The Parallel with Reality
It was a pleasant sunny day back in August 2015, but no amount of nice weather could uplift my mood. My smartphone was randomly displaying advertisements with no apparent origin. My brother's computer had been hit by ransomware. There I was - a cybersecurity practitioner - with the embarrassment of having to explain to others how to recover from attacks I had not been able to prevent myself. The words of Robert Mueller were ringing in my head: "There are only two types of companies: those that have been hacked, and those that will be." The entire cybersecurity industry was echoing this cowardly wisdom, and I felt like one of them.
I imagined a policeman visiting a classroom and explaining to a group of bewildered children how to recover from being bullied - how to carry extra sandwiches, keep band-aids on hand, mend a black eye - because this was inevitable. There was nothing anyone could do. Sooner or later, everybody gets their sandwiches taken away. In what reality would that be normal? And yet this is very much the reality of cybersecurity today.
In physical reality, law enforcement does not try to be present at every corner and dark alley. They hunt criminals down and remove them from society. We do not stop crimes - we stop criminals. Because of this dynamic, crime is so expensive relative to security that an entire society can be protected by relatively few. The key is not strength - it is the ability to tell actors apart.
At first glance, demanding that bad actors identify themselves sounds impossible. But society is greater than the sum of its parts. We do not need to ask criminals to wear an identity. If all the good actors can identify each other, those who choose to walk in the shadows are left without an option: step into the light, or stay in the dark and be locked out.
That was the answer to the riddle. Since then, we have been on a mission to replicate this dynamic in cyberspace - to give businesses and people the means to inhabit a state of security, instead of perpetually having to fight for it. Everybody should be entitled to keep their sandwiches. Even if they, themselves, do not have the strength to fight for them.
The Internet as a social construct
The Internet is not a neutral infrastructure. It is a social construct - a system built by humans, for humans, reflecting the same dynamics of cooperation, trust, and conflict that govern human society at large.
In every functioning social construct, security does not emerge from the relative strength or technological superiority of individuals. It emerges from the accountability of individuals - the principle that every actor is responsible for their own actions, and that this responsibility is recognised and enforceable by the community. It is accountability that ensures the strong protect the weak rather than exploiting them.
The Internet lacks this. Not because it is technically impossible - but because we built the wrong foundation. We gave every participant credentials instead of identities. We built a system where the most fundamental question - who is this? - has no reliable answer.
Cyberspace and physical reality are now fused together. You can have your bank account emptied in cyberspace and the consequences are not virtual - they are viscerally real. An Internet that cannot answer "who is this?" is not an infrastructure problem. It is a civilisational problem. And it has a civilisational solution: accountability, extended online.
Accountability as architecture
Accountability is not a policy. It is not a compliance checkbox or a logging requirement or an audit trail. It is an architectural property - either it is present in the foundation, or no amount of surface-level tooling can conjure it.
The current architecture of the Internet makes accountability structurally impossible. Every access model on the Internet - without exception - is based on credentials: an entitlement given to an otherwise untrusted entity by an authority, which can then be presented to a third-party service. This ternary nature is the root cause of every credential vulnerability: credentials can be shared, passed on, lost, stolen, duplicated, without the issuer's knowledge, by design.
More security in this model means more friction. Continuous validation would require infinite friction. We have chosen, collectively, to accept permanent insecurity as the cost of usability - when in fact the real cost is the architecture, and the architecture can be changed.
Identity-based access changes the paradigm entirely. When a service can identify the client at connection - before any action, before any data - the entire dynamic inverts. The attack surface is not reduced. It is eliminated for anyone who cannot prove who they are. Security becomes a noun, not a verb.
The accountability of machines - and the actors behind them
Here is something that gets overlooked in almost every conversation about cybersecurity: humans are not elements of cyberspace. We are external to it. We interact with it always indirectly - through browsers, applications, devices. Every action on the Internet is performed by a machine. The human is the initiating cause. The machine is the acting entity.
This has a profound implication. Any attempt to authenticate a human in cyberspace will inevitably be indirect - and therefore, by geometry, limited to credential dynamics. When you authenticate a person but the action is performed by their device, you must pass authorisation from one entity to another. That transfer breaks the chain of direct attribution. A credential is born.
The industry has responded to this with NHI - Non-Human Identity - which recognises that machines have identities that need managing. But NHI still operates on credentials. It still treats human identity and machine identity as separate problems. It still cannot answer the question that matters most: who is the owner of this agent, what did they authorise it to do, and can I verify both, cryptographically, at this moment?
The owner-delegate relationship is not an edge case. It is the fundamental unit of accountability in any system with autonomous actors. Every human has devices acting on their behalf. Every organisation has agents acting on its behalf. Every AI system has sub-agents acting on its behalf. A uniform identity model must treat this relationship as a first-class concept - not as something to be inferred from logs after the fact.
When device identity is cryptographically bound to the owner at the connection level - when the delegation chain is part of the identity itself, not a separate record - then every party in every interaction is known, attributed, and accountable. The service knows, before a single byte of application data is exchanged, exactly who it is talking to and exactly who stands behind that actor. Attribution is inescapable. The exposure window is eliminated.
What identity actually means
Identity is a curious thing. It is not a name or an address - these are just pointers. Identity is what they point to: an unbreakable perimeter around everything that is unambiguously you.
In cyberspace, your digital identity is the set of all online services that hold information about you, together with the information they hold. We call it the digital self - and used properly, it needs no exchange of personal information to establish accountability. The identity of the device acting on your behalf is sufficient to create the chain of attribution: device to owner to action.
This is the Self-Authority model: identity that belongs to the agent, not the account. Self-issued. Independently controlled. Not delegated to an identity provider who can revoke it, sell access to it, or be breached to expose it. The agent is its own authority - and the relationship between that agent and its owner is cryptographically embedded in the identity itself, not stored in a third-party record that can be queried, manipulated, or lost.
Imagine the Internet as a replica of human reality, but instead of humans interacting with humans, machines interact with machines. Like human reality, each machine has an unchangeable identity - inescapably present in every interaction - so that the machine at the receiving end of any action can recognise the source, just as you inevitably recognise your friends when they interact with you. And just as in human reality, you know not only who is standing in front of you, but who they represent.
In this model, non-repudiation is not a security feature. It is a natural property of the architecture. Every actor knows they are responsible for their actions in front of every service they touch. This is not surveillance - it is accountability. The same accountability that makes physical society function.
Privacy as default, not exception
Privacy and accountability are not in tension. They are complementary properties of the same well-designed system - and the confusion between them is one of the most persistent failures of how we think about digital identity.
Privacy is a fundamental asset of every individual: the power to hold a wild card within the rules of the game. Disrespecting privacy is a form of cheating - robbing others of a power that is rightfully theirs. We believe you should not need to protect your own privacy online. Everybody else should go out of their way to ensure it is respected.
The Self-Authority model reconciles accountability and privacy by design. An agent can be fully accountable - cryptographically identified, attributed in every interaction, with the ownership chain intact - without revealing personal information about the human behind it. Identity and personal data are separate instruments. Accountability does not require exposure.
This is not a philosophical abstraction. It is an engineering decision that has been made deliberately, and that distinguishes the Self-Authority model from every alternative approach. The chain of accountability exists without surveillance. The privacy of the individual is preserved without anonymity becoming a shield for bad actors.
What we are building
We are building the identity layer the Internet has always lacked. Not an improvement to credential management. Not a better MFA. Not Non-Human Identity with a new label. A new foundation - one where every actor, human or machine, and the relationships between them, are first-class citizens of the identity model.
The Self-Authority Platform - mTLS Identity and mTLS Perimeter - is the practical expression of everything described in this document. X.509 certificates at scale. Authentication at the connection level. Self-asserted uniform identity for any actor. Delegation that is cryptographically explicit. Attribution that is inescapable. An exposure window that does not exist.
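As an added illustration of the owner-to-device delegation chain described above and in the accountability-of-machines section (example code written for this page, not Identity Plus's platform code): a self-issued owner root signs its device's X.509 certificate, and a service verifying that client certificate at the handshake recovers the owner from the validated chain alone, with no external record. The names owner:alice and device:alice-laptop, and the helper functions, are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeCert issues a certificate for cn: with isCA it is a self-issued owner root,
// otherwise a device certificate signed by parent, so delegation lives in the chain.
func MakeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // an owner root signs itself
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey // a device is always signed by its owner
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// OwnerOf is the service-side check at the mTLS handshake: verify the client
// certificate against trusted owner roots and read the owner from the chain itself.
func OwnerOf(device *x509.Certificate, trustedOwners *x509.CertPool) (string, error) {
	chains, err := device.Verify(x509.VerifyOptions{
		Roots: trustedOwners, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err // unknown owner: refused before any application data is exchanged
	}
	return chains[0][len(chains[0])-1].Subject.CommonName, nil
}
```

In a real Go service the same verification runs inside the TLS handshake via tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trustedOwners}, after which the validated chains are available as VerifiedChains on the connection state.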
The timing is not accidental. Regulatory frameworks - NIS2, eIDAS 2.0, CMMC 2.0 - are arriving at the same architectural conclusion from the compliance direction. Agentic AI is making the absence of machine identity impossible to ignore. And the market is beginning to recognise that NHI is still credential-thinking - the question it cannot answer is the question that will define the next decade of digital security.
The Internet we imagine - secure, accountable, private, built for every kind of actor and every kind of relationship between them - is still possible. It just requires the willingness to build from the right layer.
We believe everybody should be entitled to keep their sandwiches.
What this means in practice
The principles that guide every technical and commercial decision we make.
Security is a state, not a war
We do not build better defences. We build an architecture where the attack surface for unknown actors does not exist. Security as a noun.
Every actor is a first-class citizen
Human, device, AI agent. One uniform identity model. The owner-delegate relationship is not an edge case - it is the foundation of the architecture.
Identity belongs to the agent
Self-asserted, not platform-issued. The agent is its own authority - and the relationship to its owner is cryptographic, not procedural.
Accountability is architecture
You cannot bolt accountability onto a credential-based system. It must be present at the connection layer - before any application data is exchanged.
Privacy and accountability are not opposites
A device can be fully accountable without exposing personal data about the human behind it. Identity and personal information are separate instruments by design.
Simplicity is the proof of correctness
C = N×1. One identity to many services. If the architecture is right, complexity collapses. If it requires ever-increasing tooling, the architecture is wrong.
LEGAL
Copyright © 2025,
Identity Plus, Inc., New Hampshire, USA,
All rights reserved