In 1961, Fernando Corbató needed to give each researcher a private set of files on a shared computer. The solution was a password: a secret string, typed at a prompt, compared against a stored copy. It was the simplest possible answer to the simplest possible question.
The question echoed forward through six decades. It was asked by mainframes and minicomputers, by Kerberos KDCs and LDAP directories, by web servers and browsers, by SAML identity providers and OAuth authorization servers, by fingerprint sensors and facial recognition cameras. Each generation of technology answered the question with greater sophistication: hashed secrets, cryptographic tickets, signed assertions, federated tokens, biometric templates locked in silicon. The answers grew more secure, more convenient, more mathematically elegant. But the question never changed.
Neither did the relationship behind it. The machine asked, and the human answered. The entire identity stack this series has traced was built around that exchange, and assumed it would hold indefinitely.
Now something has shifted. Not in the machines. In us.
We have begun delegating. Email triage to an AI assistant because the inbox is overwhelming. Scheduling because the calendar logistics are tedious. Booking, research, comparison shopping, customer service interactions, the long tail of digital errands that fill the modern day. Each delegation feels like a convenience. Each is justified by the same logic that has justified every prior identity convenience this series has documented. It is easier, and people will always choose the path of least resistance. The machine still asks who you are, but increasingly the entity answering is not the person. It is something acting in the person's name.
The standards bodies and regulatory frameworks have responded by focusing on the agent. What is it? How do we credential it? How do we fit it into an infrastructure built for people? These are reasonable operational questions. But they are not the first question, and treating them as the first question leads us somewhere false.
The agents have no intent. They have no agency in any morally meaningful sense. They are not emerging presences developing an independent claim on the digital world. They are mirrors, extraordinarily powerful ones, reflecting back what we have put into them. Our text, our preferences, our accumulated decisions about what the digital world should optimize for. The question of what the agents are is, underneath everything, a question about us. What did we build? What did we encode? What version of ourselves are we sending out to act in our name?
That reframing changes what is actually at stake. The concern is not that we will have to reckon with a new kind of entity challenging our understanding of identity. The concern is that we will not reckon with ourselves, and the mirror will keep getting larger, and what it reflects will be the flattened, credentialed version of human identity that the infrastructure has been quietly constructing for sixty years.
Because that is what the infrastructure actually did. It answered who are you with increasing technical sophistication, but the sophistication was always reductive. You are your attributes. You are your verified claims. You are the sum of your authenticated sessions and your role assignments and your persistent identifiers. The identity stack was built to process identity, not to understand it. And somewhere along the way, through the convenience and the friction reduction and the small delegations accumulating into large ones, we started accepting the processed version as adequate. The profile became a stand-in for the person. The credential became a stand-in for the self.
CAPTCHA saw this coming before most of us did. Since the late 1990s, every challenge asking are you human? was already an admission that the infrastructure could not tell. Not because the bots were sophisticated, but because the signals the infrastructure used to identify people were always imitable by anything patient enough to imitate them. The infrastructure was never measuring humanness. It was measuring compliance with a protocol. We called it identity and moved on.
What AI makes visible is how much was always missing from that account.
The agents can hold credentials, maintain sessions, execute the authenticated actions that constitute a digital presence. They can do this continuously and at scale. And so the systems on the other side of those transactions are beginning to optimize for them rather than for us. The web designed for a person to navigate becomes scaffolding around a machine-to-machine substrate where the actual work gets done. The infrastructure built to give humans a digital presence becomes the infrastructure through which humans deploy digital proxies.
There is no them in this story. There is only us, reflected back.
The fork ahead is not between humans and machines, coexisting or clashing. It is a quieter choice, and it belongs entirely to us. We can accept what the infrastructure has built and keep moving forward inside it, letting the agents multiply, letting the delegations deepen, treating the processed and credentialed version of ourselves as close enough to the real thing. Or we can treat this moment as a reason to stop and ask what we actually think identity is, before the new infrastructure locks in around whatever answer we happen to be living by default.
The second response requires something no standards process can provide. It requires the interior work to happen before the exterior architecture is set. To ask not just how we credential an agent but what we think we are delegating, and why, and what it would mean to get that back. To notice that reducing identity to attributes and sessions and role assignments was a choice the infrastructure made, not a truth it discovered. To remember that the word friend had a richer meaning before a platform reduced it to a count and a button, and that identity has a richer meaning than anything a certificate can bind.
The hopeful reading is that the delegation creates space for that work. Handing the digital errands to agents returns to us the time and attention we have been spending there. It opens the possibility of reconnecting with what the digital was always a poor substitute for. The physical world. The people we share rooms and meals and years with. The experience of being a person among people in a world that does not require you to log in.
But that reclamation is not automatic. You can give people back their time and they fill it with a different kind of distraction. The question is not whether the agents take on the work. It is whether we, holding the time the work once consumed, remember what to do with it.
The protocols will be drafted. The standards will emerge. The people doing that work will mostly be thinking about the next deployment and the next compliance deadline, which is how infrastructure has always been built.
The deeper question belongs to the rest of us, and it is not a new one. It was deferred in 1961 when the password answered who are you and everyone accepted that and moved on. It has been deferred at every step since. The question is what identity actually is, not how to encode it or delegate it or credential the things that act in its name, but what it consists of before any infrastructure touches it.
We are being asked that question again, more urgently than before, by a mirror that has gotten very large.
The machine still asks: Who are you?
For the first time in sixty years, that might be worth sitting with.
Excerpt from the final article in my series, "The Making of Digital Identity"
