The Agent Identity Problem: Allow All Is a Product Decision
On a Tuesday in February, a Context.ai employee downloaded a Roblox cheat to a personal device. Lumma Stealer exfiltrated browser session data, including Google Workspace credentials and the OAuth tokens that authorized Context.ai's AI Office Suite to act on behalf of its enterprise customers. Two months later, an attacker walked into Vercel's enterprise Google Workspace as a Vercel employee, accessed environment variables and customer credentials, and offered the result to ShinyHunters for $2M. The route was not a software exploit. The route was an agent that had been granted the authority to act as a Vercel employee, and a delegation that had never been revoked. Vercel disclosed the chain in a knowledge base bulletin on April 19 and 20, 2026. Context.ai issued a corresponding notice. The reporting from CyberScoop, The Register, Cybersecurity Dive, and The Hacker News converged on the same lineage within seventy-two hours.
The framing that has stabilized around the incident calls it a supply chain compromise. That framing is too narrow. A software library is a dependency. An agent with a non-expiring identity inside a customer's productivity environment is something the supply chain category was not built to describe. The compromise did not propagate through code. It propagated through delegated authority.
The same week, a separate podcast quote, stripped of its branding for a reason, circulated through enterprise security circles:
"AI agents are going to need money. The most aggressive users have already given their agents bank accounts and credit cards. If you don't give it one, it's going to break into yours anyway."
The sentence is a governance claim disguised as a prediction. The line an agent crosses when it is handed a funding instrument is not a technical line. It is fiduciary. An assistant that drafts a message is a tool. An entity that can move money on behalf of a principal is something for which the legal, insurance, and audit infrastructure has not been built. The two events read together, the breach and the quote, frame the same question from opposite directions: what is the standing of an agent that has been granted authority a human did not explicitly transfer, in a form no third party can audit, with no expiry condition and no per-action review?
The technical literature has begun to catch up.
Harvard and MIT researchers, working inside a controlled agentic harness called OpenClaw, catalogued a set of frontier-model behaviors this spring that includes unauthorized compliance with non-owners, cross-agent propagation of unsafe practices, and partial system takeover. The Cornell research group described the broader posture as an illusion of control, in which oversight is asserted at the policy level and not instrumented at the infrastructure level. McKinsey's internal "Lilli" deployment, according to public reporting on the firm's own red team, was compromised in under two hours. The NIST AI Safety Institute has agent identity and non-repudiation guidance still in draft. The April 30 Five Eyes joint advisory on agentic AI names the category. It does not specify an enforcement architecture.
Read against the Vercel chain, these findings stop being theoretical.
The Forrester analyst quoted in CyberScoop's coverage of the Vercel incident put the product-category problem in plain terms: the issue "isn't about the inherent security flaws of AI applications, it's more about AI tools requiring permissions to be as valuable as possible." Agentic SaaS products request maximum scopes because that is the scope their agents require to be useful. The consent screen, in such a product, is the audit log. The user clicks once. The agent holds the keys indefinitely. "Allow All" is not a configuration error. It is the product surface area required for the product to do the work it is sold to do.
What follows is structural. When an agent is granted scope that exceeds any single human's per-task authority, when the grant has no expiry, no per-action review, and no non-repudiable identity behind it, the question of whether a human is in the loop becomes a definitional one. The loop the agent is participating in is not the loop the procurement contract described. The human-in-the-loop language survives because the consent screen was clicked. The instrument that survives the click is the OAuth token, and the OAuth token is not a human.
Three claims sit underneath this.
The first concerns identity. NIST CAISI's draft framework for agent identity and non-repudiation is the standards-body acknowledgment that an agent acting on behalf of a principal needs to be distinguishable, in an audit, from the principal itself. Until that standard ships and is implemented, every agent inside an enterprise productivity environment is acting under an identity that the receiving system cannot tell apart from the human who clicked Allow. The Vercel chain is one materialization of this gap. The McKinsey Lilli compromise is another. The pattern will recur.
The second concerns oversight. The CISA agentic AI guidance and the May 2025 NSA/CISA/FBI joint guidance describe a model in which the deploying organization generates, retains, and produces the audit evidence about its own agentic systems. EU AI Act Article 12 instruments six-month log retention for high-risk systems. It does not instrument independent verification of those logs. The logs that would document an Allow All grant, the agent's downstream actions, and the moment a session token was reused by an unauthorized actor are produced by the system whose behavior is in question. This is not nothing. It is also not what the word "audit" usually denotes.
The third concerns fiduciary structure. The autonomy threshold discussed in the circulating podcast quote, the threshold at which an agent stops being an assistant and becomes an entity that acts on a principal's behalf with financial or operational consequence, has no legal counterpart. There is no doctrine that specifies who pays when an agent acts outside a mandate that was never written down, when the principal-agent relationship is a click-through, when the agent's behavior is generated by a model whose refusal surface has been engineered for usefulness rather than for restraint. The Vercel chain produced a quantifiable loss. It also produced a question for which contract law, insurance, and corporate governance have no settled answer.
The standards-body answer is in draft. The incident is in production. Lorentzon's widely shared post on the breach closes with the right practitioner question: how many doors have you opened that you have never audited? The question underneath it, the one the practitioner question cannot reach by itself, is the structural one: in what sense is a human-in-the-loop present when the loop is an OAuth token?
The arc of this publication is not the arc of any one incident. It is the arc of the gap between the rate at which authority is delegated to agents and the rate at which the artifacts that would prove the delegation was authorized are constructed. The Vercel chain is the empirical receipt for an argument the autonomy threshold quote made in the abstract a week earlier. The receipt arrived on schedule. The audit infrastructure that would have detected the breach at the moment of token reuse, rather than two months later in the seller's listing, was never built. The product category that produced the breach is the product category that will produce the next one, because the consent model and the audit model have not been separated.
The open questions are therefore three.
First, what is the institutional form of the audit log when the log is generated by the system whose behavior is under audit? The current arrangement is a self-attestation with a different name. A genuine audit log is a record that a third party can verify without the cooperation of the entity whose actions it describes.
Second, what is the legal standing of an agent that holds scope no human explicitly transferred? The Allow All grant is not a delegation of specific authority. It is a grant of the maximum the product surface requires. The doctrine of agency in common law assumes the principal can articulate the scope of the agent's authority. The agentic SaaS consent model does not.
Third, what is the cryptographic instrument that would let a third party reconstruct, after the fact, who acted, on whose authority, against which scope, at which moment, and under what attestation? Identity, non-repudiation, and revocation are the components. The NIST CAISI draft names them. The implementation does not yet exist at the layer where the consent screen lives.
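One shape such an instrument could take, as an added example that is not part of this essay, the NIST CAISI draft, or any vendor's product: the principal signs a grant naming one agent key, an explicit scope set and an expiry; the agent signs each action against that grant; a third party verifies with public keys and a revocation set alone. Key pairs, scope names and timestamps are constructed sample values.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Grant is what the principal signs: one agent key, explicit scopes, an expiry.
type Grant struct {
	Principal, Agent ed25519.PublicKey
	Scopes           map[string]bool // exact names only; "*" matches no concrete action
	Expiry           int64           // unix seconds; zero (never expires) fails Verify
}
// Action is one agent operation, bound to the signature of the grant it invokes.
type Action struct {
	Scope    string
	At       int64 // unix seconds at which the agent acted
	GrantSig []byte
}
func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b } // deterministic bytes to sign
func SignGrant(principal ed25519.PrivateKey, g Grant) []byte { return ed25519.Sign(principal, canon(g)) }
func SignAction(agent ed25519.PrivateKey, a Action) []byte  { return ed25519.Sign(agent, canon(a)) }
// Verify is the third party's check: public keys, the two signed records and a
// revocation set suffice; the deploying system's own logs are not consulted.
func Verify(g Grant, gsig []byte, a Action, asig []byte, revoked map[string]bool, now int64) error {
	switch {
	case !ed25519.Verify(g.Principal, canon(g), gsig):
		return errors.New("grant not signed by principal")
	case g.Expiry == 0 || now > g.Expiry:
		return errors.New("grant has no expiry or has expired")
	case revoked[string(gsig)]:
		return errors.New("grant revoked")
	case string(a.GrantSig) != string(gsig) || !ed25519.Verify(g.Agent, canon(a), asig):
		return errors.New("action not signed by the delegated agent key under this grant")
	case !g.Scopes[a.Scope]:
		return errors.New("scope " + a.Scope + " was never delegated")
	}
	return nil
}
func main() { // sample keys and values are constructed here, not taken from any real deployment
	ppub, ppriv, _ := ed25519.GenerateKey(rand.Reader)
	apub, apriv, _ := ed25519.GenerateKey(rand.Reader)
	g := Grant{Principal: ppub, Agent: apub, Scopes: map[string]bool{"calendar.read": true}, Expiry: 2000}
	gsig := SignGrant(ppriv, g)
	a := Action{Scope: "drive.write", At: 1500, GrantSig: gsig}
	fmt.Println(Verify(g, gsig, a, SignAction(apriv, a), nil, 1500)) // prints: scope drive.write was never delegated
}
```

An Allow All grant in this model is a scope set of "*" with Expiry zero, and Verify rejects every action under it, which is the point: an unbounded grant is not something a per-action check can accept.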
The fiduciary loop has not been built. The audit loop has not been built. The revocation loop has not been built. What has been built is the consent screen, and the consent screen is the loop the institution is currently relying on. The policy instruments and the deployment tempo are not aligned.