I build small servers that let an AI call a tool. The model decides what it wants; the tool hands back the exact value, or it declines. Living in that loop for a year taught me to notice a question nobody answers cleanly yet: who is asking, and are they cleared to?
Here’s how concrete the gap is. A recent survey looked at roughly two thousand of those servers running in the wild. Every one lacked authentication. Not most; all of them. The agents are already here, already calling tools, already acting for people and companies, and the layer that says which agent, run by whom, permitted to do what doesn’t exist where the work actually happens.
That’s one corner of a much larger hole.
Step back and it’s the same at every scale. It’s 2026, and the defining question about digital media is no longer whether the model can fake it; that war is lost. It’s whether the viewer can verify it. The answer the industry converged on is provenance: C2PA Content Credentials, now an ISO standard, sign a file the moment it’s made; SynthID and its kin hide a watermark that can survive a screenshot. Good work. Necessary work.
And still not enough, for a reason that’s easy to walk past. A missing credential proves nothing. The signature strips on a re-encode; the watermark marks only what its issuer chose to mark. Absence of a label is not evidence of authenticity, and it never will be. Provenance tells you something when a thing is signed. It can’t, by itself, tell you what to trust when it isn’t.
So I went looking for who’s building the harder half, and I found the shape of the problem written into the work itself.
The IETF has at least ten active drafts on agent identity right now, written in isolation at NVIDIA, Okta, OpenAI, AWS, and a dozen other desks, with no working group holding them together. Read side by side, they describe a single stack: identity provenance, then verification, then authorization, then structural enforcement, then cross-organizational trust. Five layers, L1 through L5.
The agent-trust stack, as the active drafts describe it
One deployment can resolve thisEvery one of those drafts stops in the same place. L3.
The reason is the most honest thing in the field. L1 through L3 are problems one organization can solve, because the data lives inside one deployment; you can specify identity, verification, and authorization when you own the ground they stand on. L4 and L5 are a different animal. Cross-organizational trust has no single party to operate it, so no draft can specify it. Not won’t; can’t. The authors stop at L3 because past L3 there is nobody to be the answer.
I’ve spent a year building on one principle: resolve or refuse, never guess. A tool returns the value it can prove or it declines; the one move it must never make is faking a confidence it hasn’t earned. Reading those drafts, I saw the best people in agent identity already living by it. They specify what a deployment can resolve, and they refuse, in plain language, to specify what it can’t. The empty space at L4 and L5 isn’t negligence; it’s integrity. It’s a whole field declining to guess.
A refusal that clean is also an invitation. Somebody has to become the party that operates the cross-organizational layer, or it stays empty for good.
That’s what AIII is for.Not a regulator. Not a treaty waiting on governments to agree in a decade. Look at the most serious attempt going: the EU AI Act runs a public database where high-risk systems register before they ship, and its Commission just issued a code of practice for labelling AI-generated content. Real work, and still not the thing. Regulation registers a system inside one border and labels what it puts out; it can’t vouch for one company’s agent to another’s across the line, and the high-risk clock already slipped to 2027 while the agents kept shipping. A registry is a list. Trust is an operation, and somebody has to operate it.
The internet didn’t standardize itself from the top down; it grew through rough consensus and running code, RFCs that earned their authority by being implemented and interoperating. AIII takes that model on purpose, because AI moves at the internet’s pace, not aviation’s.
So AIII is two things at once. The first: the coordinating layer the ten orphaned drafts are missing, so the field stops rebuilding the same primitives blind to each other. The second: the operator of record for the layer none of them can claim alone, an open, neutral, shared system whose whole job is to answer, across boundaries, is this AI, who controls it, and what is it cleared to do; honestly, or with an explicit unknown.
A proposal is a position paper until something runs. So the first artifact isn’t a manifesto; it’s code, at the layer I already stand in.
The timing is right: MCP was contributed to the Agentic AI Foundation, a vendor-neutral directed fund under the Linux Foundation, co-founded by Anthropic, Block, and OpenAI; that makes it the natural proving ground. Two thousand servers, zero authentication, one open question with my name already on it. The first deliverable is a small, deterministic identity-and-authorization layer for MCP servers that answers who controls this agent and what it may do, built the way I build everything: it resolves what it can prove, and refuses the rest out loud. Running code that demonstrates L1 through L3 cleanly, and shows exactly where L4 has to begin.
And the door is already open. AAIF takes new projects through a public proposal process, so this isn’t a pitch into the void; it’s a build with an address. The goal is plain: get the layer to working level, then submit it as a project where MCP already lives.
Prove the layer where I stand. Map the layer no one can stand on alone. That’s the order, and that’s the work.
The field has quietly agreed on something most of the world hasn’t caught up to: the dangerous answer was never the wrong one, it was the confident one. A false yes travels further than an honest blank, and cleans up worse.
So the standard AIII holds itself to is the one its best engineers already keep, only written down and made shared: resolve what you can prove, name what you can’t, and when the honest answer is no — say no.