The Intent–Execution Gap
Issue Zero: A newsletter on the political layer of digital infrastructure.
This is the first issue of my newsletter. It has no schedule. It publishes when there is something to say.
The professional surface I work on covers regulated payments, agentic identity, AI & agentic governance in production, and the architecture of public computing. The throughline is this: scaling systems is straightforward; scaling systems that can be trusted is not. This newsletter tracks the standards, drafts, and political choices that determine whether digital infrastructure remains correctable by the people it operates on.
Today’s issue is about an identity standards problem. Future issues may be about something else.
The Intent–Execution Gap
For over two decades, the internet’s identity layer has answered two questions: who is acting, and what are they permitted to access. SAML, OAuth, and OIDC all rested on a quiet assumption: the entity initiating the request was the same entity that wanted the action to occur. User and intent collapsed into one principal.
Autonomous agents break that assumption.
When an AI system invokes a tool on your behalf, three elements that used to be indistinguishable become separate. There is the user, the human who originally authorized the action. There is the agent, the software deciding how to fulfill the prompt. There is the action, the API call that lands at a protected resource. In the traditional model, all three were a single principal. In an agentic model, they are separate actors with separate trust properties, often operating days or weeks apart from the original context.
Within the IETF, the draft on Agentic JWT has named the space between these actors. They call it the intent–execution gap.
It is the most important phrase in identity standards work right now, and almost nobody outside the working groups is using it.
What the gap actually is
A user tells an agent to book a flight to New York for under five hundred dollars. The agent searches, evaluates tradeoffs, selects an itinerary, and calls a booking API.
Between the human instruction and the machine execution, a sequence of implicit choices happens. The agent interprets “under five hundred”: does it include taxes, fees, baggage? It weighs carrier preferences. It picks a fare class. It decides whether to add a seat selection. The user authorized a goal. The agent executed a specific series of decisions.
When the booking happens, the protected resource sees an API request attached to a token. The token proves someone was authorized. It does not say what the human intended, who delegated the authority, what constraints were supposed to apply, or whether the action faithfully matches the original intent.
Authorization protocols were built to carry identity. They were not built to carry intent. When execution drifts from intent, the protocols have nothing to say about it.
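The flight booking above, as an added example that is not part of the original newsletter or of any IETF draft: a scope-only check accepts a booking that a resource holding the user's mandate would refuse. The mandate fields, the token's agent field, and the HMAC standing in for a signature are hypothetical, and the sketch assumes the user's limit was recorded as a total that includes taxes and fees.

```python
import hashlib
import hmac
import json

USER_KEY = b"constructed-demo-key"  # constructed; stands in for the delegator's key

def sign_mandate(mandate: dict, key: bytes) -> str:
    """MAC over a canonical JSON encoding of the mandate (hypothetical format)."""
    body = json.dumps(mandate, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def scope_only_check(token: dict, request: dict) -> bool:
    """All a bearer token lets the resource decide: is the action in scope?"""
    return request["action"] in token["scope"]

def mandate_check(token, mandate, sig, key, request):
    """Return (allowed, reason) by comparing the request with the signed mandate."""
    if not hmac.compare_digest(sig, sign_mandate(mandate, key)):
        return False, "mandate signature invalid"
    if mandate["delegator"] != token["sub"] or mandate["agent"] != token["agent"]:
        return False, "mandate not bound to this token"
    if request["action"] != mandate["action"]:
        return False, "action outside mandate"
    if request["destination"] != mandate["destination"]:
        return False, "destination outside mandate"
    # "Under five hundred" is enforced on the full amount charged, in cents.
    total = request["fare_cents"] + request["taxes_fees_cents"]
    if total >= mandate["max_total_cents"]:
        return False, f"total {total} not under {mandate['max_total_cents']}"
    return True, "within mandate"

# Constructed sample data: one token, one mandate, two agent requests.
TOKEN = {"sub": "user-1", "agent": "travel-agent-7", "scope": ["flights:book"]}
MANDATE = {"delegator": "user-1", "agent": "travel-agent-7",
           "action": "flights:book", "destination": "NYC",
           "max_total_cents": 50000}
MANDATE_SIG = sign_mandate(MANDATE, USER_KEY)
DRIFTED = {"action": "flights:book", "destination": "NYC",
           "fare_cents": 48000, "taxes_fees_cents": 6500}
FAITHFUL = {"action": "flights:book", "destination": "NYC",
            "fare_cents": 42000, "taxes_fees_cents": 6000}

if __name__ == "__main__":
    for name, req in (("drifted", DRIFTED), ("faithful", FAITHFUL)):
        print(name, "scope-only:", scope_only_check(TOKEN, req),
              "mandate:", mandate_check(TOKEN, MANDATE, MANDATE_SIG, USER_KEY, req))
```

Both requests pass the scope check; only the mandate check separates the booking that stayed under the limit from the one whose base fare did but whose total did not.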
Working groups are now iterating drafts to close this gap. AAuth, Agentic JWT, the OpenID Foundation’s AIIM landscape, AGNTCY under the Linux Foundation, NIST’s work on delegation chains, WIMSE workload identity: all attempts to retrofit intent into the infrastructure. They disagree on how. They agree on what.
Why this is a political fight, not a technical one
Standards bodies produce technical artifacts. The artifacts encode political assumptions. This is true across the stack, but it is acutely visible at the identity layer, because identity is where systems decide who counts.
Three structural assumptions are being negotiated right now, mostly without a public audience.
1. The Architecture of Survivable Incorrectness
Agentic systems will misinterpret intent. The architectural question is no longer how to engineer zero failure; it is whether failure contains itself or compounds. OAuth and OIDC were optimized for stolen credentials: a token is either valid or revoked. Agentic systems present a different worst case — an entity that is correctly credentialed and doing the wrong thing. That requires a different design philosophy. Karl McGuinness has been arguing this frame across his AAuth analysis and his Mission Shaping and Power of Attorney essays. The next AAuth revision will indicate whether survivable incorrectness has been adopted as a design constraint or treated as a nice-to-have.
2. The Mandate–State–Owner Triad
Every autonomous action implies three things: the mandate (what was authorized), the state (what the agent has done so far), and the owner (who is accountable when the action lands). The drafts disagree on how to represent these. Some collapse them into a single token. Some bury state inside the agent runtime. Some link ownership directly to credentials. These are not interchangeable engineering tradeoffs. They determine who ends up in court when an agent moves money to the wrong account or deletes a production database.
3. The Dispute Over Whose Key Signs the Action
The disagreement on cryptographic delegation is unresolved. Three options are live in the drafts: the user signs every downstream agent action (which limits autonomy), the agent receives delegated credentials (which creates a liability surface), or intermediate orchestrators form signing chains (which obscures accountability). Each option encodes a different theory of responsibility. Whichever method is formalized will become baked into foundational libraries, and will be very hard to change once deployed.
These are political choices. They are being made by the people who show up to the meetings. They will be lived with by everyone else.
The Structural Lens
A note on framing for future issues. The protocol-layer questions in this newsletter are not abstract. They map to a concrete structural question I have been working on at length: whether digital infrastructure remains correctable by the people it operates on. Five conditions — exit, inspectability, independent audit, binding governance, and reproduction rights — define whether a system is reversible or captive. The full argument is at anivar.net/corrigibility; future issues will return to these tests when a specific standard or deployment is worth examining through that lens.
For most issues, including this one, the lens stays in the background. The intent–execution gap is interesting on its own merits. Whether the standards being drafted satisfy structural correction tests is a question for another issue.
If you are tracking this conversation, write back. The list of people thinking carefully about agentic identity outside the working groups is short. It should not be.




