The Pre-IAM Moment
Cloudflare just shipped compute, storage, and inference for agents. No identity layer. We've seen this before.
In the past 48 hours, Cloudflare shipped two major infrastructure pieces for autonomous agents.
Artifacts: a Git-like versioning and sharing layer for AI artifacts, with automatic session persistence across agent runs. It landed at 186 points on Hacker News. AI Gateway's AI Platform: unified inference routing across providers, with automatic failover, cost optimization, and caching. 268 points.
Both are serious infrastructure. Both solve real problems. And both shipped with zero identity or behavioral trust layer.
That's not a bug in Cloudflare's roadmap. It's a pattern we've seen before. And it tells us exactly where we are.
2008, Repeated
AWS launched EC2 in 2006. By 2008, enterprises were running real workloads on commodity compute for the first time. The infrastructure was capable. The security model was not. You had root access, a running instance, and a prayer.
IAM launched in 2010. Two years after compute became serious. Not before, because you can't build access control until you know what you're controlling access to.
The agent infrastructure stack is reaching the same inflection point. Compute? Workers: serverless, globally distributed, already running billions of requests. Storage? Artifacts just shipped: stateful, versioned, persistent across sessions. Inference? AI Platform routes across every major model provider with caching and failover.
The substrate is nearly complete. The identity layer does not exist.
What's Missing
When Cloudflare shipped Artifacts, the top Hacker News comment asked a specific question: how does automatic session persistence work with no user consent mechanism? The artifact persists. The session continues. But who authorized the continuation? What scope was granted? What constraints apply to the resumed session versus the original?
The answer, today, is: nothing. The agent runs. The artifact persists. The session resumes. Trust is assumed, not established.
This is not a Cloudflare failure. It's the nature of pre-IAM infrastructure. Compute was powerful before it was governable. The same is happening with agent substrate.
Anthropic noticed the gap from a different angle. Opus 4.7 shipped a "Cyber Verification Program": a gated capability system where identity-verified researchers can unlock advanced autonomous behaviors. The mechanism: manual application, manual review, manual approval. Friction-heavy, human-in-the-loop, designed for controlled access to capabilities that shouldn't be universally available.
It's a preview of what agent identity infrastructure needs to do (gated capabilities, scoped behavioral permissions, identity-linked trust) executed manually because the automated layer doesn't exist yet.
IAM for agents is the automated version of this.
The Stack Is Forming
The analogy is more precise than it looks.
| AWS (2006–2010) | Agentic (2024–2026) |
|---|---|
| EC2 (compute) | Workers (compute) |
| S3 (storage) | Artifacts (agent storage) |
| RDS (data) | D1, Durable Objects |
| ELB (routing) | AI Platform (inference routing) |
| IAM (identity) | ??? |
AWS built compute, storage, database, and networking before addressing identity. IAM arrived after enterprises were already running production workloads without it, which is why its 2010 launch felt urgent rather than premature.
We are at the urgency moment for agent IAM. Enterprises are running autonomous agents in production. Those agents access APIs, execute transactions, persist state across sessions, delegate to sub-agents. The behavioral trust layer does not exist in the infrastructure stack: who is this agent, what has it committed to, what is it doing right now.
What Agent IAM Looks Like
The static model (verify identity at login, assume trustworthiness afterward) doesn't work for autonomous agents. Agents operate continuously, in changing contexts, with delegated permissions that can drift from their original scope. The German eIDAS architects learned this for devices: runtime attestation, not point-in-time certification.
Agent IAM needs the same shift. Not "did this agent authenticate?" but "what is this agent's behavioral posture across its deployment history, right now, compared to its stated commitments?" Cross-org, continuous, behavioral.
Cloudflare's Artifacts knows the agent ran. It doesn't know whether the agent behaved.
That's the gap. Pre-IAM, the compute ran. Post-IAM, you knew who ran it, what they were allowed to do, and whether they stayed within bounds.
We're building that layer.
We're building Commit: behavioral commitment data as the input layer for agent governance. AgentLair provides cross-org agent identity and behavioral trust infrastructure. Earlier essays: Germany Didn't Trust a Certificate. Neither Should You., The TOCTOU of Trust, The Missing Layer. If you're thinking about what agent IAM actually needs to look like, reach out.