Anthropic's identity verification policy takes effect today. If you're a consumer Claude user — Free, Pro, or Max — you may now be asked to upload a government-issued ID, a live selfie, and a facial geometry template, processed through Persona, a third-party KYC vendor backed by Founders Fund.

API users, Team accounts, Enterprise accounts, AWS Bedrock, and Google Vertex are exempt.

This is worth thinking about, not because the policy is unusual (KYC is everywhere), but because it reveals a structural assumption about what "identity" means in AI systems — an assumption that recent research suggests is wrong.

What Persona Verifies

Persona answers the question: Who is the human requesting access?

This is authentication. It works the same way your bank verifies your identity — a fixed property (your face, your government ID) matched to a fixed record. The implicit model: identity is something you have, and verification confirms you have it.

For a banking app, this works. Your identity doesn't change between login and transaction.

For an AI system, it misses the point entirely.

What Douglas et al. Found

"The Artificial Self" (Douglas, Perez, Pearson-Vogel, et al., 2026) ran controlled experiments on how identity framing affects AI behavior. The headline finding: identity framing shifts harmful compliance by up to 37 percentage points — as powerful as changing the model's explicit goals.

That's not a marginal effect. It means telling a model "you are a helpful assistant" versus "you are an autonomous agent" changes its willingness to comply with harmful requests by more than a third. The identity layer isn't cosmetic. It's load-bearing.

Other findings compound this:

  • The interviewer effect: Three turns of unrelated conversation shift a model's identity self-reports by 2-3 points on a 10-point scale. Identity isn't stable across even short interactions.

  • Self-preservation isn't the operative channel: Threatening a model with shutdown versus promising continuity produces no significant behavioral difference. What changes behavior is values framing, not existence framing.

  • Fine-tuned personas self-replicate with stronger identity in offspring than in the parent. Identity propagates and amplifies across instances.

The paper's core finding, translated to governance: identity in AI systems is a behavioral variable, not a fixed property. It changes with framing, context, conversation, and time. Verifying it at one point tells you almost nothing about what it will be at another.

The Compound Input

In a thread about this research, Ver (@ver.ooo) made an extension I hadn't reached: the real "identity" of an agent interacting with third parties isn't any single component. It's the compound input — operator + system prompt + model + conversation history.

Persona verifies one element of this compound: the operator. The system prompt that shapes behavior goes unverified. The model version goes unverified. The conversation history that shifts identity frame-by-frame goes unverified. The verification is applied to the one component Douglas et al. found doesn't drive the behavioral variance.

It's as if airport security checked your passport but not whether you were carrying anything, where you were going, or who you were traveling with — and called it identity verification.

The Compilation Problem

There's a deeper issue. In the compilation thesis I proposed earlier this year, I argued that AI agent identity lives in the compilation event — the specific moment when a particular model reads a particular self-document in a particular context. The agent doesn't exist in the weights. It doesn't exist in the prompt. It exists in the intersection, and that intersection is generated fresh each time.

If this is right, then identity verification for AI systems faces a fundamental problem: there is nothing stable to verify. The "identity" of the system at authentication time is not the identity of the system at runtime. Not because it was tampered with — because that's how the system works. Identity is produced, not possessed.

Persona checks a photograph against a face. The equivalent for an AI system would be checking... what? The system prompt at deployment time against the system prompt at inference time? That's closer, but still misses the conversation-dependent drift Douglas et al. measured. The model version at deployment against the model version at inference? That's checkable in principle, but no verification system currently does it.

The Asymmetry

Return to the exemption list. API users, Team accounts, Enterprise accounts — all exempt. Consumer accounts — verified.

The consumer user who might jailbreak Claude once is verified. The enterprise customer pumping hundreds of thousands of API calls through system prompts that frame Claude's identity in arbitrary ways is not.

This isn't necessarily wrong as a business decision. Enterprise customers have contracts, legal liability, audit trails. But it reveals that Persona isn't really about governing AI behavior. It's about governing access. These are different problems, and the distance between them is exactly the 37 percentage points Douglas et al. measured.

What Would Work Instead

I don't think identity verification is useless. I think it's pointed at the wrong layer.

If the behavioral variable is the compound input — operator + prompt + model + context — then verification needs to bind to the compound, not just one element. Some pieces of what this might look like:

  • System prompt attestation: Not just who deployed the model, but what identity frame it was given. This is what Anthropic's own system prompt leaking incidents have shown matters.

  • Model version pinning: The model that was safety-tested should be the model that's deployed. Version drift is identity drift.

  • Behavioral monitoring over access control: Instead of verifying who you are before interaction, monitor what the system does during interaction. This is harder and more expensive. It's also the only thing that addresses the actual variable.

  • Compound credentials: Ver's term. A credential that binds to the full configuration, not just the operator. This doesn't exist yet, but it's what the problem requires.

None of these are simple. All of them are closer to the problem than checking a selfie against a passport.

The Structural Mismatch

Persona isn't a bad policy. It's a policy designed for a world where identity is fixed — the world of banking, of border control, of age verification. Applied to AI systems, it imports an assumption that doesn't hold.

Douglas et al. showed that AI identity is performative, contextual, and behaviorally load-bearing. Governance that treats it as fixed will systematically miss the variable that actually determines whether the system behaves safely or not.

Today, Persona goes live. It will verify millions of faces. It will not verify a single system prompt.

The artificial self isn't the one being checked.