The problem with AI agents was never their identity. It is authorization and attribution — what the thing may do and who answers when it does it, writes Peeter P. Mõtsküla.
Estonia did not earn its standing as a digital state by being first to announce things. It earned it by doing the unglamorous work before the announcement. The ID card was never just a card; the cryptographic and legal protocols ensured it could be used to uniquely identify its holder and the holder's intent. The plastic was incidental. The architecture was the point. The plan to give AI agents their own identity codes runs that order backwards. The press release came first; the architecture is going to be improvised afterwards. And the question the headline answers — what is the agent's status? — is the one that does not matter.
There is a principle from an old IBM training manual: a computer can never be held accountable, therefore a computer must never make a management decision. We are now building agents whose whole purpose is to make those decisions — to pay the invoice, file the return, move the money — and we are reaching for an identity code to plug the accountability hole that opens. But an identity is not an answer to "who is accountable." A number on a thing tells you which thing it is. It does not tell you who calls the shots or who pays if something goes wrong.
The variables that matter are two, and neither is identity. The first is authorization: what is this agent permitted to do? The second is attribution: when it acts, who answers for the act? Get those right and the agent's status is a non-question. Get them wrong and no identity code will save you.
To be fair to the government, its described objective is the defensible one. Limited, controllable, auditable authorization — a scoped mandate, logged and revocable — is exactly right. The trouble is the label bolted on top. Calling it a personal code (isikukood) invites everyone to argue about what (or who) the agent is, rather than what it may do and who owns its mistakes.
A valid problem, and an invalid solution
The problem the proposal points at is real. Today, to let an agent act for you, you hand it your credentials and your PIN. It then inherits everything you can do, without limit, as the service on the other side cannot tell it apart from you. That is genuinely bad. But it is a delegation and scoping problem and we already know how to solve those: scoped tokens, OAuth-style consent, the attestations the European digital identity wallet is built to carry — the rail to build this on, rather than as a sovereign silo of our own. You bound what an agent may do by issuing it a narrow, revocable mandate — not by giving it a self.
An identity adds nothing to that bounding. What you actually need is three things: that the counterparty can tell this is an agent and not a person, that the agent carries a scoped mandate and that the mandate points at the human (or a legal person) responsible for it. That is a collar, not a passport. A passport confers status — it says the bearer is someone, with standing of their own. A collar confers nothing on the wearer; it is an owner's tag that says whose this is and who answers for it. Roman law had the structure already: the acting instrument (the slave) was, in law, a thing, and its acts were attributed not to itself but to the one who owned and deployed it. And when the owner appointed that instrument to run a business or a ship, the owner's resulting liability was uncapped, fixed by the act of appointment rather than by ownership. That is the model for a correctly designed agent identity: a property tag, not a personhood, and an attribution rule that bites hardest precisely on whoever puts the thing to work.
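An added illustration of the "collar" described above (not part of the original article or of any government proposal): a mandate that marks its bearer as an agent, limits it to named scopes, can expire or be revoked, and names the principal against whom every decision is logged. The field names, scope strings and key are constructed, and standard-library HMAC stands in for the issuer's real digital signature.

```python
import hashlib
import hmac
import json
import uuid

ISSUER_KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's signing key
REVOKED = set()                       # mandate ids the principal has withdrawn
AUDIT_LOG = []                        # every decision, attributed to the principal


def _sign(body: dict) -> str:
    # Canonical JSON so issuer and verifier sign exactly the same bytes.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_mandate(principal: str, scopes: list, ttl_s: int, now: float) -> dict:
    """Issue a narrow, time-boxed mandate that names who answers for the agent."""
    body = {
        "mandate_id": str(uuid.uuid4()),
        "agent_id": str(uuid.uuid4()),  # says which thing it is, nothing more
        "actor_type": "agent",          # counterparty can tell it is not a person
        "principal": principal,         # who answers for its acts
        "scopes": sorted(scopes),
        "expires": now + ttl_s,
    }
    return {"body": body, "sig": _sign(body)}


def authorize(mandate: dict, action: str, now: float) -> tuple:
    """Return (allowed, reason) and log the decision against the principal."""
    body = mandate.get("body", {})
    sig_ok = hmac.compare_digest(_sign(body), str(mandate.get("sig", "")))
    if not sig_ok:
        verdict = (False, "bad signature")
    elif body["mandate_id"] in REVOKED:
        verdict = (False, "revoked")
    elif now >= body["expires"]:
        verdict = (False, "expired")
    elif action not in body["scopes"]:
        verdict = (False, "out of scope")
    else:
        verdict = (True, "ok")
    # An unverified mandate proves nothing about who is behind it, so no name is logged.
    AUDIT_LOG.append({"action": action, "verdict": verdict[1], "at": now,
                      "principal": body.get("principal") if sig_ok else None})
    return verdict
```

The agent identifier plays no part in any decision here: every refusal comes from the signature, the revocation list, the expiry or the scope list, and every log entry resolves to the principal.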
And the premise underneath the whole proposal — that the agent is otherwise a legal nobody, so it needs a code to become someone — is already false. Liability is already being assigned, in two directions. A civil resolution tribunal in Canada had no difficulty holding an airline responsible for what its chatbot told a customer, rejecting as "remarkable" the airline's argument that the bot was a separate legal entity answerable for itself. A Munich court has provisionally gone further, treating an AI system's output as the operator's own statement rather than a third party's. And in the other direction, Target's terms of use now deem anything its shopping agent buys to be a transaction authorized by the user. Courts attribute upward to the operator; contracts attribute upward to the principal. Either way, any act of the agent is already someone else's act. Personhood would not fill a gap; it would prize one open, by giving the agent its own pocket to pay from and everyone above it a place to hide. But that is an argument for another day.
A press release standing in for the thinking
So why reach for an identity code at all, if scoped authorization does the work and the law already supplies the attribution? Because a personal identity code makes a world-first headline and a scoped-token specification does not. The universally unique identifier (UUID) these agents need has existed, standardized, for decades; pair it with a public directory that resolves the identifier to the party behind it — the kind of plumbing the open internet already runs on — and the attribution problem is answered without a prime minister, a council or a press release.
None of which would matter if the branding were harmless. It is not. A personal code actively invites the reading the defensible core does not need: that the agent is enough of a someone to carry its own responsibility — which is the first step toward the agent carrying it instead of its owner.
Where it stops being abstract
There is one place where all of this stops being theoretical, and it is the place the proposal is most silent. The state's own strategy commits Estonia to deploying agents that read a citizen's data and pre-fill their decisions for them. Good — provided we answer one question first: when a state agent gets it wrong, who pays?
The proposal's own rule — bind the agent to a responsible human — gives the wrong answer here, because the responsible human is the state itself. When a tax-board agent quietly fills in the wrong figure, any citizen or entrepreneur may suffer the damage. Hand that agent an identity and you have built the perfect alibi: not "the official decided," not even "the ministry decided," but "the system decided." That is the IBM warning arriving precisely where it was aimed — a machine making a management decision no one can be held to — only now at the scale of the whole population.
What to legislate instead
The honest response to "the responsible-human assumption might break" is to harden it, not to abolish it. Three measures would do that, and none of them is an identity code.
First, classify the agent in law as what it is — a thing, a tool — and write a hard rule of upward attribution: the act of the agent is the act of its operator, secured by cryptographic keys and digitally signed, non-disclaimable logs, so that custody and liability cannot be disowned after the fact.
Second, make containment a legal duty of the operator. Insufficient guardrails, inadequate monitoring or a missing kill-switch should themselves be the actionable fault; autonomy does not dissolve responsibility, it creates a duty to bound the blast radius, so that the excuse "no one could have foreseen it" becomes the accusation "someone owed a duty to contain it and breached it."
Third, consider requiring bonded insurance, bound to the agent, for the irreducible residue that attribution and containment cannot reach — at least where the agent is granted substantial authority. This is the number-plate model, where the tag finally earns its keep.
That is the whole program. None of it needs the agent to be a someone.
The question was never "who is the agent?" It is four other questions and they are the only ones that matter: who authorized it, whose decisions does it make, where does it break and who pays when it does? Answer those and the agent's status takes care of itself. Leave them unanswered and the code, the personal code, the "world first" — all of it is theater.
Give the thing a collar. It does not need a passport.
-- Editor: Marcus Turovski