By Sar Haidar, Platform Engineer at MIT Open Learning

Every identity standard we work with today was built to solve a problem someone was staring at right then. OAuth, OIDC, SAML, the token flows we spend our careers refining: each one began as an urgent answer to an immediate question. That was the premise of a talk I gave at Identiverse earlier this year, and it's worth restating for anyone thinking about where identity goes next. We have never once designed the whole system on purpose. We've patched it, one urgent problem at a time, for sixty years. Understanding that pattern is the best tool we have for seeing where the next patch is headed.
The pattern, compressed
It starts in 1961, when MIT's Compatible Time Sharing System let multiple people use one computer at once for one of the first times, and immediately raised a question nobody had faced before: how does a machine know whose files are whose? Fernando Corbató's answer was the password. Within a year, a grad student named Allan Scherr printed the password file and logged in as other users to get more compute time. Often cited as the first recorded credential theft, and the industry's response set the template for everything that followed: protect the secret better, and never question whether a shared secret was the model to build on in the first place.
That pattern repeats at every scale change. Hashing and salting (Morris and Thompson, 1979) made stolen passwords harder to use, but didn't touch the underlying assumption. Kerberos (MIT's Project Athena, mid-1980s) solved authentication across a campus of networked workstations. It was brilliant inside one trust boundary, and blind to anything outside it. The 1988 Morris worm exposed what happens when a network built on personal trust between colleagues quietly becomes a city of strangers. X.500 tried to answer with one universal global directory and collapsed under its own complexity; LDAP won by being good enough to ship. Cookies solved a real, narrow problem for Netscape in 1994, since stateless HTTP couldn't recognize a returning visitor, and became the infrastructure of surveillance advertising almost by accident.
By the turn of the century the problem had a new name: fragmentation at global scale. A single centralised identity provider, an approach Microsoft tried early with Passport (1999), failed because no one would hand one company the keys to everyone's identity. SAML (2001 to 2002) worked beautifully for institutions that already trusted each other and was useless for strangers. OpenID (2005) proposed the most philosophically honest answer, your own URL as your identity, no gatekeeper, and almost nobody used it, because typing a URL to log in was too much friction. The federation question never got a clean answer; it got outsourced instead. First informally, through OAuth powered social login, where three or four companies now vouch for most of the consumer web, and then as a service, through a new generation of identity vendors. Then the smartphone, with Touch ID and Face ID, quietly erased the line between being authenticated and just being yourself.
What stuck with the room
The talk closes on the current inflection point: AI agents, and an identity stack that was never built for a world where the "user" making a call might not be a human at all, where nobody yet agrees on the ratio of non-human identities to human ones, let alone who's accountable when an autonomous call misfires.
But that's not what people brought up afterward. In the conversations that followed the session, the recurring comment was about the choice to tell sixty years of identity history as a plain, human narrative rather than a stack of acronyms and protocol names. People said they appreciated the non-technical framing, the sense that each of these standards was invented by someone solving a very immediate, very human problem, often without any idea of what it would become decades later. That feedback is worth sitting with. Our field is fluent in discussing identity as a technical problem. We get far less practice discussing it as a human one, and the agent era is about to make that second fluency just as necessary as the first.
Why this matters for OIDF's work right now
This isn't an abstract concern. It's the exact gap the OpenID Foundation's Artificial Intelligence Identity Management (AIIM) Community Group was stood up to address: the silos between the AI and identity communities, and the risk that hard won lessons about security, privacy, and interoperability get relearned the hard way inside agentic systems instead of applied from the start. The Foundation's 2025 whitepaper on agentic AI identity, and the ongoing work on On Behalf Of (OBO) token exchange, are direct responses to the same question the talk raises: when an agent acts, whose authority is it acting under, and how do we preserve accountability through multiple hops of delegation rather than falling back to raw impersonation or static API keys? Phil Windley's work on authorized trajectories, the idea that just in time credentials alone may not be enough and that we may need to reason about an agent's whole intended path of action, points at the same open question from a different angle.
The historical pattern suggests we'll solve the technical version of this problem the way we always have: well, and just in time. The harder task, the one the audience kept circling back to, is holding onto the human part alongside it: that an agent acting in your name is a statistical model predicting your next move, useful, but not you. That distinction isn't a footnote to the standards work. It's the reason the standards work matters.
About the author: Sar is a Platform Engineer at MIT Open Learning, where he builds systems that make learning accessible at scale. He's also the creator of SyntheticAuth.ai, where he writes about identity and AI with a mix of technical depth and skepticism. He's an active open-source contributor who believes the systems that govern trust should be transparent and collaborative.
This post is based on a session delivered at Identiverse 2026 (Mandalay Bay, Las Vegas, June 16) titled "How We Got Here: The Story Behind Your Identity Stack and the Assumptions We Must Leave Behind."
About the OpenID Foundation
The OpenID Foundation (OIDF) is a global open standards body committed to building trusted identity ecosystems. Our mission is to lead the global community in identity standards that are secure, interoperable, and privacy respecting. Founded in 2007, we are a community of technical experts. The Foundation's OpenID Connect standard is now used by billions of people across millions of applications. More recently, the FAPI security profile - built on OAuth 2.0 - has become the standard of choice for interoperable Open Banking and Open Data implementations, while OpenID for Verifiable Credentials specifications are underpinning a new generation of digital wallets. Today, the OpenID Foundation's standards are the connective tissue that enable people to assert their identity and access their data at scale, the scale of the internet, enabling "networks of networks" to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
