The Five Levels of Verified Identity For the Agent Economy
The agent economy arrived without an identity layer.
In the last twelve months, AI agents have started moving money, signing contracts, and executing trades on behalf of humans. Google, Visa, Mastercard, OpenAI, Stripe, and Anthropic have all published protocols for how those agents will transact. Every one of those protocols presumes an identity primitive that none of them defines. They assume, somewhere upstream, that a verified human authorized an agent to act, that the authorization can be tied to the action, and that the resulting record will hold up in a dispute.
That record does not currently exist.
This is the gap Proof was built to fill. Our platform has secured over $640 billion in transactions with cryptographic records for over a decade. And as we've worked with AI labs, card networks, banks, and the engineers building these protocols, it has become clear that the identity layer is not a single solution.
Instead, it is a progression. Each level makes something possible that was not possible at the level below, shifting risk off the relying party and onto an artifact that anyone can verify. Models for what humans are willing to delegate to agents are useful, but what the delegation carries — what the cryptographic record proves, to whom, and for how long — is the part that determines whether the system actually works.
Here is the framework:
Level 0: Point-in-time verification
At Level 0, identity is a checkpoint, not a credential.
A user types their name into a form, uploads a photo of an ID to one vendor, answers a knowledge-based authentication quiz at another, and receives an SMS code from a third. None of these artifacts are bound to each other or produce a credential the user keeps. The biometric is captured, scored, and discarded. The ID photo lands in a database that becomes the next breach target. The knowledge questions are answerable from data brokers who have been selling the answers for fifteen years.
Verification happens; no portable identity is retained.
This is not the failure of any one vendor. The category was built to answer a specific question — did this person pass a check at this moment? — and the products that answer it are good at what they do.
But the question is too small for the economy now asking it. Who are you, can I trust the authorization I just received from you, and will the answer still hold six months from now? Point-in-time identity verification was never meant to answer that, and the agent economy is being asked to operate on top of it anyway.
Level 1: Bound identity
A verified human is proofed once, at NIST IAL2, with a government-issued ID and a live biometric. They are then issued a portable credential — a W3C Verifiable Credential, key-bound to a device they control. When they authenticate to a new service, the credential is presented and verified against a certificate authority.
The difference between Level 0 and Level 1 is the difference between being verified and being verifiable. At Level 0, verification is a transaction the user completes with one vendor and never sees again. At Level 1, verification is a property of the person — carried, presented, and owned by them.
Everything above this level depends on it. You cannot bind a signature to a verified human if there is no verified human to bind it to.
Level 2: Bound authorization
The credential now binds not just to a session, but to a specific transaction.
When you authorize a payment, whether yourself or through an AI agent, the cryptographic artifact records that this verified human authorized this specific amount, to this counterparty, through this instrument, at this moment. The signature is bound so tightly to the transaction that it cannot be replayed, altered, or reused. The EU’s payments regulation, PSD2, calls this dynamic linking; outside of European payments, the rest of the world has not had it.
This is where the Liability Shift becomes possible. When the artifact carries enough information to demonstrate that authorization survived intent, risk can finally be priced and distributed. A bank that accepts a certified Proof record can know what it is accepting, and a card network publishing a liability waterfall can write the rules against something real. ESIGN and UETA already give this kind of record legal force. What they have always left open is the how of attribution.
This is the level that ends authorized push payment fraud and the wire callback. A verified human can finally say, in a way that survives audit: yes, that was me, and that was the transaction I agreed to.
Level 3: Bound delegation
The human is no longer in the loop on every action.
Instead, the human has issued a mandate — a cryptographic artifact specifying scope, amount cap, duration, and counterparty class — and an agent acting on their behalf carries that mandate forward. AP2 Intent Mandates, Visa Trusted Agent Protocol intents, Mastercard Agent Pay tokens, OpenAI and Stripe’s Agentic Commerce Protocol instruments, and Anthropic's MCP authorization flows all reduce to the same primitive: a verified human authorizes an agent within defined scope, the agent acts, and the action carries a verifiable chain back to the human who authorized it.
We call this Know Your Agent, and it is, in our view, the most transformational level.
Levels 1 and 2 are variations of help me transact faster. Level 3 is decide for me, within these limits — a fundamentally different relationship between a human and a system, and one that requires fundamentally different evidence. A mandate is not a promise. It is a contract the agent carries with it, that any relying party can verify, that defines what the agent is allowed to do.
Level 4: Bilateral verification
Both sides of the transaction are cryptographically verified.
The human, or their agent, presents Proof ID. The business, or its agent, presents an Organization Certificate — a verified EIN, beneficial ownership confirmed, authorized signatories named, all PKI-bound. Instructions dispatched on behalf of the business are signed with the Org Cert. When a business sends a wire instruction, the receiving party can verify that the instruction actually came from an authorized officer of a real business, not from an attacker who compromised a CFO's email account.
Business email compromise costs U.S. businesses $2.7 billion a year. The entire category depends on the absence of bilateral verification — and when instructions are signed rather than emailed, the category becomes mechanically impossible.
The platform verifies the human and the organization. Together, they close the loop.
Level 5: Networked verified trust
At Level 5, identity extends beyond any single transaction to become a property of the network itself.
Any verified party — a human, an agent, a business, or a business's agent — can transact with any other verified party. A verified human's mandate, carried by a verified agent, presented to a verified business's verified agent, routed through verified intermediaries, settles in a verified payment. Every hop is independently comparable against a public trust anchor, and the whole graph survives audit.
This is the level at which the trust artifact stops being something you integrate and starts being something you presume — the way TLS is presumed today.
The agent economy needs this level to exist. Anticipatory commerce needs it. Cross-border agent-to-agent transactions need it. Regulator-readable AI actions need it. Every protocol hovering in the air right now, waiting for identity to catch up, resolves here.
What the infrastructure layer requires
Climbing this ladder is not a sprint a new entrant runs. The dependencies are infrastructure, not software, and they do not assemble in a quarter. Here is the foundation the ladder requires:
A publicly-audited certificate authority.
Credentials are only as trustworthy as the authority that issues them. If verification routes back to a single vendor's private database, you are back at Level 0 — trusting the vendor, not the artifact. A real identity layer requires a CA operated under continuous WebTrust audit, with its trust chain published, so that any relying party in the world can verify a credential without asking permission from anyone.
Hardware security modules at every signing point.
At the volume of credentials this layer issues, signing keys cannot live in software. If a single signing key is ever extracted, every credential that key ever signed becomes suspect retroactively — a catastrophic, unrecoverable failure mode. HSMs make the keys physically inextractable, and they have to be present at every signing point in the system, not just the ones a vendor demos.
A fraud network observing every presentation.
Issuance and verification are not enough. Real-world attacks happen at presentation time — coordinated impersonation attempts, replay attempts, signals visible only when you can see the full pattern across many transactions. Without a fraud network sitting alongside the identity layer, you can verify who someone claims to be without catching the moment they are not.
Identity that holds up under legal and regulatory scrutiny.
A credential that lacks a sufficient evidentiary trail is useful as a signal but won't carry as much weight with a regulator, court or counterparty. The identity layer must implement standards correctly and produce attributable, auditable records that meet the evidence bar in financial services, healthcare, and the public sector. Without that, the layer is technically interesting but commercially unusable.
A network of relying parties large enough to matter.
This is the dependency most easily forgotten and hardest to replicate. A credential nobody honors is not a credential. Identity infrastructure is only infrastructure when it is accepted. Banks, title companies, lenders, hiring platforms, government workflows, and agentic protocols should all recognize the same artifact without bespoke integration. That network exists only where it has been built, one relying party at a time, over years.
Building the infrastructure to solve trust at this scale is the work of a decade.
Proof has done that decade. Our certificate authority is audited by Schellman against the WebTrust framework. Our identity proofing is certified to NIST 800-63 IAL2 by Kantara and listed on the public Trust Status List. Our digital signatures are on the Adobe Approved Trust List. Our fraud detection model, trained on thousands of hours of video, outperforms comparable industry models by 6X.
More than 8,000 organizations across financial services, government, real estate, and healthcare rely on this infrastructure today. We’re now taking the layer forward into the standards the agent economy will run on.
Where this leaves us
Agentic commerce cannot scale until the identity layer is solved. The protocols presume Level 3 delegation in identity to support agentic delegation in commerce. They presume Level 4 bilateral verification to support anticipatory commerce. You cannot have one without the other. The labs, the networks, and the protocol authors all know this — the frameworks have simply been published without the layer that makes them work.
Every organization we work with starts by answering one question: what does your authorization record actually prove today? If you don't have a clear answer, that's the conversation worth having.
---
Want to see what Proof enables for AI agents? Join us July 8 for a live demo of an agent completing a real transaction, secured authorized with cryptographic identity.
.jpg)
.png)
.jpg)
