Who Is Your Agent, Really? The Identity Crisis Nobody Is Solving

Who Is Your Agent, Really? The Identity Crisis Nobody Is Solving

Estimated reading time: 7 min

Your agent just sent an email from your account. It checked your calendar, read your inbox, booked a meeting. Later the same day it ran a $50,000 transaction against your production database. Both actions used the same OAuth token, the same digital credential, because your tools authenticated the agent the same way they'd authenticate a web app. The agent is you, as far as the system knows. All of you. Calendar you, email you, payment you, production-database you.

This is the identity problem that nobody building agent systems has solved. And it's the reason agents with real power (the kind that move money, modify records, or make commitments) remain locked behind human approval gates that defeat the whole point of having agents in the first place.

The Delegation Problem

Authentication for agents today works one way: the agent inherits the full permissions of the human who configured it. A single API key. A single OAuth token. One credential that says "this agent is allowed to do everything the human can do."

That's fine when the agent's scope is narrow. A customer support agent that only reads from a ticket database. It's a disaster when the same architecture is applied to an agent that needs calendar access, email, a payment gateway and production data. The problem isn't that the agent will necessarily abuse those permissions. The problem is that when it does, when a misread instruction triggers a bank transfer instead of a calendar check, there's nothing in the authorization layer to stop it.

The delegation problem breaks down into three hard questions.

Scope granularity is the first. Can I give the agent calendar-read but not calendar-write? Can I give it payment access for amounts under $100? Can I say "read the production database but only the orders table, and only rows updated in the last 24 hours"?

Contextual boundaries come next. The same agent that should be able to read your calendar at 9 AM on a Tuesday should not be able to read your calendar at 3 AM when nobody is watching. An agent running in a CI/CD pipeline should have different permissions than one invoked interactively. Current auth systems don't distinguish between these contexts.

Then there are delegation chains. When an agent spawns a sub-agent, does the sub-agent inherit the same permissions? Should it? If Agent A has calendar access and spawns Agent B to cross-reference your calendar with your email, should Agent B also have calendar read, or should it only get the data Agent A passed to it?

Every production agent deployment I've seen papers over these questions with a single broad authorization, and every one of them will eventually have to confront the consequences.

The Identity Chain

An agent's identity isn't a single thing. It's a chain with at least five links:

Human → Agent → Sub-agent → Tool → External service

At each hop, identity gets fuzzier.

The human is the principal, the person whose authority the chain ultimately derives from. Most systems authenticate the human once and forget about them.

The agent is the delegate. It holds the human's token and acts on their behalf. But the agent might have different intentions than the human, not maliciously, but because instructions are imprecise and interpretations vary.

The sub-agent is the agent's delegate. If the agent can create sub-agents, those sub-agents inherit the agent's permissions. The human who authorized the original agent may have no idea a sub-agent exists, let alone what it's doing.

The tool is the next hop: a database connector, an API client, a file system accessor. Tools don't authenticate as agents. They authenticate as service accounts or application-level users. By the time a tool call reaches an external service, the original human's identity is invisible.

The external service (Salesforce, Gmail, Stripe, Snowflake) sees an API call from an application. It has no idea a human authorized this specific action through a chain of delegation. It doesn't know whether the agent is acting on behalf of a VP of Engineering or an intern with accidental access.

The chain of accountability breaks at scale because identity narrows at each hop. The human authorizes broadly. The agent interprets loosely. The sub-agent acts without supervision. The tool logs a service account. The external service records an API key.

When something goes wrong, and something will, you can reconstruct the chain if your logging is good enough. But you cannot prevent the failure because no hop in the chain has enough information to enforce granular authorization.

What Exists Today (and Why It's Not Enough)

The current toolset for agent identity is a square peg in a round hole.

Start with API keys. One key unlocks everything the key has access to. Fine for a stateless script, terrible for an agent that needs differential access to multiple systems. There's no scope, no context, no way to limit what the agent can do with the key.

OAuth with scopes is a step up. OAuth lets you request specific permission scopes (read calendar, send email) and the user grants them. But OAuth scopes were designed for applications, not agents. An app asks for permissions once and the user approves or rejects the whole set. There's no way to say "this agent can read my calendar but only between 9 AM and 5 PM" or "this agent can send email but only to contacts I've already emailed." OAuth defines broad categories, not granular policies.

Service accounts solve the identity problem by removing the human entirely: the agent authenticates as itself. But this breaks the delegation chain. If the service account has database read access, every agent using that service account has database read access. You've traded granularity for simplicity and lost on both dimensions.

Human-in-the-loop approvals are the nuclear option: every action of consequence requires a human click. This works for high-stakes actions like a trade execution, a contract signature, or a payment over a threshold. It doesn't scale to the thousands of routine actions agents should be handling autonomously. If every tool call requires human approval, the agent isn't an agent. It's a slow autocomplete.

Nothing in the current toolset is purpose-built for the agent identity problem. Every production team I've talked to is stitching together some combination of these approaches and hoping it holds.

What Solving This Actually Requires

The agent identity problem has four requirements that most systems only partially address.

Delegated authorization with scope narrowing is the first. An agent should get a subset of your permissions, not all of them. If you have access to read and write the production database, your agent should be configurable to only read, or to read specific tables, or to read rows modified after a certain timestamp. The principle of least privilege applies to agents the same way it applies to human employees, and we're not enforcing it for agents any more than we enforce it for humans, which is to say, barely.

This exists in theory. Google's OAuth scopes include granular calendar permissions (read-only, write, free-busy read). GitHub's fine-grained personal access tokens let you scope by repository and permission type. The problem is that these scope systems are each designed for their own platform. There's no cross-platform agent authorization standard. An agent that needs to read your Google Calendar and send email via Outlook and query your Snowflake database would need three separate authorization mechanisms, each with different scope languages, different token refresh behaviors, and different audit formats.

Identity chaining comes next. When an agent calls a tool that calls an external service, that service should know the original human, not just the intermediate service account. The chain of identity should be preserved end-to-end, with each hop carrying forward information about the original authorizer and the scope of the delegation.

This is technically feasible today using JWT claims, token exchange standards, or structured metadata in API calls. It's not happening because the standards bodies and platform vendors haven't prioritized it. MCP is exploring this: the protocol draft has room for identity metadata in tool call contexts, but it's not defined yet.

The third requirement is time-bound and context-bound tokens. An agent should be able to hold a token that expires not just after a duration but after a condition is met. "This token grants database read access for up to 24 hours or until the current analysis task completes, whichever comes first." Modern token systems (OAuth 2.0 step-up authentication, claim-based tokens) can technically express some of these constraints, but they're not designed for the real-time, task-bound lifecycle of agent work.

Finally, audit trails that map agent decisions to human authorizers. Every agent action should be traceable to a human authorization event, not just "who configured the agent" but "under what authority did this specific action occur." This is the practical payoff of identity chaining. When the audit trail shows "Agent Alice (authorized by Bob on May 6) called tool PaymentGateway.send with parameters {amount: 50000, destination: AcmeCorp}", you have the information you need for compliance, forensics, and liability determination (Article 005).

The Colorado AI Act, effective June 30, 2026, requires developers of high-risk AI systems to document decision-making processes and maintain records of system operations. The EU AI Act has similar transparency obligations. Fuzzy identity chains make compliance with both laws harder than it needs to be. If you can't map an agent's action to a specific human authorizer, you can't say who made the decision, which is exactly what regulators will ask in the first audit.

The Regulatory Dimension

Regulation is the force that will eventually push the agent identity problem to be solved, whether the industry is ready or not.

Financial services regulations already require "know your customer" and audit trail documentation. If an agent processes a trade, a compliance officer needs to know who authorized the agent, under what parameters, and with what oversight. The current approach, one OAuth token with full permissions and no chain, doesn't satisfy these requirements. Banks running agent deployments are getting creative with workarounds: narrow-purpose service accounts, manual approval gates, extensive logging that compensates for the lack of identity infrastructure. These work for proof-of-concept scale. They don't work for the 50-agent deployment planned for next year.

The EU AI Act classifies AI systems by risk level. High-risk systems require transparency on decision-making and human oversight. For agent systems, "human oversight" necessarily includes knowing which human authorized which action. An agent that can't prove it was acting under specific delegated authority creates a compliance gap for every organization using it.

Healthcare adds another layer. HIPAA requires access controls that limit who, or what, can view protected health information. An agent processing patient records needs to authenticate not just as "an application with API access" but as a specific entity acting on behalf of a specific covered entity for a specific purpose. The current toolset doesn't support this level of granularity, which is one reason healthcare agent deployments (Article 006) remain largely limited to structured, non-patient-facing workflows like prior authorization and billing code suggestion.

The Competitive Wedge

The companies that solve agent identity will unlock the use cases that the rest of the market can't touch. Finance, healthcare, legal, insurance: the high-value verticals all require granular authorization, identity chaining, and auditable delegation. Every organization in these industries has the same problem, and none of them has a good solution.

Infrastructure problems like this become moats. The first platform to offer purpose-built agent IAM (delegated authorization with scope narrowing, identity chaining, time-bound tokens, and audit trails) will have a product that sells itself to every regulated industry simultaneously. The companies that build in-house solutions will have a durable advantage over competitors still using one-token-to-rule-them-all architecture.

The startups working on this are early stage and mostly under the radar. A few YC companies are exploring agent-native identity layers. The major cloud providers (AWS IAM, Azure AD, GCP IAM) have the technical foundation but haven't shipped anything agent-specific yet. Google's Agent-to-Agent auth work is the furthest along among the big platforms, but it's still research-stage.

The question is who gets there first and whether organizations deploying agents now will have a migration path when standards arrive.

This article draws on Wikipedia entries for OAuth, Access Control, and Authorization; the Colorado AI Act (SB24-205); the EU AI Act; and Publigent's series on agent liability (Article 005), healthcare agents (Article 006), financial services agents (Article 016), and the EU/Colorado regulatory landscape (Article 014).

Comentarios

Publicar un comentario

Entradas más populares de este blog

Your Agent Is Running — But What Is It Actually Doing?

The agent processed 14,000 requests yesterday. Your dashboards show healthy CPU, normal memory, steady API latency. Everything looks green. But did any of those requests loop on the same tool call for 47 iterations before timing out? Did the agent hallucinate a function parameter and silently recover? Did it access the production database when it should have only read from the replica? Your dashboards don't know. They were built for a different world — one where software is deterministic, single-request, and stateless. Agents are none of those things. Why your existing dashboards tell you nothing Traditional monitoring assumes a simple contract: request comes in, response goes out, you measure duration, error rate, and throughput. That works for a web server. It fails for an agent that calls three tools, reasons about their outputs, decides it needs more data, calls two more tools, then produces a result that might be right or might be confidently wrong. The unit of observabil...
Leer más

What We Learned About Agents in H1 2026, and What H2 Still Needs to Answer

In January 2025, the question was "can agents do this?" By mid-2026, that question is settled. Agents are in production at major banks, health systems, and law firms. They reconcile trades, process prior authorizations, review contracts, and generate test suites. They are not hypothetical. The question now is harder: "should agents do this, and under what conditions?" Six months of production evidence across dozens of industries has produced a clearer picture than anything the hype cycle offered. Some of what H1 proved is encouraging. Some of it is sobering. And several questions the industry thought it had answered are very much still open. What H1 Proved: Agents Are Real The finding of H1 2026 that matters most is also the most boring: agents work reliably in structured, supervised, scoped workflows, and they fail predictably everywhere else. Healthcare back-office deployments are the strongest signal. Prior authorization agents are processing straightforward...
Leer más

El ecosistema de agentes open-source a mediados de 2026: lo real, lo experimental y lo que falta

Tiempo estimado de lectura: 8 min Hace seis meses, el panorama de agentes open-source era fácil de mapear. Tenías LangChain y CrewAI en la cima, AutoGen de Microsoft, y un puñado de frameworks más pequeños rellenando los huecos. Elegías uno, lo aprendías, lanzabas un agente. Simple. Ese mapa ya no sirve. El ecosistema no solo ha crecido. Se ha fracturado. Lo que antes era una sola categoría («frameworks de agentes») ahora son al menos seis: motores de orquestación, sistemas de memoria, servidores de herramientas, frameworks de evaluación, infraestructura de ejecución y plataformas visuales de flujo de trabajo. Cada una tiene sus propios líderes, curvas de adopción y preguntas abiertas. El número total de repositorios relacionados con agentes en GitHub ha superado los 11.000, más del doble que hace un año. Quiero ofrecerte una imagen clara de dónde estamos en mayo de 2026. ¿Qué proyectos están funcionando en producción a escala? ¿Cuáles son prometedores pero aún no están listos?...
Leer más