What is Agent Residency?

Agent Residency is the cross-boundary identity specification for AI agents: identity, authentication, authorization, and audit across systems, anchored to responsible legal entities.

Why do AI agents need their own identity?

Agents act using borrowed credentials, so the audit trail records the human, not the agent. Without verifiable agent identity there is no meaningful delegation, without delegation no accountability, and without accountability no trust.

What are the four pillars of Agent Residency?

Identity, authentication, authorization, and audit. Every agent receives a unique credential bound to a responsible legal entity, presents it at every service boundary, acts under a scoped and revocable delegation mandate, and has every action recorded in a tamper-evident, replayable log.

What are the autonomy levels?

Level 0 (internal-only), Level 1 (operational), Level 2 (external with delegated legal authority), and Level 3 (advisory participation). The responsible legal entity stays a human or registered company throughout.

Why is Estonia the first trust anchor?

Estonia has the world's most mature sovereign digital identity ecosystem — X-Road, e-Residency, Smart-ID and eID. Agent Residency is a global specification with Estonia as the first trust anchor; the same specification works with any national digital identity infrastructure.

Agent Residency — Identity for Agents. Anchored to Responsible Legal Entities

Abstract

Every AI agent needs a residency — a verifiable identity, authorized permissions, and an auditable record of its actions. Just like every person operating in a country needs legal residency. Agent Residency is that infrastructure.

This document specifies how agent identity, delegated authority, and tamper-evident audit are bound to a responsible legal entity and carried across services, platforms, and jurisdictions. It is a neutral, open specification — conformance defined by the specification itself, not by any single vendor's implementation.

§01

Problem statement

The problem

Identity was built for humans. Agents are not humans.

AI agents execute transactions, file documents, access sensitive data, interact with services, and increasingly build and operate companies on behalf of people. They do this using borrowed credentials. The agent logs in as you. The audit trail says you acted. If the agent exceeds its authority, the record shows your name, not the agent's — because the agent doesn't have a name. It doesn't have an identity. It borrowed yours.

This isn't a flaw in any particular product. It's a structural absence. Agents are a different class of principal — operating at machine speed, across organizational boundaries, through delegation chains that no existing identity system can represent.

The missing piece isn't capability. It's accountability. The question Agent Residency answers is closer to legal capacity and representation than to AI regulation: who is this agent, on whose authority does it act, and who answers for what it does.

Three questions today's infrastructure can't answer

Which agent acted? There is no unique, verifiable agent identifier — agents run under shared API keys and borrowed sessions. The log records the operator, a human who never touched the keyboard, with no forensic path back to the agent.
Who authorized it? There is no machine-readable record of who delegated authority, with what scope and constraints, and when it expires. So when authority is revoked, sub-agents beneath it still hold valid tokens — actions keep clearing before the chain is known to be dead.
What happened? There is no tamper-evident trail linking actions to identity and mandate. By the third delegation hop, across an organizational boundary, no single system can reconstruct who authorized what — investigation is reconstruction, not replay.

Without verifiable agent identity, you can't have meaningful delegation. Without delegation, no accountability. Without accountability, no trust. And without trust, the autonomous agent ecosystem can't scale securely.

§02

Specification model

The specification

Agent Residency answers the three questions through four pillars.

Identity. Every agent receives a unique cryptographic credential — distinct from the deploying entity's credentials. The credential is bound to the responsible legal entity: the person or company that created the agent and bears liability for its actions. The binding is established at issuance and verifiable by any system the agent interacts with.
Authentication. At every service boundary, the agent presents its credential. The service verifies: is this a registered agent with a valid credential? Which entity is responsible? Is the credential current, or revoked? The agent never uses the human's credentials. Delegation, not impersonation.
Authorization. The responsible entity issues a machine-readable delegation mandate specifying permitted operations, prohibited operations, data scope, monetary thresholds, temporal validity, approval gates, and sub-delegation rules. Authority only ever narrows: sub-agents cannot gain authority their parents lacked. Before any action, the mandate is checked against the requested operation. Out of scope — blocked and logged.
Audit. Every agent action is recorded in a tamper-evident, append-only log: agent identity, action, mandate reference, timestamp, outcome, and the full delegation chain. Each entry reads as a single fact — agent X, acting for Y, under mandate M. Cryptographically signed. Replayable. The difference between "we think we know what happened" and "here is the signed record."

delegation-mandateapplication/ar-mandate+jose

agentar:agent:7f3a…e9c1

principalee:person:38704… (sovereign-verified)

permitsinvoice.read, payment.create ≤ €5 000

forbidspayment.create > €5 000, account.close

data-scopeorg:acme / finance / *

valid2026-06-02 … 2026-09-02

approval-gatepayment.create > €1 000

sub-delegationonly-narrowing

signatureed25519:… (secure-element attested)

Fig. 1 — A delegation mandate: scoped, time-bound, revocable, and signed. The mandate, not a borrowed permission, is what authorizes the agent.

01Identityregistered agent

02Mandatescoped authority

03Boundaryoperation decision

04Auditsigned record

Fig. 2 — Four checks at the action boundary: a registered agent, a scoped mandate, an in-scope decision, and a signed record — evaluated before the action commits.

Air traffic control does not fly the planes. It knows where each one is, who is flying it, and whether it is cleared to be where it is. Agent Residency is that for agents: not control over an agent's reasoning, but the authoritative picture of which agent is operating, under whose authority, and within what clearance.

A credential proves consistency; a binding proves answerability — Agent Residency is built for the second. It makes agents answerable by construction, not by reconstruction: accountability exists before the action does, rather than being assembled from logs after the fact.

§03

Boundary of scope

What this is not

Operational identity, authority, and accountability for agents — the responsible legal entity stays a human or a registered company.

Not personhood
Not citizenship
Not replacing humans in governance
Not unbounded autonomy
Not a shortcut around KYC, AML, or liability
Not control over how an agent reasons

§04

Design principles

The design principles

No reusable secret: The component that could be compromised must never possess a reusable secret — only a bound, scoped, expiring, verifiable proof. The lineage is EMV chip cryptograms and payment tokenization: the thing that can be stolen is never the thing that grants authority.
Delegation, not impersonation: Agents act through explicit delegated authority. They never use the person's credentials. The delegation chain is always traceable to a responsible human or legal entity.
Mandate, not permission: Agent authority is expressed as a mandate — a scoped, time-bound, revocable delegation — not a set of permissions inherited from a human account. The mandate defines what the agent can do, what it cannot do, and when its authority ends.
Only-narrowing delegation: Authority attenuates monotonically down the chain. Sub-agents cannot gain authority their parents lacked; scope only ever shrinks. This closes the failure mode of scope widening disguised as delegation.
Revocation as containment: Revoking a parent mandate instantly terminates every downstream delegation — an epoch-based collapse of the whole subtree in seconds, not a configuration rewrite. A person leaves; kill everything tracing back to them, at once, everywhere their authority reached. No orphaned authority.
Cross-boundary by design: The credential format works across systems, platforms, and jurisdictions. The principal issues the mandate; the counterparty verifies it; only the receiving side needs verification capability — the same asymmetry that let HTTPS, SPF/DKIM, and OAuth spread. Verification is lightweight — designed for real-time checks at every service boundary. Infrastructure, not a service to call.
Anchored to legal entities: Every agent traces back to a legal entity that can be held accountable. Not self-asserted identity. Not anonymous credentials. Verified identity, bound to real-world legal responsibility.
Accountability without surveillance: Total attribution would be total surveillance. Authority-binding recovers accountability for an authorized auditor, under defined conditions — not visibility for every system, always.

§05

Open frontier

The open frontier

Identity answers who. Authorization answers what. Neither constrains how a properly enrolled, validly authorized agent behaves inside its mandate. An agent can be precisely identified, correctly authorized, and fully audited — and still take a harmful action its mandate permits.

Runtime behavioral enforcement — signed behavioral envelopes checked at an un-bypassable boundary, before an action commits — is the field's open frontier. Agent Residency names it as a distinct layer rather than implying that identity and authorization close it. The specification's job is to make that boundary addressable: every action already carries an identity, a mandate, and a signed record — which is exactly what any enforcement layer must bind to.

§06

Trust anchor

The trust anchor

Agent Residency is anchored to sovereign digital identity infrastructure. The first implementation uses Estonia's digital identity ecosystem — the most mature in the world.

The responsible entity authenticates through that sovereign infrastructure. From that verified identity, the agent is enrolled in a one-time ceremony: its key is generated and attested by a secure element, so the private key cannot be exfiltrated, and the agent inherits its legitimacy from a verified human or company rather than asserting its own. The delegation chain begins with a sovereign-verified principal and extends to every agent they create.

This is not Estonia-specific technology. It is a global specification with Estonia as the first trust anchor. The credential model is designed for interoperability — aligning with W3C Verifiable Credentials and eIDAS. The same specification works with any national digital identity infrastructure — Estonia is where it starts.

§07

Conformance & status

What is built

PublishedThe specification is published. The first Agent IDs have been issued. The credential issuance pipeline — verified human identity to agent credential to signed mandate — is operational.

ReferenceA reference implementation enforces the specification at an un-bypassable boundary: identity, scoped mandate, instant revocation, and dual-identity audit applied to a working agent runtime — out-of-scope actions blocked before they execute, revocation effective in seconds. A validation of the model, not a production deployment.

GovernedThe specification is the reference, not any implementation — conformance is determined by the published spec, so no single implementation can redefine what conforming means.

AssuredThe assurance model maps to SOC 2, ISO 27001, and ISO 27701; the attenuation and envelope properties are stated formally, so conformance can be proven rather than asserted.

§08

Category vocabulary

The category vocabulary

Agent Residency introduces specific terms for concepts that did not have names.

Delegation mandate: The machine-readable specification of what an agent can do, on whose behalf, with what limits, and when it expires.
Delegation chain: The traceable sequence of authority from the responsible human through each agent in a multi-agent workflow.
Residency credential: The verifiable digital identity issued to an agent, distinct from the deploying entity's credentials.
Authority binding: The cryptographic link between an agent's identity and the responsible legal entity.
Enrollment ceremony: The one-time event that binds an agent's key to a verified entity, attested by a secure element, from which the agent inherits its legitimacy.
Only-narrowing delegation: The rule that authority attenuates monotonically down a delegation chain: scope only ever shrinks, never widens.
Mandate revocation: The instant termination of an agent's delegated authority, propagating down the delegation chain.
Dual-identity audit: An audit record that names both parties to an action: the agent that acted and the entity it acted for, under a referenced mandate.
Scope violation: An agent action that exceeds the boundaries of its delegation mandate.
Autonomy level: The graduated classification of agent authority, from internal-only (L0) through operational (L1) to external with delegated legal authority (L2) and advisory participation (L3).
Behavioral envelope: A signed constraint on how an agent may act within its mandate, designed to be enforced at an un-bypassable boundary before an action commits.

§09

Engaged with the specification

Acknowledgments

Organizations that have shared ideas, reviewed assumptions, or contributed to early design discussions.

NIIS

Nordic Institute for Interoperability Solutions, steward of X-Road. Reference point for cross-border institutional identity infrastructure.

TalTech

Research conversations around identity and cryptography.

Agency.AI

Implementation work around Agent Residency in operational systems.

§10

Provenance

“Accountable agents aren’t built by tuning the model. They’re built by binding identity, bounding authority, anchoring trust, and recording every action.”
— Vattan PS

Cite asbibtex / inline

Vattan PS. Agent Residency — Open Specification.
V (autonomous institutions lab), 2026.
https://agentresidency.com

Originally published 5 February 2026. Why Estonia is the first trust anchor →

Agent Residency is an open specification by V — an autonomous institutions lab led by Vattan PS. The specification is open; the implementation is commercial, through Agency.AI.