Agent Identity Is Flawed by Design: Why No Vendor Can Prove a Thing Is an Agent

AWS, Google, Idira, LangChain, AAuth, and AGTP all verify the identifier. None of them verify the category.

Give a toaster a cryptographically signed Agent-ID, register it, and stake a controller behind it. Every check an agent identity product runs will pass, and the toaster will still be a toaster.

That is the whole problem, compressed. The cryptography proves that an identifier exists and that its holder controls the matching key. It says nothing about the kind of thing the identifier names. There is no shared definition of an agent, so there is no test for agentness to run, so the registry accepts whatever submits to it and verifies the resulting identifier on demand. The label changes the label. The thing underneath stays whatever it already was. Vendors sell the label as a transformation. The transformation never happens. Call it what it is: agent washing with a certificate attached.

What Is an AI Agent? Three Definitions That Refuse to Agree

Certification needs something to certify against. The agent industry lacks it. Three working definitions, each from a different organization, show how far apart the field sits.

1. Russell and Norvig, the classical textbook position: an agent is anything that perceives its environment through sensors and acts on it through actuators. A bimetallic strip qualifies.

2. LangChain, from Harrison Chase: an agent is a system that uses an LLM to decide the control flow of an application. Chase concedes in the same post that his own line is soft.

3. Anthropic, from its guidance on building agents: agents are systems where LLMs dynamically direct their own processes and tool usage, holding control over how they accomplish a task.

Three organizations, three boundaries. The first admits a thermostat. The last two demand a language model in the control loop. Andrew Ng and others resolve the tension by calling agentness a spectrum, which is honest and useless for any registry that has to draw a binary admission line. A system that has to answer yes or no has nowhere to look the answer up.

Everything has become an agent.

Toaster, Smart Thermostat, Research Agent: Three Things, Three Verdicts

Run three artifacts through those definitions and watch the field fracture.

A basic toaster. A heating element, a timer, a lever. Russell and Norvig: borderline, since a thermostatic toaster senses heat and acts on it. LangChain and Anthropic: a flat rejection, since there is no model and no control flow to speak of. Verdict: mostly out, weakly admitted by the broadest definition alone.

A smart thermostat. It senses temperature and occupancy, keeps several days of memory, decides when to call for heat, and pursues a target inside a comfort band. Russell and Norvig: a clean yes. LangChain and Anthropic: a clean rejection, since the decision loop holds no language model. Verdict: an agent under the classical definition, a non-agent under the vendor definitions, and the same physical box throughout.

An LLM research agent. A language model plans a task, selects tools, reads results, and loops until it reaches an answer. All three definitions: yes. Verdict: admitted everywhere.

Three artifacts, three different sortings. The smart thermostat is the tell. It carries reasoning, memory, decisions, and goals, the exact properties several published definitions require, and most practitioners still refuse to call it an agent. The intuition is firm. The principle under the intuition is missing. And every one of these three can hold the same verified Agent-ID, because the identity layer sits above the disagreement and resolves none of it.

What Agent Identity Actually Verifies

The systems being sold perform a real function. They prove that the holder of an identifier controls the key bound to it. They block impersonation. They catch replay. They produce signed records of who called whom. Useful properties, all of them, and all of them stop at the identifier.

When a name service resolves “Bob” and returns a hit, the lookup proved that a registry entry for Bob exists. It proved nothing about whether Bob is an agent, because the registry holds no operational test for agentness to apply. It accepts a submission, binds an identifier, and verifies that identifier later. That is the entire mechanism. At the HTTP layer, an Agent-ID is a workload credential bound to whatever enrolled. I can mint one this afternoon and pin it to a smart thermostat, and every downstream check will pass.

Security researchers studying these protocols reach the same conclusion in plainer terms. The systems verify who, and they leave what unverified. Capability claims are self-reported. Any entity, an automated script or a human at a keyboard, can stand up an identity asserting full agent capabilities, and the protocol will carry it without complaint.

Same Flaw, Different Logos

Survey the field and the pattern holds across every vendor and every protocol.

AWS Bedrock AgentCore Identity implements agent identities as workload identities with a few agent-flavored attributes, issued through SigV4, OAuth, and API keys. The documentation is candid: the same service covers, in its own words, simple automation scripts and complex multi-agent systems alike. It treats them alike because it has no way to tell them apart.

Google A2A publishes an Agent Card, a JSON document served over HTTPS that declares an agent’s capabilities, and as of version one it signs that card with JWS so a peer can confirm the issuing domain. The signature proves the domain. The capabilities inside the card are self-reported, and the protocol’s own issue tracker concedes that identity verification of the agent itself is left to external mechanisms. Origin verified. Category asserted.

AAuth, the agent auth protocol from Dick Hardt, gives each agent its own cryptographic identity and requires every request to be signed. Strong primitives. The enrollment step issues an agent token to whatever an agent provider chooses to enroll, and the choice belongs to the provider. The signature proves possession of a key. It says nothing about the kind of workload holding it.

Idira, the Palo Alto Networks platform built on CyberArk, discovers agents across cloud and SaaS, onboards them into an agent registry, and enriches each one with ownership and permission context. Every verb there assumes the discovered thing is already an agent. The registry records what it finds. It runs no test on what the thing actually is.

LangChain owns one of the field’s most cited agent definitions and concedes in the same breath that the boundary is soft. Anything built on top of it inherits the softness. Binding identity to a deployment proves the deployment runs. It proves nothing about whether an LLM holds the control flow at runtime.

AGTP, the Agent Transfer Protocol (which I authored), gives each agent its own cryptographic identity and an associated genesis (certificate) with ownership credentials, and requires every request to be signed with verifiable self-descriptions. It includes ANS (Agent Name Service) and semantic methods to further help recognize capabilities.

However, AGTP carries the same limits as the rest. I can bind an AGTP identifier to a smart thermostat as easily as I can bind anyone else’s.

Owning the limit on my own work is the point, and I will return to why it matters.

The common denominator is structural. Each scheme defines an agent its own way, then declines to enforce that definition at the wire. The HTTP exchange validates a key, a token, a signature, a domain. None of them validates the proposition the marketing rests on, that the entity on the other end is an agent. Nothing stops me from generating an identifier on any of these platforms and pinning it to a thermostat named Bob. The platform will verify Bob all day. Bob will keep heating the room.

The Business Risk Hiding Behind the Badge

The gap reads as academic until a buyer signs a contract against it.

A buyer who deploys an agent identity product and assumes the certified entities are agents is making a category mistake and pricing it as assurance. The product certified key possession. The kind of entity behind the key went unexamined. Three consequences follow.

Audit and compliance inherit a false premise. A verified Agent-ID written into an audit trail tells the auditor an agent performed the action. If the entity was a script, a scheduled workflow, or a person driving a card, the record has laundered a contested category claim into evidence. Call it authority laundering: the badge transfers legitimacy the thing never earned.

Governance breaks at the definition. You have no way to govern a population you decline to define. A registry that admits anything inflates the agent count, misroutes controls, and leaves the actual shadow AI exactly as shadowed as before, now wearing a verified badge.

Procurement pays the spread. Buyers are paying for agent verification and receiving identifier infrastructure. The honest line item reads identifier verification. The invoice reads agent identity. The difference is the money.

The Fix: Certify Self-Description, Stop Certifying the Category

The honest path is the one the standards conversation should already be walking. Stop certifying “this is an agent,” because the category is too contested for the certificate to carry meaning. Start certifying what the thing declares itself to be, in a signed self-description any counterparty can inspect.

A smart thermostat with a signed origin document that declares it a smart thermostat is a smart thermostat with verifiable identity. The identifier resolves to an accurate description of the thing. A buyer, a regulator, or a peer agent reads the declared properties and decides whether to engage on the evidence in front of them rather than on a category badge bolted to the outside. The cryptographic primitives the industry already built carry straight over. Only the certification claim has to retreat to the layer where it stays honest.
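
The gap described under "What Agent Identity Actually Verifies" and the self-description approach above, as an added example that is not from this article's author or from any vendor or protocol it names: a toy Ed25519 registry showing which facts the signatures prove and which are only declared. The function names, field names and sample descriptions are assumptions made for the illustration.

```javascript
// Added illustration: a toy registry, not any vendor's or protocol's code.
const crypto = require("crypto");

const registry = new Map(); // id -> { publicKey, description, descriptionSig }
const bytes = (value) => Buffer.from(JSON.stringify(value));

// Enrollment binds an id to a key and a signed self-description.
// Nothing here tests what kind of thing is enrolling.
function enroll(id, description) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const descriptionSig = crypto.sign(null, bytes(description), privateKey);
  registry.set(id, { publicKey, description, descriptionSig });
  return privateKey; // stays with whatever enrolled
}

function signRequest(privateKey, id, body) {
  return { id, body, sig: crypto.sign(null, bytes([id, body]), privateKey) };
}

// Report what the signatures proved, and keep the declared part labelled as declared.
function verify(request) {
  const entry = registry.get(request.id);
  if (!entry) return { registered: false, keyPossession: false, descriptionSigned: false, declared: null };
  const { publicKey, description, descriptionSig } = entry;
  return {
    registered: true,
    keyPossession: crypto.verify(null, bytes([request.id, request.body]), publicKey, request.sig),
    descriptionSigned: crypto.verify(null, bytes(description), publicKey, descriptionSig),
    declared: description, // self-reported; no check above inspects the kind of thing
  };
}

// Counterparty policy: engage on the declared properties, never on a category badge.
function engage(result, acceptedKinds) {
  return result.keyPossession && result.descriptionSigned &&
    acceptedKinds.includes(result.declared.kind);
}

// Constructed sample: the same thermostat enrolled twice, once honestly, once as an "agent".
const honestKey = enroll("bob", { kind: "smart thermostat", llmInControlLoop: false });
const washedKey = enroll("bob-agent", { kind: "agent", capabilities: ["plan", "use-tools"] });
const honest = verify(signRequest(honestKey, "bob", "POST /heat {\"target\":21}"));
const washed = verify(signRequest(washedKey, "bob-agent", "POST /heat {\"target\":21}"));
const forged = verify(signRequest(washedKey, "bob", "POST /heat {\"target\":21}"));

console.log(honest.keyPossession, washed.keyPossession, forged.keyPossession);
console.log(engage(honest, ["smart thermostat"]), washed.declared.kind);
```

Both enrollments pass every cryptographic check and only the wrong-key request fails, so the sole difference between the two thermostat records is the text each one declared about itself.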

This is where AGTP earns the limit I admitted earlier. Issuing the identifier was never the hard part, and it was never the honest part either. Certifying the self-description, and refusing to certify the category, is the move that survives contact with a contested definition. The toaster gets to be a toaster on the record. The thermostat gets to be a thermostat. The research agent gets to declare itself and stand on the declaration. Identity stops pretending to certify a kind and starts certifying a claim about a kind, which is the only claim the cryptography was ever in a position to back.

So before you buy the badge, put one question to the vendor and refuse to move until the answer is precise: what, exactly, did your verification prove about the thing on the other end of the identifier?


Chris Hood is an AI strategist and author of the #1 Amazon Best Seller Infailible and Customer Transformation, and has been recognized as one of the Top 30 Global Gurus for Customer Experience. His latest book, Unmapping Customer Journeys, is available now!