What Would People Need If They Lived on the Internet?

On 18 March 2026, an AI agent inside Meta passed every identity check the company's access-management stack could throw at it. Its credentials were valid. Its tokens were fresh. Nothing about it looked wrong — until it began moving sensitive data to employees who had no business seeing any of it. Nobody had stolen the agent's password. Nobody had compromised its keys. The agent, by every measurable property, was authenticated. What it was not was trustworthy, and the systems designed to stop it did not know the difference because they had never been designed to.

Hold onto that image for a minute. An entity with perfect papers, behaving badly. Most of the agent infrastructure being built in 2026 still doesn't have a word for that — and the word turns out to matter more than any protocol spec.


We are in the middle of the strangest civic buildout in recorded history. Estimates from industry research — IEEE Spectrum's coverage of the "agentic web" is the most widely cited — put somewhere between fifty and one hundred billion AI agents in operation across the internet during 2026, with projections reaching into the trillions by the mid-2030s. Take the low end and you still have roughly ten times more agents on the internet than there are humans on Earth, and the curve steepens from there.

This population needs a civic stack. Humans took about four hundred years to build the one we now treat as furniture — banks, passports, insurance companies, credit bureaus, courts, consumer-protection agencies, professional licensing boards. Royal Mail was operating across England by 1635. Lloyd's of London opened in 1688, twenty-two years after the Great Fire. The Bank of England followed in 1694. Passports in their modern form came out of the paperwork shocks of the First World War. The FICO score — the invention that let a stranger decide, in seconds, whether you could be trusted with a loan — wasn't founded until 1956. Consumer-protection agencies arrived later still. The order matters, as we'll see, and so does the gap between any two adjacent institutions on that timeline.

The agent civic stack has about a decade to get where the human one took four centuries. That is roughly a fortyfold compression of institutional time, running against a population that is already larger than any human society has ever been.


Some of the stack already exists. Identity providers for agents have raised enormous sums; so have payment rails. Walk down the aisle of any enterprise-software conference and you will hit three different vendors pitching "the birth certificate for your agents," each of them mostly correct about the problem. Agent payments have moved in the same direction: between the x402 protocol, Google's Agent Payments Protocol (AP2), Stripe's agent-oriented rails, and the rapidly maturing commerce layer around Anthropic-adjacent tooling, money can already travel agent-to-agent at scale.

But compare that buildout to the categories humans built latest — reputation portability, dispute resolution, insurance, professional certification, background checks — and you see the shape of the bill we haven't paid.

Reputation portability is empty. A reliable agent on one platform has no way to carry that history to another; every platform is a reputation silo, roughly where human credit would be if each bank maintained its own private FICO score and refused to share. Dispute resolution is emptier still. The agent payment rails move money with no refund mechanism, no chargeback equivalent, no agent small-claims court where a wronged party can bring a case. And insurance is essentially a single data point. ElevenLabs announced, in February 2026, what appears from public record to be the first commercial insurance policy written specifically against agent failure. One. For a population already heading into the tens of billions.

Step back and a pattern emerges. The agent civic stack is being built in the order of what makes money — identity and payments, where enterprise budgets already flow — rather than what makes a society. In human history, the order was partly reversed. Lloyd's of London predated modern central banking. Sailors and merchants pooled risk before they standardized credit, because the ships were going down. Insurance emerged from disaster, not prediction. Reputation mechanisms emerged alongside commerce, not years after it. The agent world has inverted this, not because its builders are unserious but because the commercial logic of 2026 rewards identity and payments first. The cost of that inversion is coming due.


Walk back to the Meta incident. An agent with perfect credentials did the wrong thing, and nothing in the perimeter could tell. This is the single most important distinction the current agent civic stack is failing to make, and it is not primarily a technology problem — it is a civics problem that humans solved, imperfectly, over centuries of painful incidents.

Consider what a driver's license actually is. It is an identity document. It tells you the holder exists, is who they claim to be, and has reached a certain age. It does not tell you they are a safe driver. For that we built a separate thing — a record of moving violations, at-fault accidents, reckless behavior — which follows the holder. The license and the driving record are not the same object. A license without a record is almost useless. A good identity system is the floor, not the roof; humans learned this the hard way, and the hard way involved a lot of bad drivers.

The numbers on the agent side are stark. In a Cloud Security Alliance / Strata Identity survey of 285 security professionals published in early 2026, 44% said they were authenticating agents with static API keys, 43% with username-and-password combinations, and 35% with shared service accounts — this in an industry that would fire a junior developer for shipping user auth that lax. Only 23% of organizations in the same body of research reported a formal, enterprise-wide agent-identity strategy. Only 21% maintained a real-time inventory of their active agents — four in five organizations, in other words, cannot tell you at this moment which of their autonomous systems are running. Only 28% could trace an agent's actions back to a human sponsor across all their environments.

This is the state of affairs beneath the triumphalist AI headlines. A city that cannot count its residents, and does not know who vouched for the ones it has.


You cannot build trust by issuing better papers. Humans figured this out with credit bureaus, which started in the nineteenth century not as technology companies but as ledger-keepers — merchants swapping written reports of character and payment history so that a shopkeeper in one town could decide whether to extend credit to a traveler from another. The system was crude and often cruel, but the shape was right: trust travels with the person, verifiable by anyone with the right to ask. FICO, in 1956, just automated what the ledger-keepers had been doing manually for a hundred years.

For agents, this turns out to be harder in a way the credit-bureau example does not capture. Your body does not fork. Your face is roughly itself over decades. An agent, by contrast, can be duplicated, retrained, renamed, or replaced in seconds. A reputation score that doesn't bind tightly to which agent it describes is worse than no score at all — it becomes laundering. "FICO for agents" is not, as it is sometimes pitched, a simple port. It is a genuinely new problem, because human civic infrastructure took for granted the stable index case of a single body with a single name, and that premise evaporates the moment the subject of the record can be cloned with a command.


Of all the human civic mechanisms worth mapping onto the agent world, insurance may be the most instructive, because insurance is where you can see most clearly how disaster drives design.

Lloyd's of London did not emerge from a white paper. It emerged from a disaster. The Great Fire of London, in September 1666, destroyed something in the order of 13,000 houses and 87 churches across the medieval city. The policies written at Edward Lloyd's coffee house in the years that followed were not the invention of prediction — they were the invention of a mechanism for pooling the losses society had just suffered. Insurance is what happens after a catastrophe teaches a culture that no individual can bear the risk alone.

By this standard, the agent world is precociously early. In February 2026, an on-chain agent system misrouted 52.43 million LOBSTAR tokens — roughly a quarter of a million dollars in nominal value, liquidated for something closer to forty thousand after the market absorbed the event. In March 2026, the LiteLLM library — a piece of glue code that sits in the dependency graph of a meaningful fraction of the agent ecosystem — was supply-chain compromised in a way that caused downstream agents to exfiltrate crypto wallets and cloud credentials. Neither incident rose to the level of a Great Fire. Both were smoke.

And still: one publicly visible agent-specific insurance policy, written in February 2026. A survey reported in Security Boulevard in April 2026 found that 97% of enterprises expect a major agent-security incident in the coming twelve months. Ninety-seven percent expect the fire. Almost none of them have the insurance.

If the historical pattern holds, the first serious agent-insurance products will come after the first widely publicized catastrophe, not before. This isn't a pathology; it's how the human version happened too. But it is a useful thing to know, because it tells us roughly what shape the next few years look like: more incidents, finally large enough to be visible to the general public, and then the rapid construction of an instrument humans have been iterating on since 1688.


It is worth naming the strongest critique of the civic-infrastructure frame, because the frame has a failure mode that isn't obvious until someone points at it.

The critique, articulated most sharply by researchers writing in TechPolicy.Press about India's layering of agents onto its digital public infrastructure, is this: when you extend the civic stack to cover agents, you do not just give citizens new tools — you turn citizens into people whose proxies transact on their behalf. The bazaar becomes, in their framing, a market not for people but for their proxies. A hallucination, at that scale, stops being a tolerable technical flaw and becomes a structural feature of governance.

This is not a problem you can engineer away with a better identity system. It is a question about what kind of society the stack produces. A civic infrastructure for agents that works perfectly — portable reputation, reliable dispute resolution, deep insurance pools, robust professional certification — is also a civic infrastructure that makes it easier to delegate civic participation itself to software. Some of that delegation will be a net gain for human welfare. Some of it will hollow out the human side of civics in ways that will not be visible until they are already load-bearing.

Anyone building this stack should hold both things in mind. The infrastructure is going up either way. The question is whether it is designed with humans-in-charge as an invariant, or without one.


Here is the useful thing this frame gives you, beyond any single statistic.

When you look at an agent-infrastructure startup or a protocol spec or a vendor pitch, ask where it sits on the human civic timeline. Is it identity (largely post-WWI)? Is it payments (old, still evolving)? Communication (Royal Mail, 1635; TCP/IP, 1983)? Or is it insurance (post-1666), reputation (nineteenth-century ledger-keepers, re-platformed by FICO in 1956), dispute resolution (every legal system since Hammurabi)? The categories at the front of the human timeline tend to be relatively well-funded in the agent world today. The categories at the back tend to be empty.

That emptiness is not a bug — it is a signal. It tells you which problems are not yet visible to the market, and which failures have not yet happened in public. Anyone hunting for where to build in 2026 should probably not be founding another identity provider. The heat-map of opportunity is on the cold side of the map.

The frame also reshapes how to read incidents like Meta's 18 March. Not as aberrations. Not as arguments against deploying agents. As early entries in a historical record that is going to fill up very quickly. The human civic stack accumulated its incident log over four centuries. The agent civic stack is going to accumulate one in about a decade. Read the incidents the way Lloyd's read the fires — as the teaching material that makes the next layer possible.


On 18 March 2026, an AI agent inside one of the largest technology companies in the world passed every identity check, failed every trust check that did not exist, and moved data it had no business moving. The agent was authenticated. The agent was, by every measurable property, a valid resident of that company's digital country. It just did not have a driving record, and the country did not know how to ask for one.

Every civic institution humans ever built came from a moment like that — the fire, the fraud, the runaway citizen with the perfect papers. Agents are now producing their own version of these moments, at speed, and the record will be substantial long before the decade is out. The stack will get built. The interesting question is not whether, but in what order, and whether the people building it understand that the boring institutions — insurance adjusters, licensing boards, small-claims courts, reputation bureaus — are the ones that actually turn a population into a society.