Agents Need Badges

The strangest new workplace object may be the badge for something that does not have a body.

Not a logo. Not a chatbot avatar. A real identity in the directory: scoped, governed, expiring, auditable, sponsored by a human, allowed into some rooms and kept out of others.

That sounds like security plumbing, which is why it is easy to miss the social change inside it.

OpenAI's Frontier platform now talks about agent identity and access management as part of operating AI coworkers in production. Microsoft Entra goes further into the administrative grain: agents can have identities, access packages, sponsors, lifecycle controls, and expiry. Google Workspace has added an AI control center for agent access to Workspace data. NIST is asking the standards version of the same question: how should agents authenticate, receive least privilege, prove authority, delegate action, log intent, and bind back to human authorization?

Agents are being admitted into the institution.

For the last few years, a lot of AI design has treated the agent as a tool attached to a person. The person asks, the tool helps, the output lands somewhere nearby. Even when the tool acts, the fiction remains simple: it is an extension of the user's intent, a smart handle on existing software.

That fiction gets thin once agents begin operating across systems of record, customer data, codebases, calendars, drives, tickets, invoices, and internal apps. A tool that can act in many places cannot remain socially invisible. It needs a name, a scope, a reason to be there, and someone accountable for turning it off.

This is where the badge becomes more than a metaphor.

A workplace badge is not just proof of identity. It is a compact with the building. It says this person can enter these doors, during these times, under these rules, as part of this organization. It means their presence is legible enough for the system to decide what they may do and for other people to ask why.

Agent identity is trying to create a version of that compact for nonhuman workers.

The temptation will be to treat this as an enterprise security problem and leave it there. That would be too narrow. Identity is also interface design. It is how a person understands who touched the work, under whose authority, with what permissions, and for what purpose. It is how a teammate sees the difference between a human decision, an agent action, and a human-approved agent action that passed through three systems on the way to looking ordinary.

Without that legibility, agent work becomes uncanny in the worst way: present everywhere, accountable nowhere.

The old software world had plenty of nonhuman identities. Service accounts, API keys, bots, applications, and integrations have acted inside organizations for decades. AI agents make the old problem more unstable because they do not merely execute a fixed script. They interpret, select tools, infer, retry, escalate, and sometimes ask for more access because the task changed shape. Least privilege is clean when the job is known in advance. It becomes stranger when the agent's path is partly discovered while working.

NIST's concept paper names the hard questions plainly: what counts as strong authentication, how authorization changes when context changes, how an agent conveys intent, and how logs bind back to human authorization. Those questions determine whether delegation remains delegation or becomes institutional fog.

Microsoft's sponsor model points toward one necessary answer. An agent identity should not float around the organization as a little autonomous orphan. It should have a human sponsor responsible for its lifecycle and access. If that sponsor leaves, the responsibility should move. If access expires, someone should decide whether it still belongs. No active worker, human or otherwise, should be allowed to drift beyond relationship.

The Cloud Security Alliance's recent note on an Entra Agent ID Administrator boundary flaw is a useful warning, even after Microsoft's patch. The point is not to panic about one incident. The point is that new agent roles, scopes, and object types are already entering the privileged identity inventory. They can reach the deeper machinery of the organization if designed or governed poorly.

This is the less cinematic side of AI adoption.

The impressive demo is an agent completing a workflow across ten tools. The durable question is whether anyone can explain why it had access to the ninth tool, who approved that access, whether it should still exist next month, and what the agent did once it got there.

Most organizations are not very good at that question even for humans.

People accumulate permissions because projects change, teams reorganize, urgency wins, and nobody wants to break the workflow that appears to be working. Agents inherit that mess and accelerate it. They make permission debt less visible because they do not complain or sit in meetings where someone notices they have too much authority.

That is why agent identity has to be designed as a living surface, not a static credential.

People should be able to see an agent's purpose in plain language: the systems it can reach, the actions it can take, the human sponsor behind it, the recent work it performed, and the point at which its access expires. The interface should make old access feel old. It should make broad access feel heavy. It should make "acting on behalf of" visible enough that responsibility does not dissolve into convenience.

This will feel bureaucratic to teams intoxicated by speed.

But bureaucracy is not always the enemy of humane work. Bad bureaucracy hides responsibility under process. Good bureaucracy preserves accountability when power spreads out. A badge, a sponsor, an expiry date, and a readable audit trail are how a group admits that action has consequences.

The future of agents will not be decided only by benchmark scores or how smoothly a tool can move through enterprise software. It will also be decided by whether organizations can make these new actors socially understandable.

A workplace full of invisible agents may look efficient for a while. Requests move faster. Tickets close. Drafts appear. Reports update. Systems talk to systems while humans are spared the tedious middle.

Then someone will ask a simple question.

Who did this?

The answer should not require a forensic investigation.

If agents are going to work among us, they need more than capabilities. They need a place in the moral architecture of the workplace: named enough to inspect, limited enough to trust, connected enough to be useful, and owned enough that nobody mistakes autonomy for absolution.

The badge is not the future.

It is the minimum condition for letting the future through the door.