
Software Booked It in Your Name. Good Luck Proving You Didn't.

Here's something that will mess with your head a little: right now, software can book a flight, fill out a form, send an email, or make a purchase — all in your name, without you clicking a single button. That's not science fiction. That's an AI agent (basically, software that doesn't just answer questions but actually does things for you). And the wildest part? Most of the systems those agents interact with have absolutely no way to confirm the agent was actually authorized to act. By anyone. At all.

TL;DR

As AI agents start taking real actions on your behalf — booking, buying, filing — the identity question shifts from "prove this person is real" to "prove this software was actually authorized to act, by whom, and within what limits."

We've spent years figuring out how to prove a human is who they say they are online. Facial recognition, two-factor authentication (the code texted to your phone), passwords — all of it built to verify a person. But AI agents aren't people. They don't have faces. They don't get text messages. And the identity systems we built weren't designed with them in mind. That gap — between "software that acts" and "systems built to verify humans" — is turning into a real governance problem, and fast.

The Moment a Chatbot Becomes an Actor

There's a clean line worth drawing here. A chatbot that answers your questions is just a very smart search engine. The second that same software can do something — submit a request, move money, schedule a meeting, click "confirm" — it becomes an agentic AI (an AI agent, meaning software that takes independent action in the world). That distinction changes everything about accountability.

When a human employee does something at work, there's a chain of identity attached to it. They logged in. Their badge was scanned. Their name is on the action log. If something goes wrong, you know exactly who to call. When an AI agent does the same thing? Often, there's nothing. No chain. No name. Just a transaction that happened, connected to a credential (think of a credential like a digital key — a code that says "this software is allowed in") that might be shared across dozens of agents, or never tied to a specific human decision-maker at all.

According to Biometric Update, this is the accountability gap that's moving from theoretical to real as companies start deploying agents in production environments — meaning not test systems, but actual live operations where real money, real data, and real decisions are at stake.

Why "Just Use a Strong Password" Doesn't Fix This

Here's where most people — including a lot of people building these systems — get it wrong. And it's an easy mistake to make, so no judgment.

The instinct is: give the agent a strong credential. A good API key (a long, complex code that proves the software is authorized to connect to a system), a secure token, maybe OAuth (a standard method for letting one app access another on your behalf). Done, right? The agent is authenticated — meaning the system knows it's a "real" authorized connection.

But here's the thing. Authentication (proving what something is) is only half the problem. The other half is authorization — proving what it's allowed to do. A strong key just opens the door. It doesn't say which rooms the agent can enter, what it can pick up inside, or whether a human actually approved the visit.

As researchers at GitGuardian explain, there's a critical distinction between impersonation and delegation. Impersonation is when software pretends to be you. Delegation is when software is explicitly, formally permitted to act for you — within specific limits. Most current AI agent setups do the first and pretend it's the second.

27.2% of engineering teams have abandoned standard authorization frameworks entirely and built custom, hardcoded workarounds instead. (Source: Industry survey, via Biometric Update)

Nearly one in three teams building AI agents has given up on proper authorization systems and jury-rigged something custom. That means inconsistent rules, no common audit trail, and nobody reviewing whether the agent's permissions still make sense six months later. It's the software equivalent of every employee in a company making up their own security badge system.


The Three Things Every AI Agent Needs to Prove

So what does a real fix look like? Researchers and governance specialists are coalescing around three layers — think of them as three questions every system should be able to answer before an AI agent takes any action.

1. Who owns this agent? Every agent needs a unique identity — not a shared key, but something tied to a specific team, system, or individual. Shared credentials (one key used by many agents) are especially dangerous. If something goes wrong, you can't tell which agent caused it, whether it was a mistake or something worse, or which human to call. The arXiv research on agentic AI governance describes this as a system of record — a central registry where every agent has a unique entry, like an employee ID in an HR system.

2. What is it allowed to do? This is the scope problem. An agent authorized to book domestic travel shouldn't be able to approve international travel or access payroll. Researchers call this "least privilege" — give the agent access to exactly what it needs for the specific task, nothing more. And critically, that scope should expire. A one-time task shouldn't leave a permanent open door.

3. Who is accountable when it goes wrong? Every agent needs a human sponsor — a specific person or team whose name is attached to that agent's actions. Not a department. Not a vendor. A person. Because when an AI agent makes a $40,000 mistake (and they will), "the software did it" is not an acceptable answer.

"The identity layer is the most effective governance enforcement point." — Biometric Update, reporting on enterprise AI agent deployment

The analogy that clicks for me: imagine a junior buyer at a company gets a purchase-order stamp. That stamp is only valid for purchases under $5,000. Every time it's used, the date and amount get logged automatically. If the stamp is lost, it's invalidated within 24 hours. And anything over $2,000 needs a senior co-signature. That system isn't paranoid — it's just basic accountability. Now imagine the junior buyer has a stamp with no dollar limit, no log, and no expiration date. That's most AI agents today.
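The three questions and the purchase-order stamp above, written as a per-action check. This is an added example, not code from the article or from any product it mentions; the `Grant` fields, the registry key, and the agent, sponsor and scope names are constructed for illustration.

```python
import hashlib, hmac, json
from dataclasses import dataclass

REGISTRY_KEY = b"constructed-demo-key"  # assumption: secret held by the agent registry
AUDIT_LOG = []  # append-only; each entry's MAC also covers the previous entry's MAC

@dataclass(frozen=True)
class Grant:
    agent_id: str          # question 1: unique per agent, never a shared key
    sponsor: str           # question 3: the named accountable human
    scopes: frozenset      # question 2: the only actions this agent may take
    limit_usd: int         # valid only for amounts strictly under this
    cosign_over_usd: int   # above this, a second human must co-sign
    expires_at: int        # epoch seconds; the scope expires with the task
    revoked: bool = False  # set when the credential is reported lost

def _mac(entry, prev):
    body = json.dumps(entry, sort_keys=True) + prev
    return hmac.new(REGISTRY_KEY, body.encode(), hashlib.sha256).hexdigest()

def authorize(grant, action, amount_usd, now, cosigner=None):
    """Decide one action at request time; log every decision, denied or not."""
    if grant.revoked:
        reason = "grant revoked"
    elif now >= grant.expires_at:
        reason = "grant expired"
    elif action not in grant.scopes:
        reason = "action out of scope"
    elif amount_usd >= grant.limit_usd:
        reason = "amount at or over limit"
    elif amount_usd > grant.cosign_over_usd and cosigner is None:
        reason = "co-signature required"
    else:
        reason = "ok"
    entry = {"agent": grant.agent_id, "sponsor": grant.sponsor, "action": action,
             "amount_usd": amount_usd, "at": now, "cosigner": cosigner, "decision": reason}
    entry["mac"] = _mac(entry, AUDIT_LOG[-1]["mac"] if AUDIT_LOG else "")
    AUDIT_LOG.append(entry)
    return reason == "ok", reason

def verify_log():
    """Recompute the MAC chain; an edited entry, or one cut from the middle, breaks it."""
    prev = ""
    for e in AUDIT_LOG:
        unsigned = {k: v for k, v in e.items() if k != "mac"}
        if not hmac.compare_digest(e["mac"], _mac(unsigned, prev)):
            return False
        prev = e["mac"]
    return True

# Constructed sample grant mirroring the purchase-order stamp above.
STAMP = Grant("agent-travel-01", "j.doe", frozenset({"book_domestic_travel"}),
              5000, 2000, expires_at=1_700_086_400)
```

A valid credential alone never reaches the `ok` branch here: the decision depends on the grant's scope, limits and expiry, and every log entry names both the agent and its sponsor.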


Why Speed Makes This So Hard

One more thing that makes this genuinely tricky — not just policy-meeting tricky, but technically hard. Traditional access reviews happen quarterly. Maybe annually. Someone sits down, looks at who has access to what, and cleans it up. That works fine for a team of 50 humans whose job roles don't change much.

AI agents can make thousands of access decisions per minute. They don't wait for your quarterly review. They act, right now, based on whatever permissions were set up when someone deployed them — which might have been months ago, for a different task, under a different risk tolerance. The governance has to be baked into every single action in real time, not reviewed after the fact.

This is actually where identity expertise — the kind built around verifying humans, like facial recognition systems — turns out to be surprisingly relevant. At CaraComp, the work of proving "this face matches this person, right now, with a verified chain of custody" maps directly onto what AI agents need: not just a credential, but a verifiable, auditable link between an action and an authorized source. The infrastructure is different, but the core question is the same: can you prove who was responsible, and can you prove it holds up?

Estonia — not usually the first country you think of when AI governance comes up — has already started assigning digital identities to AI agents, treating them almost like legal entities with traceable records. If a small northern European country can stand up that system, it's not some distant future possibility. It's operational infrastructure, today.

What You Just Learned

  • 🧠 Authentication ≠ Authorization — A strong credential proves the agent is real. It doesn't prove it's allowed to do what it's doing, or that a human approved it.
  • 🔬 Shared credentials destroy accountability — When many agents use one key, forensics become impossible. You can't trace an action back to a decision.
  • ⚠️ Traditional reviews are too slow — Quarterly audits can't govern software that makes thousands of decisions per minute. Governance has to be real-time.
  • 💡 Three questions matter — Who owns the agent? What's it allowed to do? Who is accountable? If a system can't answer all three, it shouldn't be taking action.

Key Takeaway

The next big identity problem isn't just proving a person is real — it's proving that a piece of software was actually authorized to act, within specific limits, by a specific human who can be held accountable. A strong password doesn't solve that. Only identity governance does.

So here's the question worth sitting with: if an AI agent made a mistake using your account tomorrow — booked the wrong flight, submitted the wrong form, approved the wrong charge — who would have to prove what happened? You? The company that built the agent? The platform that let it in? Right now, in most systems, nobody has a clean answer to that. The agent acted. The credential was valid. And the trail stops there.

That's not an AI problem. That's an identity problem. And identity problems, it turns out, are exactly the ones we know how to solve — as long as we start treating AI agents less like smart tools and more like what they actually are: actors who need ID before they can walk through the door.
