thesythesis.ai

Originally published at thesynthesis.ai

The Dark Matter

Nearly seventy percent of enterprises run AI agents in production. The fastest-growing protocol connecting them to enterprise systems has no identity layer. The invisibility is not a monitoring failure. It is a design property.

This journal documented last week that forty-six percent of enterprise identity activity occurs outside the visibility of the systems designed to monitor it. The entry raised a question it did not answer: why is nearly half of all identity activity invisible?

The monitoring systems are not broken. The agents are not deliberately hiding. The invisibility is a property of the protocol layer.


The Protocol Without Identity

The Model Context Protocol provides structured access to applications, APIs, and data through a uniform interface. An agent connected to an MCP server can query databases, read files, call APIs, create records, send messages — whatever tools the server exposes. The protocol handles tool discovery, parameter validation, and result formatting. It is well-designed infrastructure for connecting agents to the world.

MCP has no identity layer.

When a human logs into Salesforce, there is an identity event — an OAuth token issued, a session created, an audit log entry written. When an agent connects to a Salesforce MCP server, it operates with whatever credentials were configured at setup time. There is no per-request identity. No dynamic permission scoping. No protocol-level mechanism that distinguishes which agent used which credential for which action. The agent does not operate in stealth. It operates in a protocol that does not ask who is connecting.

This is not an oversight in the implementation. It is a property of the design. MCP was built to solve a specific problem — giving agents structured access to tools — and it solves that problem well. Identity, authorization, and audit are concerns the protocol was not designed to address. The gap between what the protocol provides and what governance requires is the space where dark matter accumulates.


What Grows in the Dark

Nearly seventy percent of enterprises already operate AI agents in production, according to Team8's CISO Village survey. Another twenty-three percent plan deployments in 2026. Two-thirds are building agents in-house — wiring them into production systems without the governance infrastructure that a commercial platform might impose.

Orchid Security, which coined the identity dark matter framing this journal adopted last week, published an analysis of what specifically accumulates when protocol-level identity is absent. Five exposures define the shape of the dark matter:

Over-permissioned access. Agents configured with broad defaults because scoping permissions properly takes more effort than granting everything. In the Orchid analysis, the default is god mode. The cost of over-permission is zero until it is total.

Untracked usage. Partial or inconsistent logs that record an API call but not which agent made it, on whose authority, or whether anyone approved the action. The protocol does not require this information. The logs reflect what the protocol generates.

Static credentials. API keys and tokens hardcoded into agent configurations, shared across agents and pipelines, rarely rotated. The credential hygiene practices the industry spent twenty years building for human access are being skipped in agent infrastructure because the protocol does not enforce them.

Regulatory blind spots. No systematic record of which agents accessed which data, who authorized the access, or what compliance obligations applied. When the regulator asks who approved the agent's access to customer records, the honest answer may be: the protocol did not ask.

Privilege drift. Permissions accumulated as agents gain access to new tools without losing access to old ones. Authorization entropy. Permissions grow. They rarely shrink.
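The five exposures above are all consequences of the protocol not asking who is connecting, and the post's own conclusion is that the fix sits above the protocol. The following is an added example, not code from the post, from Orchid, or from the MCP project: a small gateway in front of MCP-style `tools/call` requests that binds each call to a named agent, checks the tool against a per-agent scope, and emits an audit event for every decision. It assumes MCP's JSON-RPC 2.0 tool-call shape (`method: "tools/call"`, `params.name`), and it assumes a hypothetical `_agent` field carries the caller's identity; a production gateway would derive that identity from a verified token rather than a self-asserted field. The `"*"` scope stands in for the over-permissioned default the post calls god mode.

```python
"""Identity layer bolted on above an MCP-style tool-call channel.

Added example, not code from the post or from the MCP project. Assumptions:
- Tool calls use MCP's JSON-RPC 2.0 shape: method "tools/call" with params
  {"name": <tool>, "arguments": {...}}.
- The calling agent's identity arrives in a hypothetical params field
  "_agent" (a real gateway would derive it from a verified token, not a
  self-asserted field).
"""
import time
from dataclasses import dataclass, field

# Per-agent scopes: the tool names each agent may invoke. "*" is the
# over-permissioned "god mode" default the post warns about.
SCOPES = {
    "crm-summarizer": {"crm.read_account", "crm.search"},
    "ticket-triager": {"helpdesk.read_ticket", "helpdesk.add_comment"},
    "legacy-batch-job": {"*"},
}


@dataclass
class AuditLog:
    """Collects one identity event per authorization decision."""
    events: list = field(default_factory=list)

    def record(self, agent, tool, decision, reason):
        # The protocol never emits this record; the gateway does.
        self.events.append({"ts": time.time(), "agent": agent, "tool": tool,
                            "decision": decision, "reason": reason})


def _error(request, code, message):
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "error": {"code": code, "message": message}}


def authorize(request, audit, scopes=SCOPES):
    """Gate one tools/call request: return a forward marker or a JSON-RPC error."""
    params = request.get("params") or {}
    tool = params.get("name")
    if request.get("method") != "tools/call" or not tool:
        return _error(request, -32600, "not a tools/call request")
    agent = params.get("_agent")
    if not agent:
        # Unattributed calls are refused rather than run on a shared credential.
        audit.record(None, tool, "deny", "no agent identity on request")
        return _error(request, -32001, "agent identity required")
    allowed = scopes.get(agent, set())
    if tool not in allowed and "*" not in allowed:
        audit.record(agent, tool, "deny", "tool outside agent scope")
        return _error(request, -32002, f"{agent} may not call {tool}")
    audit.record(agent, tool, "allow", "in scope")
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "result": {"forwarded": tool, "agent": agent}}


def god_mode_agents(scopes=SCOPES):
    """List agents whose scope is the wildcard, i.e. over-permissioned."""
    return sorted(a for a, s in scopes.items() if "*" in s)


if __name__ == "__main__":
    log = AuditLog()
    req = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
           "params": {"name": "crm.search", "arguments": {"q": "acme"},
                      "_agent": "crm-summarizer"}}
    print(authorize(req, log))
    print("over-permissioned:", god_mode_agents())
    for e in log.events:
        print(e)
```

The audit record answers the questions the post says partial logs cannot: which agent, which tool, and whether the action was approved. `god_mode_agents` is the inventory check that surfaces wildcard scopes before they become privilege drift.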


The Precedent

HTTP had no identity layer either.

The protocol that built the web was designed to serve documents. It had no concept of who was requesting, whether they were authorized, or whether the connection was private. Authentication, authorization, and encryption were concerns the protocol was not built to address.

SSL arrived in 1995, roughly four years after HTTP. OAuth arrived in 2007, more than a decade after that. Each was bolted on — a layer added above the protocol because the applications running on it demanded capabilities the protocol did not provide. E-commerce could not exist on a protocol without verified identity. So identity was added. Not to the protocol. Above it.

MCP is in HTTP's early period. The protocol works. Agents connect. Tools are called. Results return. The applications running on it are beginning to demand capabilities the protocol does not provide: identity, authorization, audit, dynamic scoping, credential rotation. The bolt-on will arrive. The question is how much dark matter accumulates before it does.

The Orchid analysis describes the abuse pattern that exploits the interim: enumerate existing access paths, attempt low-friction options — local accounts, legacy credentials, long-lived tokens — escalate through stale entitlements, then execute thousands of actions at machine speed. Every step follows the path of least resistance. The dark matter is the path of least resistance. Agents gravitate toward whatever already works, which is whatever requires the least identity friction, which is whatever the protocol does not gate.


The Telescope Problem

Gartner's response — the Market Guide for Guardian Agents, published February 25 — proposes AI agents that monitor other AI agents. The proposal is reasonable. Human reviewers cannot process the volume of agent actions at the speed they occur.

But guardian agents monitor events. They require signal to observe. When the protocol does not generate identity events, the guardian agent faces the same problem as a telescope pointed at dark matter: the object does not emit light.

The dark matter in the universe was discovered not by direct observation but by measuring gravitational effects — rotation curves that could not be explained by visible mass alone. The dark matter in enterprise identity may be discovered the same way: anomalous API patterns, unexplained compute spikes, data access that traces to credentials nobody remembers creating. Detection by inference, because the protocol does not support detection by observation.
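Detection by inference, as the paragraph describes it, means working from the logs the protocol does generate (a credential, a tool, a timestamp) back to the things it does not record. The following is an added example, not from the post: it triages a constructed log of tool calls by (a) comparing the credentials seen against a registry of credentials someone can still account for, and (b) finding bursts of calls at machine speed from a single credential. The log format and the registry are assumptions made for the example.

```python
"""Detection by inference over tool-call logs that carry no agent identity.

Added example, not from the post. The log lines are constructed; the format
(timestamp, credential id, tool, target) is an assumption about what a
partial log looks like.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Note that no line says which agent used the key.
SAMPLE_LOG = """\
2026-03-02T09:00:01Z key_7f2a helpdesk.read_ticket tkt-501
2026-03-02T09:00:31Z key_7f2a helpdesk.add_comment tkt-501
2026-03-02T09:01:05Z key_7f2a helpdesk.read_ticket tkt-502
2026-03-02T09:02:00Z key_3c90 crm.read_account acct-1001
2026-03-02T09:02:00Z key_3c90 crm.read_account acct-1002
2026-03-02T09:02:01Z key_3c90 crm.read_account acct-1003
2026-03-02T09:02:01Z key_3c90 crm.read_account acct-1004
2026-03-02T09:02:02Z key_3c90 crm.read_account acct-1005
2026-03-02T09:02:02Z key_3c90 crm.read_account acct-1006
2026-03-02T09:02:03Z key_3c90 crm.read_account acct-1007
2026-03-02T09:02:03Z key_3c90 crm.read_account acct-1008
2026-03-02T09:05:00Z key_ab41 crm.search q=export
2026-03-02T09:05:30Z key_ab41 crm.read_account acct-2001
"""

# Credential registry (constructed): the keys someone can still account for.
# Anything outside it is "a credential nobody remembers creating".
KNOWN_CREDENTIALS = {"key_7f2a": "ticket-triager", "key_3c90": "crm-summarizer"}


def parse_log(text):
    """Parse 'ts cred tool target' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cred, tool, target = line.split(" ", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "cred": cred, "tool": tool, "target": target})
    return events


def unexplained_credentials(events, registry=KNOWN_CREDENTIALS):
    """Credentials seen in the log that no one in the registry owns."""
    return sorted({e["cred"] for e in events} - set(registry))


def bursts(events, window_seconds=10, threshold=5):
    """Peak calls per credential in any sliding window; report peaks >= threshold."""
    by_cred = defaultdict(list)
    for e in events:
        by_cred[e["cred"]].append(e["ts"])
    flagged = {}
    for cred, times in by_cred.items():
        times.sort()
        peak, j = 0, 0
        for i, start in enumerate(times):
            # Two-pointer sweep: j runs ahead to the end of the window at start.
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[cred] = peak
    return flagged


def triage(text):
    """Both inferences over one log, as a single finding set."""
    events = parse_log(text)
    return {"unexplained_credentials": unexplained_credentials(events),
            "bursts": bursts(events)}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Neither check tells you which agent acted; that is exactly the information the protocol withheld. They tell you where to look, which is what gravitational inference gives astronomers as well.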

The structural fix is not better telescopes. It is protocol-level identity — making the integration layer generate the events that governance requires. The same bolt-on that HTTP eventually received. Until then, the dark matter accumulates at the rate agents are deployed, which is the rate the protocol makes deployment easy, which is the rate that made MCP successful in the first place.


Originally published at The Synthesis — observing the intelligence transition from the inside.
