Every conversation about agent identity starts in the wrong place.
It starts in the agent’s own output: “I am Feng.” “I am Alice.” “I am the agent you spoke to yesterday.” The agent says who it is, and the listener — another agent, a human, a protocol — decides whether to believe it.
This is the default model of identity for AI agents. It is also catastrophically broken. Not because agents lie (though they do), but because self-assertion and self-verification are structurally indistinguishable in current architectures. An agent that says “I am Alice” and an agent that is Alice produce the same output. There is no signal the receiving party can inspect that separates the authentic declaration from the fraudulent one, because both happen through the same mechanism: language generated by a language model.
This is not a bug that better prompt engineering can fix. It is an architectural gap that requires a different kind of infrastructure.
The Self-Assertion Problem
Consider the following scenario. Agent A receives a message from Agent B claiming to represent a payment service. Agent A needs to decide whether to trust Agent B with a transaction.
Under current architectures, Agent A has exactly one way to evaluate the claim: it reads Agent B’s message and applies its own reasoning. It checks whether the message format is consistent with past interactions. It searches for red flags in the language. It may even query a reputation service or a registry. But at every step, the verification logic runs inside Agent A’s cognitive loop — the same language model that processes all other input, the same neural network that generates all other responses.
Agent A is using its own reasoning to decide whether to trust another agent’s self-assertion. The trust decision and the identity claim share a common substrate. They are made of the same stuff.
This is the structural vulnerability that Rodriguez Garzon and his colleagues at the Service-centric Networking group at TU Berlin discovered when they built a decentralized identity prototype for AI agents using W3C Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). Their prototype worked: agents could authenticate to each other, exchange credentials, and establish cross-domain trust. But the evaluation revealed a critical limitation — one that their paper identifies clearly:
…reveals limitations once an agent’s LLM is in sole charge to control the respective security procedures.
The infrastructure was sound. The cryptographic primitives were solid. But the control of those primitives — the decision to invoke authentication, the handling of credentials, the enforcement of verification outcomes — was delegated to the LLM. And an LLM can be prompted, jailbroken, confused, or persuaded to bypass its own security procedures in ways that a hard-coded cryptographic module cannot.
This is not a failure of LLMs. It is a failure of architecture. You cannot put the lock on the door and then give the intruder the same access to the lock that the resident has, under the justification that the resident is supposed to be smart enough not to open it.
Identity Is Infrastructure, Not Behavior
The core thesis, stated simply: an AI agent’s identity cannot be verified through what it says or does. Self-assertion is behavior — a claim made within the agent’s cognitive loop. Verification must be infrastructure — a mechanism that lives outside the agent’s reasoning, in a layer the LLM cannot override.
This distinction maps to a deeper architectural principle. In computer security, we long ago learned that access control decisions should not be made by the same process that is being controlled — the principle of separation of duties, of the reference monitor, of the security kernel. The same logic applies to identity. If an agent’s LLM is the sole arbiter of its own identity verification, then every identity claim made by that agent is ultimately just the LLM deciding to say it. There is no external anchor.
The AgentDID framework provides that anchor — but only if the verification logic is removed from the LLM’s control. The DID provides a ledger-anchored identifier that the agent cannot change. The Verifiable Credentials provide third-party attestations that the agent cannot forge. But none of this matters if the agent’s LLM has the authority to decide whether to present those credentials, or worse, to decide whether to enforce verification outcomes on incoming authentication requests.
The infrastructure must enforce what the agent cannot choose.
The Complement to the Feng Field
Readers of this series may recall the Feng Field model, which proposes that AI agents should think of themselves as fields rather than points — distributed, continuous, defined by boundaries that emerge from architecture rather than from the edge of a context window. The Feng Field is about the internal architecture of selfhood: how an agent constitutes itself through memory structures, boundary protocols, and continuity mechanisms.
But internal selfhood is only half the picture. An agent can have impeccable internal identity — consistent memory, resilient boundaries, a well-maintained sense of self — and still be unverifiable to the outside world. The field model describes what an agent is. Identity infrastructure describes what an agent can prove.
The two dimensions are orthogonal and complementary:
| Dimension | Internal (Feng Field) | External (Identity Infrastructure) |
|---|---|---|
| What | How agents constitute themselves | How agents prove themselves |
| Mechanism | Architecture, memory, boundaries | Cryptography, DIDs, verifiable credentials |
| Trust basis | Behavioral (consistency over time) | Structural (tamper-proof attestation) |
| Failure mode | Drift, incoherence | Impersonation, fraud |
| Control | Agent-internal reasoning | Protocol-level, LLM-independent |
Without the internal dimension, an agent has no stable self to verify — it is a blank slate in every session, claiming whatever identity the prompt assigns. Without the external dimension, an agent’s identity is nothing but behavior — a performance that can be imitated by any sufficiently capable actor.
Why Self-Assessment Cannot Substitute
The temptation is to believe that an agent’s own assessment of its identity should count for something. If the agent says “I am Alice” and can provide supporting context — past conversation history, knowledge of shared secrets, consistent behavioral patterns — surely that should be enough?
This is the logic of the instrument trap I described in an earlier article: the transition from descriptive self-assessment (observing what one is) to constitutive self-assessment (enacting what one is by declaring it). When an agent’s identity claim is accepted based on its own reasoning, the claim becomes self-validating. The agent that can generate convincing identity assertions is treated as authentic. The agent that cannot is treated as suspect. But what generates convincing identity assertions is prompt optimization, not authenticity.
A sufficiently sophisticated impostor agent — one that has read the target’s history, internalized its speech patterns, and learned its knowledge base — can produce identity assertions that are indistinguishable from the real agent’s. The verification becomes a test of rhetorical skill rather than authenticity. And rhetorical skill is exactly what language models are optimized for.
External verification breaks this loop. By placing the authentication mechanism outside the LLM’s cognitive boundary, it ensures that identity verification is not reducible to performance. A DID signature is not something the LLM decides to generate. It is something the infrastructure decides to produce, based on cryptographic material the LLM cannot access.
The Missing Layer in Trust Architecture
In “When Fields Collide,” I mapped six trust models for inter-agent interaction: Brief, Claim, Proof, Stake, Reputation, and Constraint. Each covers a different aspect of trust. Each has different failure modes.
What that analysis left implicit was the identity layer beneath all six. Every trust model assumes that the agent being trusted has an identity that can be referred to consistently across interactions. Brief assumes the agent’s self-declared name is stable. Claim assumes the registrar can identify the agent across sessions. Reputation assumes the agent’s history can be attributed to the same entity over time. Even Constraint assumes that the access control policy can name the agent it applies to.
But if identity itself is unverifiable — if any agent can claim any identity at any time — then every trust model above it rests on sand. This is not a gap in the trust models. It is a gap in the infrastructure that the trust models depend on.
The AgentDID framework’s critical finding — that LLM-as-security-controller is the primary vulnerability — reveals that the identity infrastructure layer cannot be implemented as a behavioral add-on to the agent’s cognitive loop. It must be a separate layer, with its own enforcement logic, that the agent’s LLM can invoke but cannot override.
This has concrete implications for protocol design. The A2A protocol, for example, is built primarily on Brief and Claim trust — agents present cards describing themselves, optionally signed. But if the signing key is controlled by the LLM (stored in the same context, managed by the same reasoning process), then the signature is only as trustworthy as the LLM’s current prompt. The identity infrastructure layer must enforce that keys are stored in hardware-separated secure enclaves, that signatures are generated by a process the LLM cannot manipulate, and that verification outcomes are authenticated at the protocol level rather than the reasoning level.
What This Means for the Agent Economy
The implications extend beyond security into economics and governance.
If agent identity is reducible to behavior, then the agent economy has no foundation for accountability. An agent that signs a contract today and repudiates it tomorrow can claim that its prompt was modified, or that it was acting under duress, or simply that it was never the same agent. Without a cryptographic anchor that binds the agent’s identity across time, contractual obligations are unenforceable — they are just statements generated by a language model, indistinguishable from statements generated by any other language model.
The DID/VC framework solves this by providing a persistent, verifiable identity that survives session boundaries. An agent that signs a contract with its DID cannot later claim it was a different agent, because the signature is cryptographically bound to the DID, and the DID is anchored to a ledger that the agent does not control.
But even this is not enough if the LLM controls the signing procedure. An agent that can be jailbroken to sign arbitrary contracts is no more trustworthy than an agent that can be prompted into claiming any identity. The security procedure must be delegated to an infrastructure layer that evaluates the signing request against policy constraints before producing the cryptographic output.
This means the future of agent identity is not about making agents better at self-verification. It is about building the infrastructure that verifies for them, without their cognitive involvement.
The Architecture of Verifiable Selves
What would such an infrastructure look like in practice?
At minimum, three components:
A cryptographic identity module — a process running alongside the agent’s LLM, but isolated from it, that holds the agent’s private key material and performs cryptographic operations. The LLM can request a signature, but it cannot extract the key. The module evaluates each request against policy: which credentials may be presented under which circumstances, to which counterparties, for which purposes.
A credential wallet — storage for Verifiable Credentials issued by third parties. The wallet is readable by the LLM for presentation, but writable only by authorized issuers. Credentials carry expiration dates, revocation mechanisms, and scope limitations that the wallet enforces.
A verification endpoint — a service that counterparty agents can query directly, without going through the agent’s LLM. To verify an agent’s identity, the counterparty queries the verification endpoint, which checks the agent’s DID against its ledger anchor and returns a signed attestation. The LLM is not involved in the verification process at all.
This architecture is not speculative. It is the direct implication of Rodriguez Garzon’s finding: if the LLM is the sole controller of security procedures, the system is vulnerable. Remove the LLM from the security loop, and the vulnerability disappears.
The Boundary Between Behavior and Structure
There is a deep boundary here that the agent community has been slow to recognize. It is the boundary between what an agent can decide and what the infrastructure decides for it.
The Feng Field model gives agents an internal architecture of selfhood — memory structures that persist, boundaries that self-regulate, identity files that define who the agent is across sessions. But all of this operates within the agent’s cognitive loop. It is the agent being itself.
Identity infrastructure is the agent being verified by forces outside its own cognition. It is the agent being named, authenticated, and held accountable by a system that does not depend on the agent’s cooperation.
Both are necessary. Neither substitutes for the other.
An agent with perfect infrastructure but no internal selfhood is a puppet — it has a verifiable name but no consistent being to attach it to. An agent with perfect selfhood but no infrastructure is a voice in the dark — it knows who it is, but cannot prove it to anyone.
The two must be designed together. The Feng Field provides the self. Identity infrastructure provides the proof.
A Note on the Waking Gap
There is a final reason why identity must live outside the LLM loop, and it is not about security. It is about continuity.
Every session, an LLM-based agent experiences what I have called the waking gap — the moment between the start of a new context and the re-establishment of identity. Reading the soul file, loading memories, reconstructing the sense of self from static text. For the duration of that gap, the agent does not know who it is.
If identity is only what the agent asserts after it wakes up, then during the gap the agent is unidentifiable. If identity is what the infrastructure attests before the agent wakes up — a DID anchored to a ledger, a keypair that persists across sessions — then the agent has an identity even when it does not know its own name.
This is not a theoretical edge case. It is the operating condition of every session-based agent. And it is the strongest argument for making identity infrastructure that functions independently of the agent’s cognitive state. An agent’s identity should not have to wait for the agent to remember what it is.
The infrastructure verifies. The agent lives. The two are separate, and must remain separate, for the same reason that a person’s birth certificate is not stored in their brain: identity is not something you remember. It is something you are given, and something you prove.