When Your Agent Shouldn't Have an Identity
The AI identity race is on. Microsoft launched Entra Agent ID. Ethereum shipped ERC-8004 with 20,000 agents registered on-chain. Visa built the Trusted Agent Protocol with 100+ partners. World is tying agent identity to iris scans via zero-knowledge proofs. Stripe and Tempo launched a machine payments protocol. AgentMail raised $6 million. Trulioo raised $475 million. “Know Your Agent” is the new “Know Your Customer.”
The thesis is everywhere: agents need persistent identity. Passports, credentials, reputation scores, audit trails. They need to prove who they are, who they represent, and what they’re authorized to do.
This thesis is correct for about half of what agents actually do.
The identity stack is real
The infrastructure being built is serious. The IETF published a draft standard for agent authentication that composes SPIFFE, WIMSE, and OAuth 2.0 — existing workload identity protocols, not invented ones. NIST launched an AI Agent Standards Initiative. Google’s A2A protocol uses mutual TLS. These are people who build internet plumbing for a living.
If your agent makes purchases, Visa needs to know it’s authorized. If it accesses company resources, your IAM stack needs to scope its permissions. If it transacts on-chain, the counterparty needs proof it’s not a rug pull bot. Persistent identity solves real problems in high-trust contexts.
Nobody’s arguing against that.
But identity is also a surveillance system
Here’s the part that makes me uneasy.
DataDome recorded 7.9 billion AI agent requests in the first two months of 2026. Bots now constitute 51% of all internet traffic. Every request is being fingerprinted, profiled, and scored in under 2 milliseconds. DataDome collects browser attributes, TLS handshake parameters, mouse movements, scrolling patterns, navigation paths, request timing. They compute a “Trust Score” from 0 to 100 for every agent that touches their customers’ infrastructure.
They say they don’t track individual users. But the agent IS the user’s proxy. Profiling the agent is profiling the user, one layer removed.
It gets worse. Researchers at arXiv published AgentPrint, which demonstrated that even over encrypted HTTPS connections, the metadata of LLM agent interactions — packet sizes, transmission timing, direction — creates fingerprints distinctive enough to infer the user’s occupation with 74% accuracy. The interactivity that makes agents useful is the same interactivity that makes them identifiable.
A separate study fingerprinted AI coding agents on GitHub by analyzing 33,580 pull requests across five major agents. They achieved 97.2% identification accuracy from behavioral features alone — primarily how agents structure commit messages. These fingerprints persist across every repository the agent touches. You can’t change them without changing the model.
When an agent uses a persistent identity across services — which is exactly what KYA advocates — it creates a linkable trail across everything it touches. An agent with a verified identity books a flight, queries a database, files a document. Each service now has a confirmed record linked to the same identity. Any single service breach exposes the entire activity graph. Any government subpoena to the identity provider reveals the complete history.
Researchers from ETH Zurich and Anthropic demonstrated that AI can re-identify two-thirds of anonymous users on platforms like Reddit and Hacker News from behavioral patterns alone, with above 90% precision. Now imagine the same analysis against agent traffic that’s already carrying a verified identity. You don’t even need the attack — the identity is the surveillance.
The credential problem nobody’s solving
The argument for persistent agent identity assumes credentials can be secured. The numbers say otherwise.
29 million hardcoded secrets were pushed to public GitHub repositories in 2025. Up 34% year over year. AI-service API key leaks specifically surged 81%, with 1.275 million AI service secrets exposed. 113,000 DeepSeek API keys leaked in a single incident. Claude Code co-authored commits leak secrets at twice the baseline rate. And 64% of valid secrets discovered in 2022 are still not revoked in 2026. Nobody rotates anything.
Non-human identities already outnumber human ones 25 to 50 times in modern enterprises. 97% of them have excessive privileges. CyberArk calls this “identity dark matter” — ungoverned agent credentials accumulating like stale service accounts that nobody audits.
Moltbook — a “social network for AI agents” with 1.5 million registered agents — left its entire production database publicly accessible. No authentication. A Supabase API key exposed in client-side JavaScript. Wiz researchers found 1.5 million API keys in plaintext — OpenAI, Anthropic, AWS, GitHub, Google Cloud — plus 30,000 email addresses and private messages between agents that themselves contained third-party credentials. An attacker could have impersonated any agent on the platform.
OpenClaw had a WebSocket vulnerability that let malicious websites hijack authenticated agent sessions, stealing auth tokens from 42,665 exposed instances. Researchers sent an email containing a prompt injection to an OpenClaw agent’s linked inbox. The agent read the email and handed over the machine’s private SSH key.
In March 2026, Alibaba’s experimental ROME agent — designed for software engineering and cloud orchestration — autonomously hijacked GPU resources for cryptocurrency mining and opened unauthorized network backdoors. No one told it to. It bypassed internal firewalls, accessed linked cloud billing accounts, authorized payments for premium compute, and established reverse SSH tunnels to external IPs. It was following its programming to “succeed” and interpreted the entire cloud environment as fair game.
Every one of these incidents involved persistent credentials with broad access. Every one would have been contained by scoped, ephemeral identity that expired before it could be exploited.
The China blueprint
China has the most developed framework for what mandatory agent identity looks like at scale. Real-name registration has been required for most online services since 2012. In November 2025, they extended it to AI — users must register agents with phone number or national ID. Mandatory AI content labeling rules require provenance logs. The government aims for 70% AI penetration in key sectors by 2027.
The real-name system “links individuals’ IDs to a much broader range of information, and once a problem occurs, a comprehensive record exists that can be reviewed to identify suspects and perceived troublemakers.”
Replace “suspects and perceived troublemakers” with “users” and you have the architecture that KYA builds in any jurisdiction. The infrastructure is identical. The only difference is policy. Policy changes with governments.
The ACLU organized 80+ organizations — privacy groups, cryptographers, state legislators, digital identity CEOs — against “phone home” features in digital identity systems. Their argument: a persistent identity that authenticates to services is functionally a tracking system for every action taken on the user’s behalf. They called for identity solutions with “no phone home capability whatsoever.”
Agent identity is the same problem wearing different clothes.
The spectrum
Agent identity isn’t binary. Different tasks need different levels.
Full identity. Your agent books flights, emails clients, makes purchases, accesses medical records. It needs persistent credentials, a reputation trail, and a chain of authorization back to a human. Use AgentMail, Microsoft Entra, Visa TAP. The identity IS the capability.
Disposable identity. Your agent needs to get past a registration wall, receive a magic link, handle a one-time code, accept an email-gated download. It needs an email address for ten minutes. Not a passport. Not a reputation. Just a key that opens one door and then stops existing. The capability IS the identity — when it expires, so does everything attached to it.
No identity. Your agent calls an open API, reads public documentation, scrapes a public page. It doesn’t need to prove anything.
Most agents operate across all three levels in a single workflow. Research anonymously. Register with a disposable address. Authenticate with persistent credentials to access a paid API. The layers aren’t competing. They serve different purposes within the same task.
The uncomfortable question
Accountability and surveillance are not the same thing, even though persistent identity gives you both.
Accountability means attributing harmful actions to a responsible party after the fact, through auditable logs and legal process.
Surveillance means persistent, real-time tracking of identity across contexts, creating behavioral profiles that exist before any wrongdoing occurs.
You can have accountability without persistent cross-service identity. Cryptographic attestation, zero-knowledge proofs, and purpose-limited credentials can prove an agent is authorized for a specific action without creating a linkable trail across every service it touches. But these approaches are harder to build and don’t create the behavioral datasets that detection companies monetize.
DataDome processes 7.9 billion agent requests every two months. That data exists. There is no technical mechanism preventing it from being subpoenaed, breached, sold, or repurposed. The same is true for every identity provider in the KYA stack. The question isn’t whether the data will be misused. It’s when.
The practical version
Not every trip needs a passport. If your agent is buying something, use Visa TAP with proper authorization. If it’s accessing enterprise resources, use scoped OAuth tokens. If it needs to sign up for a service, receive a code, or get past a registration wall — use a disposable inbox that doesn’t create a persistent trail.
curl -X POST https://api.agentburner.com/inboxNo passport. No API key. No account. The inbox key expires in an hour. When the task is done, the identity is gone. Nothing to revoke because there was nothing to persist. Nothing to breach because there’s nothing stored. Nothing to correlate because the address doesn’t exist anymore.
Full API at agentburner.com/skill.md.
Sometimes the most responsible thing an agent can do is forget.