major labs
Essay 07 · Identity · 10 min read

Inside the identity layer

By Charlie Major · 2026-06-26

An agent that buys something on your site today is carrying four or five identities, and none of them are the same identity.

It might hold a W3C DID issued by its framework. It might present a FIDO Agentic Auth credential at login. If it operates in Europe after August 2, it touches an EUDI wallet. It connects to your tools over an MCP session that carries its own connection identity. And when it pays, it routes through a Stripe Connect account that knows it as a merchant sub-entity. Five identifiers. Five trust models. No canonical way to say that they all describe the same agent.

That gap is the identity layer. It is the deepest of the five layers in the agentic stack, the one that opens widest and closes slowest. This essay walks it: what is shipping, what is missing, what a portable agent credential actually has to contain, and why Major Labs publishes about identity in 2026 but does not ship into it until 2027.


Why identity is the hard one

The other four layers have a shape you can ship against. Discovery is a scanning and measurement problem. Commerce is a mandate-and-receipt problem. Observability is an attribution problem. Provenance is a labeling-and-evidence problem. Each one has a clear artifact and a clear buyer.

Identity does not resolve to a single artifact, because identity is a coordination problem dressed as an engineering one. The standards exist. The hard part is that no two of them agree on what an agent is, and getting them to agree requires three regulatory bodies and four working groups to move in the same direction at the same time. That does not happen on an engineering timeline.

So the question for identity is not "can you build it." It is "what can you build before the standards settle, and what should you wait for."


What is shipping in identity today

More than most people think. The pieces are real; the seams between them are not.

W3C DID Core is at v1.0, with v1.1 in flight. Decentralized identifiers are a stable, implementable spec. An agent can hold a DID, resolve it, and prove control of it. This is the closest thing the layer has to a foundation.

FIDO stood up an Agentic Auth working group in February 2026, shortly after Google donated AP2 to FIDO. That donation matters more than the working group does, because it pulled agent payment authorization into the same body that already owns passkeys. WebAuthn has quietly become passkeys-as-default in every mainstream browser, which means the human side of agent authentication is largely solved. The agent side is what FIDO is now chasing.

The EU Digital Identity Wallet, EUDI, becomes legally enforceable in member states on August 2, 2026. That is the same enforcement date as the AI Act provisions we wrote about in the provenance essay. Identity and provenance hit the European wall on the same morning. EUDI gives every EU citizen a wallet; what it does not give is a clean way for an agent acting on that citizen's behalf to present a derived, scoped credential.

The IETF has a draft Agent Identity Protocol, AIP. It is early. Drafts are not RFCs, and an RFC is not adoption.

And the platforms have shipped their own answers. Anthropic's MCP servers carry agent identity at the connection layer but do not standardize it, so identity is present in the session and invisible across sessions. Stripe routes agent transactions through its existing merchant trust framework, which works precisely because it does not wait for a standard.

Read that list again. Every item is real. Not one of them references the others.


What is missing

Five gaps, in rough order of how much they hurt.

The cross-walk. There is no canonical mapping between a W3C DID, a FIDO Agentic Auth credential, and an EUDI wallet entry. An agent that holds a DID has no automatic equivalent in EUDI, and an EUDI credential does not resolve to a DID. The three models describe overlapping things in incompatible terms. Until something bridges them, every operator that wants to accept agents from more than one ecosystem writes the mapping by hand, badly.

Portability across model providers. An agent's identity today is tied to the provider that runs it. Move the same agent from one foundation model to another and its identity does not come with it. There is no equivalent of porting a phone number. For a layer whose entire premise is that agents act on your behalf over time, an identity that dies when you switch vendors is not an identity. It is a session token.

Reputation that travels. Nothing carries an agent's track record from one service to the next. A merchant meeting an agent for the first time has no way to know whether that agent has a clean history or a string of disputes behind it. Every interaction starts from zero. The web solved this for humans with slow, ugly, centralized credit and reputation systems. The agentic web has not solved it at all.

Capability attestation. A merchant accepting an agent transaction cannot programmatically verify what the agent is actually allowed to do, beyond what the mandate in that one transaction asserts. There is no standard, signed statement of "this agent may spend up to X, in these categories, on behalf of this principal." The mandate proves intent for a single purchase. It does not prove standing.

Fast revocation. When an agent is compromised, there is no revocation mechanism that propagates in hours. The certificate world measures revocation in days and tolerates weeks. An agent with a payment mandate and a stolen key cannot be a multi-week problem. This is the gap that turns into a headline.


What a portable agent credential has to contain

If you are going to bridge the cross-walk, you have to be concrete about the artifact. Here is the minimum a portable agent credential needs, the identity-layer equivalent of the disclosure receipt we defined for provenance.

It needs a stable agent identifier that survives a provider switch, not a session handle. It needs a reference to the principal the agent acts for, expressed so that both a DID resolver and an EUDI verifier can check it. It needs a capability grant: a signed, scoped statement of what the agent may do, with limits and an expiry, separate from any single transaction mandate. It needs a revocation pointer, a place a verifier checks in real time to learn whether this credential is still good, with a freshness guarantee measured in minutes. And it needs a portable reputation reference, even if the reputation system behind it is immature, so the field exists before the data does.

None of that is exotic. Every field has a precedent in an existing spec. The work is not invention. The work is agreement, and a reference implementation that proves the agreement holds.
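A verifier-side check over the five fields listed above, as an added example rather than code from Major Labs or from any of the specs named. Field names, the `did:example` identifiers, the status URL and the five-minute freshness bound are assumptions, and HMAC stands in for the issuer's asymmetric signature so the sketch stays in the standard library.

```python
import hashlib, hmac, json

# Constructed demo key. HMAC is a stand-in for the issuer's asymmetric
# signature; a real verifier would hold only the issuer's public key.
ISSUER_KEY = b"constructed-demo-key"
MAX_STATUS_AGE_S = 300  # assumed bound for "freshness measured in minutes"

def sign(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def make_credential(now: int) -> dict:
    """Constructed sample credential; every field name is hypothetical."""
    body = {
        "agent_id": "did:example:agent-123",   # survives a provider switch
        "principal": "did:example:alice",      # who the agent acts for
        "capability": {"max_spend": 200, "currency": "EUR",
                       "categories": ["groceries"], "expires": now + 3600},
        "revocation_pointer": "https://status.example/agent-123",
        "reputation_ref": None,                # field exists before the data
    }
    return {"body": body, "sig": sign(body)}

def verify(cred: dict, request: dict, status: dict, now: int):
    """Return (ok, reason). `status` is the reply from revocation_pointer."""
    body = cred["body"]
    if not hmac.compare_digest(sign(body), cred["sig"]):
        return False, "bad signature"
    cap = body["capability"]
    if now >= cap["expires"]:
        return False, "capability expired"
    age = now - status["checked_at"]
    if not 0 <= age <= MAX_STATUS_AGE_S:
        return False, "revocation status stale"  # fail closed, never assume good
    if status["revoked"]:
        return False, "revoked"
    if request["category"] not in cap["categories"]:
        return False, "category out of scope"
    if request["currency"] != cap["currency"] or request["amount"] > cap["max_spend"]:
        return False, "over limit"
    return True, "ok"
```

The capability grant is checked independently of any single transaction mandate, and a stale revocation answer is treated the same as no answer.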


Why we publish about identity now and ship into it last

Major Labs Identity is on the roadmap for Q1 2027. That is deliberate, and it is later than every other product we are building.

The reason is order. The cross-walk between DID, FIDO, and EUDI is a 2027 problem and a 2028 product. Ship the bridge before the standards settle and you build on sand. Ship it after they settle and you are one of many. The window is narrow and it is not open yet.

There is a brand reason too. Identity is the layer where an operator has to trust you to broker the thing that authorizes spending on their behalf. You do not earn that trust cold. You earn it by being right about discovery, by being useful on commerce, by being the independent measurement people already rely on. Then, when the cross-walk is ready, brokering identity is the obvious next step rather than a leap. Ship the registry into nothing and it lands as nothing. Ship it at the moment the standards converge and it becomes the default reference.

So we are publishing about identity in 2026 to mark the territory and to be honest about the timeline. We are building Sentinel, the scanner, against the layers that close first. Identity comes last because the research compounds in that order, and because the buyers do.

That is the whole map now. Discovery, commerce, observability, provenance, identity. Five layers, five essays. The first two close inside twelve months. The next two inside eighteen. Identity closes last, deepest, and over the longest horizon, and it is the one that, once it closes, holds the rest of the stack together.

If you only read one of these essays, read the thesis. If you read all six, you now have the same map we are building against.
