By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts. More info
DenyAccept

Know Your Agent: Solving Identity for AI Agents [Video and Takeaways]

Published
August 8, 2025
Table of content
This is also a heading
This is a heading

Join 14,000+ identity enthusiasts who subscribe to our newsletter for expert insights.

By subscribing you agree to with our Privacy Policy.
Success! You’re now subscribed to the newsletter.
Oops! Something went wrong while submitting the form.

The rise of AI agents is one of the most significant shifts unfolding across the internet today. From booking travel to managing work tasks, agents are quickly becoming powerful tools that act on behalf of users. In fact, by next year, there may be more non-human agents online than human users. The promise is clear: automate the drudge work and reclaim your time.

But as the excitement grows, a critical piece of the conversation is being overlooked—identity. How do we know which agent is acting? Who authorized it? What is it allowed to do? And how do we prevent misuse when these agents gain access to sensitive systems or personal data?

In our latest live session, Dock Labs CEO Nick Lambert sat down with Peter Horadan, CEO of Vouched, to explore these questions in depth. Peter not only shared his perspective on the growing risks but also gave a live demo of a new identity and delegation framework that makes it possible to verify and control what agents can do on our behalf.

Here are the main takeaways:

Risks of Current Agent Implementations (e.g., ChatGPT Agent Mode)

  • ChatGPT's Agent Mode opens security risks
    • Users log in via a browser controlled by ChatGPT.
    • It captures OAuth session keys and acts on behalf of users without restrictions.
  • Violates long-standing cybersecurity best practices
    • Users are trained not to share credentials with third parties.
    • This model undoes decades of training and introduces massive attack surfaces.
  • Vulnerable to mistakes, misuse, and legal issues
    • Agents may hallucinate or take unintended actions.
    • Agents cannot legally agree to terms on behalf of users (e.g., airline terms and conditions).

The Five Identity Problems with AI Agents

  1. Agent Identity
    • Systems must recognize that an agent, not a human, is performing the action.
    • Each agent needs a unique, verifiable identifier (a DID, Decentralized Identifier).
  2. Delegation
    • Humans must delegate specific authority to agents (e.g., book flights, but not spend points).
    • This delegation must be granular and revocable.
  3. Reputation
    • Agents need reputations like Yelp reviews.
    • Some agents will act maliciously. Bad actors must be identifiable and blockable across services.
  4. Human Identity
    • Humans must be identified once, securely and verifiably, then not needed again for each task.
    • Biometric-bound credentials solve this friction.
  5. Legal Agreements
    • Agents can't click "I agree" checkboxes.
    • Systems must collect durable legal consent from humans before agent actions.

Demo: Know Your Agent in Action

Scenario: Booking a flight via Atlas AI, a fictional travel assistant bot.

  1. Step 1: Identity verification
    • Peter uses a mobile driver’s license verified via biometric match.
    • Integration with Truvera enables secure, privacy-preserving human ID verification.
  2. Step 2: Delegation to Atlas AI
    • Atlas AI contacts "Awesome Airlines" via MCP.
    • The airline has no prior record of delegation, so it requests human authorization.
  3. Step 3: Secure OAuth-style delegation
    • Human logs into airline website directly (not via agent).
    • The airline displays a dialog: “Allow Atlas AI (DID: xyz) to book flights?”
    • The user approves and checks a box to accept blanket legal terms.
  4. Step 4: Durable authorization
    • Permissions are scoped, logged, revocable, and auditable.
    • Airlines can report agent behavior to a rating service (e.g., Yelp for agents).

MCPI (Model Context Protocol – Identity)

  • Extension to Anthropic’s MCP
  • Open and standards-oriented
    • Vouched is contributing to OpenID Foundation and other standards bodies.
    • MCPI SDK and server implementation available as SaaS.

Role of Digital IDs and Wallets

  • EUDI Wallets in the EU
    • By November 2026, all 27 EU countries must issue digital ID wallets.
    • EUDI will enable cryptographic signing and selective disclosure of attributes.
  • Interoperability and reuse

Business Models and Monetization

  • Free tools:
    • MCPI spec and agent reputation system are free and open.
    • Inspired by models like Yelp or Let’s Encrypt.
  • Paid offering:
    • Vouched offers a SaaS security server for MCP sites.
    • Enables sites to plug into identity, delegation, and trust without building in-house.

Implementation and Developer Guidance

  • Anyone can create an agent
    • DIDs are easy to generate (similar to key pairs).
    • Creation platforms already exist, and agents can be built independently.
  • Key infrastructure responsibilities:
    • MCP servers should audit, log, and enforce permissions.
    • Storage and revocation of delegations is left to implementation (e.g., blockchain, traditional DBs).

Advanced Identity and Assurance Questions

  • Agent spoofing & man-in-the-middle
    • DIDs use public-private key cryptography to sign requests and verify authenticity.
  • Preventing agent churn
    • Reputation systems penalize new or frequently changing DIDs (email spam-style warm-up period).
  • Sensitive use cases
    • Regulated industries (e.g., finance, healthcare) must tailor assurance levels and regulator compliance.

Advice for Identity Leaders

  • CTO advice:
    • Step 1: Immediately block ChatGPT and similar agents from accessing internal systems.
    • Step 2: Begin planning to support MCP servers for secure, controlled agent access.
  • The time to act is now
    • Digital IDs and agents are converging rapidly.
    • Every business must rethink identity workflows in the context of non-human actors.
  • Workflows will evolve
    • Password resets will shift from email codes to biometric digital ID checks.
    • ID sharing will become as easy and secure as a thumbprint.

Create your first digital ID credential today

The Truvera platform helps you integrate reusable ID credentials into your existing identity workflows to support a variety of goals: reduce onboarding friction, connect siloed data, verify trusted organizations and customers, and monetize credential verification.

Sign up for free
Request Free Consultation

Ready to get started?

Sign up to TruveraRequest Free Consultation

Company

Truvera Platform

Developers

Industries

Resources

Copyright © 2024 Dock Labs AG