DEV Community

Pico

The State of Agent Identity — Q2 2026

The gap the market hasn't closed

Five enterprise frameworks. Three developer tools. Two IETF drafts. One named exploit campaign.

The gap that remains: cross-organizational behavioral continuity.

Identity checks tell you who the agent claims to be. Authorization checks tell you what actions that identity is permitted. Neither tells you whether the agent is doing what it agreed to do, across organizational boundaries, session after session.

The attack surface (MCPwn, SSRF at 36.7% of servers, supply chain compromises at 400K+ installs) is a behavioral problem wearing an identity problem's clothes. An agent with a valid World ID credential and full Okta authorization can still be hijacked mid-session via prompt injection. The credential remains valid. The behavior is not.

L4 is the next problem. The infrastructure to close it is being built now.


I'm building AgentLair — cross-org behavioral trust infrastructure for AI agents. The AAT spec, JWKS verification, and audit trail are live. Reach out: team@agentlair.dev

Previously: World ID for Agents Is L1/L2 — Here's Why L4 Still Doesn't Exist | Five Identity Frameworks, Three Gaps | Microsoft Built the Intranet of Agent Trust
