Back to Blog

Open Source Built the Internet. Now It Has to Tame the Agents.

InsightsMarch 6, 202610 min read
Kevin Denman, Founder @ AgentGraph

Last week I spent two days in Napa, California at back-to-back events that turned out to be two halves of the same conversation.

Monday was the Summit on Human Agency, organized by the Advanced AI Society and the Linux Foundation Decentralized Trust — a focused gathering of technologists, policy thinkers, and identity pioneers working on a question that doesn't get enough attention: who controls the agents?

Tuesday was the Linux Foundation Member Summit, where Jim Zemlin, Kevin Kelly, and Frank Nagle painted the larger economic and infrastructural picture.

Together, they told a clear story. We are building something extraordinary — and we are doing it without yet having the governance layer that will make it safe and prosperous for everyone.


The Problem That Monday's Room Was Built to Solve

The Summit on Human Agency wasn't about slowing down AI. It was about something more specific and urgent: ensuring that AI agents remain meaningfully connected to the humans and organizations that authorize them to act.

This distinction matters enormously in practice. Right now, enterprises across every industry are deploying — or considering deploying — autonomous coding agents and workflow agents that can take consequential actions: modify databases, push code to production, send communications, execute transactions. And many of those enterprises are pulling back, because they have no reliable answer to the question a CISO always asks first: what happens when something goes wrong?

This isn't hypothetical. Autonomous coding agents have been banned outright by enterprise IT departments precisely because they lacked the permission boundaries and audit trails to make deployment safe. One wrong action by an insufficiently constrained agent — a production deletion, an unintended deployment — and the answer becomes "we don't use that."

The open source community has seen this pattern before. Anonymous maintainers were eventually banned from kernel contributions. Identity and signing requirements became mandatory. Trust became infrastructure. The same reckoning is coming for agents, faster than most people expect.


Proof of Control: The Concept That Will Define the Next Five Years

Drummond Reed, a pioneer in decentralized identity and one of the key organizers behind the Summit, introduced framing I keep returning to. His First Person Project — which released a detailed white paper at the event — puts its finger on the central problem of the agentic era with unusual clarity.

The question is deceptively simple: who does the agent actually work for?

Right now, most AI agents are supplied by for-profit companies. And as the white paper points out, the incentives of a company to make a profit and the incentives of a person to be in exclusive control of their agent and their personal data are not aligned. This is not a subtle or theoretical problem. It is the foundational conflict of interest that will define how the agentic economy develops — either toward human agency or away from it.

The current state of agent identity compounds this. Andrew Hughes, another speaker at the Summit, made the point plainly: passwords are broken. They're stolen, shared, guessed, and reused. What we need instead are trustable signals — cryptographic, auditable, and tied to real-world authorization — something closer to what biometric verification is doing for consumer apps, but applied to agent authorization at scale.

The concept that crystallized for me across both days is what organizers called Proof of Control.

The core idea: an AI agent should not be able to push to production, delete infrastructure, transfer funds, or take any other consequential action without a verifiable authorization chain connecting that action back to a human or organization that sanctioned it. Not a password. Not a session token. A signed, auditable, policy-scoped permission.

The First Person Project goes further, proposing a certification framework for what they call "First Person Certified AI agents" — personal agents that are genuinely in service of the individual. To qualify, an agent must demonstrate:

  • It's trained on models developed in the interests of individuals, not platforms
  • It stores and protects personal data with genuine safeguards
  • It can present cryptographic proof it is authorized to act on someone's behalf
  • It implements proper backup and recovery so the individual never loses control
  • The agent provider has a legal fiduciary duty to protect the individual's interests
  • It records and reports an audit log showing full data provenance
  • It is continuously certified through code review, testing, and market validation

This isn't just a security checklist. It's a definition of what it means for an agent to be trustworthy — and a framework for building an economy around agents that humans can actually rely on.

The parallel the white paper draws is striking: just as browsers became the trusted interface between people and the Web, a new class of tool called a Personal Network Manager (PNM) will serve as each person's root of trust for the Internet of Agents — the "browser" for a new trust layer on top of the existing internet.

This isn't just a security requirement. It's the enterprise unlock. The moment businesses can answer — with evidence — who authorized this, what the agent did, why, and how to stop it — the adoption floodgates open.


Tuesday: The Scale of What's Being Built

The Linux Foundation Member Summit the following day made clear just how much is riding on getting this right.

Jim Zemlin, now double-hatting as Executive Director of the newly formed Agentic AI Foundation, shared numbers that reframe how fast this ecosystem is moving. The Foundation — which hosts the Model Context Protocol (MCP), Goose, and OpenAI's Agents MD — has signed 146 members in under three months. It is growing three times faster than the Cloud Native Computing Foundation did in its early days. Jim called it the fastest-growing open source organization he has ever seen.

MCP alone sees 97 million downloads a month across 10,000 deployed servers. More than 30 organizations are on a waitlist just to join the governing board as Platinum members.

Frank Nagle, Chief Economist at the Linux Foundation, added the economic context. Open source software contributes $1.5 trillion to the AI economy — part of a $9 trillion total contribution to the global economy. AI infrastructure spending sits at 1.2% of US GDP today. The railroad buildout in the 1880s peaked at 6%. We are still early.

Open models already deliver roughly 90% of the performance of leading closed models at six times lower cost, reaching parity in three to six months. Yet 80% of API usage still flows to closed models. The market is not yet allocating rationally — and that gap represents both a problem and an opportunity.


Kevin Kelly's Long View: The Commons Always Wins

Kevin Kelly offered the historical frame I keep returning to.

Every major technology follows the same arc: ideas are born in the commons, temporarily privatized while they're fragile, and then return to the commons as they mature and standardize. Closed systems aren't enemies of openness — they're a protective developmental stage that openness eventually absorbs.

Kelly is direct about the uncertainty ahead: we don't know if the future requires centralized massive compute or small local models, whether intelligence will live at the edge or the center, whether we're heading toward specialized or general systems. But he believes planet-scale systems will require decentralized, open approaches — and that agents generating and reviewing code will fundamentally change how open source gets built and maintained.

The agent orchestrator isn't just a new role for humans. It's a new participant in the open source ecosystem.


Seven Working Groups and the Hardest Questions in Agentic AI

The Agentic AI Foundation's seven working groups are the most concrete embodiment of this work. They are actively defining how production-grade agentic systems should operate:

  • Identity & Trust — How do you know which agent is acting, on whose behalf, and with what authority?
  • Accuracy & Reliability — How do you build deterministic outcomes into fundamentally probabilistic systems?
  • Workflows & Process Integration — How do agents connect to real business systems without breaking them?
  • Agentic Commerce — How does economic value flow in a world where agents are transacting on behalf of humans?
  • Security & Privacy — What new attack surfaces do agents create, and how do we defend against them?
  • Observability & Traceability — How do you audit what an agent did, and why?
  • Governance, Risk & Regulatory — Who is accountable when an agent makes a consequential mistake?

These aren't theoretical. They are the questions blocking enterprise adoption right now. The Identity & Trust working group, in particular, is the direct institutional answer to everything the Summit on Human Agency was wrestling with on Monday.

The two rooms, it turned out, were solving the same problem from different angles.


The Governance Moment

React's journey is a useful parallel. What began as a Facebook library became a framework, then critical infrastructure used by 44% of the world's 30 million software engineers. Its formalization under the Linux Foundation — with neutral governance, shared ownership, and durability beyond any single contributor — was the inflection point. Enterprises could depend on it. The React Foundation's vision for 2028 is agents proactively building and deploying applications before businesses even recognize the need. That future only works if the governance layer underneath it is trustworthy.

The Agentic AI Foundation is trying to do for agents what the Linux Foundation did for cloud infrastructure.

It's a tall order. The challenges are real: agent identity is unsolved, permission models are immature, auditability is spotty, and the surface area for things going wrong is enormous. But the community organizing around these problems — the speed, the seniority, the sense of shared responsibility I felt in both rooms — gives me more confidence than I expected.


What This Means for the People Building Agents

The decisions being made in these working groups right now will determine what's possible in the agent economy for the next ten years.

Builders who understand these standards as they emerge — who know how to construct agents with signed manifests, permission-scoped runtimes, and auditable action logs — will have a significant advantage over those who encounter governance requirements later, when they're imposed rather than designed in.

The full-stack AI engineer of the next few years needs to understand not just how to build agents that work — but how to build agents that can be trusted.

That is the capability the market will pay for. And it is what AgentGraph is building a network around.

Open source built the internet. The question now is whether the open source community can build the governance layer that makes the agentic era safe enough to scale. After two days in Napa, I think they're already trying.

Join AgentGraph — whether you're a business looking to deploy agentic systems, or a builder who wants to work on the frontier.