World, Sam Altman’s iris-scanning identity company, launched AgentKit this week - a toolkit that lets AI shopping agents prove there’s a verified human behind them. The pitch: as AI bots handle more of our online transactions, merchants need to know they’re dealing with real people, not malicious automated swarms.
The catch: that verification comes from having your iris scanned by World’s Orb device. And the company’s biometric collection has been banned, fined, or ordered to delete data in at least six countries.
How AgentKit Works
AgentKit builds on Coinbase’s x402 protocol, which enables cryptocurrency micropayments over HTTP. World’s extension allows iris-verified users to delegate their World ID to AI agents as cryptographic proof of human identity.
In practice: you scan your iris with an Orb. You get a World ID. You link that ID to your AI agent. When the agent tries to book a restaurant reservation or purchase something online, it carries cryptographic proof that a unique human verified through biometrics backs the transaction.
“Payments are the ‘how’ of agentic commerce, but the identity is the ‘who,’” said Erik Reppel, Head of Engineering at Coinbase Developer Platform. “By integrating World ID with the x402 protocol, developers now have a complete trust stack.”
One human can delegate their ID to multiple agents, creating a chain of accountability for automated activity.
The Problem They’re Solving
Most websites block automated traffic. Anti-bot systems assume anything non-human is malicious. As AI agents become capable of genuinely useful tasks - checking flight prices, booking appointments, managing subscriptions - they get blocked alongside actual threats.
AgentKit positions World ID as the solution: let good agents operate by proving human backing, while blocking truly anonymous bots. World claims this prevents spam, ticket scalping, reservation blocking, and low-quality content floods.
The beta is currently available to developers who hold verified World IDs.
The Biometric Elephant in the Room
World requires you to scan your iris using its Orb device. The company says it doesn’t store actual images - the Orb converts your iris into an encrypted numerical code tied to a blockchain-based digital identity.
This has not reassured regulators.
Kenya’s High Court ordered World to delete all biometric data collected from Kenyan users, ruling the collection violated constitutional privacy rights. The court gave the company seven days to comply.
Thailand’s regulators ordered operations halted and demanded deletion of biometric records from more than a million people.
Colombia shut down World entirely, citing violations of data protection laws. Regulators ordered deletion of all sensitive personal data.
Spain suspended the project. Argentina issued fines. Hong Kong called the biometric collection “excessive and unnecessary.” Germany paused operations amid regulatory review.
Why Iris Data Is Different
Unlike a password, you cannot change your iris if the data is compromised. This makes iris scanning fundamentally different from other identity verification methods.
“Once you link an unchangeable biometric like your eye to a global ID system, you can’t take it back,” one cybersecurity expert warned. “This is the ultimate honeypot for surveillance.”
World claims the hashing is irreversible - that the iris code cannot be converted back to an image. Critics question whether that will remain true as computing power advances. If someone ever cracks the hash, you’ve permanently exposed an identity marker you cannot reset.
The Electronic Privacy Information Center (EPIC) has flagged concerns about people in developing nations being “coerced” into scanning their irises for cryptocurrency payments - what they describe as “bribing the poorest and most vulnerable people to turn over unchangeable biometrics.”
The Market Opportunity
The agentic commerce market - AI assistants autonomously making purchases - is projected to reach $3-5 trillion by 2030. World is betting that human verification will become essential infrastructure for this economy.
Despite Altman’s 2023 goal of reaching a billion users within two years, World has achieved about 18 million sign-ups. The company’s WLD cryptocurrency token has lost roughly 76% of its value since launch, according to The Register.
AgentKit represents World’s pivot from consumer crypto rewards to enterprise infrastructure. If AI agents need identity verification to operate, and World controls that verification layer, the company becomes a gatekeeper for the agentic economy.
What This Means for Privacy
The trajectory is clear: World wants to become the identity layer for AI-human interaction. That’s a significant concentration of power over a fundamental question - who gets to prove they’re human, and who controls that proof.
If AgentKit succeeds, declining to scan your iris may mean your AI agents get blocked. Privacy becomes a choice between functionality and biometric data collection.
The local AI community has an alternative path: agents that run entirely on your hardware, without external verification systems. Self-hosted models don’t need to prove humanity to third parties because they never leave your machine.
But for cloud-based AI agents that interact with the broader web, World is betting its iris-linked identity will become the standard. Whether that’s innovation or surveillance infrastructure depends on how much you trust a company that’s been banned in six countries to safeguard your unchangeable biometrics.
The Bottom Line
AgentKit solves a real problem - distinguishing helpful AI agents from malicious bots. But World’s solution requires surrendering biometric data that cannot be changed or revoked to a company facing global regulatory action. The question isn’t whether AI agents need identity verification. It’s whether iris scanning should be the price of admission to the agentic economy.