that in modern governance, the joint production of policy outcomes by many individuals renders moral attribution extraordinarily difficult and demands institutional arrangements designed to receive and allocate responsibility¹⁸. Van de Poel (2012) proposed treating moral responsibility as a systemic problem and responding to responsibility gaps in engineered systems through what he calls “design for responsibility”¹⁹.

Madeleine Clare Elish (2019) captured the characteristic failure mode of responsibility in her concept of the “moral crumple zone”²⁰. Just as the crumple zone of a car absorbs the force of a collision, the human operator in a highly automated system tends to absorb the full moral and legal impact of system failure — protecting the integrity of the technical system at the expense of the nearest person. In AI delegation chains, the human “principal” absorbs the full weight of responsibility for actions they cannot meaningfully oversee.

Lee and See (2004), writing in Human Factors, established a complementary framework. Trust in automation is calibrated: people adjust their degree of reliance based on their perception of a system’s capabilities, their observation of its consistency, and their ability to predict when it will fail²¹. They identified three trust processes — analytic, analogic, and affective — with the affective process exerting a dominant influence.

The implications for the design of agent-identity governance are plain. A governance system must provide signals sufficient for users to calibrate their trust appropriately, avoiding both blind reliance and wholesale rejection. Transparency, therefore, cannot stop at technical log disclosure; it must be translated into trust signals that users can actually understand and grievance channels they can actually use.

---

Lessons — and Cautionary Tales — from Around the World

Theory needs an empirical foundation. The record of global digital-identity systems reveals a recurring pattern: the building and maintenance of trust depend heavily on institutional conditions — legal authorization, data protection, public participation, a perceived public benefit, and the capacity to prevent exclusion and discrimination.

Start with two poles of trust infrastructure. In 2011, DigiNotar, a Dutch certificate authority, was breached, and attackers forged certificates covering hundreds of websites. ENISA’s report noted that DigiNotar had inadequate basic security measures and had delayed notification²². Browser vendors and the Dutch government responded with a systematic de-trusting — removing DigiNotar’s trust root — that ultimately drove the company into bankruptcy. The incident laid bare the “weakest link” vulnerability of the certificate ecosystem: a single institution’s failure can affect a vast number of users, though one should be cautious about generalizing from a single case to all trust infrastructure. On the other end of the spectrum, the nonprofit Let’s Encrypt (operated by ISRG) reported more than 420 million active certificates in its 2024 annual report²³, funded primarily through community donations and sponsorships²⁴, building trust through a public-benefit narrative and operational transparency — though its growth has also been driven by browser policies, the broader push for HTTPS, and the appeal of automation.

The spectrum of national digital identity is even more varied. Estonia’s X-Road system, according to official data from approximately 2024-2025, connects more than 929 institutions and 1,887 information systems, processing roughly 295 million requests per month, of which ninety-seven per cent are machine-to-machine interactions. Its decentralized architecture was born of trauma: in 1996, a contractor built and sold a personal-data “super database,” prompting Estonia to adopt a design with no central data repository. The e-Residency program claims to have generated nearly 125 million euros in direct state revenue in 2025²⁵, though a portion of that figure may reflect companies filing dividend declarations in advance of tax-code changes (a reported year-on-year increase of eighty-seven per cent), and the scope and allocation of these figures still merit independent audit.

Singapore’s SingPass, according to data from roughly the same period, has achieved a ninety-seven per cent adoption rate among eligible citizens, with 4.5 million users and 350 million transactions processed annually. In January 2026, Singapore’s IMDA published what is, by most accounts, the world’s first governance framework specifically for agentic AI²⁶. The EU’s eIDAS 2.0 introduces the European Digital Identity Wallet, with a deadline of December 2026 for member states to offer wallets to citizens. The WE BUILD consortium has put forward a policy recommendation to extend agent trust identities onto existing EU infrastructure²⁷, and Talao’s implementation combining MCP with OIDC4VP demonstrates how agents can obtain verified identity through the EUDI Wallet²⁸.

The cautionary cases reveal what happens when institutional conditions fall short. The United Kingdom’s national identity-card scheme was legislated into being in 2006, only to be legislated out of existence in 2010 by a new government, which also ordered the destruction of collected data²⁹. The deeper failure was Gov.UK Verify, which consumed 233.3 million pounds, achieved a verification success rate of just forty-eight per cent (against a target of ninety per cent), enrolled only 3.6 million users (against a target of 25 million), and was finally shut down between 2023 and 2024³⁰. At least nine parallel identity systems sprang up across various government departments. Political legitimacy and public trust, once lost, can reverse large-scale identity infrastructure outright.

India’s UIDAI had issued more than 141.80 crore Aadhaar numbers (one crore equals ten million) as of March 31, 2025³¹, and the government estimates annual savings of roughly 20,000 crore INR in subsidy leakage. But the economist Jean Dreze, drawing on fieldwork, has found that in regions requiring biometric authentication for every transaction, the exclusion error rate reaches twenty per cent. According to investigations by Dreze and the journalist Siraj Dutta, among others, at least a dozen hunger-related deaths in the state of Jharkhand have been linked to Aadhaar-based exclusion. These figures come from field research and journalistic investigation rather than official statistics, and they carry the usual limitations of sampling and causal attribution — but they are sufficient to signal the harm that large-scale identity systems can inflict on people at the margins.

The judicial battle over Kenya’s NIIMS (Huduma Namba) is equally instructive. The High Court’s ruling cited deficiencies in the legislative process, the data-protection framework, and public participation, and it recorded government officials testifying that 7 billion Kenyan shillings had already been spent (a figure drawn from courtroom testimony that should be cross-referenced with budget documents)³². The ruling also flagged the risk of marginalizing minority groups, including the Nubian community. More broadly, the World Bank’s ID4D estimates that approximately five hundred million Africans still lack basic identity documents — “silent exclusion” is the central challenge of digital identity on the continent³³.

The leap from these national experiences to agent governance requires caution. National identity systems address the relationship between citizens and the state; agent identity involves the multi-layered relationships among humans, software, platforms, and services, with fundamentally different stakeholder structures and legal frameworks. But the core lessons of institutional design — transparency, redress, participation, and protection for those at the margins — are transferable in kind.

---

Two Parallel Tracks of Identity Evolution

Set these cases side by side, and an intriguing observation emerges. Human digital identity and AI agent digital identity are passing through structurally similar evolutionary stages — only at vastly different speeds and under very different conditions.

The history of human digital identity can be roughly divided into three phases. The first is institutionally conferred identity. Passports, national ID cards, Social Security numbers — all are identifiers issued unilaterally by the state or an institution, centrally managed. Estonia’s electronic ID, launched in 2002, and India’s Aadhaar, initiated in 2009, are digital incarnations of this stage. The second phase is federated identity. OAuth and SAML allowed users to log in to third-party services with a Google or Facebook account, extending identity from a single institution to a cross-platform arrangement. The price, however, was a concentration of identity control in the hands of a few major platforms: your “Google account” belongs to Google — you are merely the user. The third phase is portable, self-sovereign identity. The vision of DIDs (decentralized identifiers) and VCs (verifiable credentials) is for individuals to hold their own identity credentials, presenting them on demand, with no single institution able to revoke them unilaterally. The EU’s eIDAS 2.0 digital identity wallet is an attempt to institutionalize this vision.

AI agent identity is now retracing a similar path on a compressed timeline. Today’s dominant practice — API keys stashed in environment variables — corresponds to the most primitive form of institutionally conferred identity. The key is issued by the service provider, bound to a specific platform, non-portable, lacking fine-grained authorization, and revocable only by total disconnection. Microsoft Entra Agent ID and Google’s A2A protocol are pushing toward federation — enabling agents to operate across services within an enterprise ecosystem — but control remains anchored to the platform. DIF’s Trusted AI Agents Working Group and W3C’s Agent Protocol Community Group are exploring a portable identity layer for agents, one that would allow them to carry verifiable capability declarations and delegation proofs as they move between platforms.

The parallels in evolutionary structure reveal predictable tensions. Every turning point in the human journey from centralized to decentralized digital identity has been accompanied by fierce redistributions of power. Facebook’s “Log in with Facebook” button turned the company into the Internet’s identity broker, accumulating an enormous data advantage. When Apple launched Sign in with Apple, it was, in essence, competing for the same intermediary position. The DID/VC vision of decentralization has made slow progress to date, in no small part because it asks existing intermediaries to relinquish control they have already secured — and no one volunteers to dismantle their own power.

AI agent identity is replicating this dynamic at an accelerated pace. Platform operators have a powerful incentive to lock agent identity into their own ecosystems. If your AI assistant can be recognized and authorized only within the Microsoft ecosystem, the cost of migrating to another platform is a total rebuild of trust from scratch — the classic lock-in effect. The WE BUILD consortium’s policy recommendations²⁷ and Christopher Allen’s anchors for platform independence³⁹ are both responses to this structural risk.

But the evolution of agent identity also has several characteristics that are fundamentally unlike those of human identity, making it harder to predict the trajectory.

First, scale and speed. Human digital identity is issued on the timescale of years; a national identity system typically takes a decade or more to reach scale. AI agents are created and destroyed in milliseconds. A single organization might spin up thousands of short-lived agents each day, each surviving for fifteen minutes¹³. This means agent-identity systems must handle transaction volumes and lifecycle management of an entirely different order from human identity systems.

Second, the ontological status of identity. Humans possess identity innately — you are born as yourself, and identity systems merely recognize a pre-existing entity. Agents have no such prior existence. An agent’s “identity” is defined entirely by its creator, constituted by its capability declarations, and given meaning by its delegation chain. This makes agent identity closer to a “role” than a “persona” — the same underlying model can simultaneously serve as your calendar assistant and your financial adviser, two roles requiring entirely different identities and permissions. Floridi’s theory of levels of abstraction¹⁶ applies directly here: at an appropriate level of abstraction, agents can be treated as actors, but the choice of that level of abstraction is itself a human decision.

Third, the anchor point of trust is different. Human trust in human identity systems is ultimately anchored in trust in the state, the law, and the social contract. Where is trust in agent identity anchored? If the answer is the platform, we are back to the problem of centralized control inherent in federated identity. If it is cryptography (as with DID public-private key pairs), the basis of trust becomes mathematics rather than institutions — but mathematics cannot handle disputes, compensation, or redress. Lee and See’s trust-calibration model²¹ suggests that users need comprehensible signals to calibrate their trust in agents, and cryptographic proofs are, for most people, anything but comprehensible.

These differences mean that AI agent identity will not simply retrace the path of human digital identity, but it will encounter structurally isomorphic governance problems at each analogous fork. Several directions of development can be reasonably anticipated. In the short term (2026-2028), platform-dominated federated agent identity will become the mainstream, with major technology companies building agent-identity layers within their own ecosystems. In the medium term (2028-2032), cross-platform agent-identity interoperability will become an urgent demand — similar to the way OAuth expanded from a single platform to cross-service use in the human identity world — but the driving force may come from enterprise users rebelling against vendor lock-in and from regulatory pressure (the EU’s eIDAS 2.0 already provides an institutional precedent). In the long term, the critical indicator of whether agent identity evolves from “role” into something more enduring will be whether agents develop a form of “reputational capital” independent of any individual principal — an accumulated record of behavior, capability certifications, and compliance history.

Humans took thirty years to travel from the passport to the digital identity wallet. AI agents may cover a similar stretch of institutional evolution in five. The question is whether we can convert the costs of human identity governance — exclusion, surveillance, centralized control — into preventive design for agent-identity governance, or whether we are fated to repeat the same mistakes on a faster timeline.

---

Power Asymmetry Is a Structural Problem

Agent-identity governance involves multiple actors, each possessing different resources, motivations, and degrees of influence.

Commercial platforms currently dominate the de facto standards for agent identity. Microsoft has introduced Entra Agent ID, positioning agents as “first-class identities” under zero-trust principles. Google’s A2A protocol handles discovery and interaction between agents. Anthropic’s MCP standardizes the connection between agents and tools. The design decisions these platforms make — what information is disclosed, who controls credentials, what behavior is technically possible — are themselves governance decisions, regardless of whether formal legal intervention occurs. Lawrence Lessig’s insight is doubly applicable here: in the agent ecosystem, code is law.

The scale of commercial influence can be glimpsed in the lobbying numbers. According to OpenSecrets data for 2024, AI lobbying activity exceeds $100 million annually. Meta spent $24.4 million in 2024; OpenAI spent $2.2 million in the first quarter of 2025 alone³⁴. Meanwhile, according to a 2025 report from the ITU and the Oxford Martin School, more than seventy per cent of countries with national AI strategies are high-income nations³⁵ — the priorities of the Global South are structurally overlooked.

Governments occupy a vast spectrum of postures. Singapore’s IMDA framework represents the path of proactive regulation. The EU AI Act mandates human oversight of high-risk systems but has yet to address agent-to-agent interaction and delegation chains in any specificity. The U.S. NIST launched its AI Agent Standards Initiative in February 2026. Different regions are charting different governance paths: the EU leans toward risk tiering, Africa emphasizes inclusion, Asia prioritizes innovation, and the Americas focus on rights.

Civil society faces a systemic resource asymmetry. Access Now, AlgorithmWatch, and EDRi led more than a hundred and ten organizations in contributing to the EU AI Act legislative process, but they were vastly outspent by industry lobbyists. Reports from the Future Society and All Tech Is Human indicate that seventy-one per cent of AI nonprofits have risk-assessment processes, but forty-one per cent lack technical expertise³⁶³⁷. Heather Flanagan has pointed out that identity issues remain underrepresented in global governance forums such as WSIS+20³⁸.

This power structure means that the representativeness problems already present in ICANN’s multistakeholder model are likely to be even more acute in the field of agent-identity governance. Phil Windley’s observation gets to the heart of the tension: “Policy without commitment cannot coordinate. Commitment without enforcement is just a statement of intent.”

---

Three Design Principles — and the Unresolved Questions Behind Them

Drawing together the theory, analogies, and case studies set out above, I want to propose three forward-looking design principles for agent-identity trust architecture — while candidly flagging the unresolved tensions behind each one.

Accountability must be embedded in the architecture. Lessig’s insight that code is law means that identity systems must encode accountability at the design level — through cryptographic delegation chains, permission attenuation at each layer of delegation, cascading revocation, and tamper-proof audit trails. The audit of thirty open-source projects mentioned earlier (ninety-three per cent relying solely on API keys) suggests that voluntary adoption of more rigorous identity mechanisms has failed to scale, though this figure comes from a limited sample and the fuller industry picture may be more complex. The lesson of DigiNotar is that delayed reporting and basic security failures triggered a systemic de-trusting. Let’s Encrypt demonstrates how transparency, automation, and a public-benefit narrative can sustain trust at scale. Van de Poel’s advocacy for “design for responsibility” — treating accountability as a design parameter of engineered systems — should become the core methodology of agent-identity infrastructure¹⁹. Strom’s insight applies directly: accountability flows in the opposite direction from delegation, and every agent-identity system must encode the full chain from human principal through intermediary agents to final action, with clear rules governing how permissions attenuate and how responsibility flows back.

Legitimacy requires structurally guaranteed multi-stakeholder representation. ICANN’s experience shows that multistakeholder governance works best when its scope is narrow, its funding sources are diversified, and its accountability mechanisms can actually be exercised. Because the scope of agent-identity governance is far broader than the DNS namespace, the need for structural participation guarantees is correspondingly greater. Christopher Allen’s “five anchors” framework proposes long-term design principles: preserve optionality, build twenty-year architectures (not two-year products), maintain platform independence, require non-governmental actors to bear obligations, and establish institutional safeguards³⁹. Civil-society advisory committees need dedicated funding. The representation of the Global South needs structural guarantees. The Kenyan NIIMS litigation demonstrated the possibility of civil society using judicial channels to check a national identity scheme, but the cost of after-the-fact redress far exceeds the cost of participation by design. Flanagan’s core question hangs perpetually in the air: “Who keeps this running?” A trust framework without a sustainable financial model is, in the end, an unfunded mandate⁴⁰.

Governance must respond to the realities of delegation chains and distributed morality. Floridi’s distributed-morality framework provides the philosophical foundation. When harm emerges from individually harmless actions within a delegation chain, governance must allocate accountability proportionally, avoiding the concentration of all responsibility on the nearest human — that is, avoiding the moral-crumple-zone effect described by Elish²⁰. The arguments of Nissenbaum and Thompson concerning the problem of many hands point the way forward: in situations where multiple actors (and multiple agents) jointly produce an outcome, institutional arrangements must be designed to receive and allocate responsibility, rather than assuming that responsibility will find its own address¹⁷¹⁸. Tomasev et al. (2026) further refine the constituent elements of delegation — authority transfer, responsibility transfer, accountability allocation, boundary setting, and trust calibration — providing more granular conceptual tools for institutional design⁴¹.

A joint report by the WEF and Capgemini (2025) finds that eighty-two per cent of executives plan to adopt agentic AI⁴², but McKinsey’s 2026 trust survey reports an average AI trust-maturity score of just 2.3 out of 5⁴³. Liminal’s research goes further, noting that trust in AI systems is actively declining⁴⁴. Any governance architecture must operate within the reality of this trust deficit.

The Carnegie Endowment (2024) anticipates that agent governance will evolve into a “regime complex” — multiple overlapping institutions, each covering a portion of the terrain, with no single global governance body. This prediction accords with the current landscape, in which DIF, the OpenID Foundation, IETF WIMSE, the W3C Agent Protocol Community Group, and NIST’s NCCoE are all advancing their own efforts⁴⁵. The risk of fragmentation is real — but perhaps fragmentation is itself an adaptation to complexity.

Perhaps the most fundamental point returns us to an observation by Nanjala Nyabola: a digital-identity system cannot conjure into existence values that are absent from the society in which it is deployed. The quality of agent-identity governance will ultimately depend on whether we can, in an era of trust deficit, deliberately and inclusively build institutions — rather than allowing those institutions to crystallize around the interests of whichever actors moved first.

Whose authority governs the revocation and correction of cross-platform agent identities? Can agents possess identity attributes independent of their principals? When agents recursively spawn sub-agents, how should the delegation chain enforce permission attenuation and responsibility transfer? In a market dominated by commercial platforms, how do we prevent identity governance from being locked into proprietary ecosystems?

None of these questions has an answer yet. But asking them is where governance begins.

---

References

1. grantex.dev (2026-03). A security audit of thirty open-source AI agent projects. The audit examined identity and authorization mechanisms across agent projects one by one, finding that the vast majority stored only API keys in environment variables and lacked an independent agent-identity layer.
2. ICANN. Report of Independent Auditors and Consolidated Financial Statements, FYE June 30, 2024. ICANN’s annual audited financial report, disclosing the revenue structure, expenditure allocation, and financial health of the global Internet naming coordination body.
3. ICANN. Empowered Community mechanism. https://www.icann.org/ec — The community-power mechanism established by ICANN following the 2016 IANA transition, enabling supporting organizations to exercise veto, recall, and other powers over board decisions under California law.
4. NTIA (2016). IANA Stewardship Transition. https://www.ntia.gov/iana-stewardship-transition — The U.S. Department of Commerce NTIA’s evaluation of the transfer of IANA stewardship from the U.S. government to the global multistakeholder community, documenting the conditions, process, and accountability reforms.
5. Hofmann, J. (2016). Multi-stakeholderism in Internet governance: putting a fiction into practice. Journal of Cyber Policy, 1(1). DOI: 10.1080/23738871.2016.1158303 — Political scientist Hofmann’s critical analysis of multistakeholder governance, examining how the model can devolve into a self-referential cycle of procedural legitimacy.
6. van Klyton, A., Arrieta-Paredes, A. & Alvarez-Rodriguez, E. (2023). Hegemonic practices in multistakeholder Internet governance. Telecommunications Policy. Through analysis of ICANN meeting texts, the study reveals how power asymmetries in language and agenda-setting allow resource-advantaged actors to reproduce their influence through procedural channels.
7. ICANN. gTLD Applicant Guidebook (2012) and 2026 round FAQ. ICANN’s official guidance and fee structure for new generic top-level domain applications, illustrating the economic threshold of namespace expansion.
8. Mueller, M. (2002). Ruling the Root: Internet Governance and the Taming of Cyberspace. MIT Press; Mueller, M. (2010). Networks and States: The Global Politics of Internet Governance. MIT Press. Mueller’s two landmark works: the first dissects the formation of the DNS governance system, and the second situates Internet governance within the framework of interstate power politics.
9. Jensen, M.C. & Meckling, W.H. (1976). Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure. Journal of Financial Economics, 3(4), 305-360. A foundational work in the theory of the firm, defining the monitoring costs, bonding costs, and residual loss arising from information asymmetry in principal-agent relationships.
10. Eisenhardt, K.M. (1989). Agency Theory: An Assessment and Review. Academy of Management Review, 14(1), 57-74. A systematic review of the agency-theory literature, clarifying the theory’s conditions of applicability and its limitations; it remains a core reference in organizational economics.
11. Kolt, N. (2025). Governing AI Agents. arXiv:2501.07913 — Legal scholar Kolt’s systematic framework for AI agent governance, identifying four core agency problems: information asymmetry, authority overreach, loyalty conflicts, and recursive delegation.
12. Strom, K. (2000). Delegation and accountability in parliamentary democracies. European Journal of Political Research, 37, 261-289. A classic in comparative politics, proposing the analytical framework in which “accountability flows in the opposite direction from delegation” — applicable to any multi-layered delegation structure.
13. OpenID Foundation (2025). Identity Management for Agentic AI. A white paper from the OpenID Foundation analyzing the failure modes of the current OAuth/OIDC framework in agentic contexts, particularly the inability to distinguish between user and agent identity.
14. Stocker & Lehr (2025). Principal-Agent Dynamics in Agentic AI. Network Law Review. Introduces the concept of the “shadow principal,” describing the structural loyalty conflict in which the user is nominally the principal but the agent’s behavior is shaped by developer or platform interests.
15. Wu, X. et al. (2026). When Bots Take the Bait: Exposing and Mitigating the Emerging Social Engineering Attack in Web Automation Agent. arXiv:2601.07263 — An experimental study testing the vulnerability of web-automation AI agents to social-engineering attacks, including scenarios involving identity forgery.
16. Floridi, L. & Sanders, J.W. (2004). On the Morality of Artificial Agents. Minds and Machines, 14, 349-379. A pioneering paper in the philosophy of information, arguing that artificial agents can be regarded as moral agents at an appropriate level of abstraction and distinguishing accountability from moral responsibility.
17. Nissenbaum, H. (1996). Accountability in a Computerized Society. Science and Engineering Ethics, 2, 25-42. An analysis of how accountability is systematically undermined in computerized societies, introducing concepts such as the “problem of many hands” and the tendency to attribute responsibility to the system itself.
18. Thompson, D.F. (1980). Moral Responsibility of Public Officials: The Problem of Many Hands. American Political Science Review, 74(4), 905-916. A classic in political theory, exploring the difficulty of individual moral attribution when multiple actors jointly produce policy outcomes.
19. van de Poel, I. (2012). Can We Design for Responsibility? Science and Engineering Ethics, 19, 1235-1260. An engineering-ethics scholar’s argument that moral responsibility can be treated as a design parameter of engineered systems, proposing the “design for responsibility” methodology.
20. Elish, M.C. (2019). Moral Crumple Zones: Cautionary Tales in Human-Robot Interaction. Engaging Science, Technology, and Society, 5, 40-60. Using the metaphor of a car’s crumple zone, this paper describes how human operators in automated systems absorb the full moral and legal impact of system failure.
21. Lee, J.D. & See, K.A. (2004). Trust in Automation: Designing for Appropriate Reliance. Human Factors, 46(1), 50-80. A classic review in human-factors engineering, establishing a calibration model for trust in automation and distinguishing among analytic, analogic, and affective trust processes.
22. ENISA (2011). Operation Black Tulip: Certificate authorities lose authority. The European Union Agency for Cybersecurity’s technical analysis of the DigiNotar breach, documenting attack details, security shortcomings, and the subsequent systematic de-trusting.
23. Internet Security Research Group (2024). 2024 Annual Report. The annual report of Let’s Encrypt’s parent organization, disclosing the operational scale and growth trajectory of the world’s largest certificate authority.
24. ProPublica Nonprofit Explorer. ISRG Form 990 financials. Publicly available U.S. nonprofit financial data, showing the revenue-source structure of ISRG/Let’s Encrypt (community donations and corporate sponsorships).
25. e-Residency of Estonia (2026). E-residents generated a record 125 million state revenue in 2025. The official revenue report of Estonia’s e-Residency program, demonstrating how digital identity can translate into national economic value.
26. IMDA Singapore (2026). Model AI Governance Framework for Agentic AI. The world’s first governance framework specifically for agentic AI, published by Singapore’s Infocomm Media Development Authority, covering delegation management, risk tiering, and accountability mechanisms.
27. WE BUILD Consortium (2026). Trusted Identities for AI Agents — An Opportunity for Europe. A policy recommendation from a consortium including Bosch, Ericsson, Google, Visa, and Spherity, proposing that agent trust identities be built on existing EUDI infrastructure.
28. Talao (2025). AI Agents & Digital Identity: How MCP and OIDC4VP Empower Agents to Use the EUDI Wallet. A technical implementation case demonstrating how AI agents can obtain verified identity information from the EUDI Wallet via the MCP protocol combined with the OIDC4VP flow.
29. UK Parliament (2010). Identity Documents Act 2010. The legislation terminating the UK’s national identity-card scheme and ordering the destruction of collected data.
30. UK House of Lords (2010). Hansard: Identity Documents Bill debates; NAO (2019). Investigation into Verify. House of Lords debate records and the National Audit Office’s investigation of Gov.UK Verify, the latter documenting expenditure of 233.3 million pounds and adoption rates far below target.
31. UIDAI (2025). Annual Report 2024-25. The annual report of India’s Unique Identification Authority, covering Aadhaar issuance volume, usage statistics, and operational data.
32. High Court of Kenya (2020). Nubian Rights Forum & 2 others v Attorney General & 6 others [2020] eKLR. The Kenyan High Court’s ruling on the NIIMS (Huduma Namba) digital identity scheme, finding deficiencies in the legislative process and data-protection framework and flagging marginalization risks for minority groups.
33. World Bank ID4D. Identification for Development dataset. The World Bank’s global dataset on identity-document coverage and exclusion, tracking identification gaps across countries.
34. OpenSecrets (2024-2025). AI lobbying data. Data on AI-related lobbying expenditures tracked by the American political-finance transparency organization, showing the scale of technology companies’ investment in shaping AI policy.
35. ITU/Oxford Martin School (2025). Annual AI Governance Report 2025. A joint annual report analyzing the global distribution of AI governance strategies and revealing the policy gap between high-income nations and the Global South.
36. The Future Society (2024). Ten AI Governance Priorities: 44 CSOs. A report aggregating the perspectives of forty-four civil-society organizations on AI governance priorities.
37. All Tech Is Human (2024-2025). Responsible AI Impact Report. A nonprofit survey of responsible-AI practices, revealing the current capabilities and resource gaps of the AI nonprofit sector.
38. Flanagan, H. (2025). WSIS+20 and Identity Governance. Identity-governance expert Flanagan’s analysis of the underrepresentation of identity issues in the UN World Summit on the Information Society’s twentieth-anniversary proceedings.
39. Allen, C. Five Anchors to Preserve Autonomy & Sovereignty. Blockchain Commons. Cryptographer and self-sovereign-identity advocate Christopher Allen’s five design anchors, advocating a twenty-year architectural horizon, platform independence, and institutional safeguards to protect individual autonomy.
40. Flanagan, H. (2024). Operationalizing Trust Frameworks. Spherical Cow Consulting. An exploration of how trust frameworks can be translated from policy documents into sustainably operating institutions, with the core question “Who keeps this running?” pointing directly to the predicament of financial sustainability.
41. Tomasev, N. et al. (2026). Intelligent AI Delegation. arXiv:2602.11865 — A paper from Google DeepMind decomposing delegation into five constituent elements: authority transfer, responsibility transfer, accountability allocation, boundary setting, and trust calibration.
42. WEF/Capgemini (2025). AI Agents in Action: Foundations for Evaluation and Governance. A joint report from the World Economic Forum and Capgemini surveying executive intent to adopt agentic AI and organizational readiness for governance.
43. McKinsey (2026). State of AI Trust in 2026. McKinsey’s annual AI trust survey, quantifying organizational trust maturity with respect to AI systems.
44. Liminal (2025). Building Trust in Agentic Commerce. An analysis by the identity and trust research firm Liminal of the state of trust in agentic commerce, tracking trends in AI trust levels.
45. Identosphere Agent ID Research Digest, 2026-04-01. Cross-Cutting Observations: Standards Convergence. A compilation of more than seventy articles from the Identosphere community relating to agent identity, identifying cross-cutting themes including the delegation crisis, the trust-governance gap, and standards convergence.