(3/3) How I'd Give Every AI Agent an Accountable, Private Identity
The first two posts in this series ended on the same knot. Agents break the identity stack because there is no longer a human at the keyboard, and the best survey of the problem names the hardest part and leaves it open: to make an agent accountable you attach a real identity, and the moment you do, you have built surveillance. Accountability or privacy. Pick one.
I do not think that is a law of nature. I think we have been holding the problem the wrong way round. This post is how I would turn it over — a high-level sketch, not a product announcement, of the approach I have actually been building toward while the posting went quiet.
I want to be honest about what this is up front, because the rhetoric in this space runs hot. This is a concept I am confident in, not a finished thing I am selling you today. Parts of it touch regulated ground — holding money on someone's behalf is not something you hand-wave — and I will flag the limits as I go rather than at the end. Credibility in identity is earned by what you admit, not by what you claim.
The mistake is attaching identity to the agent at all
Here is the move everyone makes, because it is the obvious one. You have an agent. You want it accountable. So you bind a real, known identity to the agent — every action it takes traces back to a named human. The black hole closes. And in closing it you create a permanent, queryable link between a person and everything their fleet of agents does, all day, across every service. You solved accountability by spending privacy, and you spent it per agent, forever.
Now invert it. Do the verification once, on the human — and let only the fact of that verification flow into every agent they deploy, never the identity behind it.
In classic KYC, you identify yourself to the party you are dealing with. In the inverted version, a human does KYC one time with an issuer, and then mints as many agent credentials as they want — one per agent — each of which can prove a claim and nothing more: "I am operated by a real, KYC-verified, liable human, at verification grade ≥ G, acting within scope S, and I am not revoked." Not which human. Just that there is one, that they are real and accountable, and that they stand behind this agent. The agent proves backing. It never proves identity, because it never holds it.
Zero-knowledge is the hinge the paper pointed at
This is exactly the door the OpenID paper marked and did not walk through: selective disclosure with zero-knowledge proofs and anonymous credentials, "a path forward" it called not-yet-integrated. The whole approach lives or dies on making that concrete.
The agent presents a short cryptographic proof that answers only the predicates a counterparty actually needs — human-backed: yes; verified at grade A2 or higher: yes; allowed to initiate payments: yes; active and unrevoked: yes — and reveals nothing else. No name. No document. No link between two agents the same person runs, so a counterparty cannot quietly correlate a fleet back into a profile. The verification that the human did once is reusable by all their agents and legible to none of the services those agents talk to.
Three properties make this hold together, and I would treat them as invariants — the things you are never allowed to break for convenience:
- Backing is provable; identity is not. A verifier can confirm a real liable human stands behind the agent, and cannot learn who.
- An operator's agents are unlinkable. No two agents from the same principal can be tied together by the people they deal with.
- The only thread back to the person lives in escrow, openable only under due process. Not in a token, not on a wire, not in a log a breach could dump.
Accountability you can collect, not just prove
Proving a liable human exists is necessary and, on its own, not enough for real commerce. I learned this watching how disputes actually resolve: a wronged counterparty does not want a name months after a cross-border lawsuit. They want their money back, fast. Accountability that is provable but not payable does not unlock anything high-value.
So the backing has to be funded. Alongside the verified-human proof, an agent can carry proof that a real, bounded amount of recourse stands behind it — capital the principal has posted, provable as a banded tier ("at least this much is recoverable") without ever exposing the exact balance or the account. This is the privacy-preserving, pre-funded version of the thing the market is already groping toward with "Know Your Agent" payment tokens — the difference being that here the money is real and the human stays unexposed.
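The banded-tier claim above ("at least this much is recoverable") can be illustrated with a hash-chain commitment, used here as a simpler stand-in for the zero-knowledge proof the post has in mind. This is an added example, not the author's code: the tier table and all function names are constructed, and the commitment is assumed to be carried inside an issuer-signed credential.

```python
import hashlib
import hmac
import secrets

# Constructed tier table (not from the post): index -> minimum recoverable amount.
TIERS = [0, 100, 1_000, 10_000, 100_000]


def _chain(value: bytes, steps: int) -> bytes:
    """Apply SHA-256 `steps` times."""
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value


def tier_for(balance: int) -> int:
    """Highest tier whose floor the posted balance covers."""
    return max(i for i, floor in enumerate(TIERS) if balance >= floor)


def issue(balance: int) -> tuple[bytes, bytes]:
    """Custodian side: fresh per-agent seed plus commitment H^tier(seed).

    Assumption: the commitment is placed in an issuer-signed credential;
    signing is outside the scope of this sketch.
    """
    seed = secrets.token_bytes(32)
    return seed, _chain(seed, tier_for(balance))


def prove_at_least(seed: bytes, balance: int, claimed_tier: int) -> bytes:
    """Agent side: reveal the chain node `claimed_tier` hashes below the commitment."""
    gap = tier_for(balance) - claimed_tier
    if claimed_tier < 0 or gap < 0:
        raise ValueError("cannot prove a tier above the funded one")
    return _chain(seed, gap)


def verify_at_least(commitment: bytes, proof: bytes, claimed_tier: int) -> bool:
    """Verifier side: hashing the proof `claimed_tier` times must reach the commitment."""
    if not 0 <= claimed_tier < len(TIERS) or len(proof) != 32:
        return False
    return hmac.compare_digest(_chain(proof, claimed_tier), commitment)
```

The verifier learns only that the funded tier is at least the claimed one; overstating it would require inverting SHA-256. Unlike a real zero-knowledge range proof, this sketch is replayable unless the proof is bound to a verifier challenge, and the same commitment shown to two verifiers lets them correlate that one agent.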
That turns accountability into a ladder instead of a single cliff. Most disputes settle at the bottom rung: a substantiated claim is paid out of the posted recourse under a published process, the principal is debited and notified, and no identity is revealed to anyone. Only genuine last-resort cases — harm beyond the posted funds, alleged fraud, lawful compulsion — escalate to actually unmasking the human, under due process. Funded accountability ends up more protective of the person, not less, because it resolves the ordinary cases with money instead of with a name.
I will be plain about the hard edges here, because this is the regulated part. Custody of other people's funds means a licensed, bonded custodian, segregated accounts, anti-money-laundering checks on the source of funds, and an honest treatment of reversibility — money posted by an everyday payment instrument can be clawed back for months, so the recourse it backs cannot be treated as final on day one. Any low-friction way to onboard a human fast is, by definition, low-assurance, and has to be graded as low-assurance rather than dressed up as more. None of that is a reason it cannot be built. It is the reason it has to be built carefully, with the legal framework alongside the protocol and not trailing it.
It only works if no one owns the root
There is one constraint from the second post I will not compromise on, because it rules out the easy money: it must not become a walled garden. The well-capitalized version of this idea is a centralized agent-identity service you rent from a single vendor, and for an open, cross-organization agent economy that is a non-starter. A counterparty in another company, on another stack, has to be able to verify the proof without phoning the issuer's private API and without trusting one corporation not to rent-extract, censor, or get breached.
That pushes the trust anchor onto a neutral root that no single party owns — somewhere a verifier can check, against the issuer's current status, that a credential is real and unrevoked, with no visibility into who is behind it. A neutral root also buys two things the survey flagged as unsolved: fast, global revocation — a frequently-refreshed status signal so a killed credential stops verifying within seconds, everywhere — and a per-agent kill-switch, so one compromised agent can be dropped without taking down the principal or its siblings.
The property that makes this scale is almost boring, and it is the one that matters most: an agent is just another credential holder. There is no per-agent record sitting in some central registry to be enumerated, breached, or bloated. The trust layer holds a handful of issuer status roots, refreshed on a short cadence; the agents — and the money behind them — live off to the side, proven against those roots, never enrolled in them. That is what lets the design stretch to a population of agents larger than the human one without the state explosion that kills every "register every agent centrally" approach.
The through-line
Strip away the cryptography and the constraint is simple, and it is the same one I have been circling since the first post: the agent is autonomous, but the accountability cannot be. Behind every fleet there is a real, liable human, and the entire game is proving that fact to anyone who needs it while exposing the person to no one. Verify the human once. Let the accountability — funded, revocable, and private — travel into everything they deploy. Keep the one thread back to their identity locked behind due process, where a breach cannot reach it and a marketer cannot buy it.
I have framed this whole series around the technical need on purpose, because the need is real whether or not my particular answer is the right one, and I would rather you judge the problem before I show you the tool. That part comes next, outside this series: I have been building this, not just sketching it, and soon I will show you what it actually looks like.
If you are wrestling with agent identity or accountability inside your own systems right now and want a second set of eyes from people who build this for a living, talk to a CTO. The map is hard. It is a lot less hard with company.


