We onboard a junior engineer with an email, an MFA token, a scoped role, and a manager who has to sign off when they touch production. Then we deploy an LLM agent with a system prompt and an API key and wonder why audit logs look like a haunted house.
We have spent fifteen years arguing about identity for humans. Every security conference has a slide on it. Every IAM team has a whiteboard with WHO IS DOING THIS THING? underlined twice.
Then we shipped agents. The agent has no employee ID. No role. No manager. It runs under the access of whichever engineer set the env var. When it does something wrong, the closest thing we have to attribution is a Slack channel called #incidents.
What a passport is
Four things, at minimum:
An identity that isn’t borrowed. Not the dev’s account. Not “the key in the env file”. A first-class identity in your IAM, with rotation and revocation built the same way they are for humans.
A scope. Right now most agents carry the equivalent of a diplomatic passport — they go anywhere, talk to anything, write to any bucket. We give them this because permissions are tedious to wire up. Then we are surprised when one of them drops the wrong table.
A stamped trail. Every action the agent takes leaves a record that survives outside its own context window. The model can hallucinate what it did. The audit log cannot.
A consul. Someone — human or a higher-trust agent — who authorizes the actions that matter. Reads flow. Writes ask. Money moves on paper.
The two objections you’ll hear
The first is that an agent is “just a script”, and scripts don’t need passports. This is two years out of date. The script doesn’t write its own instructions; the agent does. The script can’t be socially engineered through a forwarded email; the agent can.
The second is that all this is “too heavy for prototypes”. Sure. Most things are too heavy for prototypes. But the point of the passport metaphor isn’t to slow the agent down. It’s to keep you from retrofitting identity onto code that was never written with it in mind.
We did that once already. Fifteen years of human identity bolted onto systems that originally assumed every user was the operator. It was expensive. Most of us hated it.
We don’t have to do it twice.