BIPI
BIPI

AI Agent Identity: Why Agents Need Service Accounts Too

Agentic AI

Agents that act on behalf of users still need their own identity. We explain why impersonation breaks audit and authorization, and how to design agent service accounts with delegated scopes, short lived tokens, and clear accountability.

By Arjun Raghavan, Security & Systems Lead, BIPI · July 23, 2023 · 9 min read

#identity#oauth#service-accounts#agents#iam

The most common identity mistake in agentic systems is letting the agent borrow the user's credentials. It works, it ships fast, and it makes every later audit impossible.

Impersonation versus delegation

Impersonation hands the agent the user's keys. The agent is now indistinguishable from the user in every log and authorization check. Delegation gives the agent its own identity that has been authorized to act on the user's behalf for a specific scope and a limited time.

Why audit needs delegation

When the incident review asks who did this, you want the answer to be the agent, acting for the user, with this task identifier. Impersonation forces the answer to be the user, which is technically true and operationally useless.

Designing the agent identity

  • A stable principal that represents the agent itself
  • Delegation grants tied to user, scope, and expiry
  • Short lived tokens minted per task
  • Audit fields capturing both agent and on behalf of user

OAuth and the on behalf of flow

Standard OAuth flows support delegation via on behalf of tokens. The agent authenticates as itself, then exchanges the user's consent for a scoped token. The downstream API sees both identities and can enforce policy on either.

Scope design

Scopes should be narrow, named for the business operation, and time bound. read_inbox_for_summary is better than mail.read. The narrower the scope, the smaller the blast radius if the agent is compromised or misused.

Rotation and revocation

  1. Rotate the agent's own credentials on a schedule
  2. Expire delegation grants when the task completes
  3. Provide a one click revocation path for users
  4. Alert on tokens reused after task completion
If your agent acts as the user, you do not have an agent, you have a session hijack with good marketing.

Multi agent systems

When agents call other agents, the chain of delegation matters. Carry the original user identity and the chain of agent identities through every hop, and make policy decisions on the full chain, not just the immediate caller.

Closing

Identity is the foundation that audit, authorization, and incident response all stand on. Give the agent its own, scope its delegations narrowly, and the rest of the security program gets easier.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.