DEV Community

Breach Protocol

Originally published at groundtruth.day

Anthropic gives AI agents their own work accounts, not yours

Anthropic has shipped a new agent identity access model that gives AI agents their own scoped credentials instead of borrowing human employees' logins. The model ties agent permissions to channels rather than people, applies the principle of least privilege, and logs agent actions separately from human actions — solving the security, continuity, and accountability problems that arise when autonomous software impersonates a person.

Key facts

  • What: Anthropic's new "agent identity" model lets Claude agents hold their own scoped accounts for tools like GitHub and Slack, tied to channels, instead of borrowing a human employee's login.
  • When: 2026-06-24

An AI agent is software that doesn't just chat but takes actions — it connects to tools like GitHub, Slack, or a company's data warehouse and does things in them. To do that, it needs permission, and permission systems were all built for humans. The early workaround was to let the agent act as a specific employee, using that person's credentials. That is equivalent to giving a new contractor your own badge, your own keys, and your own login, and telling them to go do your job. It works until it doesn't.

It breaks in three ways. When the employee is logged out, on vacation, or has left the company, the agent either stops working or keeps acting as a ghost. When a team shares an agent, whose login does it borrow? Team members have different access levels, so the agent's powers swing wildly depending on whose badge it happens to be wearing. Most seriously, it is a security and accountability nightmare: when something goes wrong, the logs say a human did it, when really an autonomous program did.

Anthropic's fix is to give the agent its own identity. Instead of borrowing a person's badge, Claude gets its own — its own scoped accounts for each tool, set up by administrators rather than impersonating a user. These identities are tied to channels, not people. An administrator defines what the agent can do and connect to at the workspace level, and narrows that down channel by channel. What the agent learns or touches in one team's channel stays confined to that channel and doesn't leak into another. The agent gets exactly the access it needs for the job in front of it — the security principle of least privilege — and no more.

This solves the three problems at once. The agent can run long, autonomous tasks without a human needing to stay logged in, because it isn't riding anyone's session. A shared team agent has consistent, predictable powers, because they're defined for the agent itself rather than inherited from whoever's nearby. Accountability gets cleaner: actions taken by the agent are logged as the agent, so audits can tell human work from machine work, and revoking an agent's access is as simple as turning off its account rather than untangling it from a person's permissions.
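The scoping and logging scheme described above can be modelled in a few lines. This is an added example, not Anthropic's code or configuration format: the policy shape, the agent name, the channel names and the scope strings are all hypothetical. It shows a workspace-level ceiling narrowed per channel with default deny, and every decision logged under the agent's own identity.

```python
from dataclasses import dataclass, field

# Constructed sample policy. Nothing here is a real product schema.
# Workspace level: the most an agent may ever do, set by an administrator.
WORKSPACE_POLICY = {
    "agent:claude-eng": {"github:read", "github:open_pr", "slack:post", "warehouse:query"},
}
# Channel level: narrows the ceiling. A channel with no entry grants nothing.
CHANNEL_POLICY = {
    "#backend": {"agent:claude-eng": {"github:read", "github:open_pr", "slack:post"}},
    # Misconfiguration on purpose: github:admin is not in the workspace ceiling.
    "#finance": {"agent:claude-eng": {"warehouse:query", "slack:post", "github:admin"}},
}


@dataclass
class AuditLog:
    records: list = field(default_factory=list)

    def write(self, actor, channel, scope, allowed):
        # The actor is the agent itself, never a borrowed human login.
        self.records.append({
            "actor": actor, "actor_type": "agent", "channel": channel,
            "scope": scope, "decision": "allow" if allowed else "deny",
        })


def effective_scopes(agent, channel):
    """Channel grant intersected with the workspace ceiling; default deny."""
    ceiling = WORKSPACE_POLICY.get(agent, set())
    granted = CHANNEL_POLICY.get(channel, {}).get(agent, set())
    return ceiling & granted  # a channel can narrow access, never widen it


def authorize(agent, channel, scope, log):
    """Decide one action and record the decision, allowed or not."""
    allowed = scope in effective_scopes(agent, channel)
    log.write(agent, channel, scope, allowed)
    return allowed


def denied_attempts(log):
    """Denials are the records worth reviewing first for an always-on account."""
    return [r for r in log.records if r["decision"] == "deny"]
```

Because the channel grant is intersected with the workspace ceiling, the stray `github:admin` entry in `#finance` has no effect, and revoking the agent means deleting one key from `WORKSPACE_POLICY`.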

This is the substantive infrastructure story underneath the more visible agent products. The flashy demos get attention, but the thing that determines whether companies actually deploy agents at scale is whether they can do it securely and audit it afterward. Per-agent identity is the boring-but-load-bearing layer that has to exist before "a team of AI agents working alongside humans" goes from a slide deck to a real deployment. It is also the practical counterpart to the demand-side adoption stories — companies like Samsung rolling AI out to over a hundred thousand workers — because access control is exactly what an enterprise that size has to get right.

The honest caveat: giving an autonomous program its own standing accounts that can act without a human present is convenient, and it is also precisely the kind of account an attacker most wants to compromise. A human's login at least has a human attached who notices odd behavior, gets locked out, goes home at night. An always-on agent account that can act on its own is a more attractive and more dangerous target, so the entire security burden shifts onto getting the scopes right and watching the audit logs closely. Done well, this is more secure than the borrow-a-human's-badge status quo it replaces — which was genuinely bad. Done carelessly, it creates a new class of powerful, autonomous accounts to defend. Either way, the era of AI agents impersonating their human colleagues is ending, and the era of agents as their own kind of employee — with their own badge and their own paper trail — is beginning.


Originally published on Ground Truth, where every claim is checked against the primary source.
