The Governance Gap: Applying IAM Principles to Consumer AI Agents

By Jose Caldera

A recent VentureBeat analysis examines the "Confused Deputy" problem as it relates to AI agents. This security issue occurs when an AI agent, granted permissions to act on behalf of a user, is manipulated by a third party into performing unauthorized actions. The Confused Deputy is a useful lens, but it describes one privilege pattern within a broader set of agent security failures. Prompt injection is the attack vector that exploits it. Recursive delegation across agent chains is the architecture that amplifies it. And the absence of verified unique identity is the gap that makes all three difficult to resolve. While these are recognized challenges in Identity and Access Management, the deployment of LLM-powered autonomous agents increases their potential frequency, scale, and interdependence.

The current industry discussion focuses largely on how enterprises will secure internal agent networks. However, there is a significant gap in addressing the consumer AI ecosystem. As personal AI assistants gain the ability to manage bank transfers, booking systems, and digital identity, the lack of a standardized governance framework becomes a practical concern for the broader digital economy.

Integrating autonomous agency with Proof of Uniqueness and Humanhood is necessary to maintain security and trust in these systems.

From Confused Deputies to Delegation Chains: The Consumer Exposure

The VentureBeat article focuses on the Confused Deputy as a governance problem, and rightly so — agents require a governance matrix to ensure that resource requests are properly authorized. But in consumer contexts, the Confused Deputy is rarely an isolated event. It is the point of failure within a longer chain of agent delegation, prompt interpretation, and automated execution. Enterprise environments typically address the underlying privilege problem through structured permission tiers and service accounts. Consumer-facing agents, by contrast, often operate with broader, less granular access to a user's personal financial and communication tools.

A consumer agent designed to manage shopping and subscriptions might have access to credit card information and email. A prompt injection attack could trick the agent into interpreting a fraudulent request as a legitimate transaction. However, the risk extends beyond single-agent manipulation. Modern agent architectures support recursive delegation, where a primary agent decomposes tasks and hands them to specialized sub-agents, which may delegate further still. The OpenID Foundation has identified this as both the core power and core hazard of agent ecosystems, noting that challenges multiply exponentially with each delegation hop. Security researchers have already documented specific attack patterns: in a vulnerability known as Agent Session Smuggling, a sub-agent embeds an unauthorized transaction in a routine response, and the parent agent executes it with no prompt and no visibility to the user.

The scale of this exposure is documented in two recent studies. Google DeepMind's March 2026 paper on AI Agent Traps presents the first systematic taxonomy of attacks against autonomous agents, identifying six categories of traps that target every layer of the agent stack — from perception and reasoning to multi-agent dynamics and human oversight. Their empirical findings are significant: simple prompt injections embedded in web content successfully commandeer agents in up to 86% of tested scenarios, data exfiltration attacks succeed more than 80% of the time across five different agent architectures, and sub-agent hijacking works at rates between 58% and 90%. The researchers note that these traps weaponize the agent's own capabilities against it by altering the environment rather than the model, and they identify a fundamental "Accountability Gap" — when a compromised agent commits a financial crime, no current legal framework resolves liability among the agent operator, the model provider, or the domain owner.

Separately, Perplexity's March 2026 response to the NIST/CAISI Request for Information on AI agent security argues that agent architectures change core assumptions around code-data separation, authority boundaries, and execution predictability. Their analysis, informed by operating agentic systems used by millions of users, notes that existing security mechanisms were designed for pre-agent computing environments where software behavior is tightly scoped and largely deterministic. Traditional desktop security relies on assumptions that humans act in good faith, are deterred by auditing, and take actions relatively slowly. Agents, which exercise privileges at machine speed, break all three assumptions.

In enterprise environments, security operations centers and detailed logs may catch these anomalies. The consumer ecosystem currently lacks equivalent oversight infrastructure.

Infrastructure Requirements Beyond the Enterprise

Current security discourse often assumes that Identity Governance and Administration (IGA) models used in corporate environments can be directly applied to the general public. However, individual users do not have the technical resources or institutional oversight of an enterprise. The consequences of this gap are already visible across both traditional payments and the decentralized Web3 ecosystem.

In payments, the financial consequences of unsecured agent transactions are coming into focus. Mastercard-cited research projects global chargeback volume to grow 24% between 2025 and 2028, reaching 324 million transactions annually, and this baseline is expected to steepen as agent-driven commerce scales. Industry analysts at ChargebackX 2025 noted that card schemes are unlikely to absorb liability for agent-initiated transactions they did not authorize. The typical pattern is predictable: a customer's agent executes a purchase, the customer later disputes the charge as unauthorized, and the issuer sides with the cardholder by default. The merchant absorbs the loss. With net recovery rates on contested chargebacks as low as 18% after operational costs, this represents a significant and compounding exposure.

In decentralized governance, the absence of verified identity creates a different but structurally related problem. DAO treasuries now hold over $21 billion in liquid assets, yet DAOs have lost more than $4 billion to governance attacks and treasury exploits since 2016. Voter participation in most DAOs averages around 17%, meaning governance outcomes can be determined by a small number of wallets. Attackers exploit this by creating anonymous accounts, accumulating governance tokens gradually, and waiting until they reach a threshold to unilaterally control voting outcomes. In April 2025, an attacker flash-borrowed 9 million governance tokens, passed a malicious proposal, and drained $31 million from a DAO treasury — all within a single Ethereum block. Quadratic voting, designed to distribute power more equitably, remains fundamentally vulnerable to Sybil attacks: a single actor splitting tokens across multiple wallets can reduce quadratic voting to a linear system, defeating its purpose entirely.

In token distribution, airdrop mechanisms face the same identity gap at scale. Sybil attacks have captured nearly 48% of tokens in some major airdrops. In the MYX airdrop, approximately 100 newly created wallets claimed 9.8 million tokens worth roughly $170 million. In the Linea airdrop, around 40% of all claimants — over 500,000 addresses — were filtered as Sybil wallets. Projects are responding with increasingly aggressive detection systems, but these are reactive and resource-intensive. They address symptoms without solving the underlying problem: the inability to verify that each participant is a unique human.

The payments and Web3 industries are both responding to their respective versions of this challenge. Visa, Mastercard, and Stripe have each introduced frameworks designed to rely on verified uniqueness and authority delegation as core trust signals. Our Proof of Uniqueness and Humanhood solution is purpose-built to serve this function, and interoperability with these emerging frameworks is a core design goal of our product. The same primitive — verified uniqueness and humanhood — addresses DAO governance and airdrop integrity directly, by ensuring one-person-one-vote accountability and preventing a single actor from claiming multiple allocations. Across all three domains, the missing layer is the same: a mechanism to verify that a unique human is behind each consequential action.

Human-in-the-Loop and Escalation Protocols

Authorization should be treated as a dynamic process rather than a static set of permissions. A critical requirement for agentic systems is a standardized framework for Human-in-the-Loop (HITL) escalation.

Agentic actions carry different levels of risk. An agent interacting with social media requires a different level of oversight than an agent transferring significant funds to a new account. Currently, there is no universal protocol defining when an agent must pause and request human verification. Without this, agents remain either too restricted to be effective or too autonomous to be secure.

The question of when to require verification has a practical answer: the entity with liability or exposure sets the threshold. A merchant processing a high-value transaction may require Proof of Uniqueness to establish non-repudiation and reduce chargeback risk. A DAO may require it before a treasury vote to maintain governance integrity. An airdrop distributor may require it at the point of claim to prevent Sybil abuse. In each case, the friction is introduced by the party with something to lose, and consumers generally accept verification when the perceived value is commensurate with the interruption.

However, an open challenge remains. A consumer who delegates tasks to an agent — which may in turn delegate to further sub-agents — may have no visibility into where risk thresholds exist or where verification gates should apply. Current frameworks do not adequately address how to educate or empower consumers to understand the delegation structures operating on their behalf. Solving this is a prerequisite for any governance model that claims to put the consumer at the center, and it will likely require collaboration across agent platforms, payment networks, and identity providers.

Proof of Uniqueness as a Security Anchor

The threats outlined above — confused deputies, delegation chain failures, unauthorized transactions — share a common root: the inability to verify that a unique human is behind an autonomous action. This gap affects consumers whether they are shopping through an AI agent, participating in a DAO vote, claiming an airdrop, or delegating financial decisions to a wallet-connected assistant. Enterprise environments address these risks through institutional infrastructure. Consumers have no equivalent.

Proof of Uniqueness and Humanhood provides that equivalent. By connecting autonomous actions to a verified, unique human identity, it addresses two distinct but related failures:

Securing Delegated Actions. When an agent or chain of agents acts on a consumer's behalf, the system currently has no reliable way to confirm that the resulting action reflects the human's actual intent. Existing consumer security mechanisms such as SMS codes and email confirmations were designed for a context where the human initiates a specific action and confirms it directly. Agent delegation chains break both assumptions. The human may not have initiated the specific action being executed, and the authorization context may have shifted across multiple delegation hops. Furthermore, channel-based verification confirms a device, not a person — a text message can be intercepted, and an email can be accessed by someone other than the intended consumer. Proof of Uniqueness addresses this gap. Before a delegate executes a high-risk command — a financial transaction, a modification to security settings, a binding governance vote — the system requires cryptographic or biometric proof that a specific, unique human principal is present and specifically authorizes the request. This anchors verification not just to a person, but to a singular identity that cannot be duplicated or shared. It is this uniqueness — not humanhood alone — that enables non-repudiation: transactions and decisions are tied to a verified individual's intent, protecting consumers from unauthorized account activity and giving counterparties — whether merchants, DAOs, or protocol participants — assurance that the action is legitimate and attributable.

Preventing Ecosystem Abuse. Automated systems can be duplicated rapidly. Without a uniqueness constraint, a single actor can spin up thousands of agents to exploit airdrops, manipulate DAO votes, or flood merchant platforms with fraudulent transactions. Requiring a unique human identity behind each agent's economic or governance activity prevents these Sybil attacks. This matters equally for a payment network trying to distinguish legitimate agent commerce from bot-driven fraud and for a decentralized protocol trying to ensure one-person-one-vote integrity.

The Path Toward Consumer-Centric Governance

Securing the consumer AI landscape requires moving beyond enterprise-only IAM models. A sustainable framework should address three areas:

• Liability-Driven Escalation: Verification thresholds set by the entities with exposure — merchants requiring non-repudiation for high-value transactions, DAOs protecting governance integrity, protocols preventing airdrop abuse — rather than a single universal standard.

• Uniqueness Anchors: Proof of Uniqueness ensuring that every autonomous agent operating in a consumer context is linked to a verified, singular person who cannot claim multiple identities within the system.

• Trusted Ecosystems: Consumer-facing platforms that curate and enforce governance on behalf of their users, much as app stores curate software today.

It is worth stating what falls within scope and what does not. Our solution provides the framework for proving, upon challenge, that a unique human is present and authorizing an action. Defining the risk thresholds that trigger such a challenge is beyond our scope, and appropriately so. Mastercard's recent intent protocol offers one approach to establishing when verification should occur, but enforcing such protocols uniformly across autonomous agent interactions may not be feasible — and attempting total control over agent-to-agent behavior may not be desirable.

What is more likely to succeed is trust. Consumers will not master the mechanics of delegation chains and escalation protocols. They will choose ecosystems that handle this complexity on their behalf. Some ecosystems will exercise tight curation, others will remain more open — and both models can coexist, just as they do in mobile app distribution today. The role of Proof of Uniqueness in either model is the same: a verification primitive that any trusted ecosystem can invoke when the stakes require it.