
(1/3) There Is No Human at the Keyboard Anymore

By Marc Molas·June 21, 2026·9 min read

Lately I've been pondering a lot about identity, personal and public, human and synthetic, and I have not published anything so I could carve out time to work on this. So I've been heads-down on one problem, reading specs and protocol drafts until late, because I think it is about to become one of the load-bearing problems in our field and almost nobody outside a handful of standards groups is talking about it in plain terms.

The problem is this: every identity system we have built in the last thirty years assumes there is a human at the keyboard. A person logs in. A person sees a consent screen. A person clicks "approve" and can, afterwards, be held responsible for what happened next. Authentication answers who are you, authorization answers what may you do, and the audit log answers who did this. All three rest on the same quiet assumption: that behind every action there is a someone. And we have been accounting for the users outside the "someone" assumption with service accounts, various artifacts, and permission systems.

Agents are breaking that assumption and mixing the actions of service workers and real users.

As senior engineers, we run IAM, incident response, and the guardrails that sit between a service and the things allowed to call it. So when I say the current model does not stretch to cover autonomous agents, I do not mean it as a prediction. I mean I have looked at where the seams are, and they are already tearing.

An agent acts with your credentials, indistinguishably from you

Start with the simplest case, because it is already in production everywhere. You give an assistant access to your inbox, your calendar, your repo. Under the hood it reuses your tokens, your cookies, your session. To every downstream service, the agent is you. The OpenID Foundation's recent working group put it cleanly: agents "often act indistinguishably from users, creating accountability gaps and security risks."

This is the confused-deputy problem, except the deputy now reasons, improvises, and runs for hours after you have walked away. A traditional client acts on "structured, unambiguous user inputs" — a button click, a form submit, a clear and auditable grant of intent. An agent interprets unstructured instructions, a forwarded email thread, a screenshot, and decides what to do at inference time. The explicit, machine-readable consent signal that the whole OAuth world was built around is gone. What remains is software acting with your full authority and none of your judgement, and a log that cannot tell the two of you apart.

Anyone can mint an anonymous client, and no one signs for it

Look one layer down, at how agents get their identities in the first place, and it gets worse. The Model Context Protocol — the connector standard most agent tooling has converged on — leaned on Dynamic Client Registration to stay frictionless: any client can register with a server and obtain credentials, no paperwork. Convenient, and a security hole you can drive a fleet through. As the OpenID paper describes it, "an unauthenticated, public registration endpoint allows clients to be created without any link to a real developer… a complete lack of a paper trail," open to "endpoint abuse (e.g., DoS via mass registration)."

So the population of agents is exploding, and a large share of it is anonymous by construction. There is no accountable party on the other end of the credential. When one of those clients does something it should not, you cannot follow the thread back to anyone who can be held to account. The OpenID authors name the result exactly: a "black hole for accountability and forensics." That phrase has stuck with me for a week, because I have stared at logs like that. You see the action. You cannot find the actor.

Delegation breaks the moment it crosses a company boundary

Inside one company, a competent platform team can paper over a lot of this. Give the agent a workload identity, run it through the corporate IdP, scope its permissions, and the single-trust-domain case works reasonably well today. I want to be fair about that: the foundational pieces — OAuth 2.1, PKCE, short-lived scoped tokens — are solid, and for an agent calling internal tools they are, so far, sufficient.

The seam tears the moment an agent reaches across an organizational boundary. A financial agent that pulls from your bank, a market-data API, and a credit bureau is operating across three separate trust domains, and no single identity provider is the source of truth for all three. Workload-identity frameworks like SPIFFE/SPIRE are built on control of a shared infrastructure and, in the paper's words, "do not naturally extend across organizations." True delegation needs the access token to carry two distinct identities — the human who delegated and the agent acting — and to attenuate scope at every hop when one agent sub-delegates to another. Recursive delegation across companies, with the audit trail intact end to end, is mostly an unsolved problem. And the open, cross-org agent economy everyone is racing toward lives entirely on the far side of that seam.
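What "two distinct identities" and "attenuate scope at every hop" look like as token claims, as an added example that is not code from this post or from the OpenID paper. It uses the `sub` and nested `act` claims defined in RFC 8693; the identifiers, scope names and function names are constructed, and signing and cross-organization trust are left out.

```python
"""Delegated-token claims: RFC 8693 `sub`/`act` nesting with scope attenuation.
Constructed example: identifiers and scope names are made up; signing is omitted."""

def root_grant(human: str, agent: str, scope: set[str]) -> dict:
    """First hop: the human (sub) delegates to an agent (act)."""
    return {"sub": human, "scope": " ".join(sorted(scope)), "act": {"sub": agent}}

def sub_delegate(parent: dict, agent: str, scope: set[str]) -> dict:
    """Next hop: the new actor wraps the prior chain; scope may only shrink."""
    held = set(parent["scope"].split())
    if not scope <= held:
        raise PermissionError(f"{agent} requested {sorted(scope - held)} beyond parent grant")
    return {"sub": parent["sub"], "scope": " ".join(sorted(scope)),
            "act": {"sub": agent, "act": parent["act"]}}

def actor_chain(claims: dict) -> list[str]:
    """Current actor first, then prior actors, in RFC 8693 nesting order."""
    chain, act = [], claims.get("act")
    while act:
        chain.append(act["sub"])
        act = act.get("act")
    return chain

def authorize(claims: dict, needed: str) -> dict:
    """Resource-server decision plus an audit record naming both identities."""
    chain = actor_chain(claims)
    return {"allowed": needed in claims["scope"].split(),
            "on_behalf_of": claims["sub"], "acting": chain[0], "via": chain[1:]}

# Constructed scenario: a finance agent hands one narrow task to a sub-agent.
T1 = root_grant("user:alice@example.com", "agent:finance",
                {"bank:read", "bureau:read", "market:read"})
T2 = sub_delegate(T1, "agent:credit-check", {"bureau:read"})

if __name__ == "__main__":
    print(authorize(T2, "bureau:read"))
    print(authorize(T2, "bank:read"))
```

The audit record keeps the delegating human and the acting agent separate, which is exactly what a reused user session cannot do.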

A thousand approval prompts is the same as no approval at all

The instinctive fix to all of this is "keep a human in the loop — make the agent ask." It does not survive contact with scale. One marketing agent optimizing a budget can fire hundreds of discrete actions in seconds; a single person can be standing behind dozens of agents making thousands of decisions a day. The EU AI Act, reasonably, mandates "effective oversight" for high-risk systems. But asking a human to approve each autonomous action produces what the paper calls consent fatigue: an "unmanageable deluge of permission prompts" that "paradoxically reduces security," because a human clicking approve four hundred times a day is not exercising judgement. They are rubber-stamping, and an attacker only needs them to rubber-stamp once.

Oversight that does not scale is not oversight. It is theatre with a worse failure mode than having none, because it looks like control.

Revoking an agent is still a largely unsolved problem

Now assume the worst has happened: an agent is compromised, or simply misbehaving. You want it gone. Here too the honest answer in 2026 is that we are not good at this yet. The OpenID authors call revocation "a critical, and largely unsolved, problem," and it gets sharper with agents because a single compromised identity can "trigger a cascading failure across an entire ecosystem of sub-agents" it had already delegated to. Revoking one bearer token does not reach down a chain of authority that has already been handed off.

And revocation is only the emergency stop. The deeper requirement is de-provisioning — permanently erasing an agent's identity and every entitlement it accumulated, across every system it touched, fast enough that a dormant compromised credential cannot be reactivated later. An agent operates at machine speed with a human's delegated authority and a vastly amplified blast radius. The ability to make one disappear, verifiably and everywhere, is not an operational nicety. It is a precondition for letting them run at all.
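The gap between revoking one token and revoking a chain, shown for the easy case of a single trust domain where every verifier can see the same issuance and revocation records. This is an added example, not from the post or the OpenID paper; the token ids and the parent-link layout are hypothetical and the data is constructed.

```python
"""Revocation over a delegation tree. Constructed data; the parent-link layout is hypothetical."""

# Constructed issuance records: token id -> parent token id (None = granted by the human).
ISSUED = {
    "t-root": None,
    "t-research": "t-root",
    "t-scraper": "t-research",
    "t-billing": "t-root",
}
REVOKED = {"t-research"}  # constructed: one mid-chain agent was revoked

def ancestry(jti, issued):
    """Yield jti, then each ancestor up to the root grant."""
    seen = set()
    while jti is not None:
        if jti in seen or jti not in issued:
            raise ValueError(f"broken delegation chain at {jti!r}")
        seen.add(jti)
        yield jti
        jti = issued[jti]

def valid_naive(jti, revoked, issued):
    """Checks only the presented token, so a revoked ancestor goes unnoticed."""
    return jti in issued and jti not in revoked

def valid_chain(jti, revoked, issued):
    """Fail closed if the token or any ancestor is revoked or unknown."""
    try:
        return all(t not in revoked for t in ancestry(jti, issued))
    except ValueError:
        return False

def blast_radius(jti, issued):
    """Every token whose authority derives from jti: the de-provisioning sweep list."""
    return sorted(t for t in issued if jti in ancestry(t, issued))

if __name__ == "__main__":
    print(valid_naive("t-scraper", REVOKED, ISSUED), valid_chain("t-scraper", REVOKED, ISSUED))
    print(blast_radius("t-research", ISSUED))
```

Across organizations no verifier holds the full `ISSUED` map, which is where the chain check stops being this simple.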

You can have accountability or privacy — and today you must choose

I have saved the one that I cannot stop thinking about for last, because it is the knot the rest of this series is about.

Everything above pushes you toward one answer: to make an agent accountable, attach a real, known identity to it. Tie every agent action back to a named human and the black hole closes. But do that and you have built something else — a system where every agent any person runs is permanently linked to their real identity, where the traceability you added for audits "enables cross-domain tracking" and lets anyone assemble "comprehensive and potentially sensitive behavioral profiles" of what people's agents do all day. You solved accountability by deleting privacy.

This is presented, almost everywhere, as a straight either/or. Either agents are anonymous and unaccountable, or they are accountable and surveilled. The OpenID paper is unusually honest that there might be a third door — selective-disclosure techniques, "zero-knowledge proofs and anonymous credentials," which let an agent prove a specific claim without revealing who is behind it — but it is equally honest that "integrating these techniques with existing identity standards and regulatory requirements remains a significant challenge." Path noted. Door not yet built.

Step back from these six pains and they share a common source. Impersonation, anonymous clients, delegation that breaks across boundaries, consent fatigue, agents you cannot cleanly revoke, accountability that costs you privacy — these are not six separate problems. They are six symptoms of one missing guarantee: that behind every action there is a specific, responsible person you can find. Authentication, authorization, and the audit log were all built on top of that guarantee. Agents took away our capacity to clearly recognize authority.

An agent can be autonomous — that is the entire point of building one — but accountability must remain set. An agent is not a legal person: you cannot sue it, fine it, or sit it down and ask what it was thinking. So however many layers of delegation pile up in between, responsibility still has to come to rest on a real, liable human who chose to deploy it. That is the whole problem this series is about — how to make that link, this action traces to that accountable person, provable to whoever needs to check it, without exposing the person to everyone who does not. An agent that traces back to no one is not autonomy. It is unowned risk, running at machine speed: everyone downstream feels it, and no one can be made to answer for it.

Where this goes next

None of this is science fiction, and none of it is far off. The scale alone forces the issue: the OpenID authors describe the destination as "a world populated by millions of non-human actors," and the vendor projections — directional, not gospel — put agents at many times the number of human users within a few months. We are about to deploy a population of autonomous actors larger than the human one, onto an identity stack that assumes each of them is a person who can click a button.

So I went looking for the clearest map of this terrain, and I found one. The next post in this series is a close read of it — the OpenID Foundation's Identity Management for Agentic AI, the most honest survey of these problems I have read, including the ones it admits no one has solved. After that, I will sketch how I would actually attack the hardest knot — accountability and privacy at the same time — because I have been doing more than reading.

If you are building agentic systems today and want the adjacent piece on bounding what an agent is allowed to do once you know who is behind it, I wrote about verifiable governance for agentic AI earlier this year. Identity is the question of who; that one is the question of what. You need both. And we are short on both.
