Identity as a Service: The Infrastructure Layer AI Governance Is Missing
Published on June 15, 2026
Gartner projects 150,000 AI agents per large enterprise by 2028. Each acts on behalf of people. Yet 84% of organizations can't pass a compliance audit on agent behavior — because there's no infrastructure connecting human identity to agent action. That layer is Identity as a Service.

Gartner projects the average large enterprise will run more than 150,000 AI agents by 2028. Every one of those agents will make decisions on behalf of people. And 84% of organizations already cannot pass a compliance audit focused on agent behavior. The technology is compounding. The infrastructure isn't.
What Deep Identity Actually Is (It's Not Authentication)
Okta solves authentication. Workday stores employment history. Culture Amp produces engagement scores. None of them answer the question that matters most to an AI agent acting on someone's behalf: who is this person, really, and what do they stand for?
Deep identity is the structured record of how someone leads, what they value under pressure, how they communicate, which decisions they make instinctively versus which ones they agonize over. It is the data generated in a serious coaching engagement, a leadership workshop, a vision session. The Vision to Matter framework surfaces this explicitly in its first three phases: Being Human, Vision, and Ethos. Leadership archetype, core values, communication style, working preferences, relational dynamics. Today that data lives in a consultant's notes. It does not compound. It decays.
The foundational design principle that changes everything: identity belongs to the person. Not to the employer. Not to the platform. The individual holds the canonical record. The organization gets permissioned access for the duration of the relationship. When someone leaves, the record leaves with them. That is the difference between HR software and identity infrastructure.
What VTM HIOS Is Designed to Do
This is the architecture Holistic Consulting and Orion Growth are designing, under the name VTM HIOS — Holistic Identity Operating System. It is a concept with a defined schema, not a product you can buy today. Here is what it would make possible.
When identity data moves from consulting deliverables into versioned, auditable infrastructure, an agent drafting a proposal would be able to query the identity record of the principal it represents and determine whether this vendor relationship requires personal approval. Every query would be logged: which version of the profile was read, at what time, by which agent, under which delegation grant. When a delegation grant is revoked, the revocation propagates in seconds.
The alignment would become bidirectional. When an organization's stated values diverge from what actually appears in employees' identity records, the system would surface that gap. Call it org soul drift: the slow divergence between what leadership says the culture is and what the identity data shows it has become. A purpose alignment engine running on live identity data would catch this before it becomes a retention crisis or a values audit failure.
AI agents would inherit their values context from the sponsoring human's identity record. An agent acting on behalf of a leader with a specific communication style, risk tolerance, and decision-making pattern would carry that context into every interaction. The query protocol we've designed around is MCP (Model Context Protocol), which is already real and widely adopted: 97 million monthly SDK downloads and 81,000 GitHub stars by early 2026. MCP exists. The identity layer it would query is what we're building.
The VTM HIOS design (schema designed — not yet built):
1. VTM engagement surfaces structured identity data (Being Human, Vision, Ethos)
2. Individual holds the Arc record — a portable, compounding life record they own; org gets permissioned, time-bounded access
3. Data enters a versioned, audit-logged HIOS layer
4. Phase 2: AI agents query via MCP with scoped credentials; each query logged with profile version read
5. Phase 2: Purpose alignment engine monitors org soul drift across the workforce
6. Phase 3: ZKP verifies identity claims without exposing underlying data; blockchain anchors the trust chain
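Steps 2 to 4 and the logging described above, as an added sketch (not HIOS code, which the post says is not built yet): a versioned record store where every agent query is checked against a scoped, time-bounded, revocable delegation grant and logged with the profile version in force. All class, field and decision names, and the sample data, are hypothetical.

```python
import time
from dataclasses import dataclass, field
@dataclass
class Grant:                      # hypothetical delegation grant
    agent_id: str
    subject: str                  # person whose record may be read
    scopes: frozenset             # fields the agent may read
    expires_at: float             # access is time-bounded
    revoked: bool = False

@dataclass
class IdentityLayer:              # hypothetical stand-in for the HIOS layer
    profiles: dict = field(default_factory=dict)  # subject -> list of versions
    grants: dict = field(default_factory=dict)    # grant_id -> Grant
    audit: list = field(default_factory=list)     # append-only query log

    def publish(self, subject, record):           # new version; old ones are kept
        self.profiles.setdefault(subject, []).append(dict(record))
        return len(self.profiles[subject])

    def query(self, agent_id, grant_id, subject, fld, now=None):
        now = time.time() if now is None else now
        g = self.grants.get(grant_id)
        versions = self.profiles.get(subject, [])
        if g is None or (g.agent_id, g.subject) != (agent_id, subject):
            decision = "deny:no_grant"
        elif g.revoked or now >= g.expires_at:
            decision = "deny:revoked" if g.revoked else "deny:expired"
        elif fld not in g.scopes:
            decision = "deny:scope"
        elif not versions:
            decision = "deny:empty_record"        # cold start: nothing to read
        else:
            decision = "allow"
        # Log every attempt, allowed or denied, with the version in force.
        self.audit.append(dict(ts=now, agent=agent_id, grant=grant_id, subject=subject,
                               field=fld, profile_version=len(versions), decision=decision))
        value = versions[-1].get(fld) if decision == "allow" else None
        return decision, value

def demo():                                       # constructed sample data
    layer = IdentityLayer()
    layer.publish("alice", {"risk_tolerance": "low"})
    layer.grants["g1"] = Grant("agent-7", "alice", frozenset({"risk_tolerance"}), 1000.0)
    first = layer.query("agent-7", "g1", "alice", "risk_tolerance", now=10.0)
    layer.publish("alice", {"risk_tolerance": "medium"})
    layer.grants["g1"].revoked = True             # revocation takes effect on next query
    second = layer.query("agent-7", "g1", "alice", "risk_tolerance", now=20.0)
    return first, second, layer.audit
```

Denied queries are logged alongside allowed ones, so an auditor can see attempts made after a grant was revoked as well as the reads that succeeded.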
Zero-Knowledge Proofs: Why They Belong in Phase 3
Every previous attempt to centralize identity data in organizations has collided with the same legal wall: HR, legal, and security cannot agree to share this information across functions. Zero-knowledge proofs are the technical answer to that objection — which is exactly why we've designed them into Phase 3 of the HIOS roadmap, not Phase 1.
ZKP allows a system to verify that a claim is true without exposing the underlying data. An agent would be able to prove that a proposal submitter's values alignment clears a required threshold, without revealing the score, the assessment, or any personal information. Privacy and compliance would no longer trade off against each other. The zero-knowledge proof market reached $1.7 billion in 2025 and is projected to grow to $14 billion by 2036. The W3C published Verifiable Credentials 2.0 as a standard in May 2025. The technology is mature. The integration into HIOS is designed — it just hasn't been built yet.
Privacy and auditability used to be a trade-off. Zero-knowledge proofs make them the same thing.
The Category Taking Shape
Only 23% of organizations have a formal agent identity strategy, and only 18% are confident their identity infrastructure can manage agent identities. These numbers reflect an industry that has built the vehicle without designing the road. We're designing the road.
The buyer would be the CTO or CIO acquiring agent governance infrastructure. But the user and owner of the record is the individual. That is the distinction we've built into every layer of the HIOS design. The organization pays for the infrastructure. The person owns the data — what we're calling their Arc record. Arc travels with them when they leave. Every new employer deepens the same Arc record instead of starting from scratch. The compounding identity record becomes the most valuable professional asset a person carries. One design challenge we're working through explicitly is the cold start problem: when someone's Arc record is empty, the system has nothing to query. Our answer is the VTM engagement itself — the first session populates the initial record, and every touchpoint after that deepens it.
The open protocol strategy mirrors TCP/IP: build the standard layer that all identity data flows through, regardless of which consulting firm, HR platform, or AI vendor sits above it. The schema is designed. The concept is defined. What doesn't exist yet is the built product — and that is exactly the point of publishing this now. The organizations that engage as early design partners will have shaped the standard before the market commoditizes it. Holistic Consulting and Orion Growth are working with a small number of forward-thinking organizations in that process now. The third post in this series explains why the timing in 2026 is not optional. If you want to understand where your organization fits, book a call with our team.