nextbig.dev
Vancouver, B.C. · Intelligence on AI and the machines that run it

We Gave Agents Accounts Before Identities

Cloudflare hands agents live infrastructure in seconds while Claude makes humans verify who they are. That asymmetry is the next breach.

[Illustration: a border-style checkpoint with a long human queue waiting at an ID booth on one side and an empty fast lane beside it, where a faceless automaton walks straight through carrying a ring of keys with no name tag.]

An agent typed a deploy command last week and had a live Worker answering requests a few seconds later. No email confirmation, no credit card, no human clicking a link in an inbox. Cloudflare built that fast lane on purpose, shipping temporary Workers accounts for AI agents so software can stand up infrastructure without hitting a signup wall designed for people.

The same week, a developer opening Claude got asked to prove who they were. Anthropic rolled out identity verification, and the Hacker News thread ran 582 comments deep arguing about it. Hold those two facts next to each other. Humans are getting more friction at the door. Agents are getting a side entrance. Provisioning has outrun authentication, and the question your systems cannot answer yet is the cheap one: which agent is this, and who is it acting for. That gap breaks production before any model-quality problem does.

Humans verify, software walks in

For thirty years auth meant proving a visitor was a person. CAPTCHAs, email loops, SMS codes, KYC, the whole apparatus exists to slow down anything that is not a human with a pulse and a phone. The verification step Anthropic just added is that apparatus, aimed at the people who are easiest to identify anyway.

"We built three decades of auth to prove a visitor was human. The fastest-growing visitor on the internet now isn't, and we have no equivalent door for it."

Cloudflare's move is the honest one. Agents need to act, and a signup flow built around inbox confirmation is a wall an agent cannot climb without a human babysitter, which defeats the point. So they cut a hole in the wall. The trade is explicit in the feature itself: an agent gets a live Worker in seconds, and in exchange you lose the one chokepoint where you used to learn something about who was provisioning what. Speed went up. Provenance went to zero.

For builders this is not a Cloudflare story. Every SaaS that wants agent traffic faces the same fork. You either make agents climb a human wall, which they will route around with a stolen human credential, or you let them in fast and accept that your account table now contains entities you cannot describe. Most teams are picking the second option without admitting it.

Every release this week added power, not provenance

Look at what shipped, and notice what each thing grants. OpenAI gave Codex Record and Replay, so an agent watches you file an expense once and then does it forever. Cursor shipped /automate, where you describe a recurring job in plain language and the agent wires up its own triggers and tools. ByteDance's Lark CLI hands agents authenticated access to Messenger, Docs, Sheets, Mail, and Calendar across 200-plus commands. Stably's Orca runs a fleet of parallel agents under your own subscription.

Each of these is a capability shipped with no matching identity primitive. Record and Replay turns a one-time demo into a standing actor that submits expense filings, and the audit trail records your name, because the agent is acting as you. The Lark CLI's whole pitch is that it acts with your permissions across your company's communication surface. Orca's pitch is twenty agents acting at once, each with whatever credential you handed the runner. None of them ships a scoped, revocable, attestable credential that says this specific agent, acting for this principal, may do these things until this time.

The daily-briefing read this week was that the agent is becoming a user of your software rather than a wrapper around it. True, and it understates the problem. A user, you can name. A user has a row, a login history, a thing you can revoke. What we are provisioning instead is a swarm of actions performed under a human's borrowed authority, with the human's name on the log and no way to tell the agent's run apart from the person's. That is not a user. It is impersonation with a feature flag.

The bill is already arriving

The attack surface is not theoretical, and it showed up in the same week's news. A developer documented a backdoor delivered through a LinkedIn job offer, malicious code wrapped in a take-home coding task, the kind of thing that lands in your repo through a single npm install. Separately, a researcher found 10,000 GitHub repositories distributing trojan malware. Ten thousand. That is the supply chain your agents are pulling from right now, on your behalf, with your tokens, while you watch a progress bar.

The credential sprawl compounds it. One trending repo, freellmapi, stacks the free tiers of sixteen LLM providers behind a single endpoint with "encrypted keys" and automatic failover. Read that as sixteen sets of credentials, routed automatically, optimized for nobody noticing which provider served which request. The pattern scales to every agent stack: more keys, more endpoints, less ability to answer who used what. And the people who study auth for a living spent the week arguing you should stop using JWTs, because even the token format we lean on for service identity is a foot-gun in practice. We are layering autonomous actors on top of a foundation its own practitioners say is cracked.

Run the timeline. Cloudflare provisions an agent in seconds. The npm or GitHub payload installs in seconds. The compromised agent acts under your delegated authority for as long as that credential lives, which for most teams is forever, because nobody scopes or expires the keys handed to agent runners. The window between provision and damage is now measured in the same unit as the convenience that opened it.

What to do before you scale the fleet

The defensive primitive is the same one the offensive trend exposes, and one team already used it well this week: the LinkedIn backdoor was the kind of payload a read-only review agent catches before install. So treat identity and review as infrastructure.

None of this is exotic. It is the boring discipline that one widely shared essay this week argued AI demands more of, not less. The teams that win the next year are the ones that can answer, for any action in their logs, which agent did it and who it was acting for. The teams that lose will still be answering "a script, with an API key, sometime last quarter."
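What that primitive looks like at its smallest, as an added illustration and not code from Cloudflare, Anthropic or any product named above: a credential that names the agent and the human principal separately, carries an explicit scope list and an expiry, can be revoked on its own without touching the human's account, and leaves an audit entry attributed to the agent rather than only to the person. The signing key, agent name, principal and scope strings are constructed for the example; a real issuer would use asymmetric keys in a managed KMS rather than a shared HMAC secret.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-signing-key"  # placeholder; a real issuer uses a managed key


def issue(agent_id, principal, scopes, ttl_s, now=None):
    """Issue a credential naming the agent, the human it acts for, its scopes and an expiry."""
    now = time.time() if now is None else now
    claims = {"agent": agent_id, "principal": principal, "scopes": sorted(scopes),
              "iat": now, "exp": now + ttl_s}
    claims["jti"] = hashlib.sha256(json.dumps(claims, sort_keys=True).encode()).hexdigest()[:16]
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Checks a credential on every action and attributes each decision to agent and principal."""

    def __init__(self):
        self.revoked = set()  # token ids; revoking an agent never touches the human's own account
        self.audit = []       # one entry per decision, naming the agent run, not just the human

    def _claims(self, token):
        body, _, sig = token.rpartition(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return json.loads(base64.urlsafe_b64decode(body)) if hmac.compare_digest(sig, expected) else None

    def revoke(self, token):
        claims = self._claims(token)
        if claims is not None:
            self.revoked.add(claims["jti"])

    def authorize(self, token, action, now=None):
        """Return True only if the credential is intact, unexpired, unrevoked and in scope."""
        now = time.time() if now is None else now
        claims = self._claims(token) or {}
        if not claims:
            reason = "bad-signature"
        elif now >= claims["exp"]:
            reason = "expired"
        elif claims["jti"] in self.revoked:
            reason = "revoked"
        elif action not in claims["scopes"]:
            reason = "out-of-scope"
        else:
            reason = "ok"
        self.audit.append({"agent": claims.get("agent"), "principal": claims.get("principal"),
                           "token": claims.get("jti"), "action": action, "decision": reason})
        return reason == "ok"
```

Every log line now carries the agent id and the token id, so an agent's run can be told apart from the person it acts for, and expiring or revoking the token ends that run without locking the human out.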

Our Call

Agent identity becomes a named product category before model parity stops being the headline. By March 31, 2027, at least one of the top five cloud or identity platforms (AWS, Google Cloud, Azure, Cloudflare, Okta) ships a generally available agent identity primitive: a credential issued to an agent, scoped and revocable independently of any human account, with per-agent audit attribution. This call is wrong if, by that date, none of those five has shipped such a primitive to GA, and agent access is still provisioned through reused human OAuth flows and shared API keys.
