Self-Sovereign Identity for the Agentic Age
Machine identities now outnumber human employees by a staggering 82 to 1. We are populating a digital workforce that operates at machine speed, without an effective way to provide scalable identity and security. My solution: The didlite decentralized self-sovereign identity utility.
The 82:1 Problem
We’ve been talking about the "Agentic Future" for years. In early 2026, it’s no longer a trend—it's a massive infrastructure challenge.
According to the CyberArk 2025 Identity Security Landscape Report, machine identities now outnumber human employees by a staggering 82 to 1. We aren't just building tools; we are populating a digital workforce that operates at machine speed.
The problem: We lack an effective way to provide the digital workforce scalable identity and security.
The Struggle: Who are you, really?
The OpenID Foundation’s recent whitepaper highlights the core of the problem: our current security frameworks "break down" when AI agents need to work across different companies or act independently.
Today, agents are usually treated as "user impersonators." When Agent A (a home lab assistant) tries to buy from Agent B (a Shopify merchant), they have no decentralized way to verify each other’s legitimacy without calling home to a centralized server. As the Cloud Security Alliance (CSA) points out, traditional protocols like OAuth were designed for static apps, not autonomous entities that spawn, delegate, and transact in milliseconds.
When you have millions of ephemeral agents spinning up, executing tasks, and spinning down, the traditional method of "hardcoding an API key" or "creating a Service Account" is not just inefficient—it is a security liability.
We need identity that is self-sovereign, cryptographically verifiable, and lightweight.
The Win: didlite for decentralized self-sovereign identity
The CSA’s State of Non-Human Identity report paints a stark picture of our current readiness:
- Blind Spots: 16% of organizations don’t even track when a new AI identity is created.
- The Governance Gap: Fewer than 1 in 4 organizations have formally adopted policies for creating or removing AI identities.
- The Revocation Lag: Perhaps most critically, 24% of organizations take more than 24 hours to revoke a compromised credential.
Why OAuth and SAML Are Failing Us
For the last decade, we have relied on OAuth 2.1 and SAML to secure our digital lives. These protocols were designed for humans, whose sessions are predictable and slow. They fail autonomous agents for three specific reasons outlined by the CSA:
- They are too Coarse-Grained: OAuth scopes are static. They cannot handle the fluid, context-dependent needs of an agent that might need "read access" one second and "transaction approval" the next, based on real-time logic.
- They Fail at Delegation: Traditional IAM struggles with "chaining." If you authorize Agent A, and Agent A spawns Agent B to help with a sub-task, how does Agent B inherit only the permissions it needs? Current systems result in the "Confused Deputy" problem, where sub-agents inherit broad, dangerous system permissions.
- They Lack Context: A standard token doesn't carry the provenance of the agent. It doesn't tell you who built the agent, what model it is running, or who attested to its safety.
This is exactly why I'm launching the beta of didlite now.
While the industry calls for collaboration on "agent-native identity," I’ve built a package that makes it actionable today. The core of didlite focuses on the did:key implementation—no blockchain bloat, no new cryptography, just a Python package built on existing fundamentals.
- Zero-Trust Identity: Every agent carries a portable, verifiable ID that isn't tethered to a centralized provider.
- Developer-First Tooling: It’s a Python toolkit to mint and verify DIDs for your agentic workflows right now.
Lessons Learned & Next Steps
The "Agent Economy" isn't coming; it's already here.
The following frameworks exist, but leave the technical solution open. My goal is to enable didlite to natively operate in these standards.
- Agent Trust Framework
- Agent-to-Agent Protocol (A2A)
- Universal Commerce Protocol (UCP)
- Agent Payment Protocol (AP2)
I'm working to expand the utility's plug-in ecosystem and am soliciting help from contributors and collaborators:
- Integrations with the frameworks above.
- Native hooks for agent orchestration tools.
- OAuth/SOIP v2 support for expanded IAM.
I’m also currently seeking support or grants to pursue a full security audit. If this is going to be the bedrock of agent identity, it needs to be bulletproof.
Check out the repo, and please reach out to contribute.