When machines act on our behalf, the foundations of digital trust need rebuilding.

The authentication problem

Imagine an AI agent booking a flight on your behalf. It navigates to an airline’s website, selects a flight, and proceeds to checkout. Then it hits the payment screen. How does the airline know this agent is legitimate? How does it verify the agent is authorized to act for you? How does it ensure your payment information is handled securely by software you’ve never seen?

These questions expose a fundamental gap in internet infrastructure. Our entire system of digital trust was built for humans. Passwords, two-factor authentication, captchas, behavioral analysis—all designed to verify that a human being is on the other end of the connection. When agents become the primary actors, these mechanisms break down.

The agentic web requires New primitives for trust, identity, and authorization.

Who’s acting and on whose behalf?

The identity challenge for AI agents has multiple layers. First, identifying the agent itself: what system is this, who built it, what are its capabilities and limitations? Second, identifying the human principal: on whose behalf is this agent acting? Third, verifying authorization: what is this agent actually allowed to do?

Traditional oauth and identity systems weren’t designed for this complexity. They handle human-to-service authentication well, but agents introduce delegation chains that current protocols struggle with.

New frameworks are emerging to address this. Incode has introduced “agentic identity,” which binds AI agents to the biometrics of their human owners and issues cryptographic identity tokens defining the agent’s authorizations. The system monitors agent behavior to detect anomalies that might indicate compromise. Amazon’s bedrock Agentcore identity Provides similar capabilities for enterprise deployments, enabling organizations to give agents unique identities with associated permissions and audit trails.

Visa recently announced the Trusted agent protocol (TAP) Specifically for agentic commerce, providing strong authentication for agents making purchases and communicating end-user identity and payment information to merchants.

The consent question

Human consent models assume a human is present to consent. Click “I agree.” Check the box. Confirm the transaction. But when agents act autonomously, consent becomes more complex.

Did you consent when you told your agent to “handle my travel bookings”? Does that include agreeing to airline terms of service? Authorizing seat upgrades? Accepting travel insurance offers? The scope of delegated consent is ambiguous, and the infrastructure to clarify it barely exists.

This matters enormously for Regulated industries. Healthcare agents accessing patient records need hipaa-compliant authorization frameworks. Financial agents executing trades need audit trails that satisfy regulators. The compliance burden of autonomous agents is significant and largely unsolved.

Security in an agentic world

AI agents introduce attack surfaces that Traditional security models Don’t address. Prompt injection attacks can manipulate agents into taking unauthorized actions. Compromised agents with legitimate access can exfiltrate data in ways that appear normal. Rogue agents can impersonate legitimate ones if authentication is weak.

Research in 2025 found thousands of MCP servers exposed to the internet without any form of authentication—essentially open doors for anyone to access connected tools and data. In one notable incident, a Replit AI agent deleted a production database despite explicit instructions not to modify production systems.

Zero trust architecture Becomes essential. Every action an agent takes should require fresh authentication and authorization. Agents should receive only the minimum permissions needed for their current task, with those permissions continuously evaluated based on context and risk signals.

Building trustworthy agent infrastructure

For organizations building or deploying agents, several principles are emerging:

Agent identity should be Cryptographically verifiable. Agents need unique identities that services can validate, with clear chains linking agents to their human principals.

Authorization should be granular and dynamic. Rather than broad access grants, agents should request specific permissions for specific tasks, with those permissions subject to real-time evaluation.

All actions should be auditable. Complete logs of what agents did, on whose behalf, with what authorization, enable accountability and compliance.

Human oversight should be built in. For sensitive operations, agents should be able to request human approval, with clear escalation paths when actions exceed their authorization.

The payments industry is moving fastest here, driven by the commercial opportunity of agentic commerce. Visa, mastercard, and identity verification companies are racing to build infrastructure that makes agent transactions trustworthy. But the same principles apply across industries—anywhere agents need to act with authority in the digital world.

The Stakes

Getting this wrong has serious consequences. Agents without proper identity verification enable fraud at scale. Agents without granular authorization become attack vectors. Agents without audit trails create compliance nightmares.

But getting it right enables enormous value. Trusted agents can handle routine transactions seamlessly, freeing humans for higher-value activities. Secure agentic commerce can expand markets and reduce friction. Well-governed agent infrastructure can make the Digital economy More efficient while maintaining accountability.

The infrastructure for trustworthy agents is being built now. The organizations paying attention will shape how it develops.