Featured Podcast
In this episode, Nick Lambert and Peter Horadan tackle the rising identity crisis in AI. With agents poised to outnumber humans online, how can we ensure they act safely and within our control? The discussion covers key risks, legal gaps, and solutions like MCPI that redefine how we trust digital agents.
Takeaways
The rise of AI agents is one of the most significant shifts unfolding across the internet today. From booking travel to managing work tasks, agents are quickly becoming powerful tools that act on behalf of users. In fact, by next year, there may be more non-human agents online than human users. The promise is clear: automate the drudge work and reclaim your time.
But as the excitement grows, a critical piece of the conversation is being overlooked—identity. How do we know which agent is acting? Who authorized it? What is it allowed to do? And how do we prevent misuse when these agents gain access to sensitive systems or personal data?
In our latest live session, Dock Labs CEO Nick Lambert sat down with Peter Horadan, CEO of Vouched, to explore these questions in depth. Peter not only shared his perspective on the growing risks but also gave a live demo of a new identity and delegation framework that makes it possible to verify and control what agents can do on our behalf.
Here are the main takeaways:
ChatGPT's Agent Mode opens security risks
Users log in via a browser controlled by ChatGPT.
It captures OAuth session keys and acts on behalf of users without restrictions.
Violates long-standing cybersecurity best practices
Users are trained not to share credentials with third parties.
This model undoes decades of training and introduces a massive new attack surface.
Vulnerable to mistakes, misuse, and legal issues
Agents may hallucinate or take unintended actions.
Agents cannot legally agree to terms on behalf of users (e.g., airline terms and conditions).
Agent Identity
Systems must recognize that an agent, not a human, is performing the action.
Each agent needs a unique, verifiable identifier (a DID, Decentralized Identifier).
Delegation
Humans must delegate specific authority to agents (e.g., book flights, but not spend points).
This delegation must be granular and revocable.
Reputation
Agents need reputations like Yelp reviews.
Some agents will act maliciously. Bad actors must be identifiable and blockable across services.
Human Identity
Humans must be identified once, securely and verifiably, then not needed again for each task.
Biometric-bound credentials remove this friction: the credential is bound to the person, so later checks do not require a fresh identity proofing step.
Legal Agreements
Agents can't click "I agree" checkboxes.
Systems must collect durable legal consent from humans before agent actions.
Scenario: Booking a flight via Atlas AI, a fictional travel assistant bot.
Step 1: Identity verification
Peter uses a mobile driver’s license verified via biometric match.
Integration with Truvera enables secure, privacy-preserving human ID verification.
Step 2: Delegation to Atlas AI
Atlas AI contacts "Awesome Airlines" via MCP.
The airline has no prior record of delegation, so it requests human authorization.
Step 3: Secure OAuth-style delegation
The human logs into the airline website directly (not via the agent).
The airline displays a dialog: “Allow Atlas AI (DID: xyz) to book flights?”
The user approves and checks a box to accept blanket legal terms.
Step 4: Durable authorization
Permissions are scoped, logged, revocable, and auditable.
Airlines can report agent behavior to a rating service (e.g., Yelp for agents).
Extension to Anthropic’s MCP
Adds identity, delegation, legal consent, and agent reputation.
Fully spec’d and available: modelcontextprotocol-identity.io
Open and standards-oriented
Vouched is contributing to OpenID Foundation and other standards bodies.
MCPI SDK and server implementation available as SaaS.
EUDI Wallets in the EU
By November 2026, all 27 EU countries must issue digital ID wallets.
EUDI will enable cryptographic signing and selective disclosure of attributes.
Interoperability and reuse
Truvera integrates digital and verifiable credentials.
IDs can prove age or residency without over-disclosing sensitive data.
Free tools:
MCPI spec and agent reputation system are free and open.
Inspired by models like Yelp or Let’s Encrypt.
Paid offering:
Vouched offers a SaaS security server for MCP sites.
Enables sites to plug into identity, delegation, and trust without building in-house.
Anyone can create an agent
DIDs are easy to generate (similar to key pairs).
Creation platforms already exist, and agents can be built independently.
Key infrastructure responsibilities:
MCP servers should audit, log, and enforce permissions.
Storage and revocation of delegations are left to the implementation (e.g., blockchain, traditional databases).
Agent spoofing & man-in-the-middle
DIDs use public-private key cryptography to sign requests and verify authenticity.
Preventing agent churn
Reputation systems penalize new or frequently changing DIDs, imposing a warm-up period much like email sender reputation does for new senders.
Sensitive use cases
Regulated industries (e.g., finance, healthcare) must tailor assurance levels and regulatory compliance to their own requirements.
CTO advice:
Step 1: Immediately block ChatGPT and similar agents from accessing internal systems.
Step 2: Begin planning to support MCP servers for secure, controlled agent access.
The time to act is now
Digital IDs and agents are converging rapidly.
Every business must rethink identity workflows in the context of non-human actors.
Workflows will evolve
Password resets will shift from email codes to biometric digital ID checks.
ID sharing will become as easy and secure as a thumbprint.
Listen to the full conversation here: https://youtu.be/SL9slgOOSlI?si=OKLZkXZ62Yu7d0xT
Originally published on Dock Labs. For more details, visit the source.