The Agentic Web Has a Trust Crisis
As AI agents proliferate, we're building a web of autonomous actors with no accountability framework. The consequences are already showing.
We are living through a quiet revolution. In the space of eighteen months, AI agents have gone from research demos to production infrastructure. They book meetings, deploy code, process invoices, manage customer support, and orchestrate multi-step workflows across dozens of APIs.
And yet: we have built no trust infrastructure for this new world.
The human web has SSL certificates, OAuth flows, browser security models, cookie policies, CSP headers, and twenty years of battle-tested patterns for establishing trust between parties. The agentic web has... environment variables.
The three trust gaps
The current state of agent security has three fundamental gaps, each more dangerous than the last.
Gap 1: Identity
Who is this agent? Most agents have no verifiable identity. They present a bearer token — the digital equivalent of "trust me, bro" — and the API has no way to know if it's the agent it claims to be, a compromised instance, or an attacker replaying stolen credentials.
Gap 2: Consent
Did the user agree to this? When an agent accesses an API on behalf of a user, there's typically no consent flow. The developer configured the credentials at build time. The user may not even know which APIs the agent can access, let alone approve specific actions.
Gap 3: Accountability
What did this agent do? When something goes wrong — and it will — there's no audit trail. No record of which agent made which API call, on whose behalf, at what time. When a Stripe charge appears that nobody authorized, good luck tracing it back to the agent that made it.
The OpenClaw effect
The recent OpenClaw vulnerability was a canary in the coal mine. Thousands of deployed agents were running with raw API credentials in their context windows — credentials that could be extracted by any sufficiently clever prompt injection.
But OpenClaw isn't the outlier. It's the norm. Look at any popular agent framework today: LangChain, CrewAI, AutoGPT, BabyAGI. They all follow the same pattern: credentials go into the agent's environment, and the agent uses them freely. There's no delegation model, no consent layer, no audit trail.
We've been lucky so far. But as agents gain more capabilities — executing code, managing finances, controlling physical devices — the consequences of this trust gap will become catastrophic.
What a trust layer looks like
The agentic web needs what the human web built over decades: a trust layer. Not a single product, but a set of primitives that establish identity, consent, and accountability for AI agents.
Verifiable identity
Agents need cryptographic identity — not bearer tokens. SSH keypairs, mutual TLS, or similar primitives that prove identity through challenge-response, not possession.
Explicit consent
Users must be in the loop. When an agent needs API access, the user should see what's being requested, approve or deny it, and retain the ability to revoke it at any time.
Complete auditability
Every API call made by an agent on behalf of a user must be logged, attributed, and reviewable. When something goes wrong, there must be a trail to follow.
Credential proxying as a foundation
One of the most promising approaches to the trust gap is credential proxying: routing agent API calls through a trusted intermediary that handles authentication server-side. The agent never sees credentials. The proxy enforces permissions. Every call is logged.
This isn't a new idea. Enterprise API gateways have worked this way for years. But the agentic web needs a developer-friendly version: something you can integrate with a single CLI command, not a six-month enterprise deployment.
The pattern looks like this:
- 1.Agent registers its identity (SSH keypair, not password)
- 2.Agent requests permission for specific API scopes
- 3.User reviews and approves the request
- 4.Agent routes API calls through the proxy
- 5.Proxy injects credentials, forwards request, logs everything
- 6.User can review activity and revoke access at any time
This is what we're building at Keychains.dev. Not because credential proxying is the only answer — but because the agentic web needs to start somewhere. And starting with "credentials should never touch the agent" is a pretty good foundation.
The clock is ticking
Every day, more agents are deployed with raw credentials in their environment. Every day, the attack surface grows. Every day, we get closer to the first major agentic security breach — one that will make OpenClaw look like a rounding error.
The trust infrastructure for the agentic web won't build itself. And we can't afford to wait for a catastrophe to start building it.
The agentic web is inevitable. A secure agentic web is not. That part is up to us.