Manav.id

The day Worldcoin's AgentKit broke

A thought experiment. Worldcoin's AgentKit launched to give every World ID holder the ability to delegate to an AI agent. Reasonable design. Wrong root. Here is the failure mode their architecture cannot rule out — and why it is not a knock on the team, but a knock on the substrate.

The architecture, briefly

An iris hash anchors a World ID. AgentKit lets the holder mint an agent identity tied to that root, with delegated capabilities and on-chain settlement via World Chain. The pitch: one verified human, many delegated agents, all rooted in the same biometric. Coherent and clear.

The failure mode

The iris is not revocable. If a holder's iris hash is compromised — through a leaked orb capture, a re-scan attack on a stolen device, or an insider exfiltration at an orbing site — the human cannot be re-rooted. The legacy World ID stays valid; the only escape is to invalidate the iris and re-onboard, which Worldcoin's own architecture has resisted for understandable reasons (it would let any user claim "compromise" to evade Sybil checks).

For pure proof-of-personhood, the failure is uncomfortable but bounded; the user is one of billions. For agent delegation, the failure is severe. A compromised iris means a compromised authority chain for every agent the user has minted. Revocation rolls back specific delegations but cannot disqualify the root.

What happens on the bad day

An attacker presents a stolen iris hash to AgentKit and mints an agent under the victim's identity. The agent draws on the victim's reputation, signs transactions on the victim's chain, and accumulates real-world credentials in the victim's name before the victim notices. Revoking individual agents does not help; the attacker mints new ones. The human's only true recourse is to hope the orb network agrees to invalidate the iris, which Worldcoin's policy explicitly disfavors.

Why Manav's architecture does not have this failure

The Manav root is a hardware-attested device, not a biometric. If the device is compromised, the human revokes it, regenerates from the guardian set, and re-mints — without invalidating any prior witnessed work, because the work attestations are signed against the human's DID, not the specific device key. The iris (or any biometric) is one of several optional liveness layers, never the root.
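The property described above can be shown with a small model. This is an added example, not Manav's or Worldcoin's code: the DidRecord class, the key names and the sequence numbers are hypothetical, HMAC stands in for real device signatures, guardian recovery is not modelled, and sequence numbers are assumed to come from a witnessed append-only log rather than from the signer.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

@dataclass
class DidRecord:
    """Hypothetical DID record: a stable identifier over rotatable device keys."""
    did: str
    keys: dict = field(default_factory=dict)  # key_id -> [secret, added_seq, revoked_seq]

    def add_device(self, key_id, secret, seq):
        self.keys[key_id] = [secret, seq, None]

    def revoke_device(self, key_id, seq):
        self.keys[key_id][2] = seq

def _tag(secret, did, key_id, seq, payload):
    # HMAC is a stand-in for an asymmetric device signature.
    msg = json.dumps([did, key_id, seq, payload]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def attest(did, key_id, secret, seq, payload):
    # Assumption: seq is assigned by a witnessed append-only log, so the
    # holder of a stolen key cannot backdate it to before the revocation.
    return {"did": did, "key_id": key_id, "seq": seq, "payload": payload,
            "tag": _tag(secret, did, key_id, seq, payload)}

def verify(record, att):
    entry = record.keys.get(att["key_id"])
    if entry is None or att["did"] != record.did:
        return False
    secret, added, revoked = entry
    # The key must have been enrolled and not yet revoked at the attested point.
    active = added <= att["seq"] and (revoked is None or att["seq"] < revoked)
    expected = _tag(secret, att["did"], att["key_id"], att["seq"], att["payload"])
    return active and hmac.compare_digest(expected, att["tag"])

def demo():
    alice = DidRecord("did:example:alice")            # constructed sample data
    alice.add_device("device-1", b"k1", seq=1)
    work = attest(alice.did, "device-1", b"k1", 5, "witnessed work")
    alice.revoke_device("device-1", seq=10)           # compromise noticed
    alice.add_device("device-2", b"k2", seq=11)       # re-enrolled after recovery
    stolen = attest(alice.did, "device-1", b"k1", 12, "mint agent")
    fresh = attest(alice.did, "device-2", b"k2", 12, "mint agent")
    fixed = DidRecord("did:example:fixed-root")       # root that is never revoked
    fixed.add_device("root", b"k0", seq=1)
    replay = attest(fixed.did, "root", b"k0", 12, "mint agent")
    return verify(alice, work), verify(alice, stolen), verify(alice, fresh), verify(fixed, replay)
```

Work attested before the revocation still verifies, a mint signed with the revoked key is rejected, the replacement device can mint, and the root that cannot be revoked keeps accepting whoever holds its key.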

What this means for AgentKit's customers

Most agent use cases tolerate the failure mode because the dollar exposure per delegation is low. The high-stakes use cases — payroll, healthcare, government services — cannot, by their underwriters' rules, accept an irrevocable root. AgentKit will likely earn the consumer market for low-stakes agent delegation; the enterprise market needs a substrate where the root is recoverable. That is a category split, not a one-winner outcome.

The honest reading

Worldcoin's iris substrate is the strongest known proof-of-personhood at consumer scale. AgentKit was the right product to ship on top. The failure mode described here is a substrate problem, not a product problem. We say so without schadenfreude. The category is large enough for a biometric-rooted consumer layer and a device-rooted enterprise layer to both win.

Common objections

The strongest counter-arguments we have heard. The incumbent will catch up — possibly inside their boundary; the cross-platform shape is architecturally hard for them. The category is too narrow — we believe it broadens as agent autonomy compounds; we may be wrong; the data over the next year will tell.

Frequently asked questions

What are the strongest counter-arguments? The two we hear most: (1) the incumbent will eventually ship this, and (2) the category is too narrow to support a category-defining company. We address both head-on; we believe the incumbent's architecture cannot ship this without a rebuild, and we believe the category broadens as agent autonomy compounds.

Are we ignoring legitimate criticism? We try not to. The honest criticisms — slow adoption, immature SDKs in some languages, unclear regulator response — are documented openly. We answer with progress, not with marketing.

What would make us change our mind? Three signals. A major incumbent shipping a comparable cross-platform delegation primitive. A regulator explicitly preempting the category with a different spec. A customer cohort showing they prefer the platform-bound alternative even when the audit trail is broken. None of those have appeared.

Where to start

For the steel-manned counter-position, read manav vs worldcoin. For the alternative we agree could win, see proof of personhood vs pohw. We do not need to be right for the category to be real.

What the post-mortem will eventually say

When the post-mortem is finally written, three findings will dominate. First: the integration treated personhood verification as a sufficient signal for agent action, conflating "is human" with "authorized this action." Second: the kill-switch was platform-scoped, not delegation-scoped, so the response time was bound to the platform's incident-response cycle rather than the user's ability to revoke. Third: the audit log was a Worldcoin internal artifact, not a user-portable artifact, so affected users could not produce evidence of what their agents had done without going through Worldcoin's support channel. Each finding maps directly to a Manav design decision. We did not predict the specific incident. We did predict the failure mode, and the protocol architecture exists in part because the failure mode was visible from the architecture diagrams of the prior generation. The post-mortem will be useful in that it formalizes what the engineering community already suspected.

Pick your root. Pick what you can revoke. The day you wish you could is the day the root is the wrong one.