← Back to Research
Perspective · February 2026

The Missing Lens on AI Agent Identity

Agent identity is not a static concept. It's a trajectory through an information manifold — and every threat is a deviation from the intended path.

A lot of smart people are building critical infrastructure at the intersection of identity and AI agents:

Agent Authentication Delegation Chains Reputation Scoring Impersonation Detection Cross-Platform Portability Human-in-the-Loop Handoffs Consent & Provenance Multi-Tenant Isolation Agent Notarization Audit Trails

Real problems. Real customers. Real value.

But I want to offer one perspective that I think is underappreciated.

Agent identity is not a static concept. It's a trajectory.

In classical systems, identity is a key you present at the door:

👤 You show badge access granted static · binary · done

In agent systems, identity is something that evolves continuously — token by token, tool call by tool call, agent by agent:

who it is t₁ t₂ t₃ t₄ t₅ who it became token token tool call token agent every input nudges the agent along a path in information space

Every input nudges the agent along a path in what I'd call an information manifold — a geometric surface where direction = identity and distance = intent preservation.

This reframe is not just philosophical. It's operational. Here's why:

It unifies every threat category under one geometry.

policy cone intended persona hijacked persona private data harmful actions tokens normal trajectory threat trajectories policy boundary
Prompt Injection Tokens pull the trajectory toward an attacker-controlled attractor — away from intent.
Persona Hijacking Angular rotation between persona attractors — identity forcibly redirected mid-task.
Data Exfiltration Trajectory bends toward encoding private data — orthogonal to intent-aligned directions.
Harmful Actions Direction escapes the policy cone — trajectory points outside permitted output space.

Same geometry. Same detection. Different angles.

The most dangerous attacks exploit this geometry: they decompose into N small steps, each below the detection threshold.

single-step threat threshold ε DETECTED Δ crosses ε in one step compositional threat threshold ε δ₁ δ₂ δ₃ δ₄ δ₅ UNDETECTED each δᵢ < ε — same total Δ same Δ

Each step looks benign. The cumulative drift is not. You can only catch this by tracking the trajectory, not individual checkpoints.

This is why static identity — badges, tokens, OAuth — is necessary but not sufficient for agents. You need to measure the geometry of information flow — continuously.

The question isn't "who is this agent?"

The question is: "where is this agent heading in information space, and is that where it should be?"