AI agents are quickly becoming a primary user class in digital ecosystems. They authenticate, execute transactions, and interact with services on behalf of humans and organizations, but unlike human users, AI agents all look exactly the same - there are no signals such as devices, networks, locations, biometrics or other things that help us protect humans.

This creates a new identity challenge. If agents cannot be secured through conventional signals, how can organizations determine whether an agent is legitimate or malicious?