ICYMI 2025: What You All Read the Most This Year


“I enjoy looking back at the posts that caught people’s attention over the past year; I never really know what will catch people’s attention!”

My blog isn’t exactly mainstream clickbait; you and I are part of a niche crowd who get excited about things like key lifecycles, European regulatory patterns, and whether AI agents need their own delegation models (they need one, but I don’t know that it needs to be specifically for AI). But that’s the fun of it.

So, that said, let’s take a walk down blog-memory lane to see what people found most interesting based on simple numbers (which, since I am not a statistician nor can I play one on TV, means that more recent posts didn’t make the list unless they were REALLY compelling).


You can Subscribe and Listen to the Podcast on Apple Podcasts, or wherever you listen to Podcasts.

And be sure to leave me a Rating and Review!

#10 — Kill the Wallet? Rethinking the Metaphors Behind Digital Identity

Metaphors shape how people understand technology (and their world). Sometimes the metaphor shapes things in a not-quite-right fashion. This post explored whether the “wallet” metaphor has outlived its usefulness. Between platform-controlled wallets, issuer-specific lockers, open-standards containers, and everything in between, “wallet” now means too many incompatible things.

The metaphor hides thorny issues around consent, selective disclosure, and user agency. Standards bodies like Kantara and NIST are pushing for stronger user control, but most “wallets” don’t meet that bar yet. Maybe it’s time to retire the term and pick something that doesn’t collapse trust boundaries quite so dramatically.

#9 — Why Governance Decides If Decentralization Works

This post wrapped up my four-part decentralization series with a simple argument: the technology is ready, but governance is not.

When decentralization fails, it’s rarely because the protocol was flawed. It’s more because no one agreed on who gets to decide, update, or enforce anything. Governance defines authority, escalation paths, and shared accountability. Without it, decentralized systems drift into ambiguity and finger-pointing. This was a regular theme in 2025.

Identity teams sit right in the middle of this tension, and the post encouraged readers to treat governance as an intentional design choice rather than an afterthought.

#8 — Agentic AI in the Open Standards Community: Standards Work or Just Hype?

At IETF 123, AI showed up everywhere, in working groups as well as in drafts that had nothing to do with AI on the surface. Delegation chaining, workload identity, bot authentication, AI preference signaling, and agent collaboration protocols all intersect with how AI systems behave online.

This post mapped where these conversations are happening and offered a snapshot of the standards work that’s quietly shaping the infrastructure AI agents will have to live with. Spoiler: it’s not all branded as “AI.”

#7 — Acting on Behalf of Others: Why Delegation Is Still Broken

One user, one identity, one intent; that tidy model never really reflected reality. Caregivers, coworkers, parents, and now AI agents all need to act on behalf of someone else, but most digital systems still assume delegation is an edge case.

We’ve tried partial fixes: OAuth sharing, UMA, token exchange, persona chaining. But none handle conditional constraints, auditability, revocation, or lifecycle boundaries.

The rise of agentic AI raises the stakes even further. If delegation is broken for humans, it’s certainly not ready for autonomous systems. This post, the first in a series, argued that delegation needs to be a first-class identity feature, because the demand is only growing.

#6 — Digital Credentials That Can Be Verified: A Lesson in Terminology

The credential terminology mess—VCs vs mDLs, digital credentials vs verifiable digital credentials—is more than a naming annoyance. It reflects real disagreements about standards, data formats, media types, and interoperability.

This post unpacked how we reached this point and why clear definitions matter. With multiple standards bodies registering overlapping media types and governments adopting different terminology, confusion is a feature, not a bug. The message: define your terms, and don’t assume “digital credential” means the same thing to everyone.

#5 — Understanding NHIs: Key Differences Between Human and Non-Human Identities

Non-Human Identities (NHIs), which include everything from workloads and microservices to, now, AI agents, don’t behave like human users, and they shouldn’t be forced into human IAM systems.

NHIs operate at machine speed, require cryptographic authentication, and have lifecycles measured in minutes. They need workload federation models, dynamic credentials, and automated lifecycle management.

This post laid out why treating NHIs like “just API keys” is a security liability and why standards like WIMSE and SPICE are increasingly essential.

#4 — Unlock the Secrets of OAuth 2.0 Tokens (and Have Fun Doing It!)

One of my early audio experiments from the end of 2024, this post revisited token security basics in a more conversational tone: short-lived and scoped tokens are safer; long-lived tokens carry real risk; sender-constrained designs help; and modern systems increasingly rely on real-time, context-aware authorization. As far as I can tell, the audience over at Hacker News really likes it.

A surprising number of people apparently enjoy a good token-lifecycle explainer. Honestly, same.

#3 — The End of the Global Internet

This post examined the many vectors of Internet fragmentation: technical, regulatory, economic, political, and infrastructural. The “borderless Internet” ideal is eroding, replaced by a patchwork shaped by sovereignty mandates, supply-chain splits, geopolitical tensions, and market forces.

But fragmentation isn’t purely negative. It can drive innovation, resilience, and higher privacy standards. The key is recognizing fragmentation as the new baseline and designing for interoperability across a more constrained, uneven landscape.

I’m incredibly pleased with how this post has been received and that, despite how recently it was posted, it’s near the top of the list. I’ve had so many great conversations come out of this one!

#2 — Verifiable Credentials and mdocs: A Tale of Two Protocols

This 2024 post refuses to leave the leaderboard. Seriously, it gets at least one view Every. Single. Day. It breaks down the mDL/mdoc vs. W3C VC divide, explaining how each format emerged from different assumptions: one from government ID workflows and the other from web-centric extensibility.

The post outlined where the friction comes from (governance, media types, developer experience, privacy models) and why implementers need to plan for a moving target as both ecosystems continue to evolve.

#1 — Agentic AI and Authentication: Exploring the Unanswered Questions

No surprise here: the most-read post of 2025 tackled one of the biggest open problems in identity today: what happens when authentication systems designed for humans meet AI agents acting autonomously.

The post explored gaps in trust boundaries, delegation, accountability, context-aware authorization, and credential handling. OAuth solves some delegation problems, but not the ones AI introduces. Wallet-based models help in some places and raise new issues in others.

The takeaway: our identity systems weren’t built for autonomous actors. We need new patterns, and we need them quickly.

What These Top Posts Say About 2025

Looking across the topics that resonated most this year, a few themes stand out:

AI isn’t a feature anymore — it’s a structural change.

From authentication to delegation to governance, readers gravitated toward posts about how AI agents challenge our deepest assumptions about identity. The conversation has moved beyond “add AI to X” into “re-architect X because of AI.” I think the best thing I can say about that is, well, it’s a choice. Not sure it’s a good choice, mind you, but regardless of what I think about it, it’s where the tech world is headed. 

Governance beat technology as the real bottleneck.

Whether the topic was decentralization, internet fragmentation, or wallet ecosystems, the posts that resonated most emphasized governance, accountability, and shared rules of engagement. Technology isn’t the blocker; the lack of alignment is.

Definitions matter. A lot.

Posts on terminology, metaphors, and conceptual clarity all landed in the top ten. In a standards-heavy domain, words carry architectural implications. Readers seem eager for clearer language and were willing to entertain my rants about sloppy metaphors.

Identity is expanding to new kinds of actors.

Whether NHIs, workloads, or agentic AI, people are thinking beyond human users. Some people have been thinking that way for a while, but the whole NHI conversation is absolutely mainstream now. Identity practitioners are recognizing different lifecycles, behaviors, and risk profiles for the full range of users in their systems. I’m not going to say it’s about time, but…

Interoperability is the quiet throughline.

Wallets that don’t interoperate. Credentials that don’t align. Ecosystems that fracture politically. Delegation models that don’t fit across systems. Identity pros want bridges, not silos. Which seems pretty obvious, but I have to point out that we, collectively, need to go beyond “want” and dig into “build.” If we want those bridges, no one will build them for us. Regulators won’t. Standards architects will try, but they can’t do it without the people who do the implementation and development.

So, about 2026…

And with that, thanks for reading, sharing, arguing with me, and sending me down new rabbit holes this year. It’s genuinely energizing to see how many of you care about the deeper questions shaping digital identity; not just the headlines, but the underlying shifts in governance, standards, and how we build trust online. If you want to follow these conversations from the perspective of the senior identity practitioners from companies around the world, that’s exactly what we’re building at The Identity Salon. It’s where the messier, more candid discussions happen, and where many of these ideas get pressure-tested long before they show up on the blog. And I get to write the reports. Dream job ftw!

If these trends continue—and I have every expectation that they will—2026 is going to be an interesting one.

📩 If you’d rather track the blog than the podcast, I have an option for you! Subscribe to get a notification when new blog posts go live. No spam, just announcements of new posts. Subscribe here

Transcript

A Different Kind of Episode: Looking Back at 2025

00:00:30
This episode is a little different. Instead of diving into a single topic, we’re looking back.

Each year, I review which posts resonated the most—not because popularity equals quality, but because it reveals what people in the field are wrestling with:

  • What caught your attention
  • What sparked conversation
  • What may have kept you up at night

Of course, some of this could simply reflect what social media algorithms decided to surface. But for today, let’s assume human interest won.

This is an In Case You Missed It recap of 2025: the top 10 most-read posts, starting at number ten and working our way to the top. Along the way, we’ll also explore what these patterns suggest about where digital identity is headed.



Number 10: Kill the Wallet

00:02:00
Coming in at number ten is a post born out of sheer frustration: Kill the Wallet.

In this piece, I ask whether the “wallet” metaphor is still useful in digital identity—or whether it’s time to retire it with honors.

At this point, wallet can mean almost anything:

  • An open-standards holder for verifiable credentials
  • A tightly controlled app limited to issuer-approved items
  • A credential locker disguised as a university app
  • Whatever Apple or Google says it is this week

As a result, the term has become a catch-all for wildly different design choices, governance models, and policy assumptions. When a metaphor collapses that many boundaries, it stops clarifying and starts obscuring.

The post ultimately argues for:

  • Clearer language
  • Stronger user agency
  • Less metaphorical sleight of hand

If your “wallet” can’t support transparency, selective disclosure, or revocable permissions, it may not deserve the name.



Number 9: Why Governance Decides Whether Decentralization Works

00:03:45
Number nine was the final entry in my four-part series on decentralization: Why Governance Decides If Decentralization Works.

This post makes a point I will likely keep making for a long time:
Technology is rarely the problem. Governance is.

We already know how to build decentralized systems:

  • The internet itself is decentralized
  • DNS, BGP, and email are all decentralized technologies

When decentralization fails today, it’s usually because of governance gaps:

  • No shared rules
  • No escalation paths
  • No agreement on decision-making authority

Without governance, decentralization becomes friction—not flexibility.

The takeaway is simple but important: governance is infrastructure. And digital identity practitioners are often closest to the consequences, which means we’re also best positioned to help shape it.



Number 8: AI Is Already in the Standards (Even When It’s Not in the Title)

00:05:20
Number eight takes us into AI—but not into the hype cycle.

This post came out of IETF 123 in Madrid, where AI showed up everywhere, sometimes explicitly and sometimes quietly, hiding behind familiar topics like:

  • Delegation chains
  • Workload identity
  • API-driven workflows
  • Bot authentication

These areas suddenly matter much more when AI agents start acting across domains.

The post mapped where AI-related conversations are happening:

  • IETF
  • W3C
  • OpenID Foundation
  • Emerging AI-focused community groups

The key insight? Much of the most consequential work doesn’t mention “AI” at all. If you only follow headlines, you’ll miss the standards decisions that shape authentication flows, logging, and agent discovery.

If you want to understand AI’s future, watch the standards—not the hype.



Number 7: Acting on Behalf of Others—Why Delegation Is Still Broken

00:06:50
Delegation is one of the oldest problems in identity.

We’ve always needed ways for one person—or system—to act for another:

  • Caregivers
  • Parents
  • Assistants
  • Coworkers
  • Now, AI agents

Yet digital systems still assume a one-user, one-identity, one-intent model. When real life doesn’t fit, we get:

  • Password sharing
  • Manual overrides
  • Role switching
  • Support tickets
  • Endless workarounds

This post explores why delegation remains broken, despite partial solutions like OAuth extensions, UMA, token exchange, and persona chaining.

What’s missing?

  • Conditional constraints
  • Transitivity
  • Lifecycle management
  • Clear attribution of actions

With AI agents entering the picture, the stakes are even higher. Delegation needs to become a first-class identity feature, not an afterthought.



Number 6: Why Credential Terminology Is Such a Mess

00:08:20
Number six focused on language—specifically, the chaos around digital credential terminology.

We now have:

  • Verifiable credentials
  • mDocs
  • Digital credentials
  • Verifiable digital credentials

Behind each term often sits:

  • A different standards body
  • A different architecture
  • Different privacy and governance assumptions

This post untangles how we got here and why clarity matters. When governments, vendors, and standards groups use the same words to mean different things, “interoperability” becomes wishful thinking.

The takeaway is straightforward:
Define your terms—and resist the urge to invent new ones.



Number 4: Token Lifecycles and Why They Matter

00:09:45
Number four was an early experiment in audio—and clearly, people wanted a clear explainer on token lifecycles.

This post covered:

  • Why short-lived, scoped OAuth 2.0 tokens are safer
  • Why refresh tokens require careful handling
  • Why sender-constrained tokens reduce replay risk

It also touched on emerging trends like:

  • DPoP
  • CAEP
  • Real-time authorization signals

The core message? Token security is not “set it and forget it.” It’s an ongoing risk decision that evolves with your architecture.



Number 3: The End of the Global Internet

00:11:00
Despite the title, this post wasn’t apocalyptic.

Instead, it explored the growing fragmentation of the internet driven by:

  • Regulatory divergence
  • Supply chain splits
  • Sovereignty rules
  • Content controls
  • Infrastructure gaps

The internet isn’t collapsing—it’s becoming a patchwork. And patchworks can work, but only with intentional design.

Some fragmentation improves privacy and resilience. Others increase friction and inequality. Either way, global interoperability is no longer a given, and systems must be designed with that reality in mind.



Number 2: Verifiable Credentials and a Tale of Two Protocols

00:12:10
Originally written in 2024, this post continues to attract daily readers.

It compared how:

  • mDocs grew out of government ID workflows
  • Verifiable credentials emerged from a web-driven extensibility model

Those origins still shape:

  • Privacy models
  • Developer experience
  • Governance assumptions

The post clarified why the two ecosystems sometimes compete, sometimes conflict, and sometimes solve the same problems from opposite directions.

The fact that this debate persists explains why the post still resonates.



Number 1: Agentic AI and Authentication

00:13:00
The most-read post of 2025 explored the collision between authentication systems built for humans and AI agents acting autonomously.

It asked difficult but necessary questions:

  • How do we bound trust?
  • How do we constrain delegation?
  • How do we separate user intent from agent behavior?
  • Where does accountability sit?
  • What does selective disclosure mean when the presenter isn’t human?

There were no final answers—because we’re not there yet. But surfacing the right questions is often where meaningful standards work begins.



What These Posts Reveal About the Field

00:14:10
Looking across the list, a few themes stand out:

  • AI is no longer an add-on—it’s reshaping identity architecture
  • Governance is the real bottleneck, not technology
  • Clear definitions matter more than ever
  • Identity now includes a wider cast of actors, human and non-human
  • Interoperability remains the quiet throughline beneath it all

People want bridges more than silos.



Closing Thoughts

00:15:20
Thank you for listening, reading, sharing, and challenging these ideas. It’s been incredible to see how many of you care about the deeper structural questions shaping digital identity—not just the headlines.

If you want to explore these topics in a more candid, Chatham House-rule space, that’s exactly what we’re building at the Identity Salon, where many of these ideas are pressure-tested before they show up on the blog.

These trends will absolutely continue into 2026—and that makes the year ahead a fascinating one.

Thanks for being here. I’ll see you next year.

Heather Flanagan

Principal, Spherical Cow Consulting; Founder, The Writer's Comfort Zone; Translator of Geek to Human
