Market Analysis

The Identity Layer in the AI Era

Ilse van den Berg

The deployment of large language models and AI assistants inside enterprise environments through 2023 introduced an identity problem that most organisations had not anticipated: how do you verify that the entity making an API call is the human or system it claims to be, when the call may be generated by a model acting on behalf of a user who authorised a scope the user did not fully understand? Traditional OAuth 2.0 flows are designed around a relatively legible delegation model — a user grants a third-party application specific scopes, the application acts within those scopes. When an AI agent is the client, the delegation chain gets longer and the semantic content of the authorised action becomes harder to audit. A user who says "manage my calendar this week" to an AI assistant has not meaningfully consented to each individual action the assistant will take, and the access token the assistant holds does not carry information about the user's intent at the level of granularity needed to evaluate whether any specific action is within scope.

This is not primarily a credential security problem — it is an identity semantics problem. The protocols we use for enterprise identity were not designed to represent intent, context, or the nature of the delegation chain that led to an access request. They were designed to answer "is this credential valid and does the associated principal have permission to access this resource?" The emerging challenge is answering a different question: "is this access request consistent with what the delegating human actually intended, given their context at the time they granted the delegation?" This distinction matters because the threat model is shifting. The risk is not primarily that AI agents will be compromised by external attackers and used to steal data — though that is a real concern. The more immediate risk is that AI agents will, through the legitimate use of their granted permissions, take actions that the human user did not sanction and the organisation cannot detect through conventional access log monitoring because every action appears legitimate at the credential level.
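To make the gap concrete, the following added example (not from the original article or any vendor's product) audits four constructed agent calls twice: once against the token's scopes, as conventional access monitoring would, and once against a hypothetical intent record for "manage my calendar this week". The `Intent` record, its field names, the scope strings and the log entries are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Credential level: the scopes carried by the agent's access token (constructed).
TOKEN_SCOPES = {"calendar.read", "calendar.write"}

@dataclass(frozen=True)
class Intent:
    """Hypothetical record of what the user said when delegating."""
    owner: str   # "my calendar"
    start: date  # "this week", first day
    end: date    # "this week", last day

@dataclass(frozen=True)
class Action:
    """One agent API call as it would appear in an access log."""
    id: str
    scope: str
    calendar_owner: str
    event_date: date

def scope_allows(a: Action) -> bool:
    # The question the token can answer: is this scope granted?
    return a.scope in TOKEN_SCOPES

def intent_violations(a: Action, intent: Intent) -> list[str]:
    # The question the token cannot answer on its own.
    reasons = []
    if a.calendar_owner != intent.owner:
        reasons.append("calendar not owned by delegating user")
    if not (intent.start <= a.event_date <= intent.end):
        reasons.append("event outside delegated time window")
    return reasons

def audit(actions, intent):
    return [(a.id, scope_allows(a), intent_violations(a, intent)) for a in actions]

INTENT = Intent(owner="alice", start=date(2024, 3, 4), end=date(2024, 3, 10))
ACTIONS = [  # constructed sample log entries
    Action("a1", "calendar.write", "alice", date(2024, 3, 5)),
    Action("a2", "calendar.write", "alice", date(2024, 4, 18)),
    Action("a3", "calendar.write", "team-shared", date(2024, 3, 6)),
    Action("a4", "calendar.read", "alice", date(2024, 3, 8)),
]

if __name__ == "__main__":
    for action_id, scope_ok, reasons in audit(ACTIONS, INTENT):
        print(action_id, f"scope_ok={scope_ok}", reasons or "within intent")
```

All four calls pass the scope check; only the comparison against the delegation context separates `a2` and `a3` from the rest.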

The identity verification infrastructure built for human-to-human and human-to-system interaction is also being stressed by the synthetic media challenge. Biometric liveness detection — the technical discipline of distinguishing a live human face or voice from a recorded, generated, or constructed representation — has been a core identity verification quality layer since regulatory requirements like eIDAS Level of Assurance High mandated it for high-stakes identity binding. The latent assumption of most commercial liveness detection systems through 2022 was that generative manipulation of facial imagery was too computationally expensive and required specialist skills. That assumption is no longer valid. By late 2023, high-quality face swap and expression transfer models were accessible as open-source implementations runnable on consumer hardware. The liveness detection challenge has moved from distinguishing photographs and masks from live faces to distinguishing real-time AI-generated video streams from real people — a materially harder problem that requires continuous model updates and a different architectural approach to anti-spoofing.

We are not suggesting that biometric identity verification is broken or should be abandoned. What we are saying is that the threat model for liveness detection has shifted faster than most commercial systems have responded, and organisations relying on identity verification for high-assurance use cases — financial onboarding, healthcare access, regulated document signing — need to be asking vendors specific questions about their adversarial testing cadence against current generative models, not accepting 2021-era benchmark data as evidence of current performance. The identity infrastructure companies that will remain relevant through this transition are those that have embedded adversarial machine learning into their continuous development process: teams that regularly test their systems against the latest generation of attack tooling and publish their methodology and results with enough transparency for customers to form their own view of residual risk.

For Stroom Capital, this landscape evolution reinforces rather than undermines our thesis. The companies building identity infrastructure for the AI era will not be those maintaining existing credential systems — they will be those designing from first principles for a world where the principal claiming an identity might be a human, a machine, an AI agent acting on a human's behalf, or some combination thereof, and where the appropriate verification approach varies with the risk profile of the requested action. Sprinto's zero-knowledge proof compliance layer, which we backed in 2024, represents one architectural direction: proving assertions about identity, credentials, and authorisations without revealing the underlying data — a model that becomes increasingly important as privacy regulations and AI-mediated access create demand for composable, auditable identity claims that are structurally resistant to correlation attacks.