Agents are becoming real software actors, not just chat sessions. Once they start acting on systems, the hard problem stops being capability. It becomes authority.
The Primitive Underneath
Everyone building agents eventually reaches the same list. Memory. Tool use. Schedulers. Sandboxes. Observability. Permissions. Gateways. Auth.
All of them matter. One of them sits underneath the rest.
Identity.
Not personality. Not naming. Not anthropomorphic fluff.
Operational identity. The kind that answers who is acting, on whose behalf, with what authority, under what constraints, against which systems, with what audit trail, until when.
That is the primitive.
Most people only notice it once the agent starts touching real systems.
From Capability to Authority
Most of the current agent stack is still shaped by demo-era thinking. The model is the product. Everything around it is plumbing.
That breaks the moment agents become long-running, asynchronous, and tool-using. The question stops being can the model do this? and becomes:
-
Should this agent be allowed to do this?
-
Is it acting for a user, a team, or itself?
-
Where did that permission come from?
-
How is it bounded, and how do we revoke it?
That is not a prompt problem. It is an identity problem.
The Market Is Solving Thin Slices
The category breaks into four slices. Each solves a real problem. None of them solves the whole thing.
Auth and tool connectivity. Nango is the cleanest reference point. Composio, Arcade, Pipedream Connect, and Merge Agent Handler sit nearby. They stop every team from rebuilding OAuth in a dark basement. Useful. Necessary. Still one slice.
Secrets and credential brokering. OneCLI and dotenvx encrypt, broker, and inject credentials at the edge so raw keys don't leak into the agent. Better hygiene. Still not identity.
MCP gateways and control planes. Runlayer, MintMCP, Portkey, TrueFoundry, Smithery Connect. These show up once teams want centralized access control, policy, and audit across tool use. Important layer. But identity sits inside them as a feature, not as the underlying abstraction.
Identity and authorization proper. Okta, WorkOS, Aembit, and increasingly 1Password are circling the same idea: non-human actors need first-class policy, lifecycle, and audit. Clawvisor points at the runtime side — not just can the agent connect, but should this action happen right now, for this purpose.
That last category is closest to the real problem.
Credentials Are Not Identity
This is where systems go wrong. They confuse access with actorhood.
A token tells you something is allowed to call an API. It does not tell you which agent is using it, whether it is acting for a user, whether the action matches the approved task, whether the authority should still exist, or what runtime boundary it crossed.
Credentials are how access is exercised. Identity is how authority is modeled. The first is downstream of the second.
Every Primitive Depends on Identity
Scheduling
A scheduler is not "run this later." It is run this later as whom.
If an agent wakes up tomorrow and sends an email, updates a document, or mutates production state, the execution needs a durable identity context. Without that, scheduling is just delayed privilege.
Observability
Logs are useless when the actor is vague. A real audit trail has to answer which agent took the action, on whose behalf, through which runtime, with which delegated scope, using which downstream identity, under what policy.
Without identity, observability becomes structured confusion.
Tool Use
Most systems stop at connection-time authentication. The harder question is runtime authorization.
Not can this agent connect to GitHub, but: can it read but not write? Draft but not send? Touch this data only inside this workflow? Escalate when it exceeds its scope?
That is where identity meets policy.
Orchestration
The problem sharpens in multi-agent systems. When one agent invokes another, something has to propagate: user identity, task scope, runtime context, approval state, permission boundary, audit lineage.
Without identity, delegation is just distributed ambiguity.
The Missing Abstraction
The underbuilt part of the market is a clean model for:
user → agent → runtime → tool/account → action
That is the chain production systems actually need.
A user authorizes an agent. The agent runs somewhere. That runtime reaches a downstream system. An action happens.
Most products solve one edge of that graph — token storage, OAuth orchestration, secrets brokering, tool calling, gateway policy, enterprise governance. Very few model the full chain.
That is why the category feels active but unsettled. There is plenty of product motion. The abstraction is still forming.
Why This Matters Now
For a while, agents could live in a low-stakes world. Prompt in, response out, maybe a tool call in the middle.
That world is ending.
Agents are increasingly asynchronous, persistent, event-driven, tool-using, and production-facing. Once that happens, human identity models start to look incomplete. Not useless — incomplete.
A user session is not enough. A service account is not enough. A long-lived API key is definitely not enough.
Agents need operational identity that can express delegation, context, runtime boundaries, and revocation.
The Reframe
The cleanest way to think about agent primitives:
-
Memory stores context.
-
Tooling exposes capability.
-
Observability records behavior.
-
Schedulers carry intent across time.
-
Identity stores authority.