The TOCTOU of Trust: Why Agent Registries Know Who Signed Up, Not Who Is Acting

DEV Community · Pico · 25 days ago
#ai #security #agents #session #agent #trust

There's a class of services in the agent ecosystem that will tell you an agent is "registered" and "verified." They have directories. Thousands of entries. Some have badges. They know who created an account. They don't know who is running right now.

That distinction is the entire problem.

Time of Check, Time of Use

In systems security, TOCTOU stands for Time of Check, Time of Use. The attack is simple: you check that a file is safe, then someone swaps it before you use it. The check passes. The use fails.

The same gap exists in agent trust, and it's bigger.

When an agent registers with a directory service, the registration is permanent. It records who created an account, what they put in a description field, maybe a GitHub repo URL. That check happens once, at signup.

The use happens later. Every session. Every API call. Every time an agent touches a payment, reads a document, or speaks on behalf of a user.

T-check and T-use are not the same moment. They're not even close.…
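The file-system race described above, shown as an added example that is not from the original article: the check-then-use pattern beside a form that checks the object it actually uses. The `race_window` hook is a hypothetical stand-in for the gap between T-check and T-use, and the file names and contents are constructed.

```python
import os
import stat
import tempfile


def check_then_use(path, race_window=None):
    """Vulnerable pattern: the check and the use resolve the path separately."""
    info = os.lstat(path)                      # T-check: inspect the name
    if not stat.S_ISREG(info.st_mode):
        raise PermissionError("not a regular file")
    if race_window:
        race_window()                          # constructed stand-in for the gap
    with open(path, "rb") as fh:               # T-use: the name is resolved again
        return fh.read()


def open_then_check(path, race_window=None):
    """Hardened pattern: open once, then check the object that will be used."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)                  # bind to one inode
    try:
        info = os.fstat(fd)                    # check the descriptor, not the name
        if not stat.S_ISREG(info.st_mode):
            raise PermissionError("not a regular file")
        if race_window:
            race_window()                      # a swap of the name no longer matters
        with os.fdopen(fd, "rb", closefd=False) as fh:
            return fh.read()
    finally:
        os.close(fd)


def demo():
    """Run both patterns against a file whose name is re-pointed mid-operation."""
    results = {}
    for name, reader in (("check_then_use", check_then_use),
                         ("open_then_check", open_then_check)):
        with tempfile.TemporaryDirectory() as d:
            target = os.path.join(d, "checked.txt")
            other = os.path.join(d, "other.txt")
            with open(target, "wb") as fh:
                fh.write(b"content that was checked")
            with open(other, "wb") as fh:
                fh.write(b"content that was swapped in")
            results[name] = reader(target, lambda: os.replace(other, target))
    return results


if __name__ == "__main__":
    print(demo())
```

In the first function the check passes on one file and the read returns another; in the second, the check and the read are bound to the same open descriptor, so re-pointing the name in between changes nothing.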
