AI agent passports may be coming. Who gets to issue them?
The ITU is exploring AI agent identity standards. Learn how credentials, authorization, revocation, privacy, and local agents could be affected.

An AI agent that can spend money, access private files, negotiate contracts, edit production code, or operate business systems cannot safely remain an unidentified process holding someone’s master password.
That security problem is real. The proposed solution could create a second problem by deciding which software is allowed to act.
On July 9, 2026, the International Telecommunication Union announced a new effort to develop international frameworks for the identity and trustworthiness of autonomous AI agents. The initiative could help a bank, platform, government service, or company distinguish an authorized agent from an impersonator. It could also influence which agents those institutions permit to operate.
The central question therefore goes beyond whether agents need better credentials. They do. The harder questions are who gets to issue those credentials, which organizations must recognize them, how much information they reveal, and who can revoke them.
A good identity standard would let an agent prove that it has narrow authority for a specific action. A bad one could become a universal admission system for software, with a small group of platforms, governments, or identity vendors deciding which agents count as trustworthy.
More on agentic AI:
AI agent digital passports: quick verdict and key takeaways
The ITU has launched a pre-standardization project. It has not created a mandatory global passport or registration system for AI agents.
Agent identity and agent authorization solve different problems. Identifying an agent does not prove that it has permission to perform a particular action.
Credential recognition may become the most powerful control point. An open technical standard can still produce a closed ecosystem when major services accept credentials from only a small list of issuers.
A workable system should support multiple issuers, pseudonymous identities, selective disclosure, short-lived permissions, transparent revocation, local agents, and offline validation.
Developers should stop giving agents reusable human credentials. Each production agent should receive limited authority for a defined task, resource, and duration.
What the ITU actually launched
The ITU announced its Focus Group on Trust and Identity for Humans and Agentic AI on July 9, 2026. The group is expected to study common terminology, identity and trust architectures, agent discovery, credential interoperability, lifecycle models, security criteria, benchmarks, and a roadmap for future standards.
Its first meeting is scheduled for Paris in November 2026, followed by a second meeting in Geneva in January 2027. The group will report to ITU-T Study Group 17, the part of the organization responsible for security standardization.
The initiative responds to a straightforward shift in computing. AI agents are moving beyond text generation. They can invoke APIs, use tools, access accounts, operate across company boundaries, and complete tasks that create real financial, legal, or operational consequences.
The ITU says that identity systems will be needed to reduce impersonation and unauthorized activity while preserving meaningful human control. Reuters characterized the effort as a push to keep autonomous agents identifiable, trustworthy, and subject to human control, especially around financial transactions and critical infrastructure.
That description can sound more settled than the initiative really is. No global passport has been designed, adopted, or made compulsory.
The group’s terms of reference describe coordinated pre-standardization work. They place AI governance and the contents of national digital identity systems outside the group’s stated scope. The document focuses on technical foundations, interoperability, trust management, lifecycle controls, and possible future standardization.
As of July 16, 2026, the initiative does not require developers to register an agent, connect it to a government identity, or seek approval before running it locally. “Digital passport” is therefore a useful metaphor for the direction of the work, rather than the official name of a finished credential system.
That distinction is important because early standards discussions often shape later infrastructure. Technical choices made before a system becomes mandatory can determine which identities are portable, which issuers are trusted, and which users face friction when institutions begin adopting the framework.
The ITU effort is part of a broader standards push. In February 2026, NIST launched an AI Agent Standards Initiative focused on interoperable agent protocols, open-source implementations, security, and identity.
These parallel initiatives show that agent identity is moving from an enterprise security concern into a broader standards debate.
What an AI agent passport would need to prove
A useful agent credential would need to answer several related questions without collapsing them into one broad identity check:
Which agent is making the request?
Who or what controls the agent?
On whose behalf is it acting?
What action has it been authorized to perform?
Which resources, tools, accounts, or destinations are within scope?
How long does the authorization remain valid?
Has the credential or delegated authority been revoked?
Which software, workload, or runtime is presenting the credential?
What evidence should be retained for an audit?
Which party accepted the risk and approved the action?
These questions describe different layers of trust.
An agent might prove that it belongs to Acme Corporation without proving that Acme authorized a $50,000 transfer. It might prove that it is acting for a particular employee without showing that the employee approved today’s purchase. It might hold a valid credential while operating outside the task, time window, account, or spending limit for which the credential was issued.
Current technical work already reflects this separation. A July 2026 IETF Internet-Draft on AI agent authentication and authorization treats agents as software actors that need stable identifiers, their own credentials, delegated authorization, revocation handling, and durable audit records. When an agent acts for a person or system, the user context and delegated authority are meant to inform authorization decisions.
The draft builds on familiar mechanisms such as OAuth. It describes ways to grant an agent limited access without exposing the user’s credentials, and it recommends avoiding static, long-lived secrets. It remains an Internet-Draft, so it is working material rather than an adopted IETF standard.
The important layers can be summarized this way:
Identity states which agent is present.
Authentication tests whether the agent controls the identity it claims.
Authorization determines whether the authenticated agent may perform the requested action.
Delegation records who granted that authority and under which conditions.
Provenance records where the request, data, software, and authority came from.
Audit evidence records what happened, which policy allowed it, and how the decision changed over time.
A credential that proves identity while granting broad standing access would solve the easier half of the problem.
It could even make a dangerous system feel safer because every action appears attributable, despite the underlying permissions remaining excessive.
The OpenID Foundation’s agentic AI identity whitepaper reaches a similar conclusion. Existing identity standards can secure many bounded agent use cases, but more autonomous systems introduce unresolved questions about delegated authority, agent-specific identities, lifecycle management, governance, and accountability.
Why AI agents need better credentials
The case for agent identity is stronger than the case for ordinary chatbot identity.
A chatbot usually returns information for a person to review. An agent can make a payment, delete a file, merge code, publish a statement, alter a database, or contact another service before the user sees the result. Its mistakes can escape the chat window and become events in the world.
Agent security is therefore shaped by delegated authority, persistent state, tool access, and trust boundaries. A reusable login token does little to limit what happens after a model follows a malicious instruction or makes a flawed plan.
A June 2026 survey synthesizing 247 agent-security papers found that prompt injection and tool-mediated control-flow hijacking remain dominant risks. It also identified persistent state corruption and attacks that spread between agents as growing concerns.
The researchers argue that secure agents require explicit trust boundaries, principled privilege control, provenance-aware state management, and evaluations that reflect realistic deployments. Those protections demand more than a label attached to an agent. They require enforceable limits around the agent’s tools, data, memory, and authority.
The issue is already relevant at organizational scale. A Microsoft study of tens of thousands of engineers examined an early-2026 rollout of Claude Code and GitHub Copilot CLI. The researchers found that adopters merged roughly 24 percent more pull requests than they estimated those engineers otherwise would have merged. The authors appropriately note that merged pull requests are a proxy for output, not a direct measure of value.
The exact productivity figure is less important here than the deployment context. Large organizations are already giving command-line agents the ability to inspect repositories, edit files, invoke tools, and interact with development infrastructure.
An unidentified process using a shared API key is inadequate for that environment. The organization needs to know which agent acted, which employee or system delegated authority, what the agent was allowed to do, and whether an external control approved the action.
Credential recognition is the real control lever
The greatest power in an agent identity system may not belong to the party that creates the identifier.
It may belong to the service that decides whether the identifier is accepted.
A developer can generate a cryptographically valid identity for a local agent. That identity has little practical value if a bank, cloud provider, marketplace, payment network, or government portal accepts credentials from only a small approved list of issuers.
The control lever is credential recognition.
A relying service might choose to trust credentials issued by its own identity provider, the agent’s employer, a cloud platform, a certificate authority, a bank, a payment network, a government identity system, an industry consortium, a decentralized identity network, or the user directly.
Each model can be reasonable in the right context. Each also distributes power differently.
An enterprise should be free to decide which agents may access its internal systems. A bank should demand stronger evidence before allowing an agent to transfer money. A public website does not necessarily need the legal identity of every person running a research, accessibility, or moderation bot.
Problems emerge when one high-assurance model becomes the default for every kind of interaction.
A credential requirement designed for bank transfers could spread into shopping, communications, publishing, search, software development, and routine web access. Services could begin refusing agents that are local, pseudonymous, self-issued, open source, or connected to a model provider outside an approved group.
At that point, identity becomes admission control. The protocol might remain open on paper while practical participation depends on institutional recognition.
This is why interoperability alone is insufficient. A credential can be technically compatible with a standard and still be rejected by every major service. The design of trust lists, issuer policies, assurance levels, and appeal mechanisms may matter as much as cryptography.

Five ways AI agent identity could become a permission system
1. Identity could be tied unnecessarily to a legal person
Some actions need a clear connection to an accountable person or company. Signing a commercial agreement, withdrawing money, changing a medical record, or operating critical infrastructure are obvious examples.
That requirement does not need to extend to every agent action.
A local research agent should be able to query public information without disclosing its owner’s legal identity across the web. A pseudonymous developer should be able to operate an open-source maintenance bot. A whistleblower should be able to use software to organize public records without turning every request into a legal-name disclosure.
The W3C Verifiable Credentials Data Model warns that persistent identifiers and machine-readable credentials can create correlation risks across services. A universal agent identifier could become a cross-site tracking number, especially when the same identifier is presented to unrelated verifiers.
A better system would let the agent disclose only the attributes needed for the current transaction. A service may need proof that an agent is authorized to spend up to $200. It may have no legitimate need for the owner’s full identity, employer history, location, or unrelated activity.
2. Approved issuers could become gatekeepers
A platform may accept only credentials from partners it already knows. Governments may prefer nationally approved identity systems. Enterprises may require a specific cloud provider’s agent identity product. Banks may recognize only credentials issued through their existing compliance networks.
This would be convenient for large organizations with established identity vendors. It would create more friction for local developers, independent software projects, small businesses, researchers, and users running agents on their own hardware.
The standard could remain publicly documented while the accepted trust list becomes commercially closed.
Similar patterns already exist in app stores, payment processing, certificate systems, and enterprise login. The protocol can be open while practical access depends on a few intermediaries. Agent credentials could reproduce that structure at a broader layer of the internet.
3. Revocation could disable an agent everywhere
Revocation is necessary. A compromised credential must be stoppable, and an owner must be able to withdraw delegated authority.
The question is how far the stop button reaches.
A task-specific credential should stop working when the task ends, the owner withdraws permission, the key is stolen, or the relevant employment relationship changes. A central identity revocation should not automatically disable unrelated local workflows, erase audit evidence, or prevent an owner from moving the agent to another provider.
The ITU’s proposed work includes lifecycle management, revocation, and trust evaluation. Those details will determine whether revocation behaves like rotating a narrow key or losing a broad digital license.
A resilient system would allow separate credentials for separate purposes. Revoking payment authority should not disable a local research workflow. Revoking access to one employer’s systems should not destroy a pseudonymous publishing identity. Compromise in one trust domain should not automatically spread into every other domain.
4. Credential theft could create false accountability
Identity does not prevent impersonation when the credential itself is stolen.
The W3C credential specification describes data theft, device theft, and impersonation risks. Agents add another layer because credentials may be stored in unattended runtimes, containers, automation servers, browser sessions, development machines, or cloud workloads.
An attacker using a stolen agent credential could appear to be the legitimate agent and owner. A system designed around attribution might then create confident but incorrect evidence about who acted.
Agent credentials therefore need short validity periods, secure key storage, workload binding where appropriate, rapid rotation, clear incident procedures, and logs that capture more than an identifier. Useful evidence may include the runtime, transaction, authorization chain, policy decision, and signs of compromise.
Accountability depends on the quality of that evidence. A signature proves that a key was used. It does not automatically prove that the intended owner controlled the key at the time.
5. Trust ratings could become behavior licenses
The ITU is studying identity alongside continuous trust evaluation and behavioral trust signals.
Those signals can help detect a compromised or malfunctioning agent. They can also create a system in which an agent remains correctly authenticated but loses access because a platform dislikes its behavior, software origin, model, owner, or operating environment.
A security signal should answer concrete questions. Is the credential valid? Is the runtime compromised? Is this action within scope? Did the owner approve it? Has the agent exceeded an access, spending, or rate limit? Is the request consistent with the delegated task?
A vague global trust score asks a more political question: Is this agent the kind of actor institutions want to permit?
Standards should avoid turning reputational scoring into a hidden licensing layer. Trust decisions should be explainable, scoped to the relying service and action, and open to correction when data is wrong.
Can agent identity work without a central passport office?
Technically, yes.
The W3C’s Decentralized Identifiers specification describes identifiers that can be generated and controlled through systems chosen by the relevant entity. A controller can prove control through cryptographic methods without depending on one universal authority to guarantee the identifier’s continued existence.
DIDs do not eliminate trust decisions. A service still chooses which identifiers, methods, keys, credentials, and issuers it recognizes. Decentralized identifiers also do not automatically produce privacy, security, or fair access.
They do make a plural architecture possible.
One agent could hold separate credentials for separate purposes:
A self-controlled identifier for public interactions
An employer-issued credential for company systems
A bank-issued credential for payment actions
A temporary user delegation for one purchase
A pseudonymous credential for research or publishing
A local credential that never leaves a private network
A short-lived credential for one automated maintenance task
A hardware-bound credential for a high-risk production workload
One active IETF proposal for decentralized agent identity and capability-based delegation combines decentralized identifiers, limited authorization, delegation chains, and deterministic validation without requiring one central identity provider.
W3C Verifiable Credentials can express signed claims from different issuers, along with validity and status information. The data model does not inherently require a government identity or one central registry. Verifiers still apply their own policies when deciding whether a claim is suitable for a particular use.
That is a healthier starting point than one universal agent number permanently linked to an owner. It allows stronger evidence for high-risk actions and lighter, privacy-preserving credentials for public or low-risk interactions.
The crucial policy question is whether major relying services will accept that pluralism. A decentralized format can still produce centralized enforcement when banks, platforms, and cloud providers trust only a small set of credential issuers.
Local agents must remain first-class agents
Local AI creates a useful test for any identity standard.
A person should be able to run an agent on owned hardware, give it limited permissions, and prove those permissions without routing every action through a cloud vendor. The architecture should not assume that every agent has a commercial platform account, runs in a hyperscale cloud, uses a legally verified owner identity, contacts a central service for every check, or comes from an approved model provider.
Popular AI has previously covered how AI agents are becoming platforms with their own execution environments and control points. An identity standard that requires one of those platforms would deepen the same dependency.
Local agents still need strict controls. Keeping inference on a user’s machine does not make file access, shell execution, network calls, browser automation, or tool use safe.
A better local path combines private execution with narrow authority. Our local Ollama agent workflow shows how tool use can run on owned hardware, while the Friendly Fire security review shows why agents still need credential isolation, read-only analysis, and approval before dangerous actions.
Local should mean independently operable and privately controlled. It should not mean unaccountable or unrestricted.
A workable identity standard should therefore support local issuance, internal validation, offline operation where appropriate, and credentials that remain portable when a user changes model providers or agent software. A cloud identity service can be one option without becoming a technical requirement.
More on AI agent security:
What a good AI agent identity standard should require
A practical standard should make safe delegation easier without creating a universal permission authority.
▪ Multiple trust roots
Services should be able to trust different issuers for different purposes. The ecosystem should not depend on one government, vendor, cloud platform, certificate authority, or payment network.
▪ Scoped authority
Credentials should describe what the agent may do. “May purchase office supplies up to $200 before Friday” is safer and more useful than a broad statement that the agent acts for Jane Doe.
Scope should include relevant resources, action types, destinations, spending limits, data classes, and time windows. A relying service should reject an action that falls outside those limits even when the identity is valid.
▪ Short validity periods
Agent permissions should expire quickly. Long-lived credentials create standing access that can survive after the task, employment relationship, incident, or user intent has changed.
Short validity also reduces the damage caused by theft. Rotation should be routine rather than an exceptional recovery procedure.
▪ Selective disclosure
An agent should reveal only the attributes needed for the transaction. Proof of a $200 spending limit should not require disclosure of the owner’s full identity, unrelated credentials, or complete activity history.
Selective disclosure also limits cross-service tracking. Different relying parties should not automatically receive a shared identifier that lets them reconstruct the owner’s behavior.
▪ Pseudonymous and self-controlled identities
Public and low-risk services should be able to accept pseudonymous or self-controlled agents. Higher-risk services can demand stronger evidence when the action warrants it.
The assurance level should follow the consequence of the action, rather than the mere fact that software is involved.
▪ Transparent revocation
Owners need a fast way to disable compromised credentials. They also need to know who revoked a credential, why it was revoked, which access was affected, and how to correct an error.
Revocation records should preserve evidence without exposing unnecessary personal information or creating a universal blacklist.
▪ Local and offline operation
Credential issuance, storage, validation, and policy enforcement should not require a permanent connection to a commercial identity provider. Private networks need to be able to validate agents internally.
Offline support will be especially important for industrial systems, secure environments, edge devices, and users who deliberately keep sensitive workflows away from cloud services.
▪ Open protocols and portable records
Users should be able to change agent software, model providers, hosting environments, and identity vendors without losing every credential or audit record.
Portability should cover more than an identifier. It should include delegated authority, revocation state, relevant audit evidence, and the ability to rebind credentials safely to a new runtime.
▪ Approval for irreversible actions
A valid identity should not remove human confirmation from high-consequence actions. Payments, deletions, public statements, credential changes, contract acceptance, and access to critical infrastructure may still require explicit approval.
The credential should make approval more precise by showing the action, scope, and consequences. It should not become a substitute for judgment.
▪ Independent enforcement
The model should not be the final judge of whether its own proposed action is permitted. Identity and authorization policies need enforcement outside the model, at the tool, operating system, network, API, or transaction boundary.
This requirement turns permissions into controls rather than instructions the agent can reinterpret.
Identity cannot replace runtime enforcement
A perfectly identified agent can still make a dangerous decision.
That is why identity must be paired with controls at the moment an action is attempted.
The open-source ClawGuard research project places deterministic checks at the tool-call boundary. It derives a user-confirmed rule set and evaluates proposed tool calls before they create a real-world effect. The design aims to make enforcement auditable and less dependent on the model recognizing every indirect prompt injection.
This model addresses a problem that a passport cannot solve by itself.
A credential may prove that an agent is authorized to work on a repository. Runtime policy can still prevent it from reading an SSH key, contacting an unknown server, writing outside the workspace, or executing a binary that was never part of the approved task.
Identity answers which agent is asking. Runtime enforcement decides whether this particular action may proceed under the current policy.
That approach follows NIST’s least-privilege, per-request access model, in which authentication and authorization are distinct decisions and access is evaluated around the resource being requested.
A serious agent system needs both. It also needs monitoring, revocation, incident response, and evidence that lets an operator reconstruct what happened after the fact.
The same separation should apply to human approval. A model-generated message saying “the user approved” is weak evidence. Approval should be bound to a specific action and captured by a system outside the model’s editable context.

What developers should do now
Developers do not need to wait for the ITU process. The core practices are already clear.
Give every production agent its own identity. Several agents should not hide behind one shared service account.
Separate identities make it possible to assign different permissions, trace actions, and revoke one agent without disrupting every workflow.
Existing workload-identity systems such as SPIFFE already provide cryptographically verifiable identities and short-lived credentials for software workloads, offering a practical model for separating one agent from another.
Keep human credentials out of the agent runtime. Avoid handing an agent a reusable master token, browser session, SSH key, or employee password when a temporary delegated credential can do the job.
Set task-specific permissions. Limit files, tools, APIs, destinations, spending, execution time, data classes, and action types. Default access should be narrow.
This is an important qualification. Least privilege cannot depend on users manually designing a perfect policy for every temporary agent. Platforms will need to derive narrow permissions from the task, request confirmation for exceptional access, and expire that authority automatically.
Use short-lived credentials. Expire permissions automatically. Rotate them after incidents, major software changes, ownership changes, and transfers between environments.
OAuth’s current security guidance recommends restricting token privileges to the minimum required and using sender-constrained tokens or token rotation to reduce the usefulness of stolen credentials.
Enforce policy outside the model. The model can propose an action. A separate control should decide whether the action matches the allowed scope.
Record the chain of authority. Logs should capture the user or system that delegated authority, the agent identity, credential, requested action, policy decision, approval event, tool result, and final outcome.
Prepare for credential theft. Build rotation, revocation, recovery, and forensic procedures before connecting the agent to sensitive systems. Test those procedures with harmless credentials.
Separate identity from reputation. A valid identifier should not silently inherit a global behavioral score. Risk signals should be specific, explainable, and tied to the current transaction.
Keep a local fallback. Avoid making the identity provider inseparable from the model provider or runtime. Users should retain an independent way to operate and migrate their agents.
Review trust dependencies. Document which issuers, certificate authorities, platforms, and registries the system relies on. Decide what happens when one becomes unavailable or changes policy.
Require step-up approval for consequences. A low-risk credential may be enough to browse a catalog. A payment, deletion, publication, or production change should trigger stronger evidence and explicit confirmation.
Test rejection paths. Confirm that expired, revoked, over-scoped, incorrectly issued, and stolen credentials fail safely. A system that validates only the happy path is not ready for autonomous action.
These measures improve security today while leaving room for future standards. They also reduce the chance that organizations will adopt an overly broad passport model simply because their current agents have no usable identity or delegation controls.
What remains undecided
The ITU group has identified the problem, but its most consequential design choices remain open.
In the United States, a NIST concept paper on software and AI agent identity and authorization is separately examining how existing identity standards and security practices could be applied to agentic systems.
It is not yet clear which identity architectures will be recommended, whether common credentials will bind agents to legal identities, how pseudonymous agents will be handled, how local and offline agents will participate, which organizations will issue recognized credentials, or how services will choose trusted issuers.
The process also needs answers for revocation disputes, behavioral trust signals, selective disclosure, credential portability, open-source implementations, audit retention, cross-border recognition, and the treatment of users who cannot or will not complete legal-name verification.
Those questions matter more than the word “passport.”
A decentralized technical format can still produce centralized enforcement when major services accept only favored issuers. A voluntary standard can become effectively compulsory when banks, marketplaces, cloud providers, governments, and enterprise systems make it a condition of access.
The strongest safeguards should therefore be built into the architecture before credential recognition becomes widespread. Multiple trust roots, minimal disclosure, scoped authority, transparent revocation, local operation, and independent enforcement are easier to preserve at the start than to recover after a few institutions become dominant.
Standards bodies should also distinguish safety requirements from business preferences. A service may need to know that a credential is valid and appropriately scoped. It should have to justify any demand for the owner’s legal identity, model provider, full activity history, or global reputation score.
Frequently asked questions
Do AI agents need digital passports now?
No. The ITU has started pre-standardization work on identity and trust for humans and agentic AI. It has not created a mandatory credential, registration system, or global passport. Developers can still run local agents without seeking ITU approval.
Will a local AI agent need an identity?
A local agent can operate inside a private machine or network without a globally recognized identity. It may need a credential when it accesses an external bank, platform, API, marketplace, payment system, or enterprise service. The credential should be scoped to that interaction rather than becoming a universal identifier.
Can an AI agent operate anonymously?
An agent can technically use a pseudonymous or self-controlled identifier. Whether a service accepts it depends on the action and the service’s trust policy. Public and low-risk interactions can support pseudonymity, while high-consequence actions may justify stronger evidence.
Who will issue AI agent credentials?
That remains unsettled. Possible issuers include users, employers, platforms, banks, governments, certificate authorities, industry consortia, and decentralized identity systems. Different issuers may be appropriate for different tasks, which is why multiple trust roots are important.
What happens when an agent credential is stolen?
An attacker may be able to impersonate the agent until the credential expires or is revoked. Credentials should be short-lived, tightly scoped, protected from export where possible, easy to rotate, and backed by audit evidence that includes the runtime and authorization context.
Is identity enough to make an AI agent safe?
No. Identity establishes which agent is making a request. Authorization, sandboxing, approval gates, spending limits, tool restrictions, network controls, runtime enforcement, and audit logs determine what the agent can actually do.
Could an AI passport become mandatory even without a law?
Yes, in practice. A voluntary credential can become a condition of access when banks, cloud platforms, marketplaces, employers, or government services require it. This is why issuer recognition and appeal rules deserve as much scrutiny as the credential format.
What should developers avoid today?
Avoid shared service accounts, reusable human credentials, long-lived tokens, broad tool permissions, model-controlled approval, and identity systems that cannot be separated from one provider. Give each agent narrow, temporary authority and enforce the limits outside the model.
AI agent identity should expand user control, not platform power
AI agents need better identity, delegation, and authorization. Giving autonomous software a human password and trusting the model to remain within the user’s intent is not a serious security model.
The answer should also avoid one universal passport office for software.
A sound standard would let an agent prove that it holds limited authority for a specific action without exposing more information than necessary or forcing the owner through one approved platform. It would support local agents, multiple issuers, pseudonymous use, portable credentials, short validity periods, fast revocation, and deterministic controls at the tool boundary.
The test is simple.
Agent identity should help users control their agents. It should not become a system that lets institutions decide which users are permitted to have agents.
Explore more from Popular AI:
Start here | Local AI | Fixes & guides | Builds & gear | Popular AI podcast








