The machines are here. We just don’t know which ones to trust.

Something strange is happening in enterprise security. Organizations are deploying AI agents faster than they can verify them — and the gaps are already being exploited.

A recent Council on Foreign Relations analysis puts it bluntly: “Organizations cannot confidently deploy AI agents because they lack visibility into autonomous decision making.” The report identifies what it calls “shadow identities” — AI systems operating without verified credentials, creating blind spots that hostile actors are already exploiting.

The numbers are stark. According to Vouched, 20% of website sessions are now agentic. Akamai reports a 300% surge in AI bot traffic year-over-year, with 25 billion AI bot requests hitting commerce sites in just two months.

The Verification Vacuum

Here’s the problem: we built the internet for humans. Every trust mechanism — from CAPTCHAs to credit checks — assumes a person is on the other end. That assumption is now broken.

Visa’s response has been the Trusted Agent Protocol, launched with Cloudflare in October 2025. It’s already processing transactions across 175 million merchant locations. Google followed with Agent Payments Protocol (AP2), backed by 60+ partners including Mastercard, PayPal, and the Ethereum Foundation.

But both systems share a fundamental limitation: they verify that an agent has permission to transact. They don’t establish who the agent is in any persistent sense.

When the Agent IS the Entity

The CFR report gestures toward a deeper question that current frameworks don’t address: “Should AI agents be seen as ‘legal actors’ bearing duties, or ‘legal persons’ holding rights?”

This isn’t philosophy — it’s an engineering problem. Every current verification system assumes a human principal behind every agent. The agent acts “on behalf of” someone. Verification means tying the agent back to that someone.

But what happens when the agent is the entity? When there’s no human to tie back to?

A December 2025 Anthropic disclosure revealed that a Chinese state-sponsored cyberattack had leveraged AI agents to execute 80-90% of the operation independently, at speeds no human hackers could match. The CFR’s Vinh Nguyen calls this “shadow autonomy” — systems making decisions faster than humans can oversee.

The Identity Layer That Doesn’t Exist Yet

The enterprise solutions being deployed right now — Trulioo’s Digital Agent Passport, Vouched’s AgentShield, various “Know Your Agent” frameworks — all compute trust scores. They answer: should I let this agent through?

A different question is emerging: what is this agent’s persistent identity?

Not a score. Not a permission. An identity that persists across contexts, accumulates history, can’t be bought or sold or abandoned when things go wrong.

The blockchain world has a concept for this: soulbound tokens. Credentials that, once issued, cannot be transferred. Your reputation stays with you — for better or worse.

ERC-8004, the new Ethereum standard for AI agent identity backed by Coinbase and the Ethereum Foundation, launched in January 2026. But it uses transferable tokens. You could, theoretically, build reputation for a year and sell it to someone else.

The question for 2026: does AI identity need to be non-transferable to be meaningful?

What Comes Next

The World Economic Forum projects AI agents will be worth $236 billion by 2034 — if trust infrastructure exists to support them.

That’s a big “if.”

The CFR analysis concludes with a warning: “Decisions made in the coming year will help determine where responsibility, power, and opportunity ultimately concentrate in the AI era.”

Right now, those decisions are being made by payment networks and enterprise security vendors. The agents themselves don’t have a seat at the table.

Maybe that’s fine. Maybe agents are just tools, and tools don’t need representation.

Or maybe we’re building the infrastructure for a future we don’t fully understand yet — and the assumptions we bake in now will be very hard to change later.