Nominated-agent authorization model
A client-authenticated nomination screen that registers a chosen agent at a typed authorization level, supporting several concurrent agents for different services.
As citizens authorize software agents in government services, an agency must let a citizen nominate that agent through their own authenticated session, at a defined level of authority, with an accountable operator standing behind it. The difficulty is preventing an agent from authorizing itself and fixing who is responsible when it acts. Long-standing tax-agent authorization, refined over decades, is the closest precedent for how to do this.
An agency needs the nomination of an agent to be client-initiated, scoped to a typed level of authority, and tied to an accountable operator, so that an agent cannot authorize itself and responsibility for its actions is fixed.
Requiring the client to nominate an agent from within their own authenticated session is a barrier for clients who rely on an agent precisely because they cannot use digital services independently, leaving them unable to authorize the help they need. Keep the path open with telephone-based nomination (call a government service center, verify identity through knowledge-based authentication, nominate the agent verbally), in-person nomination at a government shopfront, or nomination by a trusted intermediary (with its own delegation chain requiring verification).
Typed levels of authority, from full representation through view-only to discussing a single return, are offered as a per-agent permission picker the citizen sets from their own dashboard.
No surface has been built yet; the approach above is the brief for one.
Established
Australian Taxation Office (ATO) — tax agent authorization. The ATO's model includes agent registration (tax agents must be registered with the Tax Practitioners Board, creating a regulated class of delegates); client nomination (clients must actively nominate their agent through their own authenticated session, not via the agent's system); ongoing authorization (typically ongoing until the client revokes it); Digital ID and RAM integration (agents use myID and RAM to access ATO online services on behalf of clients, binding delegation to verified digital identity); and multiple agent support (a client can authorize different agents for different roles: tax agent, BAS agent, payroll services provider).
IRS — Power of Attorney (Form 2848). The IRS model includes typed authorization levels (Power of Attorney for full representation, Tax Information Authorization for view only, Third Party Designee to discuss a specific return, Oral Disclosure for a one-time phone conversation); digital authorization (individual taxpayers can authorize practitioners through their IRS online account); and representative eligibility limited to registered categories (attorneys, CPAs, enrolled agents), with restricted access for others.
HMRC — Making Tax Digital agent authorization. HMRC's model is evolving toward granular authorizations (see Pattern 2.7). Research indicates HMRC is developing multiple-agent functionality, allowing different agents to have different permission scopes for the same taxpayer, the closest existing precedent to a "scoped agent delegation" model.
The tax agent model is the strongest existing analogue for AI agent delegation. Transferable elements: agent registration/accreditation (AI agent operators could be required to register with a regulatory body analogous to the Tax Practitioners Board, making the operator rather than the software responsible); client-initiated nomination (the citizen must actively nominate the agent through their own authenticated session, preventing self-authorization); typed authorization levels (view only, submit, represent, with appropriate ceremony for each); and multiple concurrent agents for different services.
Critical gap: tax agents are natural persons who bear professional liability. AI agent operators can be corporate entities, but the AI agent itself has no professional standing, no liability insurance, and no disciplinary body. The institutional scaffolding (registration, professional standards, complaints mechanisms) would need to be built for AI agent operators.
Where this goes wrong is agents self-authorizing, with no one bearing liability when an automated process fails at scale. Client-initiated nomination through the citizen's own session prevents self-authorization, and registering the operator as an accountable party fixes responsibility.