The Identity Track — From Proof of Personhood to AI Agent Delegation
Two Layers of the Same Track
AI bots now generate more than half of internet traffic. AI agents have started paying on behalf of people. The two flows look separate but converge on the same infrastructure problem: “Who is this actor, and within whose delegation is this action?”
This question splits the authentication market into two layers. Layer 1 is Proof of Personhood — is this user really a person, a unique human distinct from others? Layer 2 is delegated identity — when an AI agent acts, within which person’s delegation is it moving? They appear to grow separately but ultimately combine on the same infrastructure.
This piece treats both layers as one flow. In Layer 1: World ID’s 18M verifications, Apple/Google/Microsoft Passkey’s 3B+ potential pool, EU EUDI Wallet’s government infrastructure. In Layer 2: NHI (Non-Human Identity) and the 144:1 machine-to-human era, capital flows around Defakto, t54 Labs, and Indicio, and payment network entries from Visa and Mastercard. Together they cover Layers 2 and 3 of the series pillar’s three-layer structure in one piece.
Why “Proof of Human” Now
The internet ran for nearly 30 years without deeply asking “is this account really a person?” Email verification, phone verification, and CAPTCHA-style lightweight checks were enough. Once AI models started generating natural language faster than people, that assumption began to crack.
Per Imperva’s 2026 Bad Bot Report, automated bot traffic crossed half of all internet traffic (about 51%). A growing share of that is sophisticated bots posting LLM (Large Language Model)-generated content as if human. Unlike simple scraping bots, they make distinguishing authentic actors hard on social networks, comment threads, review sites, Q&A platforms, and political campaign comments. Academic reports have shown CAPTCHA bypass rates above 90% against GPT-4-class models.
Two infrastructure tracks started rising in parallel here. One is biometric authentication built into OS standards — Apple Face ID, Touch ID, Passkey, plus Google and Microsoft Passkey. The other is decentralized identity and zero-knowledge proof — World ID, Privado, Indicio, plus government-led infrastructure like the EU EUDI Wallet. Both start from the same assumption — the account no longer means a person.
World ID — Sam Altman’s Iris-Based Identity Network
World (launched in 2021, formerly Worldcoin) is a project Sam Altman co-founded while serving as OpenAI’s CEO. His framing, in one line: “a tool I saw as necessary so humans stay special and central in a world full of AI-driven content.”
How It Works and the Adoption Curve
| Step | Mechanism |
|---|---|
| 1. Verification | Hardware iris scanner called the Orb scans iris pattern and confirms unique humanity |
| 2. Token issuance | World ID issued on World Chain (its own blockchain) |
| 3. Privacy | Protected by ZKP (Zero-Knowledge Proof) — proves a fact without revealing the underlying data |
| 4. Tracking blocked | Designed so third parties cannot know the user’s World ID public key or track behavior across apps |
Adoption curve:
| Date | Cumulative Verified | Supported Countries | Major Event |
|---|---|---|---|
| 2021 | 0 | 0 | Private beta |
| 2023.07 | approximately 2M | 35+ | Worldcoin official launch, $WLD token issued |
| Late 2024 | approximately 9M | 100+ | Orb operating countries expanded, OpenAI collaboration reported |
| Late 2025 | approximately 15M | 140+ | World ID 2.0 announcement |
| 2026.05 | 18M+ | 160+ | World ID Full-Stack Proof of Human announcement |
The adoption curve started steepening in 2024 — overlapping with the period when AI bot traffic began rising in earnest post-ChatGPT, and market recognition formed around the “unique human verification” category itself.
Full-Stack Proof of Human — Extension into Layer 2
The 2026 Full-Stack Proof of Human extends beyond one-time verification into a protocol that attests “a human X authorized this” for each AI-agent action. This is the core point of this piece. World ID builds Layer 1 (person verification) and stacks Layer 2 (agent delegation verification) on top of it. The core changes:
- A person verifies their identity once with World ID
- They delegate a subset of their identity’s authority to AI agents
- Each time an agent acts, an attestation is automatically attached: “this action is being executed within authority delegated by human X”
Payments, API calls, social posts — all such actions get bound inside the human → agent delegation chain. World sits in the same category as Defakto and t54 Labs covered in the next section.
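A sketch of the human → agent delegation chain described above, added here as an illustration and not World's protocol or code: a human issues a scoped, expiring grant, the agent attaches an attestation to each action, and a relying party checks both signatures, scope, limit, expiry and replay. HMAC-SHA256 with constructed keys stands in for the asymmetric signatures a real deployment would use, and all function and field names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC is a stand-in (assumption): a real relying
# party would verify with public keys and never hold signing secrets.
HUMAN_KEY = b"constructed-human-key"
AGENT_KEY = b"constructed-agent-key"


def _sign(key: bytes, payload: dict) -> str:
    # Canonical JSON so signer and verifier hash identical bytes.
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_grant(human_id, agent_id, scopes, max_amount, expires_at):
    """Human delegates a subset of authority to one agent, with an expiry."""
    body = {"human": human_id, "agent": agent_id, "scopes": sorted(scopes),
            "max_amount": max_amount, "exp": expires_at}
    return {"body": body, "sig": _sign(HUMAN_KEY, body)}


def attest_action(grant, action, amount, nonce, ts):
    """Agent binds a single action to the grant it claims to act under."""
    body = {"grant_sig": grant["sig"], "agent": grant["body"]["agent"],
            "action": action, "amount": amount, "nonce": nonce, "ts": ts}
    return {"grant": grant, "body": body, "sig": _sign(AGENT_KEY, body)}


def verify_action(att, seen_nonces):
    """Relying-party check of one attested action. Returns (ok, reason)."""
    grant, body = att["grant"], att["body"]
    g = grant["body"]
    if not hmac.compare_digest(grant["sig"], _sign(HUMAN_KEY, g)):
        return False, "grant signature invalid"
    if not hmac.compare_digest(att["sig"], _sign(AGENT_KEY, body)):
        return False, "action signature invalid"
    if body["grant_sig"] != grant["sig"] or body["agent"] != g["agent"]:
        return False, "action not bound to this grant"
    if body["ts"] >= g["exp"]:
        return False, "grant expired"
    if body["action"] not in g["scopes"]:
        return False, "action outside delegated scope"
    if body["amount"] > g["max_amount"]:
        return False, "amount exceeds delegated limit"
    if body["nonce"] in seen_nonces:
        return False, "replayed attestation"
    seen_nonces.add(body["nonce"])
    return True, f"authorized by {g['human']}"


if __name__ == "__main__":
    seen = set()
    grant = issue_grant("human-X", "agent-1", ["pay", "book"], 100, 2000)
    print(verify_action(attest_action(grant, "pay", 40, "n1", 1000), seen))
    print(verify_action(attest_action(grant, "post", 0, "n2", 1000), seen))
```

The checks that matter for accountability are the binding and scope tests: an agent holding a valid grant still cannot act outside it, and a captured attestation cannot be reused.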
Per Forbes reporting (2026.04), OpenAI is building a new social network to confront the bot problem head-on, and is evaluating World ID and Apple Face ID as integrated authentication candidates. There’s also work with Coinbase’s open protocol to verify “the human behind the AI agent.”
Apple · Google · Microsoft Passkey — OS-level Default
On a separate axis from novel infrastructure like iris scans and blockchain, OS-level authentication moves in the same direction. Passkey is a password-replacement standard built on FIDO Alliance + W3C WebAuthn.
| Operator | Potential Pool | Enrolled Accounts (late 2025) | Adoption Channels |
|---|---|---|---|
| Apple | iCloud users approximately 1.1B | Undisclosed; active users estimated in hundreds of millions | iOS · macOS default (16.x onwards) |
| Google | Account users approximately 3B | 800M+ (per late 2025 announcement) | Chrome · Android · Workspace |
| Microsoft | Entra ID + Microsoft 365 entire user base | Undisclosed; enterprise-led adoption | Windows Hello, Outlook, OneDrive |
| FIDO Alliance | 250+ member enterprises | Cumulative 5B+ Passkeys registered globally | Member-operated services |
The adoption curve steepened after 2023. Once Apple built Passkey into iOS 16 by default (2022.09), Google and Microsoft followed within a year, and Passkey became the default across the OS, browser, and search camps. In Korea, KakaoTalk, NAVER, Toss, and KakaoBank are gradually introducing Passkey, starting the migration from existing PASS · NICE identity verification defaults.
One Thing Worth Noting
Passkey and World ID look like the same “human verification” market but answer different questions. Passkey solves “is the person holding this device the actual account owner?” World ID solves “is this person one unique human, distinct from other people?” The first is strong against phishing; the second is strong against Sybil attacks (one person posing as many accounts). In the era of AI bots, both questions need answers — meaning the two standards occupy different usage contexts.
Decentralized Identity — Government Infrastructure Going In
Decentralized Identity (DID) lets users control their identity data and selectively prove parts of it when needed. World ID belongs broadly to this category, but market analysts typically group enterprise solutions like Privado, Indicio, Microsoft Entra Verified ID, Sphereon, plus government infrastructure like the EU EUDI Wallet, into the DID category.
| Decentralized Identity Market (2026 est.) | Figure |
|---|---|
| Market size | $7.4B |
| CAGR (next 5 years) | 25%+ |
| Core use cases | Digital ID cards, KYC automation, education / credential verification, medical record sharing |
| Adopting nations | EU member states (EUDI Wallet mandate), Korea (mobile driver’s license / ID), Singapore (Singpass) |
| Standards bodies | W3C VC (Verifiable Credentials), DIF (Decentralized Identity Foundation) |
EU EUDI Wallet — Mandated by 2027
| EUDI Wallet Major Milestones | Details |
|---|---|
| 2024.06 | eIDAS 2.0 regulation in force |
| 2025–26 | Member-state pilots (Germany, France, Italy, Spain, etc.) |
| 2026.11 | Member-state provision mandate deadline |
| 2027 onwards | User adoption rate KPIs introduced |
The EU designed the EUDI Wallet not as a simple digital ID card but as integrated infrastructure spanning KYC, contract signing, credential verification, payments, and travel authentication. From the mandate date, EU users will handle bank KYC, flight ticket issuance, medical record sharing, and credential verification on a single infrastructure stack via their EUDI Wallet. Korea’s mobile driver’s license (started in 2022) moves in a similar direction, with expansion into education, credentials, and medical areas under review for around 2027.
Layer Transition — From Person Verification to Agent Delegation
That covers Layer 1 (person verification). One step deeper on the same infrastructure is Layer 2 (agent delegation identity). Beyond verifying a single person, once the AI agents that person has delegated to start acting, traceable identity becomes infrastructure.
The AI agent wave that took off in 2025 created a new category in identity infrastructure. As AI agents started searching, booking, paying, and calling APIs on behalf of humans, “who authorized this action?” hit gaps in operational, legal, and payment infrastructure.
Until now, IAM (Identity and Access Management) separated humans and machines relatively cleanly. Humans got SSO login; machines got API keys or service accounts. AI agents sit between the two — a new identity type: a machine to which a human delegated authority. Acting automatically, but with responsibility that has to remain with a person.
NHI Explosion — 144:1 Machine-to-Human
NHI (Non-Human Identity) is a term that started circulating in the IAM industry around 2022. It encompasses the identity that non-human actors — service accounts, API keys, cloud resources, containers, RPA bots, AI agents — hold within systems.
| Non-Human Identity Data | Figure |
|---|---|
| NHI year-over-year growth | +44% |
| Machine-to-human ratio (some cloud environments) | 144:1 |
| Average NHI count per enterprise (Aembit) | 50,000+ |
| Major NHI types | Service accounts, API keys, cloud resources, containers, RPA bots, AI agents |
| Share of credential-leak incidents that are NHI-related | 60%+ (CrowdStrike 2025 Global Threat Report) |
The 144:1 ratio is a measurement from some cloud-native environments. It doesn’t apply universally, but multiple reports consistently document that the market average is tilting fast toward machine identity. The problem is that the overall security model was designed around humans. SSO, MFA (Multi-Factor Authentication), audit logs, and permission reviews all assume human users. AI agents accelerate this trend.
OpenAI Operator takes user delegation and acts on websites (form entry, payment, booking). Each action needs an automatically attached attestation that “this was delegated by user X” for payment and legal responsibility to flow. Currently OAuth token-based temporary delegation is the default, but as its limits become clear, a new category (Identity for AI Agents) has started growing.
Defakto · t54 Labs · Indicio — Three Tracks of Capital Concentration
| Round | Date | Size | Category | Major Investors |
|---|---|---|---|---|
| Defakto Series B | 2026 | $30.75M ($50M cumulative) | NHI lifecycle management | Ballistic Ventures, Forgepoint |
| t54 Labs Seed | 2025 | $5M | AI agent payment / compliance | Anagram (lead), Ripple, Franklin Templeton |
| Indicio Strategic | 2025 | NEC X investment | Integrated DID for people, orgs, devices, AI | NEC Group |
Three companies occupy different positions in the same category.
Defakto rebuilt NHI management from machine-first principles instead of grafting onto human-centric IAM. It covers service-account issuance, permissioning, rotation, expiry, and monitoring across the full lifecycle. It occupies the machine-identity-only territory that Okta, Ping Identity, and Microsoft Entra don’t fully cover. The Series B at $30.75M signals that the category is expanding from a cybersecurity-only market into infrastructure.
t54 Labs specializes in AI agent payments and compliance. It was founded in January 2025 and raised a $5M seed the same year. The most striking part of the round is Ripple and Franklin Templeton joining. Ripple sits in payment infrastructure (especially international remittance); Franklin Templeton is a global asset manager. The two entering a seed-stage startup signals that AI-agent identity is being recognized as an adjacent market to payment and finance infrastructure.
Indicio extends Decentralized Identity (DID) infrastructure so that people, organizations, IoT devices, and AI agents can all use the same substrate. NEC X’s investment (2025) signals that Japanese conglomerates view this category at infrastructure depth. In Korea, similar exploration has reportedly started at KT, SK Telecom, and LG U+.
One Thing Worth Noting
Defakto and t54 sit at different layers. Defakto handles the machine-identity lifecycle that human IAM doesn’t cover. t54 handles verification and compliance for when that machine identity “pays or transacts on a human’s behalf.” Same NHI category, different positions. Whether this division of labor solidifies or one company consolidates both is a watch-point for the next 1–2 years.
Payment Networks’ Own Standards — Visa and Mastercard Entries
Beyond indie players, payment networks themselves have entered the category.
Visa Intelligent Commerce (announced 2025): Standardized AI-agent authentication tokens, per-transaction delegation chain attestation, machine action classification added to fraud-detection algorithms, separate refund and dispute processing for AI-agent transactions.
Mastercard Agentic Payments (announced 2025): Standardization for multi-agent environments (multiple AI agents acting on the same user’s delegation), clearer AML/KYC obligations in cross-border transactions, merchant-side agent transaction identification interface.
Two payment networks creating their own standards means two things. First, the category is expanding into infrastructure markets. Second, the positioning of indie players like t54 Labs is likely to shift toward payment-network compatibility and integration. If a single standard solidifies, indie player differentiation narrows, and multi-network compatibility becomes a new differentiation axis.
Korean market impact: Once Visa and Mastercard establish global standards, Korean card issuers (Shinhan, KB, Hana, etc.) will need to maintain compatibility. Korean card issuers making their own AI-agent payment standard is less likely than accepting the global standard and operating it for the Korean market.
Okta Ventures “2026 Identity 25” — Category Officially Established
The established IAM camp moved in the same direction. Okta Ventures published the “Identity 25” list in January 2026, formally establishing an Identity-for-AI category.
| Okta “2026 Identity 25” Categories | Details |
|---|---|
| AI Agent Identity | Agent identity, permission delegation |
| Non-Human Identity Management | Machine and service account lifecycle |
| Identity Verification (KYC) | People and organization verification automation |
| Decentralized Identity | DID + Verifiable Credentials |
| Continuous Authentication | Behavior-pattern-based continuous auth |
The fact that the established IAM camp set up a new category at all is itself a market-recognition signal. Okta is the global leader in human IAM, and it carved out AI agents and NHI as a separate track inside its own core category — an admission that its own solutions can’t cover this territory fully.
OpenAI’s New SNS — Integration as a Two-Layer Case Study
Per Forbes reporting (2026.04), OpenAI is building a new social network to confront the bot problem head-on. Core design hypothesis: “An AI-era SNS must attest ‘account = human’ from the sign-up step.”
Authentication candidates under evaluation (per reporting):
- World ID (iris scan) — Layer 1
- Apple Face ID (device biometric) — Layer 1
- Passkey (FIDO standard) — Layer 1
- Coinbase Open Protocol — Layer 2 (verifying humans behind AI agents)
Evaluating multiple candidates simultaneously is a signal in itself. Not single-solution reliance, but multi-layer authentication integrated from the sign-up step. Hypothesis flow:
- World ID for one-time “unique human” attestation (Layer 1)
- Passkey or Face ID for per-session “device = owner” authentication (Layer 1)
- Coinbase Open Protocol for delegation chain tracing when AI agents are used (Layer 2)
If OpenAI picks a single solution, that solution becomes the de facto global default. If multi-layer is adopted, market consensus solidifies around “no single solution is sufficient.” Sam Altman is a World co-founder, so World ID adoption likelihood is high, but picking only World makes cross-camp adoption harder. Multi-layer adoption with OS standards like Apple Face ID and Passkey is more advantageous for global standard formation. The two pressures collide, and which direction OpenAI goes is a watch-point for the next 1–2 years.
Closing — Two Layers, One Assumption
Sam Altman solves it with iris. Apple solves it with face. Google and Microsoft solve it with OS-level Passkey. EU and Korean governments solve it with DID. On top of that, Defakto manages NHI lifecycle. t54 Labs handles agent payment compliance. Indicio integrates humans, machines, and AI on decentralized identity. Visa and Mastercard pursue standardization at the payment network layer.
Bundled together — all eight approaches rest on the same assumption. The account no longer means a person, and AI agents cannot, on their own, be accountable parties. As AI bots cross half of internet traffic and AI agents start triggering payments on behalf of humans, the authentication baseline is moving from “email and phone” to “biometric and unique proof + delegation chain tracing” in a single direction.
The identity track is solidifying into a shape where person verification and agent delegation — two layers — combine on one infrastructure. World ID’s Full-Stack Proof of Human is the clearest attempt to bind both layers, but a multi-layer combination like Apple + Passkey + Coinbase could equally become the default.
The next piece steps out of infrastructure and into the market itself. Who the real buyers are for the Deepfake Detection $15B market — and how this flow lands on the BFSI KYC 2.0 agenda.
References
- World.org — “Proof of personhood: What it is and why it’s needed” / “World ID Full-Stack Proof of Human”
- Yahoo Finance — “Worldcoin Jumps 16% After Report OpenAI Is Exploring Proof of Personhood”
- Pantera Capital — “World: A Mission Critical Identity Solution”
- Forbes — “OpenAI Is Building a Social Network with Proof of Personhood” (2026.04)
- CryptoNews — “Sam Altman’s World Taps Coinbase’s Open Protocol to Verify Humans Behind AI Agents”
- Apple Developer — Passkey documentation
- Microsoft Security — Passkey adoption report (99% account compromise reduction)
- FIDO Alliance — 2026 member list + 5B cumulative registration announcement
- Imperva — 2026 Bad Bot Report (51% bot traffic)
- European Commission — EUDI Wallet roadmap + eIDAS 2.0 regulation
- Aembit — “IAM for Agentic AI: The New Perimeter of Trust in 2026”
- Help Net Security — “Cyber valuations climb” (2026-02-25)
- The Block — “Ripple, Franklin Templeton join $5 million seed round for t54 Labs”
- NEC Press — “Indicio secures investment from NEC X”
- Okta Ventures — “The 2026 Identity 25”
- Defakto — official site, Series A/B announcement
- CrowdStrike — 2025 Global Threat Report
- Visa — “Intelligent Commerce” 2025 announcement
- Mastercard — “Agentic Payments” 2025 announcement
- W3C — Verifiable Credentials Data Model