In the summer of 1994, Lou Montulli needed the web to remember things. HTTP was stateless by design. Every request arrived fresh, with no memory of what came before. Fine for serving documents. Useless for selling anything. So Montulli borrowed the concept of a "magic cookie" from Unix programming, adapted it for the browser, and built it in about a week. A small piece of data, set by a server, stored by the browser, returned on the next visit.
The assumptions baked in were reasonable and, at the time, obviously true. A human was sitting at the keyboard. The session was temporary. Montulli explicitly rejected proposals for a permanent browser ID because of the privacy implications. The cookie answered a narrow question: is this the same visitor? And it assumed the visitor was a person.
That assumption held for thirteen years. When Blaine Cook at Twitter started OAuth in 2007, the question had shifted from "is this the same visitor?" to "should this application act on a visitor's behalf?" Users were handing their passwords to third-party apps so those apps could call the service as them. OAuth gave the human owner a way to delegate specific permissions instead. Clear model, clean boundaries, still a person at the center of every flow.
Then machines needed in. OAuth 2.0's Client Credentials Grant, standardized in RFC 6749 in 2012, handled it by taking the human consent step and removing it. Same protocol, same infrastructure, minus the person. API keys filled the remaining gaps through sheer simplicity: one string, no ceremony, designed for rate limiting and usage tracking rather than identity. A key is a bearer credential, so a request made with a stolen key is indistinguishable from one made by the key's rightful owner. Nobody asked "is this a human?" because the answer was obviously no, and it didn't matter. Service accounts and cron jobs behaved predictably. You could define their permissions at design time because you knew what they would do at runtime.
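As an added illustration of the point above (example code written for this page, not taken from any standard, library or product it mentions; the key store, principal names and request lines are constructed), the following Python contrasts a plain bearer API-key check with a signed-request check. The signed form keeps the secret off the wire and rejects replays, but both checks answer the same narrow question, "does the caller hold the secret", and both evaluate the action against scopes fixed when the key was issued, which is exactly the model a cron job fits and an agent does not.

```python
"""Added example: what a bearer API key does and does not prove.

Hypothetical in-memory key store and constructed requests; no real service.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, FrozenSet, Optional, Set, Tuple

# key-id -> (principal, secret, scopes fixed at issue time)
KEY_STORE: Dict[str, Tuple[str, bytes, FrozenSet[str]]] = {}
# nonces already accepted by signed_check (single-use)
SEEN_NONCES: Set[str] = set()
REPLAY_WINDOW_SECONDS = 300


def issue_key(principal: str, scopes: Set[str]) -> Tuple[str, bytes]:
    """Mint a key for a principal. Scopes are decided now, before any request exists."""
    key_id = "ak_" + secrets.token_hex(6)
    secret = secrets.token_bytes(32)
    KEY_STORE[key_id] = (principal, secret, frozenset(scopes))
    return key_id, secret


def plain_bearer_check(key_id: str, presented_secret: bytes,
                       action: str) -> Tuple[Optional[str], bool]:
    """Classic API-key check: whoever presents the secret *is* the principal.

    The owner and someone who copied the secret produce identical results.
    """
    entry = KEY_STORE.get(key_id)
    if entry is None:
        return None, False
    principal, secret, scopes = entry
    if not hmac.compare_digest(secret, presented_secret):
        return None, False
    return principal, action in scopes


def sign_request(secret: bytes, method: str, path: str, ts: int, nonce: str) -> str:
    """HMAC-SHA256 over method, path, timestamp and nonce (proof of possession)."""
    msg = f"{method}\n{path}\n{ts}\n{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def signed_check(key_id: str, method: str, path: str, ts: int, nonce: str,
                 signature: str, action: str,
                 now: Optional[float] = None) -> Tuple[Optional[str], bool]:
    """Hardened check: secret never leaves the client, each signature is single-use.

    Still answers "does the caller hold the secret", never "who or what is calling"
    or "should it be doing this", and the scope set is the one fixed at issue time.
    """
    now = time.time() if now is None else now
    entry = KEY_STORE.get(key_id)
    if entry is None:
        return None, False
    principal, secret, scopes = entry
    if abs(now - ts) > REPLAY_WINDOW_SECONDS or nonce in SEEN_NONCES:
        return principal, False          # stale timestamp or replayed nonce
    expected = sign_request(secret, method, path, ts, nonce)
    if not hmac.compare_digest(expected, signature):
        return principal, False
    SEEN_NONCES.add(nonce)
    return principal, action in scopes


if __name__ == "__main__":
    kid, sec = issue_key("nightly-report-cron", {"reports:read"})
    print("owner:   ", plain_bearer_check(kid, sec, "reports:read"))
    print("thief:   ", plain_bearer_check(kid, sec, "reports:read"))   # same answer
    print("novel op:", plain_bearer_check(kid, sec, "tickets:write"))  # scope fixed at issue
    ts = int(time.time())
    sig = sign_request(sec, "GET", "/reports", ts, "nonce-1")
    print("signed:  ", signed_check(kid, "GET", "/reports", ts, "nonce-1", sig, "reports:read"))
    print("replayed:", signed_check(kid, "GET", "/reports", ts, "nonce-1", sig, "reports:read"))
```

The signed variant is what most "hardened API key" schemes amount to: it narrows the attacker from anyone who saw the key on the wire to anyone who holds the secret, and nothing more. An agent holding the same key that decides at runtime it needs `tickets:write` is simply denied, and the only remedy inside this model is to widen the scope set up front.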
These extensions all made sense. They worked because the next caller was always a slightly more constrained version of the previous one. A service account is simpler than a person. A cron job is simpler than a service account. The identity stack could stretch because each new occupant fit inside the assumptions of the last. And every successful stretch made the next one feel natural, made the underlying question easier to defer.
AI agents break the pattern. An agent that reasons about its next action, maintains context across sessions, and operates across multiple services doesn't have a knowable set of behaviors when permissions are granted. It's something genuinely new in the identity stack: a caller with the autonomy of a person and the scale of a service account, fitting the profile of neither. The question "is this a human?" now produces an answer that doesn't map to any existing category in the stack.
The industry response looks familiar. Standards bodies are convening working groups. New protocols integrate old ones. Each effort extends the existing infrastructure rather than revisiting thirty years of assumptions that were never questioned because they never needed to be. The deferrals were individually sensible. But they've compounded. The identity layer agents inherit was never designed once. It was extended, repeatedly, on the quiet assumption that the next caller would be simpler than the last. That assumption has finally run out.
Things to follow up on...
- Non-human identities proliferating fast: Entro Security research found that non-human identities outnumber human ones at a ratio of 144 to 1 in cloud-native environments, up 56% in a single year.
- SPIFFE's agent-shaped gap: SPIFFE assigns identity based on where a workload runs, but it has no concept of intent or delegation chain. For non-deterministic agents that leaves an attribution gap, since two instances carrying the same workload identity can behave differently.
- Secrets that never expire: GitGuardian found that 70% of secrets leaked in 2022 were still active in 2025, illustrating how the static, long-lived nature of API keys compounds the identity problem agents inherit.
- CoSAI's architectural principles: The Coalition for Secure AI published its Agentic Identity and Access Management concept paper in early 2026, attempting to define what agent-native IAM should look like rather than extending what exists.