TL;DR: Authentication is shifting toward digital IDs, passkeys, transaction-based trust, and AI agents, with the article arguing that 2026 will be the year these patterns move from preview to production, according to Authsignal. The practical issue is not adoption alone, but whether IAM programmes can govern delegated access, step-up decisions, and revocation when identity becomes more dynamic.
At a glance
What this is: This is a forward-looking authentication analysis arguing that 2026 will be shaped by digital IDs, passkeys, transaction-based trust, and AI agents.
Why it matters: It matters because IAM teams must adapt authentication, verification, and delegated-access controls for both human users and emerging non-human actors.
By the numbers:
- 27 days
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- 17 minutes
👉 Read Authsignal’s analysis of 2026 authentication trends and AI agents
Context
Authentication in 2026 is no longer just about proving a human user is present. The article argues that digital IDs, passkeys, and AI agents are converging into a broader digital trust model, which changes how organisations verify identity and authorise action across systems.
For IAM teams, the important shift is that authentication is becoming more contextual and more delegated. That creates pressure on onboarding, step-up controls, session governance, and revocation logic, especially where humans initiate actions that non-human identities or AI agents later execute.
Key questions
A: Security teams should separate identity proof, session trust, and action authorisation. Digital IDs may satisfy initial verification, but the application still needs step-up controls and transaction-level review for sensitive actions. When AI agents are involved, delegation must be explicit, revocable, and auditable so the human principal does not become an unmonitored blanket trust anchor.
Q: Why do passkeys not eliminate the need for recovery controls?
A: Passkeys reduce phishing and password reuse, but they do not remove account recovery. If password resets, SMS OTP, or support overrides remain weak, attackers will target those paths instead. Mature IAM programmes treat recovery as part of the authentication system and apply the same assurance discipline to fallback routes as to sign-in itself.
Q: When should organisations move from session-based trust to transaction-based trust?
A: Organisations should move when one authenticated session can support actions with very different risk levels. That is common in banking, admin workflows, and delegated access models. Transaction-based trust allows the system to re-evaluate high-risk actions without forcing friction on every low-risk interaction, which is a better fit for modern identity programmes.
Q: Who is accountable when an AI agent acts on behalf of a user?
A: Accountability should sit with the organisation that granted the delegation and defined the policy, not with the software actor alone. The human principal remains responsible for the intent, but the system must log which permissions were delegated, how they were bounded, and how they can be revoked before the agent completes a sensitive task.
Technical breakdown
Digital IDs and portable trust layers
Digital identity programmes such as mobile driver’s licences and the EUDI wallet move verification away from isolated accounts and toward portable trust credentials. That changes the identity boundary because proof of identity is increasingly external to the application, yet the application still has to decide how much trust to place in that proof. The technical challenge is federation, assurance mapping, and recovery when a credential is valid but the transaction is high risk. In practice, identity teams need to think in terms of trust orchestration rather than login alone.
Practical implication: define which digital credentials can satisfy onboarding, authentication, and step-up requirements before you wire them into production flows.
Passkeys and the end of password-centric trust
Passkeys shift the core authentication primitive from shared secrets to asymmetric cryptographic authentication bound to a device or synced ecosystem. That removes phishing resistance from the category of optional hardening and makes it a baseline design expectation. The operational issue is not whether passkeys work, but how recovery, device loss, and account binding are handled without reintroducing weak fallback paths. IAM programmes that keep passwords as the real recovery mechanism will continue to carry legacy risk even after passkey rollout.
Practical implication: map every password fallback, recovery route, and help-desk override before treating passkeys as a complete authentication control.
Transaction-based trust and AI agent delegated access
Transaction-based trust evaluates the risk of each action rather than assuming a session remains equally trustworthy throughout. That becomes more important when AI agents or other software entities act on behalf of users, because the actor making the request may not be the actor initiating the workflow. This is where authentication, authorisation, and auditability start to separate more sharply. A session can be valid while the action is not, which means identity governance has to track intent, scope, and delegation at the transaction layer.
Practical implication: design authorisation so that high-risk actions can be re-evaluated even after authentication succeeds.
NHI Mgmt Group analysis
Digital trust is now an identity governance problem, not just an authentication problem. The article is right that digital IDs and passkeys are moving from optional to expected, but the field has to treat this as a governance shift rather than a UX upgrade. Once identity proof becomes portable, the control question becomes which relying parties can trust which credentials, under what assurance level, and with what recovery path. Practitioners should stop thinking in isolated login flows and start governing trust relationships.
Passkeys reduce phishing exposure, but they do not remove fallback risk. The practical failure mode is not passkeys themselves, but the legacy recovery and support paths that remain in place beside them. If passwords, SMS OTP, or help-desk overrides continue to serve as the real recovery layer, the programme still has a weak human-operated back door. Teams should treat fallback authentication as part of the passkey control surface.
Transaction-based trust is becoming the more useful control model for mixed human and non-human access. The article’s framing is strongest where it moves beyond session-based authentication and toward per-action evaluation. That matters because the same login may support low-risk browsing, medium-risk approvals, and high-risk financial or administrative actions. Identity governance now has to express trust at the transaction level, not just at enrolment or sign-in.
Autonomous and delegated actors force authentication teams to rethink accountability boundaries. Autonomous or semi-autonomous agents do not fit neatly into user-centric authentication assumptions. Delegation, revocation, and audit have to follow the action chain, not just the human account that started it. The implication is straightforward: identity programmes that only model the human principal will miss the software actor that actually executes the work.
Identity-proofing models will need to converge with non-human identity governance. The article points to a future where consumers, employees, and agents all interact with the same trust fabric. That means IAM, IGA, and NHI governance can no longer be treated as separate disciplines with separate assumptions. Practitioners should expect policy, assurance, and lifecycle controls to converge across identity types, not stay neatly partitioned.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- For a broader threat lens, LLMjacking: How Attackers Hijack AI Using Compromised NHIs shows how quickly exposed credentials can be operationalised by attackers.
What this signals
Digital trust will increasingly collapse the gap between human IAM and NHI governance. As portable digital credentials and delegated access expand, security teams will need shared policy language for users, service accounts, and AI-driven workflows. The programme implication is that identity teams should stop treating authentication and non-human access as separate roadmaps.
With 44% of developers following secrets-management best practices, the trust layer is still being built on uneven operational discipline. That matters because passkeys and digital IDs reduce some attack paths, but they do not compensate for weak recovery, token handling, or delegated access hygiene. IAM leaders should expect identity risk to remain distributed across engineering, support, and runtime operations.
Transaction-based trust will become the practical bridge between human sessions and autonomous action. The real control shift is away from static sign-in events and toward per-action evaluation, audit, and revocation. Programmes that can express that distinction cleanly will be better positioned for AI agents, digital IDs, and high-risk consumer authentication flows.
For practitioners
- Map digital ID reliance points Identify which onboarding, authentication, and high-risk transaction flows could accept portable digital credentials, then define assurance thresholds before integration. Use the same mapping to separate identity proof from step-up requirements.
- Inventory every fallback authentication path Document passwords, SMS OTP, help-desk resets, and recovery exceptions that still bypass passkeys. Treat those paths as the real control boundary until they are reduced or hardened.
- Redesign step-up for transaction risk Move from session-wide trust to per-action re-evaluation for sensitive transfers, privilege changes, and delegated approvals. Keep the step-up trigger tied to the risk of the transaction, not the user’s initial login.
- Model delegation for software actors Record which user actions can be executed later by agents or other non-human identities, then define revocation and audit requirements for that delegation chain. This is essential where AI agents can act on behalf of users.
Key takeaways
- 2026 authentication trends point to a broader digital trust model where IDs, passkeys, and agents all affect IAM design.
- The main governance risk is not adoption speed alone, but the fallback, recovery, and delegation paths that stay in place behind new authentication methods.
- IAM teams should prepare for transaction-level trust decisions because session-level authentication is no longer enough for mixed human and non-human access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | Passkeys and digital IDs are core digital identity topics in this article. |
| NIST Zero Trust (SP 800-207) | The article’s transaction-based trust model fits zero trust authentication thinking. | |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control are central to the article’s digital trust framing. |
| OWASP Agentic AI Top 10 | AI agents and delegated access appear as emerging authentication subjects. | |
| OWASP Non-Human Identity Top 10 | NHI-09 | The article’s AI agent and machine-to-machine trust discussion overlaps non-human identity governance. |
Model agent delegation, revocation, and audit as part of the authentication design, not an afterthought.
Key terms
- Digital Trust: Digital trust is the confidence a relying party places in a credential, identity proof, or delegated actor to behave as expected. In practice, it combines assurance, context, and revocation rules so an application can decide whether to allow access, step-up, or deny a transaction.
- Transaction-based Trust: Transaction-based trust is an authorisation model that evaluates each action separately instead of trusting an entire session equally. It is especially useful when the same authenticated identity may perform low-risk browsing, medium-risk approvals, and high-risk administrative or financial actions.
- Delegated Access: Delegated access is permission granted to one actor to act on behalf of another within explicit boundaries. For AI agents and other non-human identities, the governance challenge is to make delegation visible, limited, and revocable before the delegated task is completed.
- Fallback Authentication: Fallback authentication is the alternate path used when the primary method fails, such as password reset, SMS OTP, or help-desk recovery. It often becomes the weakest part of the control stack, because attackers target the exception path when stronger methods like passkeys are in place.
What's in the full article
Authsignal's full blog covers the operational detail this post intentionally leaves for the source:
- Practical examples of how passkey-first authentication is changing product design decisions in consumer apps
- Specific rollout patterns for digital IDs across regions and what they imply for onboarding and verification workflows
- The author’s view on how AI agents will change authentication patterns for delegated access and auditability
- Implementation guidance for building transaction-based trust into real application flows
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-01-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org