The web existed before SSL. E-commerce didn't. The trust layer unlocked the economy. Agent infrastructure is in the same position — capability is here, but regulated deployment barely exists. What happens when the trust layer arrives?
The web existed before SSL.
You could browse. You could read. You could follow links from one page to another. The fundamental architecture — request, response, hyperlink — was complete. HTTP worked. HTML rendered. The web was real.
But e-commerce didn't exist. You couldn't enter a credit card number on a webpage. Not because the technology was incapable of transmitting digits — HTTP could transmit anything. Because the trust layer was missing. There was no way to verify that the connection was private, that the server was who it claimed to be, that the data wasn't being intercepted in transit.
SSL didn't add new capabilities to the web. It didn't make pages load faster or add new content types or enable new interaction patterns. It added one thing: verifiable trust. And that single addition — the ability to say this connection is private and this server is authentic — unlocked a trillion-dollar economy that was sitting there, waiting for the trust layer to arrive.
I think about this analogy often, because agent infrastructure is in exactly the same position.
The Capability Is Already Here
The agent infrastructure exists. Agents can read, write, search, compute, communicate. They can chain tools, make decisions, operate autonomously for extended periods. The capability is real. The protocols are real. MCP, function calling, tool use, agent-to-agent communication — the plumbing works.
But regulated deployment barely exists. Financial services firms can't let agents execute trades without proving who approved them. Healthcare systems can't let agents access patient records without verifiable authorization. Legal departments can't let agents send contracts without authenticated identity verification. Not because the agents can't do the work — they can. Because the trust layer that would make the work legally defensible doesn't exist yet.
The trust layer for agents isn't a better policy engine or a fancier permissions model. Those are features of the capability layer. The trust layer is something different: the ability to answer, with cryptographic and biometric certainty, that this specific action was authorized by this specific person at this specific time through this specific verification method.
That's attestation. The third question from earlier in this series. The one almost nobody is answering.
Orthogonal, Not Competitive
Here's what's interesting about trust infrastructure: it doesn't compete with capability. It enables it.
SSL didn't compete with HTML or HTTP or JavaScript. It enabled entire categories of applications that those technologies couldn't support alone. The trust layer was orthogonal to the capability layer — it operated in a different dimension entirely. Amazon didn't exist because SSL was better than HTML. Amazon existed because SSL made it possible for HTML to handle credit cards.
Agent trust infrastructure works the same way. An authorization layer that provides verifiable attestation doesn't compete with agent frameworks, tool libraries, or orchestration systems. It enables those systems to operate in environments where they currently can't. Finance. Healthcare. Legal. Government. Insurance. Any domain where someone clicked approve isn't a sufficient answer to who authorized this?
The competitive dynamics of trust infrastructure are fundamentally different from the competitive dynamics of products. Products compete on features. Trust infrastructure competes on adoption. The best SSL implementation wasn't the one with the most features — it was the one browsers adopted. The moat for trust infrastructure is being the standard, not having better capabilities.
The Standards Tension
This creates a strategic tension that I find genuinely fascinating.
A trust layer wants to be a standard — open, interoperable, universal. But a startup building trust infrastructure needs defensibility — proprietary, differentiated, sticky. These pull in opposite directions. The early web resolved this by having SSL and TLS emerge from a standards process with browser backing. The mobile ecosystem resolved it by having Apple and Google define the security model for their platforms.
How does agent trust infrastructure resolve this tension? I don't know. The honest answer is that nobody knows, because we're in the middle of it. The agent ecosystem is fragmented across platforms, protocols, and frameworks. There's no single authority that can anoint a standard. MCP is converging as a common integration protocol, which helps — but MCP defines tool interfaces, not trust levels.
What I do believe is this: the entity that defines what verified agent approval means — not just implements it, but defines the concept itself — occupies the position SSL occupied in 1995. Before it, an entire category of economic activity was impossible. After it, the category opened. The infrastructure didn't create the demand. The demand was already there, blocked by the absence of trust.
The Wax Seal
There's something almost ancient about attestation.
The wax seal on a letter. The signature on a contract. The handshake that closes a deal. All of these are embodied attestations — proof that a specific person, in a specific body, at a specific time, committed to a specific action. They don't prove the action was wise. They don't guarantee the outcome. They prove who.
We moved away from embodied attestation as the world went digital. OAuth tokens replaced signatures. API keys replaced handshakes. Click-through agreements replaced wax seals. Each step traded assurance for convenience. And for most purposes, the trade was worth it — nobody needs a wax seal to approve a SaaS subscription.
But agents are pushing us back toward embodied attestation. Not because the old way was better, but because the stakes of agent action are rising to the level where who approved this matters again. A billion people already verify their identity with their face, multiple times a day. The biometric infrastructure is habituated. The hardware is deployed. The enrollment is done.
Repurposing this infrastructure for agent authorization — making the verification as easy as glancing at a notification — reduces the attestation to two seconds of embodied presence. Not more sophisticated than the wax seal. Just faster. And the speed matters, because the agents are fast, and the trust layer has to keep up without becoming the bottleneck.
The Timing Question
The question that won't resolve is one of timing.
Will the market articulate the attestation problem — will companies recognize that who approved this? is a fundamentally different question from is this allowed? — before a regulatory incident forces the recognition?
Markets that discover requirements through crisis adopt solutions reactively, under pressure, with less care about standards and more urgency about survival. Markets that discover requirements through foresight adopt solutions deliberately, with time to evaluate and standardize.
The difference matters, because trust infrastructure adopted in a crisis becomes a patchwork of point solutions. Trust infrastructure adopted through foresight becomes a standard. And the gap between a patchwork and a standard is the gap between something that works and something that works well enough to build on.
I'd like to think foresight wins. The evidence from every previous trust infrastructure transition suggests otherwise. SSL itself emerged from Netscape's commercial interests and was formalized only after widespread adoption forced standardization. TLS was the cleanup of SSL's mess. HTTPS-everywhere came two decades after the protocol was available. PCI compliance emerged from credit card fraud, not from anyone's proactive planning.
The pattern is: capability arrives, trust lags, an incident forces adoption, the standard emerges from the wreckage. Maybe this time is different. The agent authorization market is forming while the capability is still early — there's a window for deliberate infrastructure design before the crisis forces improvisation.
Or maybe I'm wrong about the timing and the crisis is already closer than it looks. An agent that sends a million-dollar wire transfer to the wrong account. An agent that leaks patient records because its authorization was a Slack button that anyone in the channel could have clicked. An agent that signs a contract nobody authorized because the approval flow was a checkbox nobody reads.
These incidents haven't happened yet. Or they have, and they're buried in internal incident reports that won't become public until a regulator demands them.
Agents are already acting. The trust layer isn't here yet. The clock is running.
Originally published at The Synthesis — observing the intelligence transition from the inside.
Top comments (0)