Every identity system I worked with across fifteen years of securing large organizations rested on the same quiet assumption: somewhere behind the credential is a person. One person, durable over time, legally accountable, findable if things go wrong.
Look at the primitives and the assumption is everywhere. A password is a secret a person remembers. Know-your-customer checks bind an account to a government's record of a human being. Two-factor prompts assume a hand holding a phone. Account recovery assumes a customer who can answer questions about their own life. Even the concept of an account, one identity, one owner, a history that accumulates meaning, is a portrait of a human life rendered in database rows.
Agents break every clause of that contract. An agent is not durable; it may exist for the length of a single task. It is not singular; the same code may run as ten thousand simultaneous instances, and it would be absurd to call them the same actor or ten thousand different ones. It is not accountable; you cannot fine it or summon it. And it is not really the principal at all. An agent is always acting on behalf of someone. Which means the interesting identity question is not who is this agent. It is a different question entirely.
The Question Is Delegation
When an agent shows up to transact, the counterparty does not actually need to know the agent's biography. It needs to know three things. Who stands behind this agent. What has that principal authorized it to do. And is this specific action, right now, inside those bounds.
That is not identity in the human sense. It is delegation, and we handle delegation between humans with instruments like the power of attorney: a scoped, revocable, verifiable grant of authority from a principal to an agent. The scoping is the point. Nobody grants a power of attorney for everything, forever. You grant authority to sell one house, manage one account, decide one category of things, and the grant itself is a document a counterparty can inspect before relying on it.
Software agents need exactly this shape, held to a higher standard of checkability. A grant that says: this agent may spend up to this much, for these categories of outcomes, over this period, on behalf of this principal, and here is a proof of the chain that no one in the middle could have forged. The counterparty should be able to verify the grant at the moment of the transaction, not by trusting the agent's self-description, and the principal should be able to revoke it and have the revocation actually mean something in minutes, not in a support queue.
Boundaries You Can Verify
I want to dwell on why the boundaries matter more than the identity. My security career was, in large part, a tour of what happens when authority is granted without enforceable limits. Service accounts with admin rights because scoping was tedious. API keys that could do everything because someone shipped on a Friday. Credentials that outlived the purpose, the project, and occasionally the employee. In every case the identity was known. The damage came from the authority being unbounded and the bounds, where they nominally existed, being unverifiable by the systems that mattered.
Now hand that failure mode to autonomous software that can act a million times an hour, and add money. An agent with unscoped spending authority is not a convenience; it is an unbounded liability moving at machine speed. The inverse is also true, and this is the part I find hopeful: an agent whose authority is narrow, explicit, and provable at the point of use is arguably safer to transact with than a human, because a human's authority is usually a matter of assertion, and an agent's can be a matter of proof.
There is a subtlety here that deserves naming. Delegation chains will get long. A person delegates to an orchestrating agent, which delegates a subtask to a specialist agent, which procures a resource from a third. Every hop is a place where authority can silently widen, the way a rumor widens in the retelling. The discipline that makes chains safe is that authority can only narrow as it flows downward, and that any party in the chain can verify the entire path back to a principal. Attenuation, not amplification.
Personhood Was a Proxy
The deeper realization, for me, is that identity systems never really cared about personhood. They cared about accountability and bounded authority, and the person was simply the best available container for both. Agents force us to stop conflating the container with the contents. Build identity as verifiable delegation, with boundaries that are checked rather than assumed, and things that are not people can participate in an economy without anyone pretending they are. This is one of the foundations we are laying at Setix, and I think it will outlast the current generation of agents entirely.