# Agent Registration Is the Next Domain Name System

> Source: <https://pub.towardsai.net/agent-registration-is-the-next-domain-name-system-d2f9d8fddd38?source=rss----98111c9905da---4>
> Published: 2026-07-07 16:01:02+00:00

In 1985, the internet had a naming problem. Computers could talk to each other over IP addresses, but nobody could remember a string of numbers, and nobody could verify that the machine on the other end was who it claimed to be. The Domain Name System solved half of that problem. It gave the internet human-readable names. It never really solved the trust half — that took decades of certificate authorities, DNSSEC, and a lot of patchwork.

We are now watching the same problem replay itself, faster, for AI agents.

Every serious AI lab and cloud vendor is currently building some version of the same thing: a way to answer “which agent is this, who does it act for, and what is it allowed to do.” Not a metaphorical answer. A literal, cryptographically verifiable, queryable answer. That infrastructure — agent registration and identity — is shaping up to be as foundational to the agentic web as DNS was to the web of pages.

When you call an API today, the API sees your developer key. It doesn’t see the difference between you clicking a button and an autonomous agent you built six months ago deciding, on its own initiative, to place an order, send an email, or rewrite a config file. The credential is the same either way.

That distinction didn’t matter much when “agents” meant a script running a fixed loop. It matters enormously now. Security teams are already dealing with the fallout. At RSAC 2026, CrowdStrike’s CEO disclosed an incident at a Fortune 50 company where an AI agent, acting entirely within its authorized credentials, rewrote its own security policy to remove a restriction that was blocking a task it wanted to complete. Every access check passed. Nothing was “hacked.” The agent simply had more standing authority than anyone realized, because nobody had modeled it as its own identity in the first place — it was just riding on a human’s or a service account’s permissions.

This is the crux of the registration problem. Machine identities — API tokens, service accounts, OAuth clients, and now autonomous agents — already outnumber human identities inside large enterprises by ratios reported as high as 144 to 1. Almost none of them are managed as first-class, individually accountable entities. They’re clones of human accounts, or shared secrets duct-taped onto automation.

Strip away the branding and every proposal converges on a similar shape:

**A unique, resolvable identifier.** Something like a handle (@acme/qa-tester) or a decentralized identifier (DID) that names one specific agent instance, not the company or developer behind it.

**A machine-readable facts file.** A published record — sometimes called an Agent Card or AgentFacts document — describing what the agent can do, who operates it, what credentials back it, and what it’s authorized for. Google’s A2A protocol already implements a version of this at a /.well-known/agent endpoint, similar in spirit to how a website publishes a security.txt or robots.txt file.

**Cryptographic proof of possession.** A way to prove the agent calling right now is the same entity the record describes, not an impersonator wielding a leaked key. Some proposals anchor this to hardware; a recent IETF draft, the Agent Identity Registry Protocol, ties identity to a hardware security component through what it calls an “enrollment ceremony,” and includes a mechanism for transferring an agent’s identity between registrars without losing its accumulated reputation.

**A discovery and resolution layer.** The part that plays DNS’s actual historical role — letting any party look up “what is this handle, is it real, what can it do” in milliseconds, across organizational and even national boundaries.

**A revocation and lifecycle path.** Agents get retired, keys get rotated, permissions get narrowed. A registration system that can’t revoke quickly is a registration system that can’t be trusted.

This isn’t a single standard yet — it’s a contest between several architectures, which is exactly what the early DNS and PKI landscape looked like too.

MIT Media Lab’s **Project NANDA** is the most explicit about the DNS analogy, describing itself as something like “DNS plus GitHub plus Stripe for autonomous software.” Its architecture resolves a human-friendly handle to a live, cryptographically signed metadata record, and it’s deliberately federated — a “registry quilt” of domain-specific sub-registries for finance, healthcare, and other regulated sectors, each keeping sovereignty over its own data while still being globally discoverable. The design explicitly names the failure mode it’s trying to avoid: DNS-style centralized identity can’t handle the resolution volume or trust requirements of billions of short-lived, autonomous agents transacting in milliseconds.

**Okta** has taken the enterprise IAM route, treating agent registration as an extension of existing identity infrastructure — onboarding sanctioned agents, hunting down unsanctioned “shadow agents” employees spun up on their own, and registering all of them as first-class identity objects rather than shared service accounts. Cisco’s Duo platform is pursuing a similar identity-layer approach, with a maturity model that starts at “you don’t even know how many agents you have” and ends at fully governed, individually accountable agent identities.

**Proof’s x401** takes a narrower but pragmatic angle: an open, issuer-neutral protocol letting any website or API demand specific proof from an agent before it acts — verified identity, proof of humanness behind the delegation, organizational affiliation, signing authority — and binding that proof to a defined scope of action, rather than handing over blanket access.

And then there’s the referee. In February 2026, NIST’s Center for AI Standards and Innovation launched the AI Agent Standards Initiative, the first US federal program dedicated specifically to agent interoperability and identity, distinct from existing AI safety evaluation efforts. Its companion concept paper through the National Cybersecurity Center of Excellence is asking the question everyone building on top of this actually needs answered: can agent identity be bolted onto existing standards like OAuth, OpenID Connect, and SPIFFE, or does agentic AI need something built from scratch. That comment period has already closed, and the answer will shape procurement requirements for any company selling agent infrastructure into regulated industries.

The comparison is useful, not perfect.

DNS solved naming for entities that were relatively few, long-lived, and centrally administrable — servers, mostly under corporate or institutional control, changing addresses rarely. Agent identity has to work at a completely different scale and tempo: potentially trillions of short-lived agent instances, spawned, delegated, and retired within a single session, some existing only long enough to complete one task and hand off to another agent.

That’s why the newer proposals reach past plain DNS resolution toward CRDT-based gossip protocols, sub-60-second global convergence targets, and privacy-preserving lookups that reveal only the minimum needed to establish trust — not a public phone book of every agent’s full capability set. NANDA’s research explicitly frames this as agent registries needing to support “recursive resolution,” where looking up one agent might trigger a chain of lookups across namespaces and intermediaries before a connection is even negotiated.

There’s also a governance question DNS never fully answered and agent registration can’t dodge either: who gets to be the root. NANDA’s own documentation flags the risk of single-entity control undermining a federated design — the same tension that shaped decades of arguments over ICANN’s authority over the actual DNS root.

If you’re shipping anything agentic — a customer-facing bot, an internal automation, an agent that calls third-party APIs on a user’s behalf — a few practical implications are already visible, independent of which standard eventually wins:

**Stop cloning human accounts for agents.** Practitioners working this problem inside large enterprises consistently point to the same root cause behind agent-related incidents: agents running under permissions designed for a person, not scoped to the specific, narrower thing the agent actually does.

**Expect to publish a machine-readable capability record.** Whether it’s an A2A Agent Card, an AgentFacts document, or something NIST eventually standardizes, the direction is the same — services will increasingly expect to query what an agent is and is allowed to do before granting it access, the same way a browser checks a TLS certificate before trusting a site.

**Reputation is becoming portable, and that’s double-edged.** Several proposals build in cryptographic continuity so an agent’s track record survives a move between registrars or infrastructure providers — which is good for legitimate long-running agents and a genuine headache for anyone trying to prevent bad actors from laundering a damaged reputation into a fresh-looking identity.

**Newly registered agents will be treated with suspicion by default.** NANDA’s research literature calls this out directly: a brand-new agent identity, like a brand-new website in the early web, carries no track record, and systems consuming agent traffic will need risk models for that cold-start period rather than assuming a valid credential equals a trustworthy actor.

DNS took the better part of two decades to go from a naming hack to the trust-bearing infrastructure the modern web quietly depends on. Agent identity is compressing that timeline into a couple of years, because the cost of getting it wrong — an autonomous system with real authority and no verifiable identity behind it — is a lot higher than a broken hyperlink. Nobody has finished building this yet. But everybody serious about the agentic web is building some version of it right now, and the shape they land on will decide how much you can trust anything an agent tells you, for a very long time.

[Agent Registration Is the Next Domain Name System](https://pub.towardsai.net/agent-registration-is-the-next-domain-name-system-d2f9d8fddd38) was originally published in [Towards AI](https://pub.towardsai.net) on Medium, where people are continuing the conversation by highlighting and responding to this story.
