Identity Without Surveillance by Design

Concordium

Every blockchain that bolts on compliance creates a surveillance surface. Concordium splits identity knowledge across independent parties so that no one, not even Concordium, can connect who you are to what you do on-chain.

The previous article explained why Concordium starts with identity and where that identity lives after creation. The answer raised a harder question: who holds what?

That question was worth asking before AI agents became a market category. Now it is unavoidable. As a16z recently put it, the bottleneck for the agentic economy is not intelligence. It is identity.

Most systems that promise privacy ask you to trust a single gatekeeper. A company, a government, a platform. The problem is that trust can be broken by a breach, regulatory pressure, or simply by someone in a position of power deciding to act in their own interest. Concordium takes a different approach. Instead of asking you to trust one party, the system is designed so that no single party has enough information to unveil you in the first place.

Four participants make this work, each with a deliberately limited role.

Who Holds What

Trusted third-party Identity Providers (IDPs), e.g. Notabene and DTS, verify who you are off-chain. They store your identity credentials securely in their own systems and enforce jurisdictional rules. But an IDP cannot see which wallet addresses are yours, which transactions you have made, or how you use the network. The link between your identity and your on-chain activity does not exist within their systems.

Privacy Guardians (PGs) are independent law firms that hold the other half of the puzzle. They possess cryptographic key shares that could, under the right circumstances, reveal the Public Holder Identifier linking an on-chain address back to a real identity. But they have no access to the identity records stored by IDPs. They hold keys, not data.

The mechanism connecting these roles is threshold encryption. The ability to decrypt a user's identity information is split across multiple Privacy Guardians. Currently, 2 out of 3 must cooperate before any disclosure can happen. One PG going rogue cannot expose anyone. One PG being breached unlocks nothing.
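The 2-of-3 property described above, as an added illustration in Python that is not Concordium's code or its actual scheme: a toy threshold ElGamal in which each guardian contributes only a partial decryption. The group parameters, function names, the trusted dealer and the `holder_id` value are assumptions constructed for this example.

```python
import secrets

# Toy group, constructed for readability and far too small for real use:
# safe prime P = 2Q + 1; G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def deal_shares(secret, n=3, t=2):
    """Shamir-share `secret` mod Q so that any t of the n shares determine it."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def encrypt(pub, m):
    """ElGamal encryption of a subgroup element m under the joint public key."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(pub, r, P) % P

def partial_decrypt(share, c1):
    """Runs at one guardian; only c1^share leaves, never the share itself."""
    return pow(c1, share, P)

def lagrange_at_zero(i, ids):
    """Coefficient that weights guardian i when interpolating f(0) mod Q."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine(partials, c2, t=2):
    """Recover m from {guardian_id: partial}; refuses below the quorum t."""
    if len(partials) < t:
        raise ValueError("quorum not met")
    mask = 1
    for i, d in partials.items():
        mask = mask * pow(d, lagrange_at_zero(i, partials), P) % P
    return c2 * pow(mask, -1, P) % P

def demo():
    key = secrets.randbelow(Q - 1) + 1   # assumption: a trusted dealer makes the key
    shares = deal_shares(key)
    holder_id = pow(G, 777, P)           # constructed stand-in for an identifier
    c1, c2 = encrypt(pow(G, key, P), holder_id)
    parts = {i: partial_decrypt(s, c1) for i, s in shares.items()}
    two = combine({1: parts[1], 3: parts[3]}, c2)   # guardians 1 and 3 cooperate
    return two == holder_id

if __name__ == "__main__":
    print("2-of-3 recovery succeeded:", demo())
```

The decryption key is never reassembled in one place: the combiner only sees `c1^share` values, and a single such value does not yield the mask needed to strip `c2`.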

The Authority is the legal body that can request disclosure under Swiss court orders obtained in the relevant jurisdictions. Even with a valid legal basis, The Authority still needs cooperation from both Privacy Guardians and IDPs. No single request to a single entity is enough.

The IDP knows the person. The PGs hold the lock. The Authority holds the legal standing. None of them knows what the others know.

The Same Architecture Holds for Agents

AI agents are beginning to transact autonomously: making payments, placing orders, signing contracts on behalf of users. That makes the question of who holds what information more consequential, not less.

The Agent Registry gives every agent an on-chain anchor: listed, discoverable, carrying a Verified Badge, ERC-8004 compatible. It extends the standard with something Ethereum's agent registrations cannot provide, a verified link to a real human identity. The Agent IDP issues ZKP-verifiable credentials to the agents themselves, so a counterparty can verify what an agent is authorised to do without learning who authorised it.

The IDP/PG split holds for agents exactly as it does for humans. The Agent Registry knows the agent's scope. The IDP knows humans. The Privacy Guardians hold the keys that could, under due process, connect the two. No single party holds both sides.

A breached IDP still cannot link identities to on-chain activity. A compromised PG still cannot access identity records. The architecture that prevents surveillance of human users is the same architecture that keeps agent activity accountable.

What Separation Makes Possible

To connect a real-world identity to an on-chain address, you would need to obtain identity records from the IDP, convince a quorum of independent Privacy Guardians to cooperate, and have a legitimate legal basis recognised by The Authority. No single hack, no single subpoena, no single bad actor can short-circuit that process.

The separation of knowledge is not a feature that can be disabled. But separation alone is not enough. The next question is what users and agents can actually prove on top of that foundation, without revealing anything they should not have to.