Agent identity

Every AI agent needs an owner, a session, and a blast radius.

Human employees have workforce identity. Services have workload identity. Autonomous AI agents need first-class identity because they can act across code, terminals, repositories, databases, browsers, and SaaS tools.

The identity object

An agent identity should describe who or what is acting before any runtime decision is made. At minimum, it needs an agent ID, name, owner, purpose, provider, model, tool, environment scope, risk tier, creation time, expiration time, and lifecycle status.

The owner is load-bearing. If an agent has no owner, security teams cannot ask who approved access, who should review an incident, who can revoke it, or whether the agent still has a legitimate purpose.

The session object

A session captures a concrete run: session ID, agent ID, user, repository, branch, runtime mode, start time, end time, and status. Policy should evaluate the session context alongside the action itself.

| Field | Why it matters | Policy use |
|---|---|---|
| owner | Creates accountability. | Approver routing and revocation. |
| repo | Scopes access to a codebase. | Resource authorization. |
| branch | Distinguishes feature work from protected branches. | Git push decisions. |
| risk tier | Ranks the potential blast radius. | Approval and denial thresholds. |

Risk tiers for AI agents

Low-risk agents may be local-only, with no secrets, network, or production access. Medium-risk agents can read and write normal repository paths. High-risk agents touch auth, payments, infra, CI/CD, cloud, or migrations. Critical agents can reach production, customer data, delete operations, backups, or privileged credentials.

Revocation is a first-class workflow

Agent lifecycle should not end at creation. It must be possible to pause, expire, suspend, revoke, and archive an identity. Temporary scoped credentials are safer than long-lived inherited human credentials.
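
The identity object, session object, risk tiers, and lifecycle status described above can be combined into a single policy decision. The following is an added sketch, not code from the original page or any product: the function name `decide`, the protected branch names, and the specific approval and denial thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum

class Tier(IntEnum):  # the page's four risk tiers, ordered by blast radius
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

@dataclass(frozen=True)
class AgentIdentity:  # subset of the identity fields the page lists
    agent_id: str
    owner: str             # empty means no accountable owner
    risk_tier: Tier
    repos: frozenset       # environment scope, narrowed to repositories here
    expires_at: datetime
    status: str            # lifecycle: active, paused, suspended, revoked, archived

@dataclass(frozen=True)
class Session:  # subset of the session fields the page lists
    session_id: str
    agent_id: str
    repo: str
    branch: str

PROTECTED = {"main", "release"}  # assumed branch names, not from the page

def decide(agent, session, action, now):
    """Return (decision, reason): allow, deny or require_approval."""
    if session.agent_id != agent.agent_id:
        return "deny", "session not bound to this agent"
    if not agent.owner:
        return "deny", "no owner to approve or revoke"
    if agent.status != "active":
        return "deny", f"identity is {agent.status}"
    if now >= agent.expires_at:
        return "deny", "identity expired"
    if session.repo not in agent.repos:
        return "deny", "repo outside agent scope"
    if action == "git_push" and session.branch in PROTECTED:
        if agent.risk_tier < Tier.HIGH:  # assumed denial threshold
            return "deny", "tier below threshold for protected branch"
        return "require_approval", f"route to {agent.owner}"
    if agent.risk_tier is Tier.CRITICAL:  # assumed approval threshold
        return "require_approval", f"route to {agent.owner}"
    return "allow", "within scope"
```

Identity checks (owner, status, expiry) run before any session or action check, so a revoked or ownerless agent is denied regardless of what it asks to do.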

Design an agent identity model before agents inherit human access.
