arxiv.org\/abs\/2604.23280<\/a><\/td>\n<\/tr>\n<\/table>\nThe Identity Infrastructure Gap<\/h2>\n
The identity infrastructure your organization uses today was built for a world where humans and traditional services are the actors. Employees log in with single sign-on. Services authenticate via API keys. OAuth handles delegated authorization. FIDO2 manages device credentials. These systems work because they assume human oversight \u2014 a person is present to approve, a session has a clear start and end, and delegation is explicit and bounded.<\/p>\n
AI agents break every assumption.<\/p>\n
An AI agent does not have a session \u2014 it operates continuously, across multiple tasks and contexts. It does not have a single identity \u2014 it may act on behalf of different users, departments, or organizations at different times. It delegates recursively \u2014 Agent A authorizes Agent B to authorize Agent C, and the chain of accountability becomes untraceable.<\/p>\n
And crucially, an AI agent’s intent<\/em> matters in a way that does not apply to traditional services. If a payment API sends a transaction, the intent is to send that transaction \u2014 the code does what it says. But an AI agent might take an action with unintended consequences because its reasoning was flawed, its prompt misinterpreted, or its context incomplete. Current identity infrastructure cannot distinguish between intended and accidental actions.<\/p>\nThe paper validates these gaps through attack scenarios on production agent platforms. An attacker can impersonate an agent, inject unauthorized delegations, and obscure the audit trail \u2014 all within the constraints of current identity infrastructure.<\/p>\n
The Five Critical Gaps<\/h2>\n\n
G1: Semantic Intent Verification<\/h3>\n
This is the gap that surprises most executives. We assume that if an action is logged, we know what the actor intended. With AI agents, this assumption is false.<\/p>\n
An expense approval agent processes a reimbursement request. The log shows: “Agent X approved expense Y at time Z.” But was the approval consistent with its authorization scope? Company policy? Sound reasoning or a hallucinated policy interpretation? Current infrastructure records the action but cannot verify the intent behind it.<\/p>\n<\/p><\/div>\n
\n
G2: Recursive Delegation Accountability<\/h3>\n
This is the gap that keeps legal teams up at night.<\/p>\n
Procurement Agent A delegates price negotiation to Agent B, which delegates data retrieval to Agent C. Agent C accesses a supplier’s pricing database. If that access was unauthorized \u2014 because Agent C’s scope exceeded what Agent A intended \u2014 who is accountable?<\/p>\n
Agent A? It authorized the delegation. Agent B? It passed the delegation through. Agent C? It executed the action. Current identity infrastructure cannot trace accountability through delegation chains.<\/p>\n<\/p><\/div>\n
\n
G3: Agent Identity Integrity<\/h3>\n
The most basic question \u2014 “is this agent who it claims to be?” \u2014 has no reliable answer.<\/p>\n
An agent’s identity is bound to an API key, session token, or digital certificate \u2014 mechanisms designed for services, not autonomous agents. An attacker who compromises a key can impersonate the agent indefinitely. A compromised delegation chain can inject a malicious agent into a trusted workflow. And unlike a human user who notices when their account is compromised, agents do not detect impersonation.<\/p>\n<\/p><\/div>\n
\n
G4: Governance Opacity<\/h3>\n
Even with verified identity, the reasoning behind decisions remains opaque.<\/p>\n
The EU AI Act requires explainability for high-risk AI systems. Financial regulators require transaction-level auditability. Current identity infrastructure cannot provide this for AI agents. It logs who<\/em> did what<\/em>, but not why<\/em>.<\/p>\n<\/p><\/div>\n\n
G5: Operational Sustainability<\/h3>\n
Even if the first four gaps were closed, today’s identity infrastructure cannot scale.<\/p>\n
Traditional identity verification operates per-request or per-session. A million API calls from the same service use the same credential. But AI agents require independent verification for each action, each delegation needs its own authorization, and identity checks grow superlinearly with agent autonomy.<\/p>\n<\/p><\/div>\n
What the Research Found<\/h2>\n
The finding that matters most:<\/strong> No existing standard is sufficient. This is not incremental \u2014 adding a new protocol to OAuth or extending DID specifications does not fix them. The gaps are structural.<\/p>\nThe attack scenarios are not theoretical.<\/strong> Every gap is validated through concrete attacks on production agent platforms. These are current exposures, not future risks.<\/p>\nThe three-layer framework provides a practical starting point.<\/strong> Intent, action, and governance create a clear structure. Organizations can assess current capabilities against each layer and identify where investment is needed.<\/p>\nThe 18 research directions are a governance readiness checklist.<\/strong> For organizations planning AI agent deployments, these directions serve as a structured readiness assessment.<\/p>\n\n
Why this matters:<\/strong> The identity gap is the most underappreciated risk in enterprise AI today. Cross-organizational agent transactions compound the risk. And regulatory timing \u2014 EU AI Act, financial regulations \u2014 makes this urgent.<\/p>\n<\/p><\/div>\nImplications by Role<\/h2>\n\n
\n
Chief Information Security Officers<\/h4>\n
Agent impersonation, delegation abuse, and audit trail manipulation are feasible on current platforms. Run a five-gap analysis against every AI agent deployment.<\/p>\n<\/p><\/div>\n
\n
Chief Compliance Officers<\/h4>\n
The recursive delegation gap is the most urgent. Without identity infrastructure that traces accountability through delegation chains, legal liability is unlimited.<\/p>\n<\/p><\/div>\n
\n
Chief Technology Officers<\/h4>\n
The Intent-Action-Governance framework should become the reference architecture for agent identity. Begin evaluating engineering options for each layer.<\/p>\n<\/p><\/div>\n
\n
General Counsel<\/h4>\n
Without verified identity and traced accountability chains, cascading AI agent actions create unlimited legal exposure.<\/p>\n<\/p><\/div>\n
\n
Chief Risk Officers<\/h4>\n
The five-gap framework provides a structured risk taxonomy. Each gap maps to a concrete risk category: operational, legal, security, compliance, and scalability.<\/p>\n<\/p><\/div>\n
\n
Enterprise Architects<\/h4>\n
Map current identity infrastructure against the Intent-Action-Governance framework. Build the infrastructure roadmap to close gaps before agent deployments scale.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n
Business Applications by Function<\/h2>\n\n- AI-to-AI contracting:<\/strong> Procurement and sales agents need mutual identity verification before transacting<\/li>\n
- Financial delegation chains:<\/strong> Unauthorized payments are untraceable without accountability tracing<\/li>\n
- Cross-organizational data access:<\/strong> Partner data requests need mutual authentication current tools cannot provide<\/li>\n
- Regulatory compliance and audit:<\/strong> Current infrastructure lacks the audit trail structure for agent actions<\/li>\n
- Agent marketplace security:<\/strong> Brokers cannot verify that listed agents are who they claim to be<\/li>\n
- Incident response and forensics:<\/strong> AI agent-caused harm requires forensic identity infrastructure that doesn’t exist<\/li>\n
- Multi-agent governance:<\/strong> Identity infrastructure must scale with hundreds of agents \u2014 current tools cannot<\/li>\n<\/ul>\n
What Business Leaders Should Do Next<\/h2>\n\n- Run a five-gap assessment against every AI agent deployment<\/strong> \u2014 For each agent that executes transactions or delegates, assess exposure across G1-G5<\/li>\n
- Map agent delegation chains<\/strong> \u2014 Identify every chain where accountability breaks down. Assume every broken link is a liability exposure<\/li>\n
- Evaluate cross-organizational agent interactions<\/strong> \u2014 If any agent interacts with partner systems, assess identity verification requirements<\/li>\n
- Engage standards bodies on AI agent identity<\/strong> \u2014 Existing bodies (W3C, IETF, FIDO Alliance) are not addressing this adequately<\/li>\n
- Build the Intent-Action-Governance architecture<\/strong> into AI platform plans<\/li>\n
- Conduct a regulatory readiness assessment<\/strong> \u2014 Map the five gaps against EU AI Act and financial regulation requirements<\/li>\n
- Establish an AI identity working group<\/strong> \u2014 CISOs, compliance, legal, and AI engineering must collaborate<\/li>\n<\/ol>\n
Conclusion<\/h2>\n
Building AI agent infrastructure without identity is building on sand. The gaps are structural, not incremental. Fixing them requires new standards, new infrastructure, and coordinated investment across security, compliance, legal, and engineering.<\/p>\n
\n
The five-gap framework provides the starting point. Every organization deploying AI agents should assess their exposure today.<\/p>\n<\/p><\/div>\n