The Poisoned PII Problem
The financial system built its identity infrastructure on a secret. The secret got out. Now the system keeps asking for it anyway.
Every institution that has ever asked you for your mother's maiden name, your first pet, the street you grew up on, or the last four digits of a number you were assigned at birth was operating on the same foundational assumption: this information is yours alone. The secret is private. The person who knows it is probably you.
That assumption is dead. It has been dead for years. The financial system just has not accepted the funeral.
The Equifax breach exposed the credit files of 147 million Americans. The National Public Data breach put three billion records, including Social Security numbers, addresses, and family relationships, into the hands of anyone willing to pay a few dollars for the file. The healthcare breaches, the retail breaches, the government breaches: they did not just expose data. They destroyed the concept of private PII as a category. The information that the financial system treats as a shared secret between citizen and institution is now a commodity. It is indexed, searchable, structured, and priced at fractions of a cent per record on markets that have no interest in your inconvenience.
A motivated attacker today knows more about your credit history than you do. The system that is supposed to protect you is still asking for the answers.
The Theater of Knowing
Knowledge-Based Authentication, KBA in the industry shorthand, is the practice of asking questions that only the real account holder could answer. Which of these addresses have you lived at? What is the make of the vehicle registered in your name in 2017? What was the name of your first employer?
In 2005, this was a defensible control. The answers lived in a relatively small number of databases, access to those databases required institutional relationships, and the effort required to compile a dossier on a specific target was enough friction to deter most attacks.
None of that is true anymore. The answers to every KBA question a financial institution can ask are sitting in the breach databases. A human fraudster can look them up in minutes. An AI agent can ingest the entire dataset, parse the challenge in real time, and return the correct answer before the page has finished loading. The question is not whether the attacker has the data. The attacker has the data. The question is whether the institution is willing to admit that the game has changed.
Most are not. The response to each new breach has been to add more questions, require more documents, demand more selfies, send more one-time codes to phone numbers that can themselves be ported or compromised. These are not solutions. They are the same broken lock with more tumblers. The door still opens for anyone who has the right data, and the right data is available to anyone who wants it.
The Agent Has No Mother's Maiden Name
Agentic commerce does not merely stress the existing system. It exposes the structural absurdity underneath it.
An autonomous agent does not have a Social Security number. It does not have a date of birth, a credit file, a previous address, or a first pet. It is a piece of software executing a delegated instruction. It has an origin, a scope, a runtime environment, and a controlling principal. It does not have a human identity, because it is not human.
When a merchant's verification system encounters an agent, one of two things happens. Either the system has no framework for what it is looking at and waves the agent through because silence reads as clean, or the system demands that the agent present human PII on behalf of its owner. The first path is an authorization gap. The second path is a vulnerability.
If an agent is required to present its owner's credentials to operate, the merchant cannot distinguish between a legitimate agent acting on behalf of a real user and a malicious agent presenting stolen PII for a user who never authorized anything. The transaction looks identical from the outside. The PII matches. The checks pass. The fraud is invisible until the chargeback arrives.
What Trust Actually Requires
The exit from this problem is not more data. More data is what got us here. The exit is a different question entirely.
A merchant verifying an agent does not need to know the Social Security number of the human who deployed it. That number is probably in a breach database anyway. What the merchant needs is a cryptographically signed record that attests, at the moment of the transaction, that this specific agent was authorized by a known principal, operating within a defined scope, from a runtime environment that has not been tampered with. Not a secret. A proof.
The difference matters more than it might appear. A secret can be stolen, replicated, and used by anyone who possesses it. A cryptographic proof is bound to the keys that signed it. Stealing the data does not give you the keys. The attacker can have every PII record in every breach database ever compiled. Without the signing keys and the unbroken authorization chain, the data is inert.
This is the architecture that FLINT is built on. We do not ask the agent to recite facts about its owner. We verify the proof of its authority. We check the signature, inspect the scope, evaluate the runtime signals, and issue a verdict that is itself a signed record. The merchant gets something they can audit, replay, and present in a dispute. Not a score. Not a probability. A record.
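As an added illustration (not FLINT's protocol or code), here is a small Go sketch of the shape of such a check: a controlling principal signs an authorization record for an agent, the merchant verifies the signature, the scope and the runtime measurement without asking anything about the owner, and signs its own verdict. The record fields, the `Authorization`/`Verdict`/`Evaluate` names and the sample values are constructed assumptions, and it shows why a stolen record is inert without the signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Authorization is the record a controlling principal signs when it delegates
// authority to an agent. Field names are illustrative, not a FLINT format.
type Authorization struct {
	AgentID     string `json:"agent_id"`
	Merchant    string `json:"merchant"`     // scope: the only merchant the agent may pay
	MaxCents    int64  `json:"max_cents"`    // scope: spending ceiling
	RuntimeHash string `json:"runtime_hash"` // measurement of the attested runtime
}
// Verdict is the merchant's decision, itself signed so it can be audited and replayed.
type Verdict struct{ AgentID, Reason string; Allowed bool }
func canonical(v any) []byte { b, _ := json.Marshal(v); return b }
// Sign returns a detached Ed25519 signature over a record's canonical JSON.
func Sign(priv ed25519.PrivateKey, v any) []byte { return ed25519.Sign(priv, canonical(v)) }
// Evaluate is the merchant-side check: principal signature, scope, runtime measurement; then a signed verdict.
func Evaluate(principalPub ed25519.PublicKey, auth Authorization, sig []byte,
	merchant, runtimeHash string, amountCents int64, merchantPriv ed25519.PrivateKey) (Verdict, []byte) {
	v := Verdict{AgentID: auth.AgentID}
	switch {
	case !ed25519.Verify(principalPub, canonical(auth), sig):
		v.Reason = "bad principal signature" // forged, or edited after signing
	case auth.Merchant != merchant:
		v.Reason = "out of scope: merchant"
	case amountCents > auth.MaxCents:
		v.Reason = "out of scope: amount"
	case auth.RuntimeHash != runtimeHash:
		v.Reason = "runtime attestation mismatch"
	default:
		v.Allowed, v.Reason = true, "ok"
	}
	return v, Sign(merchantPriv, v)
}

func main() {
	pPub, pPriv, _ := ed25519.GenerateKey(rand.Reader) // principal's keys
	_, mPriv, _ := ed25519.GenerateKey(rand.Reader)    // merchant's keys
	auth := Authorization{"agent-42", "shop.example", 5000, "sha256:constructed-measurement"}
	sig := Sign(pPriv, auth)
	auth.MaxCents = 999999 // attacker edits the stolen record but holds no principal key
	v, _ := Evaluate(pPub, auth, sig, "shop.example", auth.RuntimeHash, 1999, mPriv)
	fmt.Println(v.Allowed, v.Reason) // false bad principal signature
}
```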
The Secret Is Gone
There is a version of this story where the financial industry acknowledges what happened, accepts that PII-based authentication is structurally broken, and rebuilds on cryptographic foundations before the losses from agentic commerce make the decision for them. That version is possible. It requires honesty about the scale of what has already been lost.
The more likely version is the one that has played out in every prior technology transition: the incumbents add friction, the attackers automate around it, the losses mount, and eventually a new infrastructure wins not because it was chosen but because the old one became indefensible.
Either way, the secret is gone. The question is only how long the system pretends otherwise, and who pays for the pretense.
FLINT is building the trust layer for a world where PII is no longer a secret. If you are building agentic payment rails and need to authenticate authority rather than knowledge, write to contact@flint.network.