Almost every identity decision I see tries to solve the problem right in front of the buyer.
Someone needs to verify patients booking telehealth visits or customers opening bank accounts, so they buy a tool that solves exactly that. It works, for now. The catch is that the decision has to last several years, and identity is about to change more in the next few years than it has in a long time.
That gap is what I kept coming back to when Liminal's Filip Verley asked five quick questions of me for the Friday Five series. What follows is the longer version.
Agents acting as people
When buyers ask what they're underestimating about where identity is heading, my answer points to AI agents.
Today, when someone uses an agent, they mostly just hand over their credentials: a username and a password. That won’t hold up forever. An agent that acts on your behalf needs its own identity, separate from yours, so there's a clear record of what you do versus what your agent does for you. Without that separation, you lose accountability and the ability to set real limits on what the agent can do.
The scale of this is already significant. According to KPMG's early 2026 research, non-human identities outnumber human users by roughly 82-to-1 across large organizations. We are building a workforce of agents on top of an identity model designed for people. Most buyers aren't accounting for that when they evaluate vendors today.
The Verification Gap
The identity verification methods many businesses rely on were built around a simpler threat model: match a face to a document, verify that the document appears genuine, and move on. That approach was built for a world where the main concern was a printed photo or a poorly altered ID.
Today's synthetic identity attacks are layered. A fraudster running a scheme pairs a fake face with stolen personal data, a fabricated document, and a network footprint that looks consistent with the claimed identity. Each signal, examined alone, can look clean. The fraud only becomes visible when all signals are examined together.
Single-point verification creates a single point of failure.
The old rules don't fit the new reality
For years, the job in identity was to let humans in and keep bots out. That made sense when bots were exclusively a threat. It doesn't work in a world with good bots, bad bots, and agents your own people actively want to use.
What's needed now is a clear answer to a different set of questions:
- Who is this agent?
- What can it do?
- What has the person behind it actually authorized?
The scope of what an agent is permitted to do matters as much as knowing who it is.
This is a real problem, right now. I see how digital IDs are arriving, agents are taking on more workplace responsibilities, and the technology decisions organizations make today will shape how they manage this for years to come.
Treat agent identity as a core business decision
When Filip asked what small hill I'd die on, I said that within a few years, every business will run its own AI model locally. Once companies understand how central agents are to their operations, they won't accept outsourcing the systems that manage them.
The same thinking applies to identity. The closer agents get to the center of how a business runs, the less likely anyone is to treat their identities as something to sort out later. Things that matter to a business get managed deliberately.
At Vouched, we're already building for this. Our Know Your Agent product addresses the need to identify agents and set clear limits on what they can do, not just people. The companies that buy for where identity is heading, not only for what they need today, will be better prepared when that shift comes.
Watch the full Friday Five conversation with Liminal.