Who owns that AI agent? DNSid proposes an answer

Since we're moving to a web where both people and agents are active participants, there's a question of identity that we need to answer. And I don't mean whether agents should be treated as first-class citizens of the web (although that is an interesting philosophical question). No, there are a couple of more practical issues we should address about any agent that interacts with your site or app:

1. Who owns this agent?
2. Who is accountable for what it does?

A new project called DNSid aims to provide answers to those questions by building an "accountability anchor for AI agents." DNSid comes from Innovation Labs, a division of the domain name services company Identity Digital — which, according to Wikipedia, runs or has a controlling interest in 271 top-level domains (including .news, the TLD I use for this site).

I spoke with Allie Kline, who is interim CEO of Innovation Labs, about why agents need a DNS-based identity.

"One of the things that DNS has always done is to say, who is the ultimate accountable party for any content or any web environment or internet experience that's out there," Kline told me. "And so we set out to say, is there a way for us to make verifiable accountability the default in an AI or an agentic world?"

Strictly speaking, DNS does not by itself establish accountability. But it does provide the naming and delegation layer that underlies internet accountability systems.

A birth certificate for agents

What Kline's team came up with was the concept of a "birth certificate" for agents, which is what DNSid provides.

Using birth certificates as the lead metaphor rather implies that agents will become first-class users of the web, since this is obviously a human construct. This appears to be what Innovation Labs thinks will happen.

"The more they [agents] multiply, the more important it is for all of us to expect that just as we require birth certificates to get all sorts of other things that unlock our independence and freedom as humans, that this is a very important and necessary component to apply to every first class actor," Kline said.

To be clear, Innovation Labs isn't saying agents will have any legal standing. The goal is simply to provide a durable record of origin and ownership.

Here's how DNSid is explained on the website: "DNS gives you the owner. PKI gives you the proof in the moment. The Immutable Ledger gives you the receipt that survives an audit."

Briefly, PKI stands for "Public Key Infrastructure" and it's a cryptographic identity binding mechanism. In the context of DNSid, Kline described it as "the certificate of ownership."

The "Immutable Ledger" does not have to be a blockchain. Kline said Innovation Labs initially leaned toward blockchain, but now frames this more generally as an append-only audit trail that could be implemented using blockchain, a Certificate Transparency-style log, a Merkle tree or another verifiable data structure.

The agent identity ecosystem

As part of its push to become widely adopted, Innovation Labs has submitted DNSid to the Internet Engineering Task Force (IETF) as an Internet Draft. As with all Internet-Drafts, this is work in progress rather than an approved IETF standard. The document includes the following layered model of the "agent identity ecosystem":

This diagram shows that DNSid is several layers below authentication and governance, which is where middleware companies like Arcade focus on.

Kline positioned DNSid as complementary to existing enterprise identity systems, which she said often have "federated trust agreements" in place.

"If you have an Okta identity interacting with an Azure identity or a GCP identity, many of those have existing trust agreements that are in place, but those trust agreements don't scale at the agentic level yet," she said.

The idea with DNSid is to offer a layer below those systems, as close as possible to the DNS layer of the internet.

"We’re really thinking about an autonomous world where agents are interacting with other agents, where there are not kind of pre-federated or pre-existing trust agreements between organizations," said Kline.

One important nuance: if a platform hosts agents on behalf of users, DNSid appears to make the platform-level registrant the accountable entity, while user-level attribution remains inside that platform’s own audit systems.

The long road to adoption

There's no shortage of proposed web standards going through the IETF (as of writing, there are 4,357 pages of Internet-Drafts submitted during the last 7 days!), so how does Innovation Labs hope its DNSid proposal will get adopted?

Kline explained there are three adoption buckets they're targeting. The first is "hyperscaler cloud identity, enterprise technology systems" (by which she means the large tech companies), the second is "large regulated enterprises" in sectors like healthcare and finance, and the third is standards, regulatory and public-sector engagement, ranging from industry bodies such as the Linux Foundation to NIST and government agencies.

DNSid may never become a widely adopted internet standard — there are other DNS-based approaches to identity emerging too, including GoDaddy’s Agent Name Service and Infoblox’s DNS-AID. But regardless, agent identity and accountability will be key issues as we move further into the agentic web.

Feature image via an Innovation Labs video