Technology
Sathya
Last week, Anthropic announced that it would not publicly release its newest frontier model. Claude Mythos Preview, in internal testing, surfaced thousands of zero-day vulnerabilities across every major operating system and every major web browser. It found a twenty-seven-year-old bug in OpenBSD. It found Linux kernel flaws that would let an attacker take complete control of most of the servers on the internet. Anthropic decided the model was too dangerous for general release and routed it instead through Project Glasswing, an invitation-only program limited to a coalition of defenders at Apple, Google, Amazon, Microsoft, Nvidia, JPMorgan, CrowdStrike, Palo Alto Networks, Cisco, Broadcom, and the Linux Foundation. The line the press repeated, correctly, was that we have crossed a threshold: a frontier agent can now reason about security-critical software better than nearly any human expert alive.
That is the top of the stack. Now look at the bottom.
Underneath the agents we are deploying in 2026, agents with reasoning capability that would have been considered science fiction three years ago, sits an identity layer that has not materially moved since the late 1990s. Humans still log in by typing shared secrets into forms. Machines still authenticate to other machines using static API keys pasted into environment variables. OAuth tokens are long-lived, broadly scoped, and readable by the running workload. Half of the plumbing that carries agent authority from one service to another was designed for a world in which the authenticating party was a single human sitting at a single browser, not an autonomous reasoner making thousands of tool calls per hour on behalf of a workflow on behalf of a team on behalf of an organization.
This is the gap. And it is about to matter more than any other security problem in the stack.
Humans still can't log in properly either
Start with the easier half of the argument. Passwords, as a primary authentication primitive for humans, have been broken for at least two decades. Everyone agrees on this. Passkeys and WebAuthn were supposed to be the answer, and the cryptography is there: hardware-bound, phishing-resistant, no shared secret on the wire. On the technology, the debate is largely settled.
Adoption is not. And the reason adoption has stalled is architectural, not cultural. Passkeys were defined inside ecosystems that do not talk to each other cleanly. Moving a passkey from an iPhone to a Windows laptop, from a Google account to a Mac, or from a personal device to a work device turns into a confusing sequence of QR codes, recovery flows, and vendor-specific syncing. Most users cannot picture where their passkey actually lives, which means they cannot reason about what happens when a device is lost or replaced. The design holds together in a single-vendor world and fragments the moment a real person's life crosses device boundaries, which it always does. Surveys in 2026 still show passwords as the dominant authentication method across consumer and enterprise, and it isn't because people love typing them. It's because the replacement, as currently architected, asks users to understand a trust graph they have no mental model for.
So the human half is not "mostly finished." It is stuck, for concrete reasons, on a problem the industry has not yet decided to fix at the root.
But it is still the smaller story. If your mental model of "identity in the age of AI" is "we finally need to kill passwords," you are underestimating the problem by about an order of magnitude. The interesting problem, the one that is about to matter more than any other security problem in the stack, is machine identity. Specifically, it is the identity layer underneath agents.
What agent authentication actually looks like today
A reasonable sketch of how a production agent authenticates to the services it acts on in April 2026 goes something like this. A human, at some point in the past, went through an OAuth consent screen on behalf of a workflow. The workflow got a long-lived refresh token scoped to whatever bundle of permissions the consent screen offered, which is almost always much broader than any single action the agent will ever take. That refresh token, or the API keys it mints, sits in an environment variable on the machine running the agent. The LLM process itself can read the credential. The credential is a bearer token: anyone who holds it can use it. It does not expire for weeks or months. It is not bound to the request it authorizes. There is no cryptographic record, outside the application log, of what the agent was actually authorized to do at the moment it did it.
A security researcher looking at that architecture would call it a collection of confused-deputy problems waiting to happen. An auditor looking at it would call it uncompliable. A capable agent looking at it would call it a target.
Recent third-party studies of the MCP ecosystem, the protocol most agents use to reach external tools, have found that more than half of open-source MCP servers authenticate with static API keys or personal access tokens, that roughly four in five of those keys are passed through environment variables, and that only a small single-digit percentage use any form of OAuth, let alone anything more modern. A critical-severity CVE was published last year against a widely-used MCP client's OAuth discovery flow. None of this is hypothetical. The infrastructure we are placing agentic reasoners on top of is, at the credential layer, held together with duct tape and custom.
Why Mythos makes this worse
Mythos is a demonstration that frontier agents can now reason about complex, adversarial systems at superhuman levels in at least one narrow domain: software vulnerabilities. Identity infrastructure is a complex, adversarial system. Every broad OAuth scope, every reused service-account key, every environment-variable secret, every workflow that accidentally grants an agent authority it was never meant to exercise is a vulnerability in exactly the sense Mythos was trained to find. You do not need a new class of attack to exploit this. You need a patient, capable reasoner that can enumerate the mess we have already built. We are now deploying exactly those reasoners, at scale, on top of exactly that mess.
The second implication is about the shape of authority itself. Human identity systems were designed around a principal (a person) who has intent, who can be held accountable, and who issues a bounded set of actions per session. Agent workflows violate every one of those assumptions. An agent has no intent of its own; it inherits intent from a chain of humans, workflows, and other agents. An autonomous long-running agent may issue hundreds of thousands of actions against dozens of services without any human in the loop. "Who is allowed to do what" stops being an access-control question, which we have tools for, and becomes a cryptographic-proof question, which we largely do not. The gap between the authority an agent should have for a single task and the authority the current credential system lets it inherit is where the damage will come from.
What the post-2026 identity layer looks like
We think the next generation of identity infrastructure, the one sturdy enough to sit underneath agentic reasoners, will be built from a small set of principles. None of these are individually novel. The novelty is insisting on them all at once, as a default, rather than as advanced deployment options.
The first principle is that the agent runtime is untrusted. Long-lived credentials and signing material should not be readable by the process doing the reasoning. They should live behind a sidecar, an HSM, or an equivalent boundary, and the runtime should only see the short-lived artifacts it needs for the call it is currently making. The right mental model is the one hardware security has used for decades: keep the thing that matters out of the thing you cannot trust.
The second principle is that authorization should be scoped to the invocation, not to the session. A tool call that needs to read one file should be authorized to read that file, for the next few seconds, and nothing else. This is the opposite of how OAuth scopes work today, and it requires carrying task-bound authorization inside the credential itself rather than delegating it to a downstream policy engine. Per-session bearer tokens are the wrong primitive for a world where a session can do a million things.
The third principle is that credentials should be single-use and replay-resistant by default. The existing world treats replay protection as an optimization. The agent-era world has to treat it as the baseline, because the cost of a leaked reusable token scales with how capable the reasoner holding it is.
The fourth principle is that there must be cryptographic evidence of what was authorized, living outside the application log, that can settle disputes across trust boundaries. Application logs are forensics. They are not evidence. In a world where an autonomous agent touches regulated systems on behalf of multiple principals, the audit layer has to produce cryptographic artifacts that a regulator or counterparty can verify independently of the runtime that produced them.
None of these ideas are unprecedented. Parts of them live in the workload identity community's decade of work on SPIFFE and related standards. Parts live in DPoP and the sender-constrained token work happening at the IETF. Parts live in emerging draft work on credential brokers for agents. Parts live in the quiet victory WebAuthn has already won on the human side. What does not yet exist, and what we think the market is going to demand in the next eighteen months, is a coherent protocol layer that insists on all of them at once, and treats the existing world of bearer tokens, static keys, and over-broad OAuth scopes as the legacy it is.
What we're excited about
We think the next durable platform in the security stack is something in the shape of Hawcx, a team building a cryptographic protocol that treats human identity and agent identity as one problem rather than two adjacent ones. On the human side, they replace passwords entirely with a hardware-bound, zero-knowledge biometric enrollment in which no secret (not a password, not a hash, not a private key) ever crosses the network. On the agent side, every agent a human owns derives its credentials from that same verified root, each action carries a single-use task-scoped token, and every call produces a bilateral cryptographic receipt that any third party can verify without access to session keys. Revoke the human, and every agent they own locks out instantly. That is what rebuilding this layer from first principles actually looks like: one root of trust across both worlds, runtime-isolated credentials, invocation-scoped authorization, and cryptographic evidence that survives outside the application.
The founders who get this right will not be selling a better OAuth. They will be selling the substrate that every serious agentic workflow, in every regulated industry, will need in order to operate at all.
Mythos was quarantined. The attack surface wasn't.