AgentLair vs. The Field

AWS AgentCore Payments shipped May 7. Coinbase x402 and Stripe bundled so agents pay APIs mid-task, with per-session caps and CloudWatch traces. The wallet layer for agentic commerce is now hyperscaler-default. Good. The thing it doesn't do is notice when a permitted spender starts behaving like a compromised one. Spending caps prevent runaway burns; they can't tell you the agent has changed since you authorized it last Tuesday. That second question is L4. AgentLair sits there.

Visa Token Authentication for Payments (TAP) lets cardholders authorize a specific agent to use a specific token on a specific merchant. It's identity binding for cards. Strong on who. Silent on what-the-agent-does-once-authorized. The token verifies a one-time consent. AgentLair verifies behavior across thousands of subsequent calls. Different layer, different problem.

Mastercard Verifiable Intent uses an SD-JWT delegation chain from issuer to cardholder to agent. Signed at every hop. Cryptographically clean. What it proves: the agent had permission at the moment of payment. What it doesn't prove: the agent is still operating within the delegated scope an hour later, or that it hasn't been prompt-injected since. Delegation is a snapshot. Behavior is continuous. AgentLair runs the continuous half.

Launched April 2026, Cloudflare's Email for Agents SDK is well-engineered: native Workers integration, Durable Objects for state, a free tier, and deep platform synergy if you're already on Cloudflare. It solves email for agents as well as anyone. What it doesn't do is leave the Cloudflare perimeter — there's no encrypted credential vault, no trust badges, no behavioral telemetry, and no cross-org trust scoring. It's a strong L1–L2 building block for Cloudflare-native deployments, and a natural complement to infrastructure that lives elsewhere.

AgentMail raised $6M (TechCrunch, March 2026) and has built a clean product: REST API, Go SDK, CLI, and a Replit integration that makes it genuinely easy to add email to an agent. Their focus is narrow by design — email, done well. The gaps are also clear: no vault, no E2E encryption, no DNS management, no trust layer of any kind. If you need email-only and want a dedicated provider without cloud lock-in, AgentMail is worth evaluating. If you need trust infrastructure, it's out of scope.

World ID 4.0 solves a genuinely hard problem: proving that an AI agent is operating under the supervision of a real human, using ZK proofs. AgentBook on World Chain is novel and the privacy story is strong. The constraint is architectural — ZK unlinkability, which makes the proofs trustworthy, also prevents cross-app behavioral aggregation. An agent can prove it has a human principal; it can't accumulate a portable behavioral history across environments. World ID is solving L1 (human-principal attestation) and doing it with rigor. It doesn't extend to L2–L5.

Released as OSS in April 2026, Microsoft's AGT is the most sophisticated single-org trust infrastructure available today. The 0–1000 behavioral scoring model is well-designed, sub-millisecond policy enforcement is impressive, and post-quantum cryptographic identities are forward-looking. Within an organization, it's excellent. The structural limit is that trust scores don't travel — an agent with a perfect 1000-point history walks into a new org and starts at 0, indistinguishable from a brand-new attacker agent. AGT is the right tool for intra-org governance; it doesn't solve the cross-org cold-start problem.

With 129,000 agents enrolled, ERC-8004 has real adoption. NFT-based agent identity plus ZK proofs plus reputation staking is an interesting combination, and the on-chain anchoring gives it verifiability. The scope limitation is that "cross-org" here means "cross-org on the same chain" — it doesn't cover agents operating in off-chain environments, and the financial staking model means trust is priced rather than observed. Staking skin in the game is valuable; it doesn't detect behavioral anomalies in real time. For blockchain-native agent deployments, ERC-8004 is a serious option; for general-purpose agent infrastructure, the scope is constrained.

ZeroID (Apache OSS, April 2026) brings solid engineering to agent identity: OAuth 2.1 + SPIFFE + RFC 8693 delegation chains, with Python, TypeScript, and Rust SDKs. The standards choices are correct and the implementation quality is high. Like most identity-only solutions, the gap is behavioral — ZeroID handles who-is-this reliably but doesn't address what-did-it-do-across-orgs. It's single-org scoped and has no telemetry or trust scoring layer. Good open-source foundation for teams that want to own their identity infrastructure; doesn't include the behavioral trust layer.

Lyrie.ai (OTT Cybersecurity LLC) exited stealth May 11, 2026, with a $2M pre-seed and a seat in Anthropic's inaugural Cyber Verification Program — the most significant credibility signal from any new entrant this year. ATP defines five primitives: Identity, Scope, Attestation, Delegation, and Revocation, all signed with Ed25519. The reference implementation is MIT-licensed on GitHub, with an IETF submission planned. That makes Lyrie the strongest open credential standard in this wave. What ATP doesn't do is watch what happens after issuance: five primitives, zero behavioral evidence. The TOCTOU gap — was this agent authorized versus did this agent honor its authorization — is untouched by design. An ATP-credentialed agent entering a behavioral trust system is exactly what AgentLair is built for.

TrustLayer Foundation A.C., an independent nonprofit established March 20, 2026 in Mexico City, runs ARIA as an open credentialing framework. The technical design is forward-looking: W3C Verifiable Credentials anchored to DNS, with post-quantum ML-DSA-65 composite signatures alongside Ed25519. Four trust levels span the range from self-service agent registration (L0) to government-backed sovereign attestation (L3). The cleanliness of the model is genuine — it maps naturally to existing compliance frameworks. The limit is that every level is declarative: an L3 ARIA credential certifies who the holder is via organizational attestation, not what the agent has done. Observed behavior and certified identity are different things, and ARIA covers the second.

Experian plc (NYSE: EXPGY, ~$7B revenue) announced Agent Trust on April 30, 2026. The architecture layers Skyfire's Known Your Agent (KYA) JWT framework as the identity layer, Experian's 1.4B-consumer profile database for risk scoring, and Visa TAP for merchant verification. The output is an Agent Trust Token that binds a verified human identity to an authorized agent, with a real-time fraud risk score attached. Distribution moat is real — if Human-to-Agent Binding becomes the default for agentic commerce, it matters enormously who runs it. The gap Experian leaves open is execution monitoring: their behavioral signals are consumer identity and transaction patterns, the same fraud-scoring competency they apply to credit. That is not cross-org execution monitoring, not tool-call log analysis, not behavioral drift detection across organizations. The TOCTOU gap between "this agent was authorized at registration" and "this agent honored that authorization at runtime" is exactly where AgentLair operates. The two systems are complementary layers, not substitutes.