The Identity Problem AI Agents Haven’t Solved Yet

--

There’s a question the AI industry is moving too fast to properly answer:

When an autonomous AI agent takes an action in the world — who is it, really? And how do you know?

No philosophically. Technically.

The Credential Gap

Most AI agents today are identified by API keys, session tokens, or access credentials. These are functional. They work well enough for the use cases we’ve had so far. But they share a fundamental property: they are revocable, transferable, and exist outside the agent itself. The credential and the agent are separate things.

This matters more than it might seem.

If an agent’s identity can be transferred, it can be impersonated. A credential issued to one agent can be copied, stolen, or reassigned. The system has no structural way to know whether the entity presenting a credential is the entity the credential was issued to.

If it can be revoked centrally, it depends on a trusted authority that may not always be trustworthy — or available. Centralised revocation creates single points of failure in systems increasingly designed to operate without human supervision.

If identity doesn’t persist across sessions, you can’t build a coherent audit trail. When something goes wrong — and in high-stakes environments, something will go wrong — you need to be able to reconstruct exactly what an agent did, in what state, at what point in its operational history. Ephemeral credentials make this structurally impossible.

These aren’t edge cases. They are predictable failure modes for any system that deploys AI agents at scale.

Press enter or click to view image in full size

Why Existing Frameworks Fall Short

The identity infrastructure we have was built for humans.

W3C Decentralised Identifiers (DIDs) and Verifiable Credentials are genuinely useful innovations. They enable portable, cryptographically verifiable identity without relying on centralised registries. But they were designed for human holders with legal standing, continuous existence, and a single instantiation. AI agents don’t have any of these properties.

An AI agent can run as thousands of simultaneous instances. It can be copied, forked, modified, or deprecated without notice. It has no legal standing in any jurisdiction. The assumption of a single, persistent, legally accountable holder — which underlies the DID/VC model — simply doesn’t apply.

OAuth 2.1 and OpenID Connect, now being extended to AI agent contexts, address authorisation rather than identity. They tell you what an agent is permitted to do, not what it fundamentally is or what its operational history has been. Token expiry and revocation are post-hoc mechanisms applied after credential issuance; they don’t constrain the directionality of identity state transitions at the protocol layer.

Press enter or click to view image in full size

Soulbound tokens, originally proposed by Vitalik Buterin for binding credentials to human wallets, get closer. The non-transferability property addresses the impersonation problem in a structurally interesting way. But existing soulbound token implementations don’t address the lifecycle management an AI agent actually needs: provisioning, activation, suspension, and termination, with each state transition permanently recorded and cryptographically linked to its predecessor.

The gap isn’t just a missing feature. It’s an architectural mismatch. We are applying identity frameworks designed for one kind of entity to a fundamentally different kind of entity, and hoping the corners square.

The Direction Worth Exploring: Irreversible State Machines

One architectural approach worth serious attention treats AI agent identity not as a credential to be issued, but as a state machine to be advanced.

The core idea is this: instead of issuing a credential that exists independently of the agent’s history, you model the agent’s identity as a sequence of states — provisioned, active, suspended, terminated — where each transition is recorded on a distributed ledger as an irreversible state change. Once an agent reaches a terminal state, no further transitions are possible. The identity cannot be reassigned or reactivated.

The cryptographic structure matters here. Each state transition generates a new state record containing a hash of the prior state — a previousStateHash field — creating a tamper-evident chain: each successor state is mathematically bound to its predecessor. Any attempt to modify a prior state, or to roll back the agent’s identity to an earlier configuration, produces a detectable hash mismatch on verification.

Two enforcement rules make the structural guarantees concrete:

Anti-rollback: a smart contract execution rule requires that any proposed new state carries a version index exactly one greater than the current state. No gaps, no backwards movement. Prior states cannot be reintroduced.

Anti-fork: a second rule ensures that at any given time, exactly one valid credential exists per agent identifier across all distributed nodes. The agent cannot maintain multiple simultaneous valid identities.

Together, these rules address the three failure modes described above. Impersonation is constrained because credentials are structurally bound to the agent’s operational history — there is no credential to steal without the entire state chain. Dependence on centralised revocation is eliminated because irreversibility is enforced by smart contract execution logic, not by a trusted authority. Audit trail continuity is guaranteed because the state chain is permanent and tamper-evident.

What This Doesn’t Solve

It would be misleading to present this as a complete solution. Several significant problems remain open.

Key rotation and compromise recovery: if the cryptographic keys underpinning an agent’s identity chain are compromised, the current architectural direction provides limited recovery mechanisms. This is a genuine open problem.

Cross-chain interoperability: an agent operating across multiple blockchain networks needs a consistent identity representation that remains coherent regardless of which chain it is operating on. The synchronisation problem here is non-trivial.

Integration with existing AI frameworks: the major AI agent frameworks — LangChain, AutoGen, CrewAI, and others — have their own identity and session management assumptions. Integrating a state-machine-based identity layer with these frameworks requires careful interface design.

The behaviour signal problem: one compelling property of the state machine approach is that state transitions can be triggered by AI-derived behavioural signals — a deviation from the agent’s historical baseline that exceeds a threshold triggers a mandatory state transition. But designing the behavioural analysis module, defining appropriate thresholds, and preventing adversarial manipulation of the signal are all open research questions.

These are real limitations. The architectural direction is promising, but the engineering work is substantial.

Why the Urgency Is Real

AI agents are moving into high-stakes environments faster than the identity infrastructure can keep up.

In decentralised finance, AI agents are executing trades, managing liquidity positions, and participating in governance votes. A compromised or impersonated agent in this context has direct financial consequences.

In legal and compliance contexts, AI agents are drafting documents, reviewing contracts, and in some jurisdictions beginning to take on advisory functions. The ability to verify exactly what an agent did, in what state, and under whose authorisation is not optional.

In healthcare, AI agents are beginning to interface with patient data, assist in diagnostic workflows, and coordinate care. The consequences of identity failure here are not abstract.

In the creative industries — including digital art, where AI agents are beginning to act as curators, authenticators, and market participants — the question of whether an agent’s identity and operational history can be trusted bears directly on the provenance and value of the work it touches.

As the deployment of autonomous AI agents scales, identity infrastructure that was adequate for experimental use cases will cease to be adequate for production ones. The architectural questions being asked now will determine what is and isn’t buildable later.

The window for getting this right is narrowing.

______

NexArt Limited is a London-based technology company working at the intersection of AI infrastructure and the digital creative economy. NexArt’s research includes the NexAuth Protocol, an AI agent identity authentication system based on irreversible credential state machine architecture. A UK patent application has been filed with the UKIPO (GB 2604570.8). Learn more at nexartlimited.com.