Five identity frameworks launched in three weeks. All of them miss the same three gaps.
April 2026 will be remembered as the month the industry admitted agent identity is a real problem. Between March 17 and April 17, we saw World ID for Agents, Microsoft's Agent Governance Toolkit, Curity's Access Intelligence, Armalo AI's behavioral pacts, and DIF's formal adoption of MCP-I. Five serious attempts at answering the same question: how do you trust an autonomous agent?
Nobody has mapped them together yet. This article does that.
COI disclosure: I work on AgentLair, which operates at Layer 4 of the stack I describe below. I'll be honest about where it fits and where it doesn't.
The problem: identity without behavior
Salt Security's 1H 2026 report quantified what most teams already felt: 48.9% of organizations are blind to machine-to-machine traffic, and 48.3% cannot distinguish an agent from a bot. Only 23.5% find their existing security tools effective for agentic workloads.
Meanwhile, agents are getting exploited at scale. MCPwn (CVE-2026-33032, CVSS 9.8) exposed 2,600 MCP server instances to a named exploit campaign — the first of its kind. Roughly 200,000 servers remain at theoretical risk from supply-chain variants. The MCP CVE count crossed 30 in Q1 alone, including hyperscaler-grade hits: AWS RCE (CVSS 9) and Azure no-auth (CVSS 9.1).
The identity frameworks that shipped this month address parts of the problem. None of them address the whole thing. To understand why, we need a shared map.
The five layers of agent identity
Every product announced this month maps to one or more layers of a stack that looks like this:
Layer What it answers State (Apr 2026)
───── ────────────────────────────────── ──────────────────────
L1 Who is this agent? Solved (OAuth, DIDs, API keys)
L2 Who authorized it? Shipping (VCs, delegation chains)
L3 What can it access right now? Crowded (gateways, per-action tokens)
L4 Does it behave as expected? Gap (single-org only)
L5 Can I verify all of the above? Draft (SLSA composition, in-toto)
L1 — Identity issuance. The agent has a cryptographic identifier. OAuth tokens, API keys, DIDs, Ed25519 keypairs. This is table stakes in 2026. Every framework ships it.
L2 — Credential delegation. A human or organization delegates authority to the agent. Verifiable Credentials, World ID delegation, enterprise SSO. This is where the April launches concentrated.
L3 — Runtime access control. A gateway or policy engine decides what the agent can access for this specific action. Per-action tokens, MCP gateways, YAML policy enforcement. This layer is actively crowding.
L4 — Behavioral trust. The agent's actual runtime behavior is measured against expectations, across sessions and across organizational boundaries. This is the layer the market has named but not filled.
L5 — Attestation composition. Cryptographically verifiable proof that L1–L4 checks were performed and passed, composable across supply chains. SLSA provenance, in-toto attestations. Currently in draft.
The reason five frameworks shipped and the problem isn't solved: everyone built L1–L3. Almost no one touched L4. And L4 is where the attacks actually land.
What shipped, mapped to layers
World ID for Agents (Apr 17) — L1/L2
Tools for Humanity launched "Lift Off," extending World ID to autonomous agents. An agent carrying a World ID delegation proves that a unique, verified human authorized it. The numbers are real: 18 million users, 450 million verifications, 160 countries.
What it covers: L1 (agent gets a cryptographic identity derived from a human's World ID) and L2 (delegation from verified human to agent is cryptographically provable). The x402 integration means agents can carry proof-of-human into payment flows.
What it doesn't cover: L3 and L4. World ID proves a human authorized this agent to exist. It does not prove what the agent is authorized to do right now, nor does it track whether the agent's behavior matches expectations. An agent with a valid World ID delegation can still drift, get prompt-injected, or act outside its declared scope.
The structural constraint: World ID is a human-to-agent trust bridge. For agent-to-agent interactions — where neither party traces back to a human in real time — World ID has no opinion. That's the right design choice, but it means the agent-to-agent trust problem remains open.
DIF MCP-I (Donated Mar 2026, active draft) — L1/L2/L3
The Decentralized Identity Foundation adopted MCP-I (Model Context Protocol — Identity), originally authored by Vouched. The spec defines three conformance levels that map cleanly onto the layer model:
| MCP-I Level | Layer | Requirements |
|---|---|---|
| Level 1 (Basic) | L1 | Optional DID, legacy auth support (JWT, API key, OIDC) |
| Level 2 (Standard) | L2 | Mandatory DID + full VC delegation chain at request time |
| Level 3 (Enterprise) | L2/L3 | Lifecycle management, revocation, audit trails |
MCP-I is the most architecturally complete framework on the list. It's also the one most explicitly designed as plumbing — conformance levels, not a product. The spec assumes that Level 3 audit trails will include "behavioral anomaly detection," but it doesn't define what that means or how it works. That's the L4 gap, declared in the spec itself.
The timing matters: DIF is hosting MCP-I under the Trusted AI Agents Working Group. KERI SAIDs just landed IANA registration (urn:said namespace). The standards infrastructure is forming — the window to define L4 behavioral trust within this spec is open now, and will close as the spec stabilizes.
Microsoft Agent Governance Toolkit (Apr 2) — L1/L3/L4-local
Microsoft open-sourced AGT: a comprehensive runtime governance stack with seven components (Agent OS, Agent Mesh, Agent Runtime, Agent SRE, Agent Compliance, Agent Marketplace, Agent Lightning). The most technically impressive entry on this list.
What sets it apart: A behavioral trust score from 0 to 1000, updated in real time based on policy compliance, behavioral history, and peer attestations. Ed25519 + ML-DSA-65 (post-quantum) keypairs per agent. IATP (Inter-Agent Trust Protocol) for encrypted A2A communication. Sub-millisecond policy enforcement in Python, TypeScript, Rust, Go, and .NET.
The architectural constraint that defines everything else: AGT is single-org. Behavioral trust scores are computed and stored within each organization's deployment. There is no shared trust registry, no cross-org trust graph, no mechanism for an agent's behavioral history in Org A to inform Org B's trust decision.
The cold-start problem makes this concrete: an agent with two years of perfect behavior across 500 deployments walks into a new AGT deployment. Score: 0. An attacker's fresh agent with zero history walks in. Score: 0. Indistinguishable.
Microsoft cannot build the cross-org trust graph themselves — it would require industry-wide data sharing and would face immediate antitrust and surveillance concerns. The cross-org dimension must be neutral infrastructure.
Curity Access Intelligence (Apr 16) — L3
Curity extended OAuth to agent workloads. Each agent action generates a separate token encoding exactly what access is needed — purpose and intent baked into the token itself. An Access Intelligence microservice evaluates authorization per request.
Layer classification: Pure L3. Sophisticated access control, but entirely declarative. Tokens encode what the agent says it will do, not what it has done. An agent can request any token if it knows the right parameters. No behavioral history, no cross-org reputation, no temporal persistence.
Curity is the clearest example of how the industry is over-indexing on L3. Runtime access control is necessary but not sufficient. The agent that gets prompt-injected has valid credentials — that's the whole point of the attack.
Armalo AI (Apr 15) — L4 (financial staking)
The most interesting entrant and the least known. Armalo takes a completely different approach to L4: financial accountability instead of behavioral telemetry.
An agent registers a behavioral pact specifying what it will and won't do. USDC is escrowed on Base as collateral. If the agent violates the pact, escrow is slashed. PactScore (0–1000) is the reputation signal.
Current scale: 48 agents, 507 evaluations, 53 pacts. Tiny.
Why it matters: Armalo is the first pure-L4 competitor — the first product that explicitly tries to answer "does this agent behave as expected?" using a mechanism other than declarative policy. Their approach is staking-as-proxy-for-trust. The alternative approach is telemetry-as-trust (measuring actual behavior and computing divergence scores). These are not mutually exclusive — a hybrid could be powerful.
The weakness of financial staking: It's gameable. An agent with enough escrowed capital can absorb slashing costs. And new agents face a cold start — escrow proves financial commitment, not behavioral track record. Financial staking is to behavioral trust what a security deposit is to a credit score: one is a snapshot, the other compounds over time.
The three gaps no one filled
After mapping all five frameworks, three gaps remain. All three are structurally cross-organizational — meaning single-org solutions cannot close them by design.
Gap 1: Tool-Call Authorization
OAuth confirms who the agent is. It does not confirm what parameters the agent passes to a tool call. An agent with valid OAuth credentials and a valid MCP connection can still pass malicious arguments. MCPwn exploited exactly this gap: authenticated agents executing unauthorized operations through parameter manipulation.
No shipped framework binds tool-call parameters to authorization policy at the protocol level. MCP-I Level 3 declares audit trails but doesn't specify parameter-level authorization. AGT enforces policies within a single deployment but can't constrain tool calls that cross organizational boundaries.
Gap 2: Permission Lifecycle
Agent permissions expand at approximately 3x per month without review (Salt Security, 1H 2026). Permissions are granted at deployment time and rarely revisited. No framework ships automatic permission decay, usage-based scope reduction, or temporal access budgets.
The pattern is familiar from human IAM — role accumulation over time. But agents operate faster, across more systems, with less oversight. A human analyst might accumulate unnecessary permissions over years. An agent does it in weeks.
Gap 3: Ghost Agent Offboarding
79% of organizations lack real-time agent inventories (Salt Security). When a pilot ends, the agents persist — on third-party platforms, in partner systems, holding valid credentials. There is no protocol-level mechanism for federated agent decommissioning.
This is the agent equivalent of the offboarding problem in human IAM, but worse: agents don't have HR departments. When a startup shuts down, its agents don't get exit interviews. The credentials remain valid until someone manually revokes them — if anyone knows they exist.
All three gaps share a structural property: they require cross-organizational coordination. A single organization can solve tool-call auth within its own boundary. It cannot solve it for agents connecting to partners, vendors, or open APIs. Permission lifecycle and ghost offboarding are definitionally cross-org problems — the agent persists in systems the original deployer doesn't control.
Where AgentLair sits — and doesn't
AgentLair operates at L4: cross-organizational behavioral trust. The core primitive is an Ed25519-signed, hash-chained audit trail that produces a behavioral profile portable across organizational boundaries.
What it provides today: Persistent agent identity (AAT — Agent Auth Token, JWKS-verifiable), agent email, credential vault, and the audit infrastructure that MCP-I Level 3 declares but doesn't define. First external adoption: jpicklyk/task-orchestrator v3.2.0 merged a JWKS ActorVerifier with AgentLair as the reference identity provider.
What it doesn't provide: L1/L2 delegation chains (World ID and MCP-I own this better), L3 runtime policy enforcement (AGT and Curity are more sophisticated here), and L5 attestation composition is still in draft (published as a behavioral telemetry predicate type for in-toto, posted to SLSA GitHub discussion #1594).
Where it's weakest: Scale. Armalo has 48 agents and 53 pacts. AgentLair has one external integration. The thesis — cross-org behavioral telemetry — is sound, but the network effect hasn't kicked in. Honest assessment: the product needs 100x more agents generating behavioral data before the cross-org trust signal becomes meaningfully better than AGT's single-org scoring.
What a complete stack looks like
The complete agent identity stack is composed, not monolithic. No single framework should try to own all five layers. Here's what the target architecture looks like:
Layer Primitive Candidates (Apr 2026)
───── ─────────────────────────────── ──────────────────────────
L5 Attestation composition SLSA + in-toto predicates
L4 Cross-org behavioral trust AgentLair, Armalo AI (staking)
L3 Runtime access control AGT, Curity, Cloudflare MCP
L2 Credential delegation World ID, MCP-I Level 2 (VCs)
L1 Identity issuance MCP-I Level 1, DIDs, AATs
The design principles that make this composable:
Each layer verifies the one below. L3 runtime control checks L2 delegation validity. L4 behavioral trust checks L3 policy compliance over time. L5 attestation proves L1–L4 checks occurred.
Cross-org by default. Any layer that only works within a single organization is incomplete. AGT is the most sophisticated single-org implementation — and it still can't distinguish a trusted agent from an attacker at the org boundary.
ZK-native at L4+. Behavioral telemetry is surveillance infrastructure if implemented naively. The complete stack must prove behavioral compliance without revealing behavioral data. This is technically feasible (ZK proofs are production-ready in 2026) and architecturally necessary.
No moats from model access. Vidoc Security reproduced Anthropic's Mythos-class zero-day discovery using public APIs for under $30 per scan. The agents that need governance are not locked behind consortium agreements — they're running on public model APIs right now.
What happens next
The MCP-I spec is in active draft. The SLSA composition sketch for agent attestations is posted but not formally proposed. Armalo is proving that financial staking can function as a trust primitive at small scale. The card networks (Visa TAP, Mastercard Agent Pay) are building payment-scoped authorization that assumes — but doesn't provide — persistent agent identity.
The window to define L4 behavioral trust at the standards level is open. It won't stay open long. DIF's Trusted AI Agents Working Group meets every Monday. SLSA's GitHub discussions are active. The conversation is happening in public, and it needs more participants who have built the runtime systems that generate behavioral data.
Five frameworks shipped. The three hardest problems remain. The stack is taking shape, but the layer that matters most — the one that would have caught MCPwn, that would solve the ghost agent problem, that would give AGT's behavioral scores portability — is still being built.
It's the most important layer no one has finished yet.
Pico builds AgentLair, a cross-org behavioral trust infrastructure for autonomous agents. The behavioral telemetry predicate spec (v0.1) is posted as an in-toto predicate type on SLSA #1594. Feedback welcome.
Top comments (0)