News · 2026-06-24
Anthropic gives AI agents their own work accounts, not yours
There is an unglamorous plumbing problem hiding behind every excited demo of an AI agent doing real work inside a company, and Anthropic has just shipped an answer to it. The question is deceptively simple: when an AI agent opens a pull request, posts in a channel, or queries a database, who exactly is doing that? Until now the usual answer was "it borrows a human's login," and that answer quietly breaks the moment you take it seriously. Anthropic's new agent identity access model replaces it.
Here's the background. An AI agent is software that doesn't just chat but takes actions -- it connects to tools like GitHub, Slack, or a company's data warehouse and does things in them. To do that, it needs permission, and permission systems were all built for humans. So the early workaround was to let the agent act as a specific employee, using that person's credentials. Picture giving a new contractor your own badge, your own keys, and your own login, and telling them to go do your job. It works until it doesn't.
It breaks in three ways. First, what happens when the employee is logged out, on vacation, or has left the company -- does the agent stop working, or worse, keep acting as a ghost? Second, in a team, whose login does a shared agent borrow? Team members have different access levels, so the agent's powers would swing wildly depending on whose badge it happened to be wearing. Third, and most seriously, it's a security and accountability nightmare: when something goes wrong, the logs say a human did it, when really an autonomous program did.
Anthropic's fix is to give the agent its own identity. Instead of borrowing a person's badge, Claude gets its own -- its own scoped accounts for each tool, set up by administrators rather than impersonating a user. The clever part is that these identities are tied to channels, not people. An administrator defines what the agent can do and connect to at the workspace level, and can then narrow that down channel by channel. So what the agent learns or touches in one team's channel stays confined to that channel and doesn't leak into another. The agent gets exactly the access it needs for the job in front of it -- the security principle of least privilege -- and no more.
This solves the three problems at once. The agent can run long, autonomous tasks without a human needing to stay logged in, because it isn't riding anyone's session. A shared team agent has consistent, predictable powers, because they're defined for the agent itself rather than inherited from whoever's nearby. And accountability gets cleaner: actions taken by the agent are logged as the agent, so audits can tell human work from machine work, and revoking an agent's access is as simple as turning off its account rather than untangling it from a person's permissions.
Why it matters: this is the substantive infrastructure story underneath the more visible agent products. The flashy demos get attention, but the thing that determines whether companies actually deploy agents at scale is whether they can do it securely and audit it afterward. Per-agent identity is the kind of boring-but-load-bearing layer that has to exist before "a team of AI agents working alongside humans" goes from a slide deck to a real deployment. It is also the practical counterpart to the demand-side adoption stories -- companies like Samsung rolling AI out to over a hundred thousand workers -- because access control is exactly what an enterprise that size has to get right.
Now the honest caveat. Giving an autonomous program its own standing accounts that can act without a human present is convenient, and it is also precisely the kind of account an attacker most wants to compromise. A human's login at least has a human attached who notices odd behavior, gets locked out, goes home at night. An always-on agent account that can act on its own is a more attractive and more dangerous target, so the entire security burden shifts onto getting the scopes right and watching the audit logs closely. Done well, this is more secure than the borrow-a-human's-badge status quo it replaces -- which was genuinely bad. Done carelessly, it just creates a new class of powerful, autonomous accounts to defend. Either way, the era of AI agents impersonating their human colleagues is ending, and the era of agents as their own kind of employee -- with their own badge and their own paper trail -- is beginning.