Why AI agents need their own identity
An agent acting on patient data is not a user, and it is not a service account. Treating it as either is how access sprawls, provenance disappears, and your audit stops meaning anything. Here is the case for giving every agent a first-class identity of its own: scoped, delegated, and short-lived.
Standing access is the risk
For decades, identity had exactly one shape: a person at a keyboard. Every model we still rely on assumes a human is present, consenting, and accountable for what happens next. Then software started taking actions on its own.
An AI triage agent reads images, drafts notes, and queries records. Hand it a long-lived API key with broad scope and you have created the most dangerous account in the building: one that never sleeps, never gets rotated, and acts with no human attached. When something goes wrong, the log says a key did it. That is not an answer a regulator, a patient, or a clinician will accept.
Not a user. Not a service account either.
The instinct is to reuse what we have. Both options fail in ways that matter:
- Treat the agent as a user and you imply a human is present and consenting. None is. You also inherit password/MFA flows that make no sense for software.
- Treat it as a service account and you get a static, shared, over-broad credential with no notion of who it is acting for, no expiry, and no per-task scope.
Both collapse into the same three failures:
- Over-broad scope. The agent can do far more than its task requires, so a single compromise is a wide breach.
- No provenance. You cannot prove which human the action was taken for, so accountability evaporates.
- No expiry. Access granted for one task lingers forever, accumulating into standing risk.
What a first-class agent identity looks like
An agent is its own kind of principal. At OrthID, an agent identity is:
- Scoped to a single task: least privilege, never “read everything.”
- Delegated. It borrows a real human’s authority through OAuth token exchange (RFC 8693), carrying an act claim that records exactly who it is acting for.
- Short-lived. Minutes, not months. It expires on its own, so revocation is the default, not a cleanup task.
- Audited. Every call lands on the same tamper-evident trail as the humans and organisations it works alongside.
Issuing one is five lines:
```javascript
const agent = await orthid.agents.issue({
  onBehalfOf: "usr_4Qd2",   // a real, verified human
  scope: ["imaging:read"],  // one task, nothing more
  ttl: 900,                 // 15 minutes, then gone
  region: "au-syd-1",
});
// → agt_7K2f91x · act-claim sealed to the audit trail
```
The credential never touches the agent
Delegation is brokered, not handed over. The agent presents a request; OrthID validates the delegating human, mints a scoped, expiring token, and exchanges it at the gateway. Long-lived secrets stay inside sovereign storage. The agent only ever holds something narrow and short-lived, so a leak is small and self-healing.
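The token exchange and the scoped, delegated, short-lived properties described above can be checked mechanically at a gateway. The sketch below is an added example, not OrthID code: the function names, the `svc_triage` account and all claim values are constructed, and it assumes the token signature has already been verified. In RFC 8693 terms, `sub` names the delegating human and `act.sub` names the agent acting for them.

```javascript
// Added example (not OrthID's implementation); helper names are hypothetical.
const GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
const ACCESS = "urn:ietf:params:oauth:token-type:access_token";

// Form body a broker would POST to a token endpoint (RFC 8693, section 2.1).
function buildExchangeRequest(humanToken, agentToken, scope) {
  return new URLSearchParams({
    grant_type: GRANT,
    subject_token: humanToken,   // the delegating human
    subject_token_type: ACCESS,
    actor_token: agentToken,     // the agent doing the work
    actor_token_type: ACCESS,
    scope: scope.join(" "),      // space-delimited, one task only
  }).toString();
}

// Gateway-side policy check on claims whose signature is already verified.
function checkDelegatedToken(claims, requiredScope, nowSec, maxTtlSec = 900) {
  const problems = [];
  const granted = (claims.scope || "").split(" ").filter(Boolean);
  if (!claims.sub) problems.push("no subject (delegating human)");
  if (!claims.act || !claims.act.sub) problems.push("no act claim: actor unknown");
  if (!granted.includes(requiredScope)) problems.push("required scope not granted");
  if (granted.some((s) => s !== requiredScope)) problems.push("scope broader than task");
  if (!(claims.exp > nowSec)) problems.push("expired");
  if (!(claims.exp - claims.iat <= maxTtlSec)) problems.push("lifetime exceeds cap");
  return problems;
}

// Flatten nested act claims into the delegation chain, current actor first.
function actorChain(claims) {
  const chain = [];
  for (let a = claims.act; a && a.sub; a = a.act) chain.push(a.sub);
  return chain;
}

// Constructed sample claims: a delegated agent token and a key-like service credential.
const now = 1700000000;
const delegated = { sub: "usr_4Qd2", act: { sub: "agt_7K2f91x" },
                    scope: "imaging:read", iat: now - 60, exp: now + 840 };
const standing = { sub: "svc_triage", scope: "imaging:read records:write",
                   iat: now - 86400, exp: now + 31536000 };

console.log(checkDelegatedToken(delegated, "imaging:read", now)); // no findings
console.log(checkDelegatedToken(standing, "imaging:read", now));  // three findings
```

The second sample fails on the three failures listed earlier: no recorded actor, scope wider than the task, and a lifetime far beyond the cap.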
Why this matters more in healthcare
Patient data does not get a second chance. When an automated system touches a record, you need to prove three things at once: that a real clinician authorised it, that the agent could do nothing beyond the task, and that the whole exchange stayed inside your jurisdiction. A first-class agent identity is what makes all three provable instead of hopeful.
An agent should be able to do exactly one thing, on behalf of exactly one person, for exactly as long as it takes, and leave a receipt.
Where to go next
Scoped identities for AI agents are live across every OrthID plan. See how the gateway, scopes, and token exchange fit together on the AI Agents page, or read how every action is sealed in the Trust Center.
Give every agent a leash and a receipt.
Scoped, delegated, short-lived identities for every non-human workload, on one sovereign trail.