Select Page

AI Agents identity: questions that need an answer

by | ID verification and Biometrics Industry, Identity Verification

For years, verifying digital identity has meant answering one question: who are you? First we asked people. Then machines — APIs, services, certificates. Now there’s a third layer on top of the other two, and it’s the one the industry has figured out the least: AI agents that act, decide, and execute on someone else’s behalf.

That single question isn’t enough anymore. And at Mobbeel, we’ve spent months watching it split into new questions nobody had to ask before.

From “Who Are You?” to Six Questions That Didn’t Exist

Verifying a person has always been, at its core, a one-moment problem: document + biometrics + liveness check, done. The agent logs in, authenticates, operates.

An AI agent breaks that model because it isn’t a fixed snapshot in time. It’s a live process that changes goal, permissions, and context with no human watching in real time. So “who are you?” splits into several questions:

  • Who created this agent, and for what purpose?
  • What goal is it pursuing right now — not at the moment it was granted permission, but now?
  • Who delegated authority to it, and for how long does that delegation stay valid?
  • What actions can it perform, and which fall outside its scope?
  • What decisions can it make autonomously, and which need a human in the loop?
  • How is accountability maintained once the agent is no longer active?

None of these questions has a mature, standardized answer today. Serious efforts are underway — NIST launched its own agent identity standardization initiative in February 2026, and the OpenID Foundation is advancing AuthZEN to solve the authorization piece — but we’re still building the ground, not standing on it.

An AI agent’s identity isn’t a fixed data point you verify once. It’s a delegation relationship you need to be able to prove with every action, not just at startup.

The Gap Nobody Has Closed Yet: Delegation

Here’s the real problem, and it isn’t technical — it’s about accountability. eIDAS 2.0 and the EUDI Wallet are building a solid digital identity infrastructure for citizens, with availability set for December 2026 and mandatory acceptance by regulated entities by December 2027. But that framework still doesn’t address what happens when the citizen doesn’t act directly, but delegates the action to an agent operating on their behalf.

That leaves an open question any company deploying autonomous agents — in banking, telecom, any regulated sector — will have to answer sooner or later: if the agent does something wrong, who’s responsible, and can you prove it?

Without a verifiable delegation chain, that question has no answer that holds up in front of a regulator.

Mobbeel’s Angle: It’s Not One Question, It’s Two

When we talk about identifying AI agents, we don’t treat it as a single problem. It’s two, and they need to be solved separately because they happen at different points in the lifecycle.

One: verify the human behind the agent. Before an agent can act on a person’s behalf — signing, authorizing a payment, accessing sensitive data — someone has to have solidly verified who that person is and that they actually authorized that delegation. This is the credential-issuance stage, where MobbScan already plays a role within the EUDI Wallet ecosystem: we don’t build wallets, but we’re the piece that verifies identity before the PID is issued — the credential that later enables any downstream delegation, human or agentic.

Two: verify the agent as its own entity — Know Your Agent. An agent isn’t a person, but it isn’t a static API either. It needs its own onboarding process: who created it, with what scope, with what cryptographic credential, and how long that identity stays valid before it needs to be revoked. It’s essentially the same onboarding principle we apply to people — verify before you trust — carried over to a non-human entity with its own lifecycle.

These two angles don’t compete. You need both at once: an agent with a flawless cryptographic identity doesn’t count for much if nobody rigorously verified the human who gave it the authority to act in the first place.

That’s the part a lot of “agent identity” conversations skip. They focus on the agent and forget that, at the end of the chain, there’s always a person who answered — or should have answered — the original question.

Where We Stand Now

There’s no single standard yet, no closed answer. What there is, is a shift already happening, standard or no standard. Companies that start building the verification chain today — human and agent, not one or the other — will be better positioned once the regulatory framework catches up to this new layer of identity.

Because the question isn’t just “who are you?” anymore. It’s “who gave you permission, and can you prove it?”

Get in touch if you’d like to discuss how your organisation can start building that chain of trust, both for people and for the AI agents acting on their behalf.

Whitepaper

Digital identity in the University of Murcia

The beginning of any relationship between a university and its users whether students, staff, or collaborators requires precise and secure verification to ensure data protection and the integrity of its systems.

mobbeel
Cookies policy summary

We use first-party and third-party cookies to make our website work, analyse how users use the website in order to improve our services and create a profile of your browsing and content viewed in order to show you personalised advertising. Find out more by reading our Cookies policy.

Reject cookies

What is a cookie?

Cookies are files sent from a web server that obtain information from users’ devices, for example, about their preferences and browsing patterns.

Cookies are essential for the functioning of the Internet, as they offer technical solutions that allow the user to browse the different websites; they cannot damage the user’s equipment/device and can be used to identify and resolve possible errors in the functioning of the Website. They may also be used for advertising or analytical purposes.

Use of cookies by Mobbeel

Specifically, MOBBEEL uses its own cookies generated directly by this domain and third-party cookies generated from other websites outside MOBBEEL, belonging to third party companies, for the specific purposes described below. If in the future MOBBEEL uses other cookies for the purpose of providing more and better services, the user will be informed of this.