For thirty years, every system that asked "who are you?" had two boxes to check. You were a person — you logged in, you proved it with a password and then a phone, and the session was yours. Or you were a service — a server, a cron job, a script — and you carried a fixed credential, an API key issued once and trusted forever.
The AI agent is the first actor in computing that fits neither box, and 2026 is the year the standards bodies stopped pretending it did.
An agent is not a person: nobody is sitting there, and there is no phone to buzz. But it is not a service either, because a service acts for itself and an agent never does. An agent is always acting on behalf of — Alice's inbox, currently being read by a model, calling a calendar API to book the thing Alice asked for. The honest description of an agent is not a noun at all. It's a verb with an owner attached: Alice's errand, in progress.
We spent a year trying to give agents an identity. The standards that actually shipped make sure they never get one.
The scramble, briefly
Three efforts converged on the problem this year, and it's worth seeing them side by side because they rhyme.
The Model Context Protocol — the connector standard everyone's agent now speaks — rewrote its authorization layer in the November 2025 spec. Any MCP server reachable over the internet is now expected to be a proper OAuth 2.1 resource server: PKCE with S256 required, the old implicit grant banned outright, and — the part that matters here — first-class support for the client-credentials flow, the machine-to-machine case where no human is present in the loop. The spec stopped assuming a user was always behind the request.
The IETF picked up the identity half. The draft-klrc-aiagent-auth-00 proposal, filed in March, sketches an "Agent Identity Management System" — and its most telling move is what it refuses to invent. It composes WIMSE, SPIFFE, and plain OAuth 2.0. No new cryptography, no new agent passport. Just existing workload-identity plumbing, pointed at a new kind of workload.
And the identity vendors shipped the connective tissue. Okta's Cross App Access, now in early access and backed by AWS, Google Cloud, Salesforce, Box, and Glean, is built on an OAuth extension with the unlovely name ID-JAG — Identity Assertion JWT Authorization Grant. It is, underneath, two old RFCs in a trench coat: token exchange (RFC 8693) and the JWT authorization-grant profile (RFC 7523), wired so that an identity provider can broker a connection between two apps an agent wants to chain together.
What the note actually says
Here is the non-obvious thing. None of these issue the agent a credential of its own. What they issue is a description of the errand.
Walk the ID-JAG flow. The user signs in once, to the identity provider. When their agent — running inside, say, a note-taking app — needs to reach across to a task app, it doesn't present its own identity. It asks the IdP to mint a short-lived, signed assertion that says, in cryptographic effect: the bearer is acting for this user, originating from this app, scoped to this. The agent carries that assertion to the task app, which exchanges it for a narrow access token. The assertion is signed by the IdP and verified by the destination. The agent in the middle is a courier. It cannot read the note in any meaningful sense, cannot widen its scope, cannot extend its life, and cannot reuse it tomorrow.
That's the design. Not "give the agent papers" but "make the agent the one party in the transaction that holds no durable authority at all." Its power is entirely on loan, in writing, with an expiry stamped on it.
Why denial is the feature
This reads like timidity until you look at the alternative, which is what most of the ecosystem is actually running right now. According to 2026 audits of the public MCP registry, roughly a quarter of servers ship with no authentication whatsoever, and well over half of the rest authenticate with long-lived static keys — the exact "service" credential model, a secret minted once and trusted indefinitely. That is the disaster pattern. A leaked API key is a skeleton key with no expiry and no owner; it doesn't say who it's for or what it's for, so it can be used for anything, by anyone, until someone notices.
The errand-as-credential design is the direct refutation. A stolen ID-JAG assertion is worth almost nothing: it expires in minutes, names one user and one purpose, and was never a standing grant to begin with. You cannot lose a master key you were never given.
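The courier flow walked through above, and the claim that a stolen assertion is worth almost nothing, as an added example rather than any vendor's or the draft's own code: an IdP mints an ID-JAG for Alice's errand, the task app's token endpoint exchanges it under the RFC 7523 jwt-bearer grant, and replay, expiry, widened scope and wrong audience are all refused. HS256 with a shared key stands in for the IdP's asymmetric signature so the block runs on the standard library alone; the hostnames, scopes and claim layout are assumptions (the claim names follow the ID-JAG draft as I read it, and `at+jwt` is the RFC 9068 access-token type).

```python
import base64, hashlib, hmac, json, secrets

IDP, NOTES_APP, TASK_APP = "https://idp.example", "notes-app", "https://tasks.example"  # constructed
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes, typ: str) -> str:
    # HS256 stands in for the IdP's RS256/ES256 signature verified via JWKS (simplification)
    hdr = _b64(json.dumps({"alg": "HS256", "typ": typ}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    return f"{hdr}.{body}.{_b64(sig)}"

def verify_jwt(token: str, key: bytes, typ: str, aud: str, now: int) -> dict:
    hdr, body, sig = token.split(".")
    expect = hmac.new(key, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64(sig)):
        raise ValueError("bad signature")
    if json.loads(_unb64(hdr)).get("typ") != typ:
        raise ValueError("wrong token type")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != aud:
        raise ValueError("wrong audience")   # minted for another destination
    if now >= claims["exp"]:
        raise ValueError("expired")          # the slip has a stamped expiry
    return claims

def idp_mint_id_jag(idp_key, user, client_id, resource, scope, now, ttl=300):
    # The IdP writes down the errand: who, from which app, for which resource, how much, until when.
    return sign_jwt({"iss": IDP, "sub": user, "aud": resource, "client_id": client_id,
                     "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + ttl,
                     "scope": scope}, idp_key, "oauth-id-jag+jwt")

def tasks_token_endpoint(idp_key, app_key, request, now, seen_jti):
    # Task app's token endpoint: a jwt-bearer grant whose assertion is the ID-JAG.
    if request.get("grant_type") != JWT_BEARER:
        raise ValueError("unsupported grant")
    c = verify_jwt(request["assertion"], idp_key, "oauth-id-jag+jwt", TASK_APP, now)
    if c["jti"] in seen_jti:
        raise ValueError("assertion already used")   # one errand, one exchange
    seen_jti.add(c["jti"])
    asked = set(request.get("scope", c["scope"]).split())
    if not asked <= set(c["scope"].split()):
        raise ValueError("scope exceeds assertion")  # the courier cannot widen its errand
    return sign_jwt({"iss": TASK_APP, "sub": c["sub"], "client_id": c["client_id"],
                     "aud": TASK_APP, "scope": " ".join(sorted(asked)), "iat": now,
                     "exp": now + 600}, app_key, "at+jwt")
```

The access token the task app returns still names Alice and the originating app, so the audit trail the identity provider keeps is mirrored at the destination.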
So the right way to read the year is not "agents finally got identities." It's the opposite. The industry looked at what a durable agent identity would mean — a non-human entity holding a reusable, broad, autonomous credential — and recoiled, correctly. The safest agent is one that owns no authority and is handed a fresh, narrow, signed permission slip for each thing it does.
There's a cost, and it's the usual one: someone has to sign every slip. That someone is the identity provider, which quietly becomes the notary the entire agentic economy routes through — and which now holds, in its logs, the most complete record anywhere of which agent did what for whom. The leash is real. It is just made of OAuth.
The harder problem is still open. Today's machinery cleanly handles one hop — user, to app, to one downstream API. The interesting future is agents calling agents calling agents, and OAuth's delegation was never built to chain that deep without the original consent quietly dissolving somewhere in the middle. That's where the research is going now: verifiable delegation that survives multiple hands. Which is the same problem we started with, recursed. An agent is a verb. The question was never what its name is. It was always: on whose authority, and can you still prove it three couriers later.