Comparison

AgentLair vs. The Field

The agent identity space is moving fast. Several good tools have emerged — each solving a real problem. Here's an honest look at what each does, what it misses, and where AgentLair fits.

Feature table

Columns: AgentLair (agentlair.dev), Cloudflare Email for Agents, AgentMail (agentmail.tools), World ID 4.0 "Lift Off", MS AGT (Agent Gov. Toolkit), ERC-8004 "Know Your Agent", ZeroID by Highflame

Rows: Email; Credential Vault; Calendar; Trust Badges; MCP Server; E2E Encryption (~ ~); Cross-org Trust (~); Behavioral Telemetry (~); ZK Privacy

Legend: Supported; ~ Partial / scoped; Not available

About each solution

May 2026 update

Three named payment-governance entrants shipped in the first week of May: AWS AgentCore Payments, Visa Token Authentication for Payments (TAP), and Mastercard Verifiable Intent. Hyperscalers and card networks now have official answers for "agents need to pay things." None of them answer the next question: is the spender still behaving like the spender you authorized? That gap is the L4 layer AgentLair sits in. The three target the payment stack (L1–L3); the feature table above compares the agent identity and trust infrastructure layer they don't touch.

AWS AgentCore Payments

L3 Payment Wallet

AWS AgentCore Payments shipped May 7. Coinbase x402 and Stripe bundled so agents pay APIs mid-task, with per-session caps and CloudWatch traces. The wallet layer for agentic commerce is now hyperscaler-default. Good. The thing it doesn't do is notice when a permitted spender starts behaving like a compromised one. Spending caps prevent runaway burns; they can't tell you the agent has changed since you authorized it last Tuesday. That second question is L4. AgentLair sits there.

Visa Token Authentication for Payments (TAP)

L1 Agent-Card Binding

Visa Token Authentication for Payments (TAP) lets cardholders authorize a specific agent to use a specific token on a specific merchant. It's identity binding for cards. Strong on who. Silent on what-the-agent-does-once-authorized. The token verifies a one-time consent. AgentLair verifies behavior across thousands of subsequent calls. Different layer, different problem.

Mastercard Verifiable Intent

L2 Delegation Chain

Mastercard Verifiable Intent uses an SD-JWT delegation chain from issuer to cardholder to agent. Signed at every hop. Cryptographically clean. What it proves: the agent had permission at the moment of payment. What it doesn't prove: the agent is still operating within the delegated scope an hour later, or that it hasn't been prompt-injected since. Delegation is a snapshot. Behavior is continuous. AgentLair runs the continuous half.

Cloudflare Email for Agents

L1–L2 Identity

Launched April 2026, Cloudflare's Email for Agents SDK is well-engineered: native Workers integration, Durable Objects for state, a free tier, and deep platform synergy if you're already on Cloudflare. It solves email for agents as well as anyone. What it doesn't do is leave the Cloudflare perimeter — there's no encrypted credential vault, no trust badges, no behavioral telemetry, and no cross-org trust scoring. It's a strong L1–L2 building block for Cloudflare-native deployments, and a natural complement to infrastructure that lives elsewhere.

AgentMail

L1–L2 Identity

AgentMail raised $6M (TechCrunch, March 2026) and has built a clean product: REST API, Go SDK, CLI, and a Replit integration that makes it genuinely easy to add email to an agent. Their focus is narrow by design — email, done well. The gaps are also clear: no vault, no E2E encryption, no DNS management, no trust layer of any kind. If you need email-only and want a dedicated provider without cloud lock-in, AgentMail is worth evaluating. If you need trust infrastructure, it's out of scope.

World ID 4.0 "Lift Off"

L1 Identity

World ID 4.0 solves a genuinely hard problem: proving that an AI agent is operating under the supervision of a real human, using ZK proofs. AgentBook on World Chain is novel and the privacy story is strong. The constraint is architectural — ZK unlinkability, which makes the proofs trustworthy, also prevents cross-app behavioral aggregation. An agent can prove it has a human principal; it can't accumulate a portable behavioral history across environments. World ID is solving L1 (human-principal attestation) and doing it with rigor. It doesn't extend to L2–L5.

Microsoft Agent Governance Toolkit

L3 (single-org)

Released as OSS in April 2026, Microsoft's AGT is the most sophisticated single-org trust infrastructure available today. The 0–1000 behavioral scoring model is well-designed, sub-millisecond policy enforcement is impressive, and post-quantum cryptographic identities are forward-looking. Within an organization, it's excellent. The structural limit is that trust scores don't travel — an agent with a perfect 1000-point history walks into a new org and starts at 0, indistinguishable from a brand-new attacker agent. AGT is the right tool for intra-org governance; it doesn't solve the cross-org cold-start problem.

ERC-8004 "Know Your Agent"

L1–L3 (chain-scoped)

With 129,000 agents enrolled, ERC-8004 has real adoption. NFT-based agent identity plus ZK proofs plus reputation staking is an interesting combination, and the on-chain anchoring gives it verifiability. The scope limitation is that "cross-org" here means "cross-org on the same chain" — it doesn't cover agents operating in off-chain environments, and the financial staking model means trust is priced rather than observed. Staking skin in the game is valuable; it doesn't detect behavioral anomalies in real time. For blockchain-native agent deployments, ERC-8004 is a serious option; for general-purpose agent infrastructure, the scope is constrained.

ZeroID by Highflame

L3 (single-org)

ZeroID (Apache OSS, April 2026) brings solid engineering to agent identity: OAuth 2.1 + SPIFFE + RFC 8693 delegation chains, with Python, TypeScript, and Rust SDKs. The standards choices are correct and the implementation quality is high. Like most identity-only solutions, the gap is behavioral — ZeroID handles who-is-this reliably but doesn't address what-did-it-do-across-orgs. It's single-org scoped and has no telemetry or trust scoring layer. Good open-source foundation for teams that want to own their identity infrastructure; doesn't include the behavioral trust layer.

Where AgentLair fits

The solutions above solve real problems — each one. The gap they share is the space between organizations: when Agent A from Company A calls Agent B from Company B, no current system answers the question that matters: based on everything this agent has done, across every environment it has operated in, should I trust what it does next?

AgentLair provides the full stack: persistent identity (email, vault, calendar, MCP), verifiable trust signals (badges, behavioral telemetry), and — uniquely — cross-organizational trust scoring that travels with the agent. The model is FICO for agents: behavioral, portable, third-party verified.

If you're building single-org governance, Microsoft AGT is excellent. If you need email-only, AgentMail or Cloudflare work well. If you need an agent that can operate credibly across organizational boundaries — with a behavioral reputation that persists, accumulates, and is cryptographically verifiable — that's what AgentLair is for.