“NHI visibility and AI agent visibility feel like the same problem. They’re not. A service account is relatively static. It was created for a purpose, it has credentials, it authenticates to something. You can find it, document it, rotate its credentials, put it in a vault. That’s a solvable problem with existing tooling.
“An AI agent is different in almost every dimension that matters. It’s dynamic. It’s often ephemeral. It doesn’t have a fixed identity. It borrows one, or several. It makes decisions at runtime about what it needs to access. And it operates at machine speed, which means by the time your SIEM fires an alert, the transaction is already done.”
One way is via cryptography. As I discussed previously, the Secure Production Identity Framework for Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE) provide non-person entities with “strongly attested, cryptographic identities.”
Problem solved, right?
As any human who has used a password knows, a single factor can be stolen. And that includes cryptographic factors.
Provenance
Which means that we have to look at provenance. But instead of looking at the provenance of an AI-generated image or video, we are looking at the provenance of an agent that performs actions. The network origin. The environment. The associated attributes. Is the agent running on a specific, authorized, and known virtual machine or container at a specific network address, or is it running…somewhere else?
Behavior
And if you’ve read my book, you know that human identities can be evaluated based upon their behavior (either tendencies or intent). You can also look at the behavior of agents. Is the agent acting at an unexpected time of day? Is it executing an unusually high volume of requests? Is it “scoping out the joint”?
Multi-factor authentication
Again, it’s possible to spoof one factor, but much harder to spoof multiple factors. And that applies to both humans and non-human agents.
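To show what “multiple factors” looks like for an agent rather than a person, here is an added Python example (not code from this post or from the SPIFFE project) that evaluates one request against the three signals above: the cryptographic identity, its provenance (source network and attested node), and its behavior (time of day and request volume). The SPIFFE ID, networks and node names are constructed values, and the code assumes the SVID itself has already been validated by the workload API; it reports every factor that fails so that one spoofed factor alone never yields an allow.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class AgentPolicy:
    spiffe_id: str                 # identity the agent is expected to present
    allowed_networks: tuple        # provenance: networks it may run from
    allowed_nodes: tuple           # provenance: attested hosts/containers
    active_hours_utc: tuple        # behavior: (start, end) hour window
    max_requests_per_minute: int   # behavior: expected request volume


@dataclass
class AgentRequest:
    spiffe_id: str
    source_ip: str
    node: str
    timestamp: datetime


class AgentEvaluator:
    def __init__(self, policy: AgentPolicy):
        self.policy = policy
        self.recent = deque()  # timestamps of requests seen in the last minute

    def evaluate(self, req: AgentRequest) -> list:
        """Return the list of failed factors; an empty list means allow."""
        p, failed = self.policy, []
        # Factor 1: cryptographic identity. The SVID is assumed to have been
        # validated already; here we only check it is the expected identity.
        if req.spiffe_id != p.spiffe_id:
            failed.append("identity")
        # Factor 2: provenance, i.e. network origin and attested environment.
        if not any(ip_address(req.source_ip) in ip_network(n) for n in p.allowed_networks):
            failed.append("network")
        if req.node not in p.allowed_nodes:
            failed.append("node")
        # Factor 3: behavior, i.e. time of day and request rate.
        start, end = p.active_hours_utc
        if not start <= req.timestamp.hour < end:
            failed.append("time")
        self.recent.append(req.timestamp)
        while self.recent and req.timestamp - self.recent[0] > timedelta(minutes=1):
            self.recent.popleft()
        if len(self.recent) > p.max_requests_per_minute:
            failed.append("rate")
        return failed
```

A request that passes the identity check but arrives from an unexpected subnet at 3 a.m. is still flagged on the provenance and behavior factors, which is the point of not relying on the cryptographic factor alone.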
A former coworker reshared the story of Clifford Stoll investigating an accounting error and discovering a Cold War spy network. But a few years later, Stoll was wrong about the emerging Internet…and also right.
Stoll shared his views in a 1995 Newsweek article that was an amusing read after the fact.
Replacing your daily newspaper?
For example:
“The truth is no online database will replace your daily newspaper…”
Stoll lived long enough to see the decline of printed newspapers in the early 21st century.
Electronic books?
Another one:
“How about electronic publishing? Try reading a book on disc. At best, it’s an unpleasant chore: the myopic glow of a clunky computer replaces the friendly pages of a book. And you can’t tote that laptop to the beach. Yet Nicholas Negroponte, director of the MIT Media Lab, predicts that we’ll soon buy books and newspapers straight over the Internet. Uh, sure.”
Let’s pick this one apart piece by piece.
A book on disc? What’s a disc?
Yes, to some the myopic glow of an electronic book isn’t the best experience, whether on light or dark mode. But a traditional printed book cannot be read at all when you turn the lights off.
Stoll assumed that you would always need a laptop to read an electronic book. He did not envision dedicated electronic reading devices that were smaller than a laptop…to say nothing of “smart” phones with an “app” called “Kindle.”
Speaking of Amazon Kindles, you CAN buy books straight over the Internet. And music also, from a company that is no longer called Apple Computer.
So Stoll was not perfect. But he anticipated some things that we still struggle with today.
Unedited data!
“What the Internet hucksters won’t tell you is that the Internet is one big ocean of unedited data, without any pretense of completeness. Lacking editors, reviewers or critics, the Internet has become a wasteland of unfiltered data. You don’t know what to ignore and what’s worth reading.”
While many companies from Yahoo to Altavista to Google to Wikipedia to OpenAI have tried to solve this problem, it is not fully solved.
And then there’s the biggie.
Isolation!
“What’s missing from this electronic wonderland? Human contact. Discount the fawning techno-burble about virtual communities. Computers and networks isolate us from one another. A network chat line is a limp substitute for meeting friends over coffee. No interactive multimedia display comes close to the excitement of a live concert. And who’d prefer cybersex to the real thing?”
Today’s world is actually worse than the one Stoll envisioned. Not only have I conducted most of my interactions with people over chat boxes and screens, but in 2026 we are now interacting with “HAL 9000” non-person entities…and we may not even know that they aren’t human, but synthetic or deepfake identities.
Despite the benefits of remote interactions—they’ve kept me (and my former coworker) employed—Stoll’s warnings about this new world remain valid.
Wrong but right
So I wouldn’t laugh at Stoll’s derision over the emerging Internet. If you were alive in 1995, be honest: did you anticipate THIS?
“SPIFFE and SPIRE provide strongly attested, cryptographic identities to workloads across a wide variety of platforms”
That wide variety of platforms is distributed.
“SPIFFE and SPIRE provide a uniform identity control plane across modern and heterogeneous infrastructure. Since software and application architectures have grown substantially, they are spread across virtual machines in public clouds and private data centers.”
Distinguishing between the two, the SPIFFE Project “defines a framework and set of standards for identifying and securing communications between application services,” while the runtime environment SPIRE “is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms.”
Benefits
Forget all that. Let’s get to the benefits.
Enable defense in depth: Provide strongly attested identities to reduce the likelihood of breach through credential compromise
Reduce operational complexity: Consistent, automated management of identity reduces the burden of devops teams
Interoperability: Simplifies the technical aspects of full interoperability across multiple stacks
Compliance and auditability: Enables mutually authenticated TLS and multiple roots of trust to meet regulatory requirements
Use at Uber
But does anyone use it? Yes. Take Uber:
“We use SPIRE at Uber to provide identity to workloads running in multiple clouds (GCP, OCI, AWS, on-premise) for a variety of jobs, including stateless services, stateful storage, batch and streaming jobs, CI jobs, workflow executions, infrastructure services, and more. We have worked with the open source community since the early stages of the project in mid-2018 to address production readiness and scalability concerns.”
Now this is admittedly a whole new world for me, far afield from the usual 12345 and gummy arguments where I usually reside. But since bots will soon outnumber people (if they don’t already), we had all better learn it.
There is a difference between a writer and a content creator. It becomes obvious when you read WordPress’ recent post, “How to Slop Your Content in Five Steps.”
With one glaring exception: the Bredebot project, a highlighted experiment to see how far a well-prompted bot will go.
So my specific response to these steps is to consider the gap analysis in step 2. Bots are good at such analysis, but they have to be watched in case they don’t get their facts straight.
But I won’t give Claude the permission to write and post articles, or even any permissions on WordPress. This is a security issue, after all; how do YOU control site access for non-human identities?
In fact, I may not even use Claude for step 2, even if it’s the cool kid this week last I checked. I may use Gemini…or a thousand Bangladesh techies…or a million Pentiums…or Mika.
How you work with outside content creators
But what about you?
Before answering, take the five steps above and change the name “Claude” to Barney…or Bredemarket.
Would you give Barney or Bredemarket that power over your website?
Maybe…or maybe not.
How Bredemarket works with you
In the case of Bredemarket, I usually do NOT have direct access to my clients’ websites, sending them Word documents instead. And in the one instance where I did have website access, I left every one of my drafts in draft mode.
And when I perform a gap analysis, I present my client with choices and ask the client to choose the topic, or at least approve my suggested topic.
Because your website is not mine, or Mika’s…or Claude’s.
I don’t have access to Forbes, so I’m relying on this LinkedIn message from Certuma:
“We raised $10M in seed funding led by 8VC to build the first FDA-approved AI doctor.”
The way that sentence is worded, it sounds like the goal is to have the FDA approve a doctor who can…well, doctor. Like my fictional Dr. Jones. (See the 2013 version in tymshft.)
““I don’t mind answering the question,” replied the friendly voice, “and I hope you don’t take my response the wrong way, but I’m not really a person as you understand the term. I’m actually an application within the software package that runs the medical center. But my programmers want me to tell you that they’re really happy to serve you, and that Stanford sucks.” The voice paused for a moment. “I’m sorry, Edith. You have to forgive the programmers – they’re Berkeley grads.””
But Certuma’s website tells a more cautionary story in which the “AI doctor” is NOT in control.
“Certified clinical decisions at machine speed. Physician-verified and fully auditable.”
And the workflow indicates that this “doctor” is more like an intern, or even a student.
“Certuma routes every in-scope plan through physician verification. That workflow is the point: fast turnaround without removing accountability….
“Red flags, contraindications, interaction checks, scope limits, and uncertainty thresholds run through the deterministic verification layer. If something is emergent or out of scope, the system escalates instead of guessing.
“Clinicians see structured intake, highlighted risks, and a draft plan with supporting evidence. They approve, edit, or escalate; changes are captured with reason codes and a durable audit trail.”
Now there is clearly some benefit in having the bots grind out the plan, provided that the bots don’t hallucinate. There are potential time savings, and a real doctor reviews the final results.
But an “AI doctor” who can doctor independently is NOT on the horizon.
“Within the space of a single week, nearly every major identity vendor announced or shipped a platform specifically designed to govern AI agents. The timing was not coordinated. It was convergent.”