Identity Verification Company News | Vouched.id

A world of powerful AI Agents needs new identity framework

Written by Biometric Update | Aug 11, 2025 4:40:52 PM

OpenAI’s ChatGPT has made a splash around the world, and the technology is advancing rapidly. The growing sophistication of AI tools is creating challenges for the digital world, and those challenges are coming into sharpest focus around AI agents.

In a recent Dock Labs webinar, Peter Horadan, CEO of Vouched, talked through the issue. One way to understand an AI agent is as a personal assistant: say you want to book a holiday, and the agent becomes your vacation planner.

With the latest version of ChatGPT the agent will actually take action for you: opening a browser window, asking you to fill in your sign-in details on the airline’s website, and buying the plane tickets. Long-standing cybersecurity advice, however, is never to give your username and password to any third party, and once you type them into a window the agent controls, ChatGPT holds a valid authenticated session (the session cookie or token) with that airline.

People are also using AI agents at work. An agent can prompt the user to log in to their company’s information systems, at which point it is logged in as that user, with that user’s access. It could log in to the company’s finance and accounting system the same way.

Even if ChatGPT does a great job, it’s “terrible training” because what we’re doing is training the world’s users of computers that it’s perfectly fine to just give your username and password to an AI agent. “This is a very, very bad practice,” Horadan said.

ChatGPT’s current approach to automating user interactions relies on screen scraping and browser automation that impersonates individuals and logs in on their behalf. Anthropic’s Model Context Protocol (MCP), released in November 2024, provides a more controlled framework, allowing agents to retrieve information or perform actions under explicit permissions, but it lacks essential features for robust identity management.

First, any agent acting on a user’s behalf must be distinctly identified. In practice, this means clearly differentiating between the human and the software agent when an action is executed. Users may wish to delegate specific tasks, such as purchasing an airline ticket, without granting full authority for other activities. To facilitate this, we need mechanisms for distributed authentication and role-based delegation that track exactly which rights a human has conferred on a given agent. These capabilities are not currently addressed by the MCP specification but are vital for secure and transparent agent operations, Horadan argues.

Second, it is imperative to track the reputation of agents. Just as email systems struggled with phishing because they lacked native safeguards, the emerging ecosystem of autonomous agents will produce both good and bad agents. There are going to be scam agents, fraudster agents and hustler agents.

Horadan says we need a way to monitor an agent’s behavior and accumulate feedback, sort of like a Yelp but for AI agents. A comprehensive reputation framework would allow platforms to flag agents that consistently violate user expectations or demonstrate malicious intent.

Moreover, legal and contractual considerations must be rethought in an agentic environment. Standard checkboxes for terms and conditions or electronic acceptance of contracts assume a conscious human decision. If an agent automatically consents on behalf of its user, the validity of such agreements may be legally questionable. So there will have to be a way to ensure that agents either prompt for explicit human confirmation or operate under pre-negotiated legal frameworks that clearly delineate the scope of their authority.

To address these challenges, Vouched has proposed a Know Your Agent framework and an Identity Extension for MCP. Drawing on principles from OAuth 2.0, the specification would provide three things: durable, scoped authorizations tied to a session key that the agent presents when requesting permitted actions; clear identification of the agent’s own credentials, separate from the user’s identity; and a reporting mechanism through which service providers submit structured feedback to an impartial rating authority.
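As an added illustration of the delegation model described above (the per-agent, per-task delegation called for earlier and the three components just listed), here is example code written for this page; it is not Vouched’s MCPI specification or implementation and does not claim to match it. It assumes a JSON grant layout, HMAC shared secrets standing in for the signing keys an identity provider and a registered agent would hold, and hypothetical function names (issue_grant, agent_proof, authorize, report, reputation). The user, agent, scopes, amounts and feedback reports are constructed for the demo.

```python
"""Added example for this page (not Vouched's MCPI code): a human delegates a
narrow, time-limited scope to a named agent; the agent presents that grant
plus proof of its own identity; the service checks scope, binding, expiry and
the agent's reputation before acting. Names, key handling and the JSON layout
are assumptions made for the illustration."""
import hashlib
import hmac
import json
import time

# Constructed demo secrets. HMAC stands in for the asymmetric signatures a real
# identity provider (grant issuer) and registered agent would use.
IDP_KEY = b"demo-idp-signing-key"
AGENT_KEYS = {"agent:vacation-planner-7": b"demo-agent-7-key"}  # agent registry
FEEDBACK = []  # structured reports submitted by service providers
PROOF_WINDOW = 60  # seconds an agent proof stays valid (replay limit)


def _sign(key, payload):
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_grant(user, agent_id, scopes, ttl=3600, now=None):
    """User (via their IdP) delegates exactly `scopes` to one named agent.
    scopes: {"action": {constraint: limit}}, e.g. {"purchase:flight": {"max_amount": 800}}.
    The user's password is never involved; the agent only ever holds this grant."""
    now = time.time() if now is None else now
    grant = {"sub": user, "agent": agent_id, "scopes": scopes,
             "iat": now, "exp": now + ttl}
    return {"grant": grant, "sig": _sign(IDP_KEY, grant)}


def agent_proof(agent_id, token, action, now=None):
    """The agent signs, with its OWN key, a statement bound to this grant and
    action, so the service can tell the agent's identity apart from the user's."""
    now = time.time() if now is None else now
    proof = {"agent": agent_id, "grant_sig": token["sig"], "action": action, "ts": now}
    return {"proof": proof, "sig": _sign(AGENT_KEYS[agent_id], proof)}


def report(agent_id, service, outcome, detail=""):
    """A service provider files structured feedback with the rating authority."""
    FEEDBACK.append({"agent": agent_id, "service": service,
                     "outcome": outcome, "detail": detail})


def reputation(agent_id):
    """Share of reports that were not violations; None if the agent is unrated."""
    reports = [r for r in FEEDBACK if r["agent"] == agent_id]
    if not reports:
        return None
    violations = sum(1 for r in reports if r["outcome"] == "violation")
    return 1 - violations / len(reports)


def authorize(token, presented, action, params, now=None, min_reputation=0.5):
    """Service-side check. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    grant, proof = token["grant"], presented["proof"]
    # 1. The grant really came from the identity provider and is unexpired.
    if not hmac.compare_digest(token["sig"], _sign(IDP_KEY, grant)):
        return False, "grant signature invalid"
    if now >= grant["exp"]:
        return False, "grant expired"
    # 2. The presenting agent is the one the user delegated to, and it proves
    #    possession of its own registered key, bound to this grant and action.
    agent_id = proof["agent"]
    if agent_id != grant["agent"]:
        return False, "grant was issued to a different agent"
    key = AGENT_KEYS.get(agent_id)
    if key is None or not hmac.compare_digest(presented["sig"], _sign(key, proof)):
        return False, "agent unknown or proof signature invalid"
    if proof["grant_sig"] != token["sig"] or proof["action"] != action:
        return False, "proof not bound to this grant and action"
    if abs(now - proof["ts"]) > PROOF_WINDOW:
        return False, "proof too old (possible replay)"
    # 3. The requested action is within the delegated scope and its limits.
    constraints = grant["scopes"].get(action)
    if constraints is None:
        return False, f"action {action!r} was not delegated"
    if "max_amount" in constraints:
        if params.get("amount", float("inf")) > constraints["max_amount"]:
            return False, "amount exceeds delegated limit"
    # 4. The agent's track record with the rating authority is acceptable.
    rep = reputation(agent_id)
    if rep is not None and rep < min_reputation:
        return False, f"agent reputation {rep:.2f} below threshold"
    return True, f"{action} by {agent_id} on behalf of {grant['sub']}"


if __name__ == "__main__":
    agent = "agent:vacation-planner-7"
    tok = issue_grant("alice", agent, {"purchase:flight": {"max_amount": 800}},
                      now=1_700_000_000)
    ok = agent_proof(agent, tok, "purchase:flight", now=1_700_000_005)
    print(authorize(tok, ok, "purchase:flight", {"amount": 650}, now=1_700_000_005))
    print(authorize(tok, ok, "purchase:flight", {"amount": 950}, now=1_700_000_005))
    over = agent_proof(agent, tok, "transfer:funds", now=1_700_000_005)
    print(authorize(tok, over, "transfer:funds", {"amount": 10}, now=1_700_000_005))
```

The point of the split is that the user’s credentials never reach the agent: the grant carries only the delegated scope, the agent authenticates as itself with a proof bound to that grant and to the specific action (so a leaked proof cannot be replayed against a different action or outside a short window), and the service consults the rating authority’s feedback before honouring even a valid grant. In a production design the HMAC secrets would be replaced by public-key signatures or verifiable credentials so that the service need not share secrets with either the identity provider or the agent.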

This is MCPI, Vouched’s proposed set of identity extensions to Anthropic’s Model Context Protocol, a new identity layer for MCP. In the presentation, Horadan expands on how MCPI fits into existing IAM and CIAM systems, and what role mobile driver’s licences (mDLs), the EU Digital Identity (EUDI) wallet and verifiable credentials play.

The presentation also launched into a demo, showing how it all would work conceptually, in an easier-to-parse visual flow.


Digital Identity Rights Framework

A paper proposes a model for protecting the behavioral, biometric and personality-based attributes that make up a person’s digital likeness, a need that grows as generative AI and its products become more widespread. The “Digital Identity Rights Framework” (DIRF) sets out a framework for digital identity protection and clone governance in agentic AI systems.

It was formulated by a team of researchers from academia and companies including Nokia, Deloitte and J.P. Morgan.

Available on arXiv, the paper defines 63 enforceable identity-centric controls across nine domains, with each control categorized as legal, technical or hybrid, which the authors say enables flexible adoption in real-world AI systems. Domains such as identity consent, model training governance, traceability, memory drift and monetization enforcement are intended to protect individuals against unauthorized use, modeling and monetization of their digital identity.

Interestingly, the framework is presented not only as protecting human identity but also as improving AI system performance. According to the paper’s own evaluation, the results appear to show that DIRF “substantially enhances” LLM performance across the metrics measured. While the specifics are technical, the authors report that the end result is greater prompt reliability and execution stability.

The authors outline an implementation roadmap and how the framework can be operationalized in AI systems, stating that DIRF is compatible with existing AI security frameworks such as the NIST AI RMF and the OWASP Top 10 for LLM Applications, among others.


Originally published on Biometric Update. For more details, visit the source.