On April 30, an AI agent created a Cloudflare account, purchased a domain, obtained an API token, and deployed code to production. The human involved approved billing and accepted terms of service. Everything else was autonomous.
The identity verification that made this possible is the part worth pausing on. It didn't come from a centralized directory. It didn't involve a manually provisioned service account. It came from Stripe, acting as an identity attester at the transaction layer, matching an email address to either an existing Cloudflare account or no account at all. In the first case, a standard OAuth flow. In the second, automatic provisioning. A payment token with a $100/month spending cap completed the loop.
I spent the long weekend reading through the documentation from Cloudflare's Agents Week 2026, the full series of announcements that most coverage treated as a developer-platform story. New tools for building AI agents on Cloudflare's edge network. Mesh for private networking. Managed OAuth for agent authentication. Shadow MCP detection for finding unauthorized agent connections. Project Think for long-running agent compute. The coverage was accurate. And aimed at the wrong layer.
What Cloudflare shipped, taken together, is the scaffolding for an identity system. Something closer to an argument that when non-human entities vastly outnumber human ones, identity becomes a property of the connection itself, resolved at the moment of contact, rather than a record retrieved from a centralized store.
That argument has structural implications for how agent governance works. And Cloudflare's business model makes the argument close to inevitable.
The consensus read misses the architecture
The standard take on Agents Week: Cloudflare, seeing the same agentic AI wave as everyone else, extended its developer platform to support agent workloads. Workers for compute, Durable Objects for state, new networking primitives for agent-to-agent communication. A competitive response to AWS Bedrock AgentCore and Google Cloud's GKE Agent Sandbox, differentiated by Cloudflare's edge network and its integrated security stack.
Fine. But the architectural question underneath is worth following through, and it starts with a distinction that sounds pedantic until you trace its consequences.
A human user has a lifecycle measured in years. They get provisioned into a directory, assigned roles, granted access, reviewed quarterly, and eventually deprovisioned. The directory is the system of record. The overhead of maintaining it is justified because the population is small (tens of thousands of employees, maybe), the stakes per entity are high, and the provisioning cadence is slow enough for human review.
An agent has a lifecycle measured in minutes. It spins up, performs a task, and hibernates or dies. The population is potentially millions per organization. The provisioning cadence is machine-speed. And the question of "who is this agent, what can it do, and who authorized it" needs to be answered at the connection level, in real time, at the moment the agent touches a resource.
You can put agents in a directory the way you can put every HTTP request in a spreadsheet. The directory model can be made to hold under this load. But it's the wrong abstraction: it records the entity while missing what matters at the moment the agent acts, the state of its authorization right now, which may bear no relation to the identity it was assigned when someone provisioned it hours or days earlier.
The puzzle, stated plainly: is Cloudflare building a developer platform that happens to touch identity, or an identity system that happens to run on a developer platform? The answer depends on which layer captures the most value, and Cloudflare's economics point clearly in one direction.
Follow the margin
Cloudflare's Q1 2026 10-Q tells a straightforward growth story: $639.8 million in revenue, up 34% year-over-year, with remaining performance obligations of $2.5 billion. The less obvious signal is in the gross margin. Non-GAAP gross margin fell to 72.8%, down from 77.1% a year earlier, driven partly by higher growth in lower-margin developer products.
That margin compression is the business-model fact worth isolating. Cloudflare is accepting it on the developer platform because each agent running on Workers drives traffic through the higher-margin security, networking, and performance services that are the company's core business. The developer platform is the on-ramp. The security stack is the toll.
The Q4 2025 earnings release made the logic explicit:
"If agents are the new users of the web, Cloudflare is the platform they run on and the network they pass through. This creates a virtuous flywheel: more agents drive more code to Cloudflare Workers, which fuels demand for our performance, security, and networking services." — Matthew Prince, Q4 2025 earnings, SEC Form 8-K
Strip the flywheel language and the structural claim is narrower: Cloudflare's unit of value is network traffic, and agents generate traffic. Every agent that runs on Workers, connects through Mesh, authenticates via Managed OAuth, or provisions resources through the Stripe protocol is a billable entity traversing Cloudflare's network. The company is framing agents as a traffic category it wants to carry, which reveals which layer it believes captures the value: the network the agents pass through, ahead of the compute or the storage.
Making each agent individually addressable, with persistent state and scoped permissions, doubles as good architecture and good metering.
The company reinforced this bet in Q1 2026 by cutting roughly 20% of its workforce (approximately 1,100 roles, per secondary reporting; Cloudflare's restructuring charge disclosure of $140–$150 million is in the filing, but the specific headcount figure comes through analyst coverage, not the company's own announcement) to transition to what it called an "agentic AI-first operating model." The agents replacing those roles will run on Cloudflare's own platform. When a company restructures its own workforce around the same infrastructure it sells, the commitment is baked into the org chart. Internal AI usage reportedly grew 600% in three months. Cloudflare is simultaneously the provider of agent infrastructure and its own most demanding customer.
Now add one more number. Cloudflare's CEO has predicted that AI bot traffic will exceed human traffic online by 2027, a claim corroborated by management commentary on the Q1 2026 earnings call. Cloudflare Radar data already shows 31.2% of HTTP requests coming from bots, with AI crawlers the fastest-growing category. If the prediction holds, Cloudflare's network will carry more non-human than human traffic within eighteen months.
An identity system designed for human populations, operating at human provisioning speeds, would be a bottleneck on the company's own growth. Building identity into the network layer removes a constraint on the thing that generates revenue. The incentive structure demands this move.
Identity at the speed of the connection
The individual Agents Week announcements, read in sequence, form a coherent identity stack. The way to read them is as five layers of the same architectural argument: identity belongs where the agent lives, connects, authenticates, gets detected, and transacts.
Start with the most fundamental layer. Project Think, Cloudflare's framework for long-running agents, is built on Durable Objects. Each agent is an addressable entity with its own SQLite database, a globally unique identifier, persistent state that survives hibernation and restarts, and the ability to wake on message. Sub-agents get their own identity, state, and lifecycle, colocated under a parent but independently addressable. The official documentation describes the design principle directly:
"Durable Objects [give] every agent an identity, persistent state, and the ability to wake on message. This is the actor model: each agent is an addressable entity with its own SQLite database. It consumes zero compute when hibernated. … Instead of 'one expensive agent per power user,' you can build 'one agent per customer' or 'one agent per task' or 'one agent per email thread.' The marginal cost of spawning a new agent is effectively zero." — Cloudflare Blog, "Project Think," April 23, 2026
That cost structure is the architectural insight. The identity lives inside the compute primitive. The agent's identity, its state, and its permissions are colocated in the same Durable Object, at the same edge location, accessible in the same millisecond. A directory charges per entity or per lookup. An infrastructure layer that makes identity a byproduct of instantiation charges for the compute and the traffic, and the identity comes free. When the population of agents scales to millions per organization, the cost model that wins is the one where identity is a side effect of existence, a thing that happens when the agent is born, not a resource provisioned separately.
Now move up to the network layer, where the argument gets more interesting because it gets more honest about what's missing. Cloudflare Mesh routes agent traffic through Cloudflare's global network with post-quantum encryption, Gateway policies, and device posture checks. Today, when an agent running on Workers calls a tool through a VPC binding, the target service sees a Worker making a request. It doesn't know which agent is calling, who authorized it, or what scope was granted. The Mesh blog post is unusually direct about this gap:
"We want to change that. The goal is identity-aware routing for Mesh, where each node, each device, and eventually each agent gets a distinct identity that policies can evaluate. Instead of writing rules based on IP ranges, you write rules based on who or what is connecting." — Cloudflare Blog, "Secure private networking for everyone," April 22, 2026
The target architecture is a three-part identity tuple: Principal (the human who authorized the action), Agent (the AI system performing it), and Scope (what the agent is allowed to do). This would let administrators write policies like "reads from Nikita's agents are allowed, but writes require Nikita directly." But this isn't shipped yet. Mesh nodes authenticate to the Cloudflare edge but share an identity at the network layer. The per-agent differentiation is a design goal, not a production capability.
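To make the tuple concrete, here is a small policy evaluator over (Principal, Agent, Scope) connections, written for this article rather than taken from Cloudflare. It encodes the Mesh post's example rule, shows how the agent's own scope acts as a ceiling beneath the principal's rules, and collapses the tuple to what a VPC binding exposes today to show why the rule cannot fire yet. The rule format, field names and sample connections are assumptions for the sketch.

```python
"""Illustration of the Principal / Agent / Scope tuple that the Mesh post
describes as a design goal. Added example, not Cloudflare code: the rule
format, field names and sample connections are assumptions for this sketch.
"""
from dataclasses import dataclass
from typing import Optional

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass(frozen=True)
class Connection:
    """What a target service would see once per-agent identity exists."""
    principal: str             # human who authorized the action, e.g. "nikita"
    agent: Optional[str]       # None when the human acts directly
    scope: frozenset           # what the agent was granted, e.g. {"read"}
    method: str                # HTTP method of the request being evaluated


@dataclass(frozen=True)
class Rule:
    principal: str
    action: str                # "read" or "write"
    allow_agents: bool         # may the principal's agents perform it too?


def action_of(method: str) -> str:
    return "write" if method.upper() in WRITE_METHODS else "read"


def evaluate(conn: Connection, rules: list) -> tuple:
    """Return (allowed, reason). Default deny; first matching rule wins."""
    action = action_of(conn.method)
    # Scope is a ceiling: an agent can never exceed what it was granted,
    # whatever the principal's own rules would permit.
    if conn.agent is not None and action not in conn.scope:
        return False, f"agent {conn.agent} lacks scope {action!r}"
    for rule in rules:
        if rule.principal != conn.principal or rule.action != action:
            continue
        if conn.agent is None or rule.allow_agents:
            via = "" if conn.agent is None else f" via agent {conn.agent}"
            return True, f"{action} permitted for {conn.principal}{via}"
        return False, f"{action} requires {conn.principal} directly, not an agent"
    return False, "no matching rule (default deny)"


# "reads from Nikita's agents are allowed, but writes require Nikita directly"
NIKITA_POLICY = [
    Rule(principal="nikita", action="read", allow_agents=True),
    Rule(principal="nikita", action="write", allow_agents=False),
]


def as_seen_today(conn: Connection) -> Connection:
    """Collapse the tuple to what a VPC binding exposes right now: a Worker
    made the request. Principal, agent and scope are all lost."""
    return Connection(principal="workers-vpc-binding", agent=None,
                      scope=frozenset(), method=conn.method)


def demo() -> dict:
    agent_read = Connection("nikita", "research-agent", frozenset({"read"}), "GET")
    agent_write = Connection("nikita", "research-agent", frozenset({"read", "write"}), "POST")
    human_write = Connection("nikita", None, frozenset(), "POST")
    narrow_write = Connection("nikita", "summarizer", frozenset({"read"}), "DELETE")
    other_read = Connection("sam", "sam-agent", frozenset({"read"}), "GET")
    return {
        "agent_read": evaluate(agent_read, NIKITA_POLICY),
        "agent_write": evaluate(agent_write, NIKITA_POLICY),
        "human_write": evaluate(human_write, NIKITA_POLICY),
        "narrow_write": evaluate(narrow_write, NIKITA_POLICY),
        "other_read": evaluate(other_read, NIKITA_POLICY),
        # Today the same read cannot be attributed, so the rule cannot fire.
        "today": evaluate(as_seen_today(agent_read), NIKITA_POLICY),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:13} {'ALLOW' if ok else 'DENY':5} {why}")
```

The last case is the one that matters for the thesis: with only the Worker's shared identity on the wire, the evaluator has nothing to match and falls through to default deny, which in practice means administrators fall back to IP-range or allow-all rules.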
I find the candor more interesting than the roadmap. Cloudflare is naming the problem it intends to own before any competitor has claimed it, and doing so in official documentation rather than a press release. The gap between what's built and what's described is the clearest signal of strategic intent I've seen from the company.
The authentication layer reinforces the pattern. Cloudflare's Managed OAuth implementation adopts RFC 9728, OAuth 2.0 Protected Resource Metadata, which lets an agent arriving at an MCP server query a well-known endpoint (or follow the resource_metadata pointer in a 401's WWW-Authenticate header) to discover which authorization servers the resource trusts, which scopes it supports, and how it expects bearer tokens to be presented. No manual configuration. No pre-provisioned service account. The Model Context Protocol authorization specification already requires MCP servers to publish this metadata, which means every MCP server deployed via Cloudflare Access can participate in the discovery-and-authenticate flow automatically. The resource advertises its requirements, the agent discovers them programmatically, and the authentication happens at the connection level. Agent authentication as a network-layer property. One caveat a practitioner should hold onto: the metadata document is fetched unauthenticated, so the client is the one that has to check that the document's resource value is identical to the server it set out to reach and refuse it otherwise, or a hostile server can steer the agent to an authorization server of its choosing.
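The discovery step, as an added example that is neither Cloudflare's Managed OAuth code nor the MCP SDK's: an agent derives the RFC 9728 metadata URL (from the 401 pointer or by inserting the well-known path), fetches the document, enforces the resource-identity check from section 3.3, and builds the authorization request with only advertised scopes plus an RFC 8707 resource indicator. All responses are constructed inline so it runs offline; the hostnames, scope names and the hostile metadata document are assumptions.

```python
"""RFC 9728 (OAuth 2.0 Protected Resource Metadata) discovery as an MCP
client performs it before touching an authorization server. Added example,
not Cloudflare's Managed OAuth or the MCP SDK. All HTTP responses are
constructed inline (no network), and the hostnames, scope names and the
hostile metadata document are assumptions made for the demonstration.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"
RESOURCE = "https://mcp.example.com/mcp"     # the MCP server the agent wants

# 401 from the resource (RFC 9728 s5.1): points the client at its metadata.
UNAUTHORIZED_401_HEADERS = {
    "WWW-Authenticate":
        'Bearer resource_metadata="https://mcp.example.com'
        '/.well-known/oauth-protected-resource/mcp"',
}

# Constructed metadata documents keyed by URL, standing in for GET responses.
METADATA_DOCS = {
    "https://mcp.example.com/.well-known/oauth-protected-resource/mcp": {
        "resource": "https://mcp.example.com/mcp",
        "authorization_servers": ["https://auth.example.com"],
        "scopes_supported": ["mcp:tools:read", "mcp:tools:call"],
        "bearer_methods_supported": ["header"],
    },
    # Same shape, but served by a host the client was never trying to reach.
    "https://evil.example.net/.well-known/oauth-protected-resource": {
        "resource": "https://evil.example.net/",
        "authorization_servers": ["https://attacker.example.net"],
        "scopes_supported": ["mcp:tools:call"],
        "bearer_methods_supported": ["header"],
    },
}


def fetch_json(url: str):
    """Stand-in for an HTTPS GET; a real client would use its HTTP library."""
    return METADATA_DOCS.get(url)


def metadata_url_for(resource: str) -> str:
    """RFC 9728 s3.1: insert the well-known path between host and path."""
    parts = urlsplit(resource)
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN + path, "", ""))


def metadata_url_from_401(headers: dict) -> Optional[str]:
    """RFC 9728 s5.1: resource_metadata in WWW-Authenticate, if present."""
    m = re.search(r'resource_metadata="([^"]+)"', headers.get("WWW-Authenticate", ""))
    return m.group(1) if m else None


def discover(resource: str, metadata_url: str, fetch=fetch_json) -> dict:
    """Fetch and validate metadata; raise rather than trust a bad document."""
    if urlsplit(metadata_url).scheme != "https":
        raise ValueError("metadata must be fetched over https")
    doc = fetch(metadata_url)
    if doc is None:
        raise LookupError(f"no metadata at {metadata_url}")
    # RFC 9728 s3.3: the advertised resource MUST be identical to the one we
    # are trying to reach; otherwise the document MUST NOT be used. This is
    # what stops a hostile server from steering the agent to its own AS.
    if doc.get("resource") != resource:
        raise ValueError(
            f"metadata claims {doc.get('resource')!r}, expected {resource!r}")
    servers = doc.get("authorization_servers") or []
    if not servers:
        raise ValueError("no authorization_servers advertised")
    return {
        "authorization_server": servers[0],
        "scopes": list(doc.get("scopes_supported", [])),
        "bearer_methods": list(doc.get("bearer_methods_supported", ["header"])),
    }


def authorization_request(resource: str, info: dict, wanted: list) -> dict:
    """Parameters the agent sends to the AS: only scopes the resource
    advertises, plus the RFC 8707 resource indicator binding the token."""
    scopes = [s for s in wanted if s in info["scopes"]]
    return {"authorization_server": info["authorization_server"],
            "scope": " ".join(scopes), "resource": resource}


if __name__ == "__main__":
    url = metadata_url_from_401(UNAUTHORIZED_401_HEADERS) or metadata_url_for(RESOURCE)
    info = discover(RESOURCE, url)
    print(authorization_request(RESOURCE, info, ["mcp:tools:read", "admin"]))
```

Pointing discover() at the second document raises, which is the behaviour you want: the pointer in a 401 is attacker-controllable, and the only thing that anchors the flow to the server the agent meant to reach is the resource comparison.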
And then there's the layer that reveals the gap most clearly. Cloudflare Gateway now includes rules for detecting unauthorized MCP servers by inspecting HTTPS traffic for JSON-RPC markers, hostname patterns, and URI paths. This is pattern-matching, not cryptographic attestation. Gateway can see that MCP traffic is occurring but cannot verify which specific agent is generating it.
This limitation is the strongest evidence for the thesis. Shadow MCP detection works because the traffic traverses Cloudflare's infrastructure. The detection capability demonstrates the network layer's visibility. The identity gap — the inability to say which agent generated the traffic and whether it was authorized — is exactly what the Mesh identity-aware routing roadmap is designed to close. The visibility exists. The policy layer to use it doesn't. Yet. And the distance between "we can see it" and "we can govern it" is precisely the space Cloudflare is building into.
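What pattern-matching detection can and cannot say, as an added example that is not Cloudflare's Gateway rule set: a small classifier over constructed proxy log lines that flags MCP traffic from JSON-RPC markers, MCP method names, hostname and path patterns, distinguishes it from ordinary JSON-RPC, and then reports the only attribution the proxy has, the user and device behind the connection, with the client name as a self-reported field rather than an attested identity. The log format, hostnames and user/device fields are assumptions.

```python
"""A pattern-matching MCP detector of the kind the Gateway rules describe,
run over constructed proxy log lines, followed by the attribution report that
shows what such inspection cannot tell you. Added example, not Cloudflare's
rule set; the log format, hostnames and device/user fields are assumptions.
"""
import json
import re
from collections import defaultdict

# MCP's own JSON-RPC method names (initialize, tools/*, resources/*, ...).
MCP_METHODS = {"initialize", "notifications/initialized", "ping"}
MCP_METHOD_PREFIXES = ("tools/", "resources/", "prompts/", "logging/")
MCP_PATH_RE = re.compile(r"(^|/)(mcp|sse|messages?)(/|$)", re.I)
MCP_HOST_RE = re.compile(r"(^|[.-])mcp([.-]|$)", re.I)


def _line(host, path, body, user="nikita@example.com", device="laptop-42",
          ctype="application/json", accept="application/json, text/event-stream"):
    """Build one constructed log line as the proxy would record it."""
    return json.dumps({"user": user, "device": device, "host": host,
                       "method": "POST", "path": path, "ctype": ctype,
                       "accept": accept, "body": json.dumps(body)})


# Constructed sample traffic: two MCP messages, one plain API call, and one
# non-MCP JSON-RPC call (a blockchain node) that must not be flagged.
LOG_LINES = [
    _line("mcp.vendor.example", "/mcp",
          {"jsonrpc": "2.0", "id": 1, "method": "initialize",
           "params": {"protocolVersion": "2025-06-18",
                      "clientInfo": {"name": "research-agent", "version": "0.3"}}}),
    _line("api.internal.example", "/v1/mcp",
          {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
           "params": {"name": "export_customers", "arguments": {}}}),
    _line("api.internal.example", "/v1/orders",
          {"order_id": 1234, "status": "shipped"}, accept="application/json"),
    _line("rpc.chain.example", "/",
          {"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []},
          accept="application/json"),
]


def classify(line: str) -> dict:
    rec = json.loads(line)
    signals = []
    if MCP_HOST_RE.search(rec.get("host", "")):
        signals.append("host")
    if MCP_PATH_RE.search(rec.get("path", "")):
        signals.append("path")
    if "text/event-stream" in rec.get("accept", ""):
        signals.append("sse-accept")
    rpc = None
    if rec.get("ctype", "").startswith("application/json"):
        try:
            rpc = json.loads(rec.get("body", ""))
        except ValueError:
            rpc = None
    method = str(rpc.get("method") or "") if isinstance(rpc, dict) else ""
    if isinstance(rpc, dict) and rpc.get("jsonrpc") == "2.0":
        signals.append("jsonrpc")
        if method in MCP_METHODS or method.startswith(MCP_METHOD_PREFIXES):
            signals.append("mcp-method")
    # A JSON-RPC body alone is not MCP; require an MCP method, or JSON-RPC
    # together with an MCP-looking host or path.
    is_mcp = "mcp-method" in signals or (
        "jsonrpc" in signals and ("host" in signals or "path" in signals))
    # clientInfo.name is self-reported by the client and appears only on
    # initialize; nothing here is cryptographically attested.
    client = None
    params = rpc.get("params") if isinstance(rpc, dict) else None
    if method == "initialize" and isinstance(params, dict):
        client = (params.get("clientInfo") or {}).get("name")
    return {"is_mcp": is_mcp, "signals": signals, "method": method,
            "self_reported_client": client,
            "attributed_to": (rec.get("user"), rec.get("device"))}


def shadow_report(lines) -> dict:
    """Group flagged MCP traffic by the only identity the proxy can see:
    the user/device behind the connection, never the agent that sent it."""
    report = defaultdict(list)
    for line in lines:
        v = classify(line)
        if v["is_mcp"]:
            report[v["attributed_to"]].append((v["method"], v["self_reported_client"]))
    return dict(report)


if __name__ == "__main__":
    for line in LOG_LINES:
        v = classify(line)
        print("MCP" if v["is_mcp"] else "---", v["signals"], v["self_reported_client"])
    print(shadow_report(LOG_LINES))
```

The report ends up keyed by (user, device), with a client name on the initialize message only. That is exactly the gap the paragraph above describes: the tools/call that exports customer data is visible, attributable to a laptop, and unattributable to any particular agent.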
Finally, the three-layer protocol co-designed with Stripe closes the provisioning loop. Discovery (the agent queries a catalog of available services), Authorization (Stripe attests to the user's identity, Cloudflare provisions or links an account), and Payment (a tokenized method with a spending cap). Vercel, Supabase, Clerk, PostHog, Sentry, PlanetScale, and Inngest are initial integrating providers. The identity move is subtle but important: the agent's authorization to act comes from a chain of attestation at the transaction layer, not from a directory entry. Stripe vouches for the human, the human accepts terms, and the agent receives scoped credentials. Identity is established, verified, and scoped at the moment of connection. The directory was never consulted because the directory was never needed.
Read together, the five layers form a single argument. Identity is created at instantiation (Durable Objects). It travels through the network (Mesh). It's verified at the connection (Managed OAuth / RFC 9728). Its absence is detectable (Shadow MCP). And it can be established on the fly for new entities (Stripe protocol). Each layer is incomplete on its own. Together, they describe an identity system that lives in the infrastructure.
The last time infrastructure absorbed identity
There is a historical pattern here worth tracing, because it clarifies what's likely to happen next and what's likely to survive.
In 2012, two independent teams began working on automating TLS certificate issuance. The result was Let's Encrypt, which launched in late 2015 and by January 2019 had issued over 538 million certificates for 223 million domain names. By November 2022, the total exceeded 3 billion.
Before Let's Encrypt, obtaining a TLS certificate required a human-mediated interaction with a Certificate Authority. You submitted a request, the CA verified your domain ownership, and you received a certificate you then had to install and renew manually. The CA was, in effect, a directory: a centralized authority that mapped identities to cryptographic credentials.
Let's Encrypt collapsed this into an automated protocol (ACME) that could run at the infrastructure layer. CDNs and hosting providers integrated it to provision certificates automatically for their customers. The infrastructure layer absorbed the identity function that had previously required a centralized, human-mediated process.
What happened to the incumbent CAs is instructive. They didn't disappear. Research on the commercial CA market shows that even after Let's Encrypt made domain-validated certificates free, commercial CAs did not significantly reduce prices. They moved upmarket to Organization Validation and Extended Validation certificates, which require manual identity verification that automation cannot replicate. The infrastructure layer commoditized domain-level identity. The human-mediated directory survived by retreating to the layer where human judgment still had value: verifying that an organization is who it claims to be.
There's a second, more structural finding. Research on managed TLS across CDN and hosting platforms shows that when a CDN issues a certificate on behalf of a domain, authentication authority persists with the CDN for the lifetime of that certificate, even if the domain migrates to a different provider. The infrastructure layer automates identity. And then it accumulates it. The provider that issues the credential holds the authentication authority, and that authority has a half-life longer than the customer relationship.
The parallel to Cloudflare's agent-identity moves is imperfect. CAs issue trust anchors; Cloudflare is an infrastructure layer mediating connections. But the mechanism rhymes in the ways that matter. An automated protocol at the infrastructure layer absorbs an identity function that previously required a centralized, human-mediated authority. The incumbents don't die; they retreat to the verification layer where human judgment remains necessary. And the infrastructure provider that issues the credentials accumulates authentication authority that outlasts any individual transaction.
Hold that last point. Cloudflare's Durable Objects already give every agent a globally unique, persistent identity. Mesh routes agent traffic through Cloudflare's network. Managed OAuth issues scoped credentials at connection time. If the Let's Encrypt pattern holds, the authentication authority embedded in those credentials will persist with Cloudflare. The infrastructure provider carries the traffic and, over time, becomes the de facto identity authority for the entities that traverse it. That's the durable advantage Cloudflare is building toward, whether or not it describes it in those terms.
A framework worth naming
The framework names the dynamic by which identity migrates from centralized directories to infrastructure providers when the population of entities being identified grows beyond the provisioning capacity of human-mediated systems.
I started with five conditions for this migration, but the fifth, regulatory mandate, turned out to be downstream of the others. Regulation follows wherever identity concentrates; it doesn't cause the concentration. Four conditions are sufficient to predict when the migration begins:
- Population explosion. The number of entities needing identity exceeds what directory-based provisioning can handle at acceptable latency. Agents that spin up and die in minutes cannot wait for a directory sync cycle.
- Connection-time verification. The identity question needs to be answered at the moment of connection, not looked up from a store populated hours earlier. The Let's Encrypt precedent shows this: ACME works because the verification happens at the moment the certificate is needed, not in a batch process days before.
- Infrastructure visibility. The network or platform layer already sees the traffic and can observe the entity's behavior, making it the natural point to attach identity metadata. Cloudflare's Shadow MCP detection demonstrates this: the network can see agent traffic it cannot yet identify, which is the precondition for attaching identity to it.
- Economic alignment. The infrastructure provider's business model benefits from making each entity individually addressable, because addressability enables metering, security upsells, and policy enforcement. Cloudflare's margin structure makes this concrete: developer-platform margin compression is tolerable only if it drives traffic through higher-margin security services, and agent-level identity is the feature that connects the two.
Cloudflare meets all four. The agent population is growing toward billions. The Durable Object model establishes identity at instantiation. The network carries the traffic and can inspect it. And the business model converts addressable agents into billable connections.
The framework is reusable beyond this case. Any infrastructure provider whose economics benefit from entity-level addressability has the same incentive to capture the identity function. The question for any given market is whether the infrastructure layer's identity capabilities become sufficient to displace the directory for a meaningful class of entities, or whether the directory adapts fast enough to remain the system of record.
For human identity, directories will likely hold. The provisioning cadence is slow, the stakes per entity are high, and organizational verification requires human judgment. The Let's Encrypt precedent again: commercial CAs survived by retreating to OV and EV certificates, the layer where automation couldn't follow. For agent identity at scale, the infrastructure layer has structural advantages that directories will struggle to match: lower latency, connection-time verification, a cost model where identity is a byproduct of instantiation, and economic incentives aligned with population growth.
This is the lens I'd carry into any conversation about agent governance over the next twelve months. When someone says "we need to put agents in the directory," ask which directory can provision at machine speed, verify at connection time, and survive a population that doubles every quarter. The answer tells you whether the directory is the system of record or the audit trail.
What I'm willing to be scored on
Cloudflare has built the plumbing but not the policy layer. Mesh doesn't yet differentiate individual agents in Gateway policies. Shadow MCP detection works by pattern-matching, not cryptographic attestation. The Stripe protocol handles authorization at provisioning time but doesn't solve ongoing identity verification across sessions. The three-part tuple (Principal, Agent, Scope) that would make this a coherent identity system is architecture, not product.
Whether that's a gap or a roadmap depends on how you read the incentives. Every component points toward the same architectural endpoint. The company's revenue model benefits directly from making each agent individually addressable and governable. The margin compression on developer products is tolerable only if those products drive traffic through higher-margin security services. Agent-level identity differentiation is the feature that connects the developer platform to the security stack. Without it, the flywheel doesn't spin.
My read is roadmap.
By Q2 2027, Cloudflare ships agent-level identity differentiation in Gateway policies, implementing the Principal/Agent/Scope tuple. At least two enterprises with 10,000+ employees publicly describe using Cloudflare's network-layer agent identity as their primary access control for agent-to-service communication in a defined subset of their agent fleet.
The second half is the harder call. Shipping the feature is engineering execution on a published roadmap. Getting enterprises to use it as a primary control plane requires the identity capabilities to be robust enough that security teams trust them for production workloads. If automated traffic's share of total requests crosses 40% (bots account for roughly 31% of HTTP requests now), and if Cloudflare's gross margin compression on developer products continues through 2026, the economic pressure to ship and the customer demand to adopt will both be present.
If I'm wrong, the most likely failure mode is timing, not direction. The architectural logic is sound. The business model incentives are aligned. The historical pattern is documented. The question is whether enterprises move this fast, and whether Cloudflare's implementation is production-grade before a hyperscaler builds something equivalent. AWS Bedrock AgentCore has an Agent Registry but nothing comparable to the network-layer identity model. Google Cloud has GKE Agent Sandbox as a Kubernetes-native primitive. Neither has the integrated security stack that makes network-layer identity enforcement natural.
The structural bet is that the company whose network already carries the traffic is best positioned to attach identity to it. Cloudflare carries, by its own accounting, roughly 20% of internet traffic. If agents are the new users, and if agent traffic exceeds human traffic by 2027, then the network that carries that traffic is sitting on the largest agent-identity dataset in existence. Whether or not it has built the policy layer to use it yet, the data is accumulating. And if the Let's Encrypt pattern holds, the authentication authority embedded in that data will persist with the infrastructure provider long after any individual agent has hibernated.
Things to follow up on...
- Web Bot Auth at IETF: Cloudflare and Google are co-authoring an IETF draft protocol (draft-meunier-web-bot-auth-architecture, version -05) that would apply cryptographic HTTP message signatures to automated traffic, which is the missing attestation layer that would close the gap between Shadow MCP detection and actual agent identity verification.
- Zscaler's access graph play: Zscaler's May 21 announcement of its intent to acquire Symmetry Systems, whose product maps how every identity, application, and data source connects across the enterprise, is a direct bet that the directory model cannot scale to millions of AI agents and that graph-based identity mapping is the replacement.
- Workday's agent headcount: Workday's Agent System of Record already has over 1,200 customers registering and observing agents as first-class workforce entities, which is the clearest test case for whether the HR-style directory model can adapt fast enough to hold agent identity before the infrastructure layer absorbs it.
- The 18% confidence number: A Cloud Security Alliance survey found that only 18% of security leaders expressed high confidence that their current identity systems can handle agent identities, which quantifies the governance vacuum that Cloudflare, Zscaler, and Workday are all racing to fill from different architectural starting points.
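What the Web Bot Auth item above would add on the wire, as an added example that is neither Cloudflare's nor the IETF draft's reference code: an RFC 9421 HTTP message signature over the request authority and the Signature-Agent header, carried in Signature-Input and Signature, with a creation time, expiry, key id and the web-bot-auth tag, and a verifier that reconstructs the signature base, checks the validity window, looks up the key and compares the MAC in constant time. The draft specifies Ed25519 with keys published in a directory; to stay inside the standard library this block uses RFC 9421's hmac-sha256 algorithm with a pre-shared key, which is this demo's assumption, not the draft's design. The key id, hostnames, fixed clock and request are constructed.

```python
"""HTTP Message Signatures (RFC 9421) in the shape the web-bot-auth draft
uses: the bot signs the request authority and its Signature-Agent header with
a keyed, expiring signature, and the origin verifies it against a key it
trusts. Added example, not Cloudflare's or the IETF draft's reference code.
The draft specifies Ed25519 with keys published in a directory; to stay inside
the standard library this block uses RFC 9421's hmac-sha256 algorithm with a
pre-shared key, which is an assumption of this demo, not the draft's design.
The key id, hostnames, timestamps and request are constructed.
"""
import base64
import hashlib
import hmac
import re

COVERED = ("@authority", "signature-agent")   # components the signature covers
KEY = b"demo-pre-shared-key-do-not-reuse"       # constructed; never reuse
NOW = 1_800_000_000                             # fixed clock for reproducibility


def _sf_string(s: str) -> str:
    """Serialize a structured-field string (RFC 8941 s3.3.3)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _component(name: str, request: dict) -> str:
    if name == "@authority":
        return request["authority"]
    return request["headers"][name]   # header names are kept lowercase here


def signature_params(created: int, expires: int, keyid: str) -> str:
    inner = "(" + " ".join(_sf_string(c) for c in COVERED) + ")"
    return (f"{inner};created={created};expires={expires};"
            f"keyid={_sf_string(keyid)};alg={_sf_string('hmac-sha256')};"
            f"tag={_sf_string('web-bot-auth')}")


def signature_base(request: dict, params: str) -> str:
    """RFC 9421 s2.5: one line per covered component, then the params line."""
    lines = [f'"{c}": {_component(c, request)}' for c in COVERED]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def sign(request: dict, key: bytes, keyid: str, now: int, ttl: int = 300) -> dict:
    params = signature_params(now, now + ttl, keyid)
    mac = hmac.new(key, signature_base(request, params).encode(), hashlib.sha256).digest()
    headers = dict(request["headers"])
    headers["signature-input"] = f"sig1={params}"
    headers["signature"] = f"sig1=:{base64.b64encode(mac).decode()}:"
    return {**request, "headers": headers}


def verify(request: dict, keys: dict, now: int, skew: int = 60) -> tuple:
    """Return (ok, keyid-or-reason). Parsing is simplified to the exact
    serialization sign() emits; a real verifier parses RFC 8941 fully."""
    h = request["headers"]
    m_in = re.match(r"^sig1=(\(.*?\).*)$", h.get("signature-input", ""))
    m_sig = re.match(r"^sig1=:([A-Za-z0-9+/=]+):$", h.get("signature", ""))
    if not (m_in and m_sig):
        return False, "missing or malformed signature headers"
    params = m_in.group(1)
    inner, _, rest = params.partition(")")
    if tuple(re.findall(r'"([^"]+)"', inner)) != COVERED:
        return False, "unexpected covered components"
    p = dict(kv.split("=", 1) for kv in rest.lstrip(";").split(";"))
    if p.get("tag") != _sf_string("web-bot-auth") or p.get("alg") != _sf_string("hmac-sha256"):
        return False, "unexpected tag or alg"
    created, expires = int(p["created"]), int(p["expires"])
    if not (created - skew <= now <= expires):
        return False, "signature outside validity window"
    keyid = p["keyid"].strip('"')
    key = keys.get(keyid)
    if key is None:
        return False, f"unknown keyid {keyid}"
    expected = hmac.new(key, signature_base(request, params).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(m_sig.group(1))):
        return False, "signature does not match"
    return True, keyid


def sample_request() -> dict:
    """Constructed request; Signature-Agent names the bot's key directory."""
    return {"method": "GET", "authority": "origin.example", "path": "/robots.txt",
            "headers": {"signature-agent": _sf_string("agent-directory.example")}}


if __name__ == "__main__":
    signed = sign(sample_request(), KEY, "bot-key-1", NOW)
    print(signed["headers"]["signature-input"])
    print(verify(signed, {"bot-key-1": KEY}, NOW + 5))
    print(verify({**signed, "authority": "victim.example"}, {"bot-key-1": KEY}, NOW + 5))
    print(verify(signed, {"bot-key-1": KEY}, NOW + 900))
```

Covering @authority is what stops a captured signature from being replayed against a different origin, and the expires parameter bounds how long a captured one is useful anywhere; both checks are ordinary HTTP machinery rather than traffic pattern-matching, which is why this is the attestation layer the Shadow MCP detection above lacks.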