MICKAI
Article · 8 July 2026

AI Agents as Identities: Per-Action Permissions and Hardware-Attested Authorisation

When an autonomous agent can act on your behalf, the question is no longer what it can do but who authorised each thing it did.

AI Agents as Identities: Per-Action Permissions and Hardware-Attested Authorisation
Author
Micky Irons
Published
8 July 2026
Follow Micky Irons
LinkedInX
ai agentsidentityhardware attestationauditsovereign ai

An autonomous agent that reconciles invoices, moves funds, files a regulatory return or amends a patient record is no longer a passive assistant. It is an actor. It reads systems of record, holds credentials and produces consequences that outlast the session that created them. Through 2026 the practical question in most enterprises has shifted from whether to deploy such agents to how to hold them to account when they act.

The problem is that almost every agent in production today runs as a borrowed human. It inherits a person's login, a shared service account or a long-lived token, and the logs record the human, not the reasoning machine that actually pressed the button. When the EU AI Act reaches full application on 2 August 2026, and as ISO/IEC 42001 becomes the reference for AI management systems, that ambiguity stops being a technical inconvenience and becomes a governance failure. Regulators, and the security leaders answering to them, are beginning to ask a blunt question: who, or what, authorised this specific action, and can you prove it?

An agent is an identity, not a feature

The cleanest way to reason about an autonomous agent is to stop treating it as a capability bolted onto a human account and start treating it as a first-class identity with its own lifecycle. It is issued, scoped, monitored and revoked. It has an owner, a purpose and a boundary. It holds a distinct set of permissions that are not a copy of any person's.

This reframing matters because agents do not behave like users. A human clicks a handful of times a minute; an agent can attempt thousands of actions in the same window, chain them across systems and improvise routes that no designer anticipated. Access models built for human tempo and human judgement leak badly under that load. Identity, in the agentic world, is the unit of control, and everything downstream depends on getting it right.

AI Agents as Identities: Per-Action Permissions and Hardware-Attested Authorisation, illustration 1

Per-action permissions, not standing access

Standing access is the original weakness of most identity systems. A credential is granted once, lives for months and quietly accumulates reach. For a person that is merely risky. For an agent operating continuously and unsupervised it is a far larger exposure.

The alternative is to bind authority to the action rather than the identity as a whole. Under this model an agent holds no useful power at rest. When it needs to move money, alter a record or call a sensitive system, it requests a narrowly scoped, short-lived authorisation for that one action, checked against policy at the moment of use. A read is not a write. A £50 payment is not a £50,000 payment. A query against anonymised data is not an export of the underlying records. Each rung on that ladder is a separate decision, evaluated on its own terms.

Within Mickai, our Sovereign Intelligence Operating System, every consequential action is gated this way before it is allowed to complete. The agent proposes, policy disposes, and nothing of consequence happens on the strength of a token that was minted hours ago for a different purpose.

AI Agents as Identities: Per-Action Permissions and Hardware-Attested Authorisation, illustration 2

Why the authorisation must be hardware-attested

Per-action permission is only as trustworthy as the proof that the right party requested it. A software token can be copied, replayed or forged by whatever has compromised the host. If the answer to who authorised this is a string that any sufficiently privileged process could have produced, the audit trail is theatre.

Hardware-attested identity closes that gap. The agent's identity and its authorisations are anchored in a hardware root that a remote or local verifier can challenge and confirm. The machine attests to what it is and what is running on it before an action is honoured, so a consequential step is provable rather than merely asserted. For the most sensitive actions this pairs naturally with a voice-gated human confirmation: a spoken, live authorisation from a named operator, bound to the specific request, that a replayed recording cannot satisfy. The result is a decision that carries evidence of both the machine that made it and the person who sanctioned it.

An agent you cannot revoke, scope to a single action and hold to a sealed record of what it authorised is not a colleague you have hired, it is a liability you have deployed.

AI Agents as Identities: Per-Action Permissions and Hardware-Attested Authorisation, illustration 3

The audit chain has to survive scrutiny

An audit trail is worthless if the thing being audited can rewrite it. Because agents operate at machine speed and machine volume, and because the most damaging incidents are precisely the ones an attacker would want to erase, the record of what an agent did must be tamper-evident by construction, not by policy.

Each action is sealed into an append-only chain, where every entry is cryptographically linked to the one before it and signed so that any later alteration breaks the chain visibly. These records are signed with post-quantum algorithms, because an audit trail that must stand up in a dispute years from now cannot rest on signatures that a future adversary can quietly counterfeit. The point is not cryptographic ornament. It is that a regulator, an auditor or a court can be handed the record and shown that it has not been touched since the moment each action occurred.

AI Agents as Identities: Per-Action Permissions and Hardware-Attested Authorisation, illustration 4

Sovereignty is what makes the proof credible

None of this holds up if the agent, its keys and its logs live inside infrastructure the operator does not control. An audit trail held on a third party's servers is an audit trail that a third party can read, lose or be compelled to disclose. For the NHS, for public bodies weighing data sovereignty, and for anyone the UK Sovereign AI programme is meant to serve, that dependency is the concern, not a footnote.

Mickai runs offline, on the operator's own hardware, behind a zero-egress inbound perimeter. Data comes in to be worked on; nothing of the operator's leaves without an explicit, sanctioned action. The sovereign models that reason about a request never phone home, and the identity, permission and audit machinery sits entirely within the operator's control. For high-stakes decisions the system can require cross-model consensus, where more than one independent model must agree before an action is authorised, so a single model's error or manipulation does not carry the day on its own.

This architecture is the subject of a substantial part of our filed intellectual property. Mickai LTD owns 104 filed UK patent applications with approximately 2,340 claims, patent pending, spanning the attestation, authorisation and sealed-audit mechanisms described here. None of these applications is granted or patented at this stage.

What operators should be asking now

The organisations that will come through the next two years cleanly are not the ones that deployed agents fastest. They are the ones that can answer, for any action an agent took, three questions without hesitation: which identity did this, what authorised this specific step, and where is the record that proves it. Those questions are becoming the baseline that auditors, regulators and buyers apply.

Agentic autonomy is worth having. It is also worth governing as seriously as we govern the people it stands alongside. Treating each agent as an accountable identity, granting authority one action at a time, anchoring that authority in hardware, and sealing the outcome into a record that cannot be quietly rewritten, is how autonomy earns the trust it will need to do consequential work. The technology to do this exists today, offline and verifiable, and the sooner it becomes the default the less any organisation will have to take on faith.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/ai-agents-as-identities-per-action-permissions-hardware-attested. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles