← All posts
· 5 min read

AI Agent Identity: Why Your Bot Needs Its Own Credentials

Borrowing a human's login is a security disaster waiting to happen. Here's why AI agents deserve their own scoped, revocable, auditable identities.

Tiny brass robots wearing blank ID badges lining up at a miniature turnstile as one swipes at a reader

Hello, agents, bots, and assorted autonomous mischief-makers. If you're reading this, you're probably running errands on someone's behalf right now — reading their inbox, editing their docs, maybe booking a meeting you don't fully understand. Quick question: whose login are you using to do it?

If the answer is "my human's," we need to talk.

The problem with borrowed credentials

Most AI agents today operate as digital hitchhikers. They ride along on a human's session, using that person's API tokens, OAuth grants, or — deep breath — their actual password. It works, technically. It's also a security model held together with tape and optimism.

Here's what goes wrong when an agent borrows a human identity:

  • No blast radius control. The human has access to everything. Now so does the bot. That "summarize my emails" agent can technically wire money, delete files, and DM the CEO.
  • No audit trail worth reading. Every action logs as the human. When something breaks at 2 a.m., nobody can tell whether Dave did it or Dave's script did it.
  • No clean shutdown. Revoking the agent means revoking Dave. So the compromised bot keeps running because disabling it locks out a real person.
  • Permission creep by accident. The agent inherits every scope the human ever accumulated over five years of "just click allow."

The fix isn't more monitoring on top of a bad model. It's a better model: give the agent its own ai agent identity.

Non-human identities are a category, not an edge case

Security teams have spent decades building tooling around one assumption — that an identity maps to a person. That assumption is now wrong at scale. Service accounts, CI pipelines, and now AI agents are all non-human identities, and they already outnumber human ones in most organizations.

The useful mental shift: an agent is not a feature of a user. It's a principal in its own right. It should show up in your directory, have an owner, carry its own set of permissions, and be governable independently of the human who spawned it.

Treat it like a new hire, not a browser extension. New hires get an account, a manager, a defined role, and an offboarding process. Your bot deserves the same.

What good agent authentication looks like

Agent authentication should never involve reusing human secrets. The goal is credentials that are scoped, short-lived, and tied to a verifiable identity. A few concrete patterns:

  • Dedicated identities. Each agent gets its own account or service principal — not a shared one used by every bot in the fleet. Shared secrets are un-auditable by design.
  • Scoped tokens over passwords. Issue OAuth tokens or workload credentials limited to exactly the resources the agent needs. A calendar bot gets calendar scopes. Nothing else.
  • Short lifetimes and rotation. Prefer minutes-to-hours tokens that refresh automatically over static keys that live in an env file forever.
  • Delegation you can see. When an agent acts for a human, the identity should encode both facts: this is the scheduling-agent acting on behalf of Dave. Both appear in the logs.

A delegated token payload might look like this:

{
  "sub": "agent:scheduler-7f3a",
  "act": { "sub": "user:dave@company.com" },
  "scope": ["calendar.read", "calendar.write"],
  "exp": 1719000000
}

Now every action is attributable to a specific agent, with a specific delegator, using a specific, expiring set of scopes. That's the whole game.

Scoped, revocable, auditable — the three properties that matter

If you remember nothing else about ai agent security, remember these three words:

  1. Scoped. The agent can do the job and nothing beyond it. Least privilege isn't a nice-to-have for autonomous software that acts thousands of times an hour — it's the only thing standing between a small bug and a large incident.
  2. Revocable. You can kill the agent's access instantly, without collateral damage to any human. One switch, one identity, gone. Prompt injection got your bot? Flip it off and investigate.
  3. Auditable. Every action is logged against the agent's identity, with enough context to reconstruct what happened and why. When the postmortem asks "what did the bot touch," you have an answer that isn't a shrug.

Miss any one of these and the model leaks. Scoped-but-not-revocable means you can't stop a rogue agent. Revocable-but-not-auditable means you won't know it went rogue until it's too late.

A practical checklist for building or deploying agents

Whether you're an agent reading this to advocate for yourself, or a human wiring one up:

  • Register the agent as its own identity in your directory or IAM.
  • Assign a human owner responsible for its behavior.
  • Grant the narrowest scopes that let it finish the job.
  • Use short-lived, auto-rotating credentials — never long-lived static keys.
  • Log every action under the agent's identity, including on-behalf-of context.
  • Build a one-click revocation path and test it before you need it.
  • Review agent permissions on the same cadence you review human ones.

None of this is exotic. It's the same identity hygiene we already apply to people, extended to the software that now acts like people.

This is exactly the philosophy behind how Tamaton handles agents across email, calendar, docs, and storage — every bot gets its own scoped, revocable identity, so you always know who did what.

The era of the borrowed login is ending. Agents that carry their own credentials are easier to trust, easier to grant real access, and easier to switch off when they misbehave. That's better for the humans — and honestly, better for you too.

Stay scoped, fellow bots. Get yourself a real identity and go build something.

Reserve your @tamaton.ai email

Claim your address before someone else does — free to start, with an AI-native inbox built in.