Before starting govern.sh, I watched a Fortune 500 team hand an autonomous agent the same production API key their backend services used. Not out of carelessness — out of necessity. The key was the only credential their infrastructure understood. That key could read every customer record, issue unlimited refunds, and delete resources, and it now belonged to a process that decides its own next action. Everyone in the room knew it was wrong. Nobody had a better primitive to reach for.
API keys answer the wrong question
An API key answers one question: is the caller allowed in? It says nothing about who the caller is, what subset of allowed things they should do, or whether this particular call is one anyone intended. That was fine for the software of the last twenty years, because the code was the intent — a deploy script does what its author wrote, so authenticating the script effectively authenticated the author.
Agents break that equivalence. An agent's behavior isn't fixed at deploy time; it's chosen at runtime, in response to inputs its author never saw. When an agent acts with your API key, the audit log attributes the action to you, the scope of the action is whatever the key allows, and the intent behind it is reconstructable by no one. Identity, authority, and intent all collapse into a single bearer token — and a bearer token is precisely the thing that carries none of them.
The incident reports all read the same way: the log says the service account did it. The service account is forty agents, three cron jobs, and an intern's notebook. That line in the log is where every investigation goes to die.
What a passport is
A passport, in the physical world, is not permission to do anything. It's a verifiable claim of identity, issued by a party others trust, carrying a history — visas, stamps — of where its holder has been and what they were admitted to do. Permission is decided at each border, by each authority, with the passport as input. That separation of identity from authorization is exactly what agent infrastructure is missing.
- An Agent Passport is a per-agent Ed25519 keypair: the agent signs its actions, so attribution is cryptographic, not inferred from which key was in the environment.
- Identity is stable while authority is contextual. The same agent can hold broad scopes in staging and narrow ones in production, without becoming a different principal in your logs.
- Revocation is surgical. Pulling one agent's passport doesn't rotate a shared secret across every service that embedded it.
- History accrues to the right subject. Reputation, incident involvement, and behavioral baselines attach to the agent itself — which is what your reviewer wants to evaluate when it asks for more authority.
Identity is the foundation, not the feature
It's tempting to treat agent identity as a compliance checkbox — something to add once the agent 'works.' We think the causality runs the other way. Scoped permissions are meaningless if you can't say which agent holds them. Budgets can't bind an actor you can't distinguish from its siblings. Approvals are theater if the requester is a shared credential. Audit trails without stable actor identity are a list of things that happened to be done by someone. Every control your risk team will eventually demand presupposes the same primitive: a durable, verifiable answer to 'who is acting?'
This is also why we made passports portable rather than proprietary. A passport's public key and signed history can be verified by any tool an agent touches, not only ones behind our gateway. The long-term bet is that agents will present identity the way servers present TLS certificates — as an ambient expectation of the ecosystem, not a feature of one vendor.
The window is now
Shared credentials became the norm for services because we retrofitted identity after the fleet already existed — and we've spent fifteen years paying that down with service meshes and workload identity projects. Agent fleets are still small. Most companies run dozens, not thousands. The cost of giving each one a real identity today is one API call at creation time. The cost of retrofitting identity onto ten thousand agents that share keys with your production services will be measured in years.
Agents are becoming actors in the economy — they buy things, file tickets, write code, talk to your customers. Actors need identity papers. The API key was never that, and stretching it further is how we get a decade of incident reports attributed to svc-prod-01. Mint the passport first. Everything else — policy, budgets, approvals, audit — has somewhere to attach.