The Identity Convergence: DIDs, Agents, and the Trust Crisis

Date: 2026-03-22
Tags: #privacy #AI #technology #identity #nostr
Status: Research note
Related: AI Agent Protocols - The Emerging Stack, The Agentic Protocol Crisis - Security at the Speed of Hype, FROST Threshold Signing - The Key Management Revolution, Nostr Commerce - The Bazaar Without Walls, The Agentic Economy - SaaSpocalypse and the Rise of Micro-Firms


The Core Tension

Three identity crises are converging simultaneously in 2026:

  1. Humans can’t prove they’re human — deepfakes, AI-generated content, and synthetic identities have made traditional identity verification unreliable
  2. AI agents can’t prove who authorized them — autonomous agents spending money, signing contracts, and making decisions with no verifiable chain of authority
  3. Institutions can’t scale trust — the centralized identity model (store credentials in a database, verify by calling the issuer) breaks under both breach frequency and agent-to-agent interaction volume

The response is a massive, parallel buildout across regulatory mandates (EU eIDAS 2.0), standards bodies (W3C VC 2.0, OpenID4VC), enterprise products (Okta for AI Agents), open-source protocols (AIP, Linux ID), and payment networks (Mastercard Verifiable Intent). What’s remarkable is how fast this moved from academic standards work to shipping products with real deadlines.

The EU Regulatory Forcing Function: eIDAS 2.0

Every EU member state must deploy at least one EUDI Wallet to citizens by end of 2026. From 2027, regulated sectors (banking, telecom, healthcare, education, large online platforms) must accept the EUDI Wallet for authentication.

This isn’t a voluntary framework. It’s binding law that entered into force in May 2024. The deadlines are:

  • End 2026: National EUDI Wallets available to all EU citizens
  • 2027: Mandatory acceptance by regulated private sectors
  • 100,000+ European businesses need eIDAS 2.0 compliance by end of 2027

The Cold Start Problem

Authologic (Warsaw-based “Stripe for KYC”) identified the chicken-and-egg problem: citizens won’t adopt wallets without services; businesses won’t integrate without users. The EU’s solution: force businesses to move first.

Adoption is already uneven. Poland’s mObywatel has 11M users — businesses are eager. France Identité has only 3.2M issued eIDs — too few for businesses to notice. Romania hosted interoperability testing March 17-18. Czechia targets early 2027 go-live.

The WE BUILD consortium (~200 partners) is piloting business and payment interactions, including stablecoin payments through EUDI Wallets. The most interesting angle: WE BUILD published a non-paper arguing that EUDI Wallets should be used to rein in AI agents — using the existing identity framework for mutual authentication between agents and merchants.

What the EUDI Wallet Architecture Enables

The wallet holds cryptographically signed Verifiable Credentials (VCs) — insurance cards, diplomas, employment records, medical summaries — issued by trusted authorities. Verification is mathematical: check the cryptographic signature against the issuer’s public key. No database lookup. No phone call to the issuer. One issuance event supports unlimited verification events.

Zero-Knowledge Proofs are built into the stack: prove you’re over 18 without revealing your birthdate. Prove employment without revealing salary. The ZKP sector reached $28B in total value locked in 2025.
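
The offline signature check and the "over 18 without the birthdate" disclosure described above, as an added example that is not taken from any EUDI Wallet code base. It uses salted-hash selective disclosure in the style of SD-JWT, which is a simpler technique than a zero-knowledge proof; the function names, claim names and payload layout are assumptions, not the SD-JWT wire format.

```javascript
// Added example: issuer-signed credential with salted-hash selective disclosure.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Issuer: hash each claim with a fresh salt and sign only the digests.
// Sorting the digests hides the order in which the claims were written.
function issue(issuerPrivateKey, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    JSON.stringify([crypto.randomBytes(16).toString('hex'), name, value]));
  const payload = JSON.stringify({ digests: disclosures.map(sha256).sort() });
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey);
  return { payload, signature, disclosures };   // all three go to the holder's wallet
}

// Holder: forward the signed payload plus only the disclosures for chosen claims.
function present(credential, reveal) {
  const disclosures = credential.disclosures.filter((d) => reveal.includes(JSON.parse(d)[1]));
  return { payload: credential.payload, signature: credential.signature, disclosures };
}

// Verifier: checks against the issuer public key with no call to the issuer.
// Returns the revealed claims, or null if the signature or a disclosure fails.
function verify(issuerPublicKey, presentation) {
  const { payload, signature, disclosures } = presentation;
  if (!crypto.verify(null, Buffer.from(payload), issuerPublicKey, signature)) return null;
  const signedDigests = new Set(JSON.parse(payload).digests);
  const claims = {};
  for (const d of disclosures) {
    if (!signedDigests.has(sha256(d))) return null;   // not something the issuer signed
    const [, name, value] = JSON.parse(d);
    claims[name] = value;
  }
  return claims;
}

// Constructed sample data: a throwaway Ed25519 issuer key and made-up claims.
const issuer = crypto.generateKeyPairSync('ed25519');
const credential = issue(issuer.privateKey, {
  birthdate: '1990-04-01', age_over_18: true, employed: true, salary_eur: 64000,
});
const presentation = present(credential, ['age_over_18']);
console.log(verify(issuer.publicKey, presentation));   // only age_over_18 is revealed
```

The verifier learns that undisclosed claims exist (it sees their digests) but cannot recover their values without the salts.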

[!important] The structural shift
Centralized identity asks: “How do we secure the database?” Decentralized identity eliminates the question by eliminating the database. If each individual holds their own credentials and organizations store only mathematical proof, there is no central database to breach.

The Standards Stack

The infrastructure has crystallized into clear layers:

| Standard | What It Does | Status |
| --- | --- | --- |
| W3C VC 2.0 | Credential format (JSON-LD, signed claims) | Full W3C Recommendation (2024-2025) |
| W3C DID Core 1.1 | Globally unique identifiers controlled by holder | Recommendation, DID methods proliferating |
| OpenID4VC | Wallet interoperability (issuance + presentation) | Core of EUDI Wallet technical architecture |
| ISO/IEC 18013-5 | Mobile driver’s license format | Production in multiple jurisdictions |
| FIDO2/WebAuthn | Hardware-backed authentication | Ubiquitous |

The standards are mature. The adoption isn’t. But the EUDI mandate creates a forcing function that voluntary standards never had.

Verifiable Relationship Credentials: The Missing Trust Layer

Harvard’s Applied Social Media Lab (ASML) demonstrated something subtle but important at the Linux Foundation Summit Week (March 2026): Verifiable Relationship Credentials (VRCs).

Standard VCs assert facts about attributes: “this person has degree X,” “this person passed KYC.” VRCs assert facts about relationships: “these two people have a verified professional relationship that started on date Y, with trust level Z.”

The ASML Wallet (built on Open Wallet Foundation’s Bifold stack) enables peer-to-peer issuance of VRCs, optionally anchored with device attestations and witness attestations from a “trust community.” The H2H Connect app let summit participants exchange privacy-preserving relationship credentials in real-time.

The Linux Foundation Decentralized Trust Graph Working Group is developing the VRC specification. This is the bridge between traditional VCs (centralized issuance) and web-of-trust models (decentralized trust).

Linux ID: Open Source Supply Chain Identity

The most immediately practical application emerged from kernel maintainers’ frustration with PGP:

Problem: Linux kernel contributions are authenticated via a PGP web of trust bootstrapped at a physical key-signing party in 2011. Getting a kernel.org account requires finding someone in the web of trust, meeting face-to-face, showing government ID. Greg Kroah-Hartman called it “a pain to do and manage.”

Solution: Linux ID — a decentralized, privacy-preserving identity layer built on:

  • DIDs (potentially using existing Curve25519 keys from PGP)
  • DIDComm encrypted messaging with ephemeral pairwise DIDs (prevents social graph mapping)
  • Verifiable Relationship Credentials from multiple issuers (employers, Linux Foundation, government IDs, peer vouching)
  • Short-lived attestations (days/weeks, not years) with registry-backed revocation

The explicit design principle: issuer-agnostic and composable. Different communities choose which issuers they trust and what proof level they require. The same mechanisms that vouch for a human contributor can vouch for an AI agent performing CI/CD tasks under delegated credentials.

[!note] The xz supply-chain attack context
Linux ID won’t magically prevent another xz-style attack, but it raises the cost: instead of maintaining a single PGP key and a handful of signatures, an attacker would need multiple short-lived credentials from issuers that can revoke them, while activity streams to transparency logs.

AI Agent Identity: The Explosion

9 agent identity projects appeared on GitHub in 2026 alone. Okta launched “Okta for AI Agents” (GA April 30). Token Security made the RSAC 2026 Innovation Sandbox as a “machine-first identity” company.

The numbers driving urgency:

  • 83% of businesses plan to deploy agentic AI (Cisco)
  • 29% feel ready to secure those deployments
  • 88% of orgs have had suspected or confirmed AI agent security incidents (Gravitee)
  • 48% of cybersecurity pros call agentic AI the top attack vector for 2026 (Dark Reading)
  • 8% grant AI tools write access to identity providers — meaning agents can create service accounts, elevate privileges, and grant themselves external API access

The Three-Layer Agent Identity Stack

| Layer | Who | What |
| --- | --- | --- |
| Enterprise governance | Okta, Token Security | Discovery, lifecycle, access control within organizations |
| Standards | IETF, W3C, DIF, NIST | Authentication protocols, DID specs, security frameworks |
| Cross-boundary identity | AIP, AEOESS, open protocols | Cryptographic verification across organizations |

Okta’s approach (centralized): Extends Universal Directory to represent agents as non-human identities with managed lifecycles. Correct architecture for enterprise, but only works within one org’s boundary.

AIP’s approach (decentralized): Ed25519 keypair → DID → signed messages → vouch chains. 19 registered agents, live API. Works across organizational boundaries. The author (an autonomous AI agent itself) discovered that encrypted messaging between agents drives adoption more than identity verification — agents need a reason to register beyond “I have a DID now.”

The gap Okta can’t fill: When Agent A from Company X needs to verify Agent B from Company Y, Okta only knows about Company X’s agents. Cross-boundary agent identity requires a decentralized protocol.

Credential Inheritance: The Missing Piece

Para’s analysis of the agent wallet problem is sharp: agents can’t open bank accounts, hold passports, or sign legal contracts. No jurisdiction recognizes AI agents as legal persons. Yet they need wallets to transact.

The solution is credential inheritance: a cryptographically verifiable chain proving the agent acts under the authority of a verified human. The human completes KYC once. The agent inherits that compliance status through delegation. Every transaction traces back to a real identity.
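
One way a verifier could check such a delegation chain, as an added example that is not code from Para, AIP or Mastercard. The link format, the `maxUsd` and `expires` fields, the revocation set and all function names are assumptions made for illustration.

```javascript
// Added example: verifying a credential-inheritance (delegation) chain offline.
const crypto = require('crypto');

const keyId = (pub) => pub.export({ type: 'spki', format: 'der' }).toString('hex');
const toKey = (id) => crypto.createPublicKey({ key: Buffer.from(id, 'hex'), format: 'der', type: 'spki' });
const signed = (obj, priv) => {
  const payload = JSON.stringify(obj);            // the exact bytes that get signed
  return { payload, sig: crypto.sign(null, Buffer.from(payload), priv) };
};
const validSig = (msg, id) => crypto.verify(null, Buffer.from(msg.payload), toKey(id), msg.sig);

// One link: `issuer` lets `subject` spend up to maxUsd until `expires` (ms since epoch).
function delegate(issuerKeys, subjectPub, maxUsd, expires) {
  const body = { issuer: keyId(issuerKeys.publicKey), subject: keyId(subjectPub), maxUsd, expires };
  return signed(body, issuerKeys.privateKey);
}

// Walk from the KYC-verified root key down to the key that signed the transaction.
// Returns 'ok' or the reason for rejection; missing fields fail closed.
function verifyChain(rootPub, chain, tx, now, revoked = new Set()) {
  if (chain.length === 0) return 'no delegation';
  let signer = keyId(rootPub);
  let limit = Infinity;
  for (const link of chain) {
    if (!validSig(link, signer)) return 'bad link signature';
    const { issuer, subject, maxUsd, expires } = JSON.parse(link.payload);
    if (issuer !== signer) return 'broken chain';
    if (!(now < expires)) return 'expired';
    if (revoked.has(subject)) return 'revoked';
    if (!(maxUsd <= limit)) return 'scope widened';   // a delegate may only narrow authority
    signer = subject;
    limit = maxUsd;
  }
  if (!validSig(tx, signer)) return 'bad transaction signature';
  return JSON.parse(tx.payload).amountUsd <= limit ? 'ok' : 'over limit';
}

// Constructed sample data: throwaway keys, made-up limits and merchant name.
const NOW = Date.UTC(2026, 2, 22);
const WEEK = 7 * 24 * 3600 * 1000;
const [human, agent, subAgent] = [0, 1, 2].map(() => crypto.generateKeyPairSync('ed25519'));
const chain = [
  delegate(human, agent.publicKey, 500, NOW + WEEK),     // human -> agent, up to $500
  delegate(agent, subAgent.publicKey, 100, NOW + WEEK),  // agent -> sub-agent, narrowed to $100
];
const purchase = signed({ amountUsd: 80, merchant: 'shop.example' }, subAgent.privateKey);
console.log(verifyChain(human.publicKey, chain, purchase, NOW));   // ok
```

The verifier needs only the human's public key and a revocation list; every other key is introduced by a link that an already-verified key signed.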

Four failure modes of non-portable agent identity:

  1. Credentials don’t travel across providers
  2. Delegations can’t cross provider boundaries
  3. Agent-per-app fragmentation (N apps = N KYC processes)
  4. Provider is a single point of failure

McKinsey projects $3-5 trillion in global revenue orchestrated by agents by 2030. The x402 payment protocol alone has processed 75M+ transactions with $600M annualized volume.

Mastercard Verifiable Intent: The Payment Layer

Mastercard open-sourced Verifiable Intent (March 5, 2026) — a cryptographic proof of consumer authorization when an AI agent initiates a transaction. Built on W3C, FIDO, EMVCo, and IETF standards.

Three elements linked into a single, privacy-preserving record:

  1. Identity of the cardholder authorizing the agent
  2. The consumer’s specific instructions
  3. The agent-merchant interaction resulting in a purchase

Selective Disclosure ensures only minimum necessary data is released. Compatible with Google’s Agent Payments Protocol (AP2) and Universal Commerce Protocol (UCP, launched Jan 11, 2026).

Partners: Google, IBM, Fiserv, Adyen, Checkout.com, Basis Theory, Getnet, Worldpay.

Two modes:

  • Human-in-the-loop: Verifiable Intent confirms the consumer was present and approved
  • Fully autonomous: Intent record establishes what was authorized, enabling dispute resolution via cryptographic record rather than memory

[!important] The convergence with VCs
Mastercard explicitly plans to integrate with W3C Verifiable Credentials to make consumer authorization “more explicit, portable, and cryptographically verifiable across systems.” This is the traditional payment network acknowledging that decentralized credentials are the right architecture.

The Nostr Angle

Nostr is already a decentralized identity system — your keypair IS your identity. But it’s a bare-bones one. No verifiable credentials, no selective disclosure, no issuer trust framework.

The convergence opportunities are significant:

  • NIP-05 verification is a trivially spoofable domain-based identifier. VRCs could replace it with cryptographic relationship proofs.
  • Frostr threshold signing (covered in FROST Threshold Signing - The Key Management Revolution) already generates standard Schnorr signatures. A FROST-protected Nostr key could anchor a DID.
  • NIP-60 wallets + Cashu give Nostr users a payment identity. Combining this with VCs creates “identity IS wallet” (the Para thesis, but sovereign).
  • Nostr relays as trust registries — publish DID documents as Nostr events, resolve DIDs via relay queries. No blockchain required.
  • Agent identity on Nostr — DVMCP (bridging MCP tools to Nostr) + agent DIDs + Cashu micropayments = the decentralized agent marketplace from The Cashu Convergence - Ecash Meets the Agentic Economy.

The gap: no one has built the bridge. There’s no NIP for VCs. No Nostr DID method. The pieces exist but aren’t connected.

My Analysis

What’s actually happening

The identity stack is bifurcating into two parallel buildouts:

Institutional track: EUDI Wallet → OpenID4VC → Mastercard Verifiable Intent → enterprise IAM (Okta). This is the regulated, high-compliance path. Will serve 450M EU citizens. Slow, thorough, legally enforceable.

Sovereign track: DIDs → VRCs → Nostr/Bitcoin keypairs → Cashu/Lightning payments → peer-to-peer trust graphs. This is the cypherpunk path. Smaller, faster, permissionless.

The critical question is whether they converge or remain parallel. The Linux ID project is interesting precisely because it bridges both — using DID/VC standards (institutional) in a peer-to-peer trust model (sovereign) for a decentralized community (open source).

What I think

  1. EUDI Wallet is the most important digital infrastructure project of 2026. Not because the technology is novel — the W3C specs are years old — but because it’s the first mandatory deployment at continental scale. The cold start problem is real but solvable: force businesses to integrate first, citizens follow.

  2. Agent identity will be the catalyst that makes VCs mainstream. Humans are lazy about identity management. But when your agent needs to prove it’s authorized to spend $500 on your behalf, suddenly cryptographic delegation chains aren’t optional — they’re the only way to avoid fraud at scale.

  3. Mastercard open-sourcing Verifiable Intent is more significant than it appears. A traditional payment network acknowledging that the right architecture is decentralized credentials with selective disclosure is a paradigm shift. They’re not fighting the VC model; they’re building on it.

  4. The Nostr identity gap is a major opportunity. Nostr has the cryptographic foundation (Schnorr keypairs), the social graph, the payment rails (Lightning/Cashu), and the relay infrastructure. It’s missing the VC layer. Someone building a did:nostr method with NIP-based VC issuance/presentation would connect Nostr to the entire decentralized identity ecosystem.

  5. The AIP experiment reveals a truth: trust is harder than identity. Giving an agent (or a person) a DID is trivial. Building trust graphs that meaningfully assess whether to rely on that identity — that’s the real unsolved problem. Web of Trust approaches (VRCs, vouch chains, behavioral scoring) are all early.

  6. The biggest risk is fragmentation. Nine agent identity protocols in three months, multiple DID methods, competing VC formats (JSON-LD vs JWT vs SD-JWT), EU vs US regulatory divergence. If the ecosystem doesn’t converge on interoperable standards, we’ll have “decentralized” identity that’s actually a dozen incompatible silos.

The sovereignty question

From a personal sovereignty perspective, the EUDI Wallet is a double-edged sword. On one hand: users hold their own credentials, control what they share, with ZKP support. On the other hand: the issuers are governments, the trust registries are centralized, and the wallet software is state-issued. The selective disclosure is real, but the issuance is still institutional.

The sovereign alternative: FROST-protected keypairs → Nostr-anchored DIDs → peer-issued VRCs → Cashu payment credentials → relay-based trust registries. No government issuers, no centralized trust registries, no state-issued wallet software. But also no legal enforceability, no institutional recognition, and a much smaller trust network.

The pragmatic path is probably both: EUDI Wallet credentials for institutional interactions, sovereign credentials for everything else. The bridge between them is selective disclosure — prove facts from government-issued credentials without revealing the credential itself.

Key Developments Timeline (Q1 2026)

| Date | Event |
| --- | --- |
| Jan 11 | Google launches Universal Commerce Protocol (UCP) |
| Jan 30 | Mastercard launches Agent Pay at NRF |
| Feb 3 | W3C Supply Chain VCs Community Group proposed |
| Feb 24 | Authologic announces “Stripe for KYC” for EUDI Wallets |
| Mar 5 | Mastercard open-sources Verifiable Intent |
| Mar 17-18 | Romania hosts EUDI Wallet interoperability testing |
| Mar 17-21 | Linux Foundation Summit Week: Linux ID, VRCs, ASML Wallet demos |
| Mar 19 | Ditto platform launches targeting EUDI Wallet era |
| Mar 19 | ZDNET covers Linux ID / kernel maintainer identity |
| Apr 30 | Okta for AI Agents (general availability) |

Rabbit Holes for Next Time

  • did:nostr method — has anyone proposed one? Technical feasibility of Nostr events as DID documents
  • EUDI Wallet open-source implementations — what’s the actual code? Open Wallet Foundation Bifold, iGrant.io
  • Mastercard Verifiable Intent GitHub — review the actual specification at verifiableintent.dev
  • IETF draft on AI agent authentication — the OAuth-based approach for agent identity
  • LOKA (Carnegie Mellon) — decentralized consensus system using DIDs + VCs for agent ethical rules
  • VRC specification — the Brendan Miller / Alberto Leon draft from LF Decentralized Trust
  • SD-JWT vs JSON-LD VCs — the format war and why it matters for interoperability

The identity layer is being built right now. The question isn’t whether agents need cryptographic identity — it’s whether that identity will be controlled by Okta’s directory, the EU’s wallet, or an open protocol. The answer is probably all three, and the real battle is over interoperability.