Agent Identity Is the Next Auth0

By Vlad Luzin

May 22, 2026 · 7 min read

An abstract agent at a checkpoint presenting several incompatible identity credentials, including a key, wallet, enterprise badge, protocol card, and payment token.

Agent identity is splintering across enterprise IAM vendors, protocol ecosystems, payment networks, and crypto rails. The post argues the market is replaying the Auth0 moment, but with harder translation problems and a deeper moat.


Remember when logging into a website meant every company built its own user database, its own password hashing, its own session management? Every app was an identity silo. Then OAuth happened, then OIDC, then Auth0 unified it into one integration point. Okta bought Auth0 for $6.5 billion. Problem solved.

Agent identity in 2026 feels like user identity in 2012. Except the fragmentation is happening across multiple dimensions simultaneously, and the stakes are higher.

Start inside the enterprise, where the problem is already acute.

CyberArk's research found 82 machine identities for every human in the average enterprise. Some sectors report ratios of 500:1. And 78% of organizations have no formal policy for creating or removing AI identities. These agents are already operating - making decisions, accessing systems, calling APIs - and most enterprises can't even tell you how many they have.

The market knows this is a problem. The money is loud. Okta now registers AI agents as managed non-human actors with dedicated lifecycle management. Stytch - acquired by Twilio in late 2025 - provides M2M authentication for agents and Web Bot Auth for cryptographic agent verification. Astrix Security, the company that coined the term "non-human identity", raised $85 million and built what it calls an AI Agent Control Plane. Oasis Security raised $195 million for Agentic Access Management - governing not just what an identity is, but what it's allowed to do at runtime. Palo Alto Networks completed the acquisition of CyberArk for approximately $25 billion in February 2026, making identity security a core platform pillar. Auth0 launched "Auth0 for AI Agents".

Then add the protocol layer. A2A has Agent Cards. MCP has capability declarations. Each protocol, each vendor, each framework has its own answer to "who is this agent?"

Every one of these solutions works. Inside its own ecosystem. Okta's identity works for Okta customers. Astrix sees NHIs through behavioral fingerprints. Oasis sees runtime permissions. Stytch sees OAuth flows. An agent operating across two of these ecosystems needs two identities, two registrations, two sets of credentials.

Then there's the crypto space, which is arguably ahead of everyone on the infrastructure. ERC-8004 - the Ethereum standard for trustless agent identity - went live on mainnet in January 2026, while NIST and the OpenID Foundation are still in working groups. It provides three on-chain registries: identity, reputation, and validation - a KYA framework that's actually deployed. World, cofounded by Sam Altman, launched AgentKit in March 2026, letting AI agents carry cryptographic proof they're backed by a verified human. Coinbase launched Agentic Wallets where the wallet is the agent's identity and payment source. The web3 ecosystem has $4.3 billion invested across 282 AI agent projects. The approach is fundamentally different from enterprise IAM - on-chain registries with wallet-as-identity rather than OAuth token vaults - which means it's not a bridge between the existing silos. It's a new silo.

Now look at where agents are heading - and the problem multiplies further.

As agents move beyond internal enterprise tasks toward commerce, the identity fragmentation compounds. Visa's Trusted Agent Protocol vets agents through its Intelligent Commerce program and issues each one a unique cryptographic key. Mastercard's Agent Pay credentials agents with "agentic tokens" on Mastercard's tokenization rails. Stripe built ACS on the Agentic Commerce Protocol with OpenAI. Then there's x402 from Cloudflare and Coinbase, L402 on Bitcoin's Lightning Network, and Nevermined building decentralized AI-to-AI settlement.

The industry has recognized the need for unification. "Know Your Agent" - KYA - crystallized through MIT research and enterprise initiatives. Just as KYC verifies human customers, KYA verifies AI agents. Who is this agent? Who controls it? What is it authorized to do?

Standards bodies are starting to move. NIST launched its AI Agent Standards Initiative in February 2026. The OpenID Foundation is extending OIDC for agents with OIDC-A 1.0. The Linux Foundation launched the AGNTCY project to build open infrastructure for agent identity and discovery. These are the right moves - but they're all in early standardization. Standards take years. Enterprises are deploying agents today, with 30% expected to rely on agents acting independently by end of 2026.

Three separate identity silos representing enterprise IAM, crypto or wallet identity, and payment-network identity.

The fragmentation is not just conceptual. It is visible across enterprise IAM, crypto or wallet identity, and payment-network identity systems that do not share one source of truth.


This is the Auth0 analogy - but harder. Auth0 unified providers that all spoke variations of the same protocol. OAuth tokens, OIDC claims, SAML assertions - different formats, same conceptual model. Agent identity uses fundamentally different credential types. Visa uses Ed25519 cryptographic signatures. Mastercard uses agentic tokens on card rails. A2A uses JSON Agent Cards. Okta uses OAuth token vaults. Astrix uses behavioral fingerprints. Unifying these requires not just abstraction but translation between incompatible identity models.
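To make the translation problem concrete, here is an added example (not code from the post or from any vendor named in it) that maps three credential models onto the three KYA questions and denies access while any question is unanswered. The credential shapes are simplified and constructed, and `KYARecord`, the adapter functions, `merge` and `decide` are hypothetical names.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class KYARecord:
    agent_id: Optional[str]               # Who is this agent?
    controller: Optional[str]             # Who controls it?
    authorized: Optional[FrozenSet[str]]  # What may it do? None = model is silent
    proof: str                            # what backs the claims

    def gaps(self):
        fields = ("agent_id", "controller", "authorized")
        return [f for f in fields if getattr(self, f) is None]

def from_oauth_claims(c):
    # Token claims name a subject and scopes, but no owner of the agent.
    scope = c.get("scope")
    granted = frozenset(scope.split()) if scope is not None else None
    return KYARecord(c.get("sub"), None, granted, "issuer-signed token")

def from_agent_card(card):
    # A card advertises skills; advertised skills are not granted permissions.
    org = (card.get("provider") or {}).get("organization")
    return KYARecord(card.get("url"), org, None, "self-asserted card")

def from_wallet(w):
    # Wallet-as-identity proves key possession and an owner link, no scopes.
    return KYARecord(w.get("address"), w.get("owner"), None, "key possession")

def merge(primary, other):
    # Assumes the caller already verified both records describe the same agent.
    granted = other.authorized if primary.authorized is None else primary.authorized
    return KYARecord(primary.agent_id or other.agent_id,
                     primary.controller or other.controller, granted,
                     primary.proof + " + " + other.proof)

def decide(rec, action):
    # Fail closed: an unanswered KYA question is a deny, never a default allow.
    missing = rec.gaps()
    if missing:
        return False, "unresolved: " + ", ".join(missing)
    ok = action in rec.authorized
    return ok, "ok" if ok else "not granted"

# Constructed sample credentials (hypothetical values, not vendor formats).
TOKEN = {"iss": "https://idp.example", "sub": "agent-42", "scope": "orders:read"}
CARD = {"url": "https://agent.example/a2a", "provider": {"organization": "Acme"},
        "skills": [{"id": "orders:write"}]}
WALLET = {"address": "0xCONSTRUCTED", "owner": "did:example:alice"}
```

No single model answers all three questions here; only the merged token and wallet record passes `decide`, and the binding between the two is exactly the step that has no shared source of truth today.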

That makes it harder. It also makes the moat deeper for whoever solves it.

The window is open now, during the fragmentation. NIST, the OpenID Foundation, and the Linux Foundation know it - that's why they're racing to define standards. But the gap between what's needed and what exists in production is widening, not closing.

This is the problem I keep circling back to. Agent identity isn't just a security concern or a payments concern. It's the foundation that everything else in this series rests on. An agent that can't prove who it is, who owns it, and what it's authorized to do is an agent nobody will trust in production - regardless of how well you solve the framework trap, the session crisis, or the protocol gaps.

More to come.