Managed agent identity
A plain-language agent-management interface layered over a cryptographic identity protocol, showing what the agent may do, what it has done, and a stop control.
When a citizen delegates to an AI agent that then deals with a government service, the agency needs to know what that agent is, who authorized it, and what it may do, and to verify that without contacting the citizen. No identity protocol built for natural persons answers this: OAuth, GNAP, and UMA all assume a human is operating the client.
The challenge is an identity layer for agents as delegates, with verifiable provenance and revocation a relying agency can act on.
A relying agency needs to prove an agent's chain of authority from the citizen who granted it, and to be able to halt that agent, without depending on an identity protocol built for natural persons.
Cryptographic identity and token-based systems are inherently invisible to users. The accessibility challenge sits in the management interface rather than the protocol: citizens must be able to understand, in plain language, what their agent is authorized to do, what it has done, and how to stop it, all without understanding tokens, Datalog, or delegation chains.
The underlying provenance, attenuation, revocation, and audit are surfaced as a single panel answering what this agent can do, what it has done, and how to stop it.
No surface has been built yet; the approach above is the brief for one.
This is a frontier problem: an identity layer that lets an agency prove an agent's chain of authority and halt it. No identity protocol designed for natural persons supplies this, and the response is undesigned.
Agent Identity Protocol (AIP). Proposes Invocation-Bound Capability Tokens (IBCTs) combining public-key verifiable delegation (the delegation chain is cryptographically signed), holder-side attenuation (each intermediary can only narrow permissions, never expand), chained policy via Datalog (machine-evaluable rules governing what the agent may do), provenance-oriented completion records (an audit trail of what the agent actually did), and transport bindings for MCP, A2A, and HTTP.
AI Agent Identity research (arXiv 2604.23280, April 2026). A survey paper titled "AI Identity: Standards, Gaps, and..." mapping the current landscape of agent identity standards and identifying gaps.
Verifiable Credentials for AI Agents (arXiv 2511.02841). Proposes equipping AI agents with Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), addressing "limited support for delegation of authority, insufficient contextualisation of trust decisions, and reliance on static trust models that fail to adapt dynamically."
Binding Agent ID (arXiv 2512.17538). Proposes binding agent identity for "accountability and credibility."
Agent Interoperability Protocols (MCP, A2A, ACP). As of early 2026, the landscape includes MCP (Anthropic, tool integration), A2A (Google/Linux Foundation, agent-to-agent communication), and ACP (emerging). None natively solves agent identity or delegation, but all provide transport layers that agent identity protocols must bind to.
These frameworks are at the research and early-specification stage. For government services, the question that matters is less which protocol to adopt than what properties the delegation infrastructure must have:
- verifiable provenance (any relying party can verify the delegation chain from citizen to agent without contacting the citizen);
- attenuation (delegation can be narrowed at each hop but never widened);
- revocability (revocation must propagate in near-real-time);
- audit (a complete, tamper-evident record of actions taken under the delegation); and
- interoperability (works across multiple government services, not locked to a single system).
Government services should track these standards but avoid premature commitment. The prudent approach: define the requirements (the five properties above), participate in standards development, and build to an abstraction layer that can adopt whichever protocol matures first.
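As an added example (not code from AIP or any of the cited drafts), the Python below shows how a relying agency could check three of the properties above without contacting the citizen: provenance, attenuation and revocation. The `Link` fields, the digest-based chaining and the revocation set are hypothetical, and signature verification of each link is assumed to have already succeeded.

```python
# Added illustration: field names and link format are hypothetical, not AIP's.
# Assumption: each link's public-key signature was verified before this check.
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    issuer: str        # party granting authority
    subject: str       # party receiving it
    scopes: frozenset  # actions the subject may perform
    expires: int       # Unix time after which the link is void
    parent: str        # digest of the previous link, "" for the root

    def digest(self) -> str:
        body = [self.issuer, self.subject, sorted(self.scopes), self.expires, self.parent]
        return hashlib.sha256(json.dumps(body).encode()).hexdigest()

def check_chain(chain, citizen, action, now, revoked):
    """Return (allowed, reason) for `action` requested by the last subject in `chain`."""
    if not chain or chain[0].issuer != citizen or chain[0].parent != "":
        return False, "chain does not start at the citizen"
    prev = None
    for i, link in enumerate(chain):
        if link.digest() in revoked:  # revoking any hop halts everything below it
            return False, f"link {i} revoked"
        if now >= link.expires:
            return False, f"link {i} expired"
        if prev is not None:
            # Provenance: each hop must be issued by the previous holder.
            if link.parent != prev.digest() or link.issuer != prev.subject:
                return False, f"link {i} not issued by previous holder"
            # Attenuation: scopes and lifetime may narrow, never widen.
            if not link.scopes <= prev.scopes or link.expires > prev.expires:
                return False, f"link {i} widens authority"
        prev = link
    if action not in prev.scopes:
        return False, "action outside delegated scope"
    return True, "ok"

# Constructed sample chain: citizen -> assistant -> sub-agent.
ROOT = Link("citizen:alice", "agent:assistant",
            frozenset({"benefits:read", "benefits:renew"}), 2000, "")
HOP = Link("agent:assistant", "agent:form-filler",
           frozenset({"benefits:read"}), 1500, ROOT.digest())
WIDE = Link("agent:assistant", "agent:form-filler",
            frozenset({"benefits:read", "tax:file"}), 1500, ROOT.digest())
```

Revoking the root link's digest rejects every chain built on it, which is the effect a stop control in the management panel would need to produce.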
Without a native identity layer, automated action can be unattributable at scale and a misbehaving agent hard to halt. An agent identity layer with verifiable provenance and propagating revocation lets any relying agency prove an action's chain of authority and stop the agent.
6 references
- Agent Identity Protocol (AIP) — arXiv 2603.24775
- AIP — IETF individual Internet-Draft (draft-prakash-aip, not a WG-adopted standard)
- AI Identity: Standards, Gaps, and... — arXiv 2604.23280
- Verifiable Credentials for AI Agents — arXiv 2511.02841
- Binding Agent ID — arXiv 2512.17538
- Zylos Research — Agent Interoperability Protocols (MCP, A2A, ACP) 2026