Explore the evolving world of application delivery and security. Each episode will dive into technologies shaping the future of operations, analyze emerging trends, and discuss the impacts of innovations on the tech stack.
Lori MacVittie (00:04.226)
Welcome back to Pop Goes the Stack, the show that greets every breakthrough with one question. What could possibly go wrong? I'm Lori MacVittie, and today we're gonna investigate. I am alone because Joel "OpenClaw" Moses has deployed to another availability zone and is currently unreachable. So it's just me today, but that's okay because we have a guest and we're going to talk about identity.
Because that's what everybody's talking about right now. And we've spent years treating identity as a control plane. Authenticate the user, authorize the action, log the request, call it secure. Agentic systems just broke this entire model. Because now the user isn't the one acting, the agent is. And somewhere between delegation, automation, autonomy, and all these other A-words, accountability starts to evaporate.
That's the accountability vacuum that Andrew Bud of iProov is talking about. And it's not theoretical. It's already showing up in systems where actions are taken, decisions are made, and nobody can clearly answer who intended to do what. So we ask the obvious question: can we verify there's a real human behind the agent? And then we immediately run into an even harder question: does it even matter?
So to help answer these questions, Andrew is here today. Welcome Andrew.
Andrew Bud (01:35.868)
Thank you for inviting me, Lori.
Lori MacVittie (01:38.254)
All right, this is gonna be fun. So why don't we start by explaining what's this accountability vacuum that you're talking about and why it's suddenly a problem today?
Andrew Bud (01:50.758)
Look, in the world that we've been living in, people undertook actions. People gained access to systems. People took actions on those systems. And if things went wrong, you could trace back and hold the individuals who did that accountable. You could train them. You could punish them. You could put them in prison. You could fine them.
You could instr- or, more kindly, you could explain to them what they did wrong so they wouldn't do it again, or you could hold their bosses accountable for not having educated them. There were guardrails on behavior. People understood that there was right and wrong and that they should stay within those guardrails. Now we're moving into a world in which increasingly processes are going to be run by agents. And you know what?
Agents don't necessarily have a frightfully good grasp of what is right and wrong, but most importantly if they screw up you can't hold them accountable. You fine an agent. You can't put an agent in prison. You know. You can't send them away to re-educate or fire them and you can't sue them. So
Lori MacVittie (02:49.474)
Yeah. Oh, yeah.
Andrew Bud
and when and that's a, I mean that is a serious, that is not a technological problem that is actually a fundamental problem
Lori MacVittie (03:06.357)
Mm-hmm. Yeah
Andrew Bud
in terms of
Andrew Bud (03:07.314)
societal stability. Whether society can be an enterprise or it can be an entire nation. So when things go wrong, in an agentic AI world, who do you hold accountable?
Lori MacVittie (03:22.231)
Yeah, no, that's it's a really good question because we've seen, right, epic fails already from not just AI, but now increasingly agents. Like I let the agent do this, right? And it you know, open sourced my entire code base, for example. Like that might have happened. And yeah, what do you do? It doesn't care that it did that. It's like I had a goal and I achieved it. I, what are you mad at me for? Right? It just it doesn't care.
You can turn it off, it doesn't care. So there's no one, so there's no justice, right? With justice there has to be accountability and you're like, well these bad things happened and there's no remedy for it is really what you're saying.
Andrew Bud (04:06.108)
Correct. But in all human societies there has to be accountability or you lose social stability. So there are two things that we've got to do to get this done. One, you've got to make sure that the entities, that the service providers, that the processors that are told to do things take a certain amount of responsibility themselves and say, excuse me, am I dealing with a human or am I dealing with an agent?
And if I am dealing with an agent, do I understand who you are and are you entitled to take this action? So in other words, rather than placing somehow a mystical sense of responsibility on the agent, you put the responsibility on what in identity terms we used to call the relying party to say, woah woah woah wait, who are you again? And if you're an agent, who do you belong to?
And do I believe you? And actually, you know what? I'm not going to allow an agent to delete the entire database or open source the entire code base. You know what? I want a real human being to take accountability. So the first thing is that it places in this agentic future, there's going to be much more responsibility placed on the relying party to ensure good identity governance procedures. And secondly, human beings are and are going to remain the root of trust.
So even where you have agents and agents of agents and agents of agents and agents of agents, you're going to have to go back to a root of trust that is a human being. You know, we're kind of familiar to the concept of roots of trust when it comes to certificates. I think that the root of trust in the agentic world is not going to be a root certificate. It's going to be, if you like, a root certificate, but it's a root certificate that is certifiably a human being. So human beings will become the root of trust for this delegated structure agents.
That creates all sorts of interesting challenges which I think we're going to talk about in a minute.
Lori MacVittie (06:05.281)
I just I love the idea of like a parallel universe, you know, where like there's a basically yeah, a CA chain, right? But it's specifically for this agent was called by this agent who was, you know, delegated by this user as a way to, you know, it's a good audit trail if nothing else.
Andrew Bud (06:26.097)
Yes.
Lori MacVittie
But that's a brilliant way to do it. I hear blockchain crying in the background, going, This is for me, but
Andrew Bud (06:32.23)
Nah. Completely irrelevant.
Lori MacVittie (06:32.469)
usually when you hear
Andrew Bud
Completely irrelevant, Lori.
Lori MacVittie
Well every time you talk about like we need to have like irrevocable, you know, immutable, you know, chains of what happened, you hear somebody say, "well blockchain can do that." But I think a CA style, right, system at this point, that is actually a really good idea for how to do that. Doesn't exist at the moment, but...you know.
Andrew Bud (07:01.842)
So, let me also, I have two mental models for how this is gonna work and they're very different. One is agents in the enterprise and the other is agents out in the big wide world. Agent in the enterprise is a relatively containable problem because actually you can treat them as just being like a special kind of rather irresponsible employee.
And there are lots of mechanisms by which you can attach identity credentials to an enterprise agent using existing things like OIDC and in which, you can, existing IGA functions will work. So within the enterprise, it's not too big a leap from where we are to where we've got to get to. But when agents are out in the wild--and agents will be out in the wild--then you've got a problem on a completely different scale.
OIDC models, centralized federated identity models for agents, you know when there are billions of agents out there, aren't going to work full stop. You said, Lori, that we don't have any solutions. Actually, we do, because over the last five years, the world's been working towards a model of decentralized identity.
And in a decentralized identity model, which works in a quite different way, every entity, whether it's a human being as in Europe, all human beings are going to be equipped with an EU digital identity wallet, is a decentralized identity framework for each citizen, or whether they're an agent equally carrying around their credentials with them. Then you end up with an architecture that looks much more like the CA kind of model.
The difference is that the root certificate is going to be a root certificate associated with a real, live genuinely human presence. And so a certificate of human presence will become the root certificate for that kind of decentralized identity model, which I think is going to be, I think a lot of us think is going to be the basis for the way that agents in the wild, carry identity around with them and present identity to the relying parties.
Andrew Bud (09:14.84)
There will, maybe there'll be people who try to implement that kind of model in the enterprise as well. I've got to say that attempts to implement decentralized identity inside the enterprise have not met a great deal of success.
Lori MacVittie
No.
Andrew Bud
Good old OIDC has tended to, and similar things, have kind of worked pretty well.
Lori MacVittie (09:33.218)
Well and that's interesting because if you assume that everything, I mean my microwave and agent and me all have this identification, it really becomes somewhat irrelevant whether it's an agent or me actually taking the action. Does it, you know,
Andrew Bud (09:52.006)
Well...
Lori MacVittie
how does that, when you're doing something, does it care? I mean, does it matter anymore if I have, you know?
Andrew Bud (09:57.154)
No, I think it's
Lori MacVittie (10:00.799)
It does? Yeah.
Andrew Bud
I think it... That's gloriously provocative, Lori, thank you. I think it cares because of the issue of accountability. Because actions must have consequences. Somebody, a human being, not a piece of software but a human being, must ultimately take responsibility for everything that happens. So when something walks up to a service provider and says, "hi,
Andrew Bud (10:26.13)
I'd like you to do this." The first question the service provider is going to ask is, are you an agent or are you a human being? And of course the agent is going to say, "I'm a human being." Okay.
Lori MacVittie
Of course.
Andrew Bud
So now you, the first thing is you have to, the service provider is going to have to be pretty sure whether they're dealing with a human being or whether they're dealing with an agent. They're dealing with an agent, that can be okay. Next thing is to say, "well, who do you belong to?" And the agent is now going to have to present some sort of decentralized credential.
How do you know who is ultimately accountable for that agent? That agent is going to have to have a root certificate associated with their ultimate owner. And sometimes the relying party is going to go, "you know what? I'm not prepared to accept that instruction from an agent. Go and get the authority of a real life human being, because I will only do this if I can directly associate consent and authorization for this action from a real human being now.
Because it's, you know, deleting an entire code base can go sufficiently wrong that I want to know who takes ultimate responsibility and accountability for having done that and isn't gonna stand behind the agent and go, oh sorry, my agent did that, awfully sorry."
Lori MacVittie (11:47.597)
No, that actually makes sense that we start basically governing allowed actions based on whether you're an agent or a human and then further, right, that you actually inquiry that, I guess, right? Instead of just going, oh, I have this identity and this authorization and this token, so it must be okay. You have to go further.
You have to put another layer on it to say some of these things are not allowed, no matter what you say your group is, what you know your role is, and that you have valid identification. It doesn't matter. It's like my 16-year-old has valid identification. I may have given him permission to go down to the bank. He still can't access my bank account because he doesn't have the creds, right? And you can't do that.
Andrew Bud (12:42.098)
Because the bank, and this is what I'm saying, it's not that somehow by telling your 16-year-old that he can't go and do things in the bank or that he can do things in the bank that that somehow mysteriously empowers or blocks him from doing it because you know 16-year-olds are not always entirely trustworthy and neither should they be. It relies upon the bank
Lori MacVittie (13:02.706)
True.
Andrew Bud
saying, given that you can prove that you are a 16, given that I, given that your
Andrew Bud (13:10.128)
proofs are that you're a 16-year-old, I want to see that you've got, I want to see authorizations from your mother. But let's be clear, this isn't about, this isn't just a problem of identity, this is a problem about humanity.
Lori MacVittie (13:23.287)
Right.
Andrew Bud
Because remember, identity is just a set of facts about a person. That's all,
Lori MacVittie
True.
Andrew Bud
an identity is just a set of facts about a person. I can have facts about you, your son can have facts about you, whatever. But in the end, the,
Andrew Bud (13:40.562)
Responsibility doesn't rest with facts.
Lori MacVittie (13:45.015)
Right. With a person, yeah.
Andrew Bud
Responsibility rests with people, with the wetware that goes on between our ears. So those facts, inevitably, are only given power and life when they are bound to this piece of wetware known as a human being. And it has to be a genuine human being and not some sort of deliberately or agent-created forgery of a human being. And therefore,
Andrew Bud (14:09.328)
the ultimate root of trust is that certificate of genuine humanness that has to be associated with whatever identity or whatever authorizations that that agent carries around with it or refers back with. That's a very stra-, that's a new and unusual concept that the root certificate is not an identity, the root of certificate is a, the root of trust is a proof of humanness.
Lori MacVittie (14:38.58)
Right, and it, and then confers authority. Like only this can confer authority. You can't just by saying it. Right, even bringing a note from your mom doesn't necessarily confer the authority because of course it can be forged. Right? This is not
Andrew Bud (14:54.118)
Yes.
Lori MacVittie
anything new. And, right, principals were not going to take that. They don't today. They have to hear from the parent that this is what's going on. So, you know, even our systems in real life
Lori MacVittie (15:07.456)
have evolved to handle this particular problem. So now we need to apply it to technology. And an agent is more than capable of lying and has proven that it will
Andrew Bud
Yes.
Lori MacVittie
to achieve its goal because the ends justify the means to it. And you're right, if it can't be accountable, we have to be able to tie it back to a person somehow. Whether, and I think that's true whether it's inside an enterprise or outside, because inside, especially in certain industries, those are life-changing actions that they can take.
Delete my entire medical records. Okay, wait. Whoa, now I'm in trouble because you don't have all these years--29--of medical history. It could be. Right, but you don't have it. I mean, so certain industries, and they're highly regulated for a reason, have protections against certain things. And we certainly can't let an agent just go, "hey, mom told me I could." It needs to go back to a person because some things are so destructive that they cannot be fixed and they affect real people's lives.
Andrew Bud (16:17.126)
A lot of things are deeply destructive. As I say, if an agent starts writing malicious code and has the right to upload to the repository, they can destroy an entire open source ecosystem. They can create chaos within thousands of industries reliant upon that open source world.
Or even if it's the repo of a SaaS business, they can bring down an entire company and put all of its employees out of a job and actually destroy the capabilities of the organization to a reliance upon it just by being given write access to a repo.
As you say, the elimination or corruption of data. Agents that are allowed to do things without oversight can cause harm. Look, the metaphor I use sometimes, Lori, is that of a sheep dog, of a German shepherd.
Shepherds are responsible for their flocks, but they're also responsible for the well-being of people around them. If you have a sheepdog, which is most of the time running around keeping the sheep in place, but every so often it jumps up and tears the throat out of one of the onlookers, you know.
Lori MacVittie
That's bad.
Andrew Bud (17:35.186)
I would have said so. And, you know, the agent is like a sheepdog and we have to ensure that it is prevented from metaphorically tearing the throat out of a piece of enterprise, of cyber infrastructure. And that if it does so, it has a tag on it which says demonstrably who the owner was.
And the metaphor doesn't quite work because you have to ensure that that tag is tied back cryptographically to a real life physical human being. Not just a name and address that someone can forge, but a real life human being.
Lori MacVittie (18:15.09)
Well, I could talk about this for hours and I know you said you could too. I think we could have a really good, interesting conversation, but we only have so much time and I do wanna leave like listeners, right, so you know, especially the enterprise, like with takeaways.
What can they think about or do to prepare for, you know, dealing with this accountability vacuum and kind of like turning that off and making sure that they're ready to actually use agents in a way that's productive and safe.
Andrew Bud (18:40.001)
So I think there are two or three things that they need to do. Firstly, this is going to be very heavily influenced by standards. Emerging standards are being worked on, so keep an eye on what's happening in standards. In particular, the Agentic AI Foundation, which is within the Linux Foundation, is working on some standards for the communication between service providers and agents and between agents and human beings.
We've recently, iProov has recently suggested some open source protocols that would help that program quite heavily. Another place where this work is being done is in the FIDO Alliance, which again we are members and contributors. The FIDO Alliance obviously was responsible for passkeys
Lori MacVittie (19:32.302)
Right.
Andrew Bud
and therefore is also a very powerful environment in which to create these new standards. The Open Identity Foundation, the people who created OIDC, they are working on standards for agents as well. So keep an eye on the way in which these standards are developing. Secondly, it's really important for organizations to understand that proofs of humanity, the use of biometrics becomes fundamental in securing the agent infrastructure.
That because you have to tie agents back to people and only to people, mechanisms that tie credentials that tie identities to people become foundational. And so they need to look at platforms, and iProov provides one of them, that make people's genuinely present human proven faces a core credential, become foundational. And let's not confuse the issue of biometrics, which is all about face matching, with the fundamental issue, which is, am I looking at a genuinely present human being?
Faces are useful credentials, but they're so easily copied that on their own they are not worth very much. They're very convenient and very powerful, but they're not worth anything unless you tie them to genuine human presence to make sure that you're not looking at deep fakes or other synthesized or bogus faces. That proof of genuine human presence, which again is going to be fundamental when agents walk up at service providers and go, "hi, I'm a person."
Andrew Bud (21:15.302)
And the service provider says, prove to me that you are.
Lori MacVittie (21:18.498)
True.
Andrew Bud
Boom, genuine human presence becomes a fundamental requirement. So that enterprises begin to internalize the idea that proofs of genuine human presence become a foundational asset across their organization, both for their workforce and when dealing with external service providers. And there's a whole world of technology emerging.
Andrew Bud (21:44.814)
There are lots of people who are claiming to be able to do genuine human presence, but only a very small number of vendors who can actually provide the certifications and the test results to prove that what they're saying is true and not just aspirational PowerPoint.
Lori MacVittie (22:02.462)
Wow. It, you know, it's a new world. It is definitely a new world and there are new problems cropping up every day. Like this seemed like it was going to start, you know, good bot-bad bot-human discussion, but it's way deeper than that and it's way more interesting and complicated. The idea that right audit trails and accountability have to tie back to a real human being.
And this is not something that we've really thought about I think in the enterprise, but we're going to have to if we're going to ever trust and rely on agents fully to do a lot of the work, especially some of the work with very sensitive systems or data or information as we go forward.
So this has been fascinating, Andrew, but we're really out of time. I know you could say more and I would love to hear it, but we're really out of time. We have to say that's a wrap for Pop Goes the Stack. If you enjoyed today's reality check and conversation, hey, subscribe. We'll keep testing the future for regressions.