Summary
- Estonia says it wants to become the first country to create official digital identities for AI agents.
- The model is intended to give agents limited, controllable powers when acting for people or companies.
- The proposal brings AI-agent governance into identity, authorisation, accountability, and public-sector digital trust.
Estonia’s government is moving towards official digital identities for AI agents, placing machine identity and delegated authority at the centre of its next phase of digital state policy.
Prime Minister Kristen Michal said Estonia wants to become the first country in the world to create official digital identities for AI agents. The plan is designed to allow an agent acting on behalf of a person or company to operate with limited and controllable powers, rather than inheriting broad access to all of the user’s rights, services, and data. Government examples include an agent that may only view data, prepare a document, draft a payment, or act within a specific financial limit.
The policy grows from Estonia’s long-standing digital state model, including digital identities, digital signatures, X-Road data exchange, and audit trails. Extending that architecture to AI agents brings a familiar Estonian trust model into an environment where software may increasingly interact with public services, enterprise systems, financial workflows, and regulated data.
The government’s statement on AI-agent identities identifies a control problem that is already emerging inside enterprise environments. AI agents are not just chat interfaces. They may call tools, read documents, create tickets, trigger workflows, query databases, draft emails, initiate code changes, or prepare transactions. Once they begin to act across systems, identity becomes a control plane.
Traditional access models were built around people, service accounts, applications, and devices. Agentic systems disturb that separation because one software actor may act on behalf of several human users, invoke several services, and operate across a chain of delegated tasks. Without explicit identity, permissions, and logging, organisations are left with a weak evidential record: a human account may appear to have acted, while the operational decision path passed through an autonomous or semi-autonomous agent.
Estonia’s approach points towards a more disciplined model in which agents have distinct identities and bounded mandates. That could support audit logs showing which agent acted, for whom, under what authority, against which data, and within what limits. In regulated sectors, those details support incident investigation, liability analysis, access review, fraud control, and confidence that automated systems have not exceeded their authority.
Identity alone will not be enough. AI agents need reliable authorisation policies, strong credential handling, runtime monitoring, revocation mechanisms, and safeguards against hostile inputs. An agent allowed to prepare a payment may still be vulnerable to prompt injection, poisoned context, malicious instructions in documents, or compromised integrations. The identity layer can show what acted, but it must be paired with controls that restrict what the agent can do when its inputs become untrustworthy.
The European relevance extends beyond Estonia’s domestic services. The EU AI Act, NIS2, the Cyber Resilience Act, GDPR, and sector rules are all creating pressure for clearer evidence around automated processing, cyber risk, system accountability, and data access. If Estonia’s model develops into a practical architecture, it may become an early reference point for how governments and enterprises treat agentic software as accountable actors rather than invisible extensions of a user session.
Vendors selling AI agents into European organisations will increasingly need to explain how identity, delegation, auditability, and revocation work in practice. Systems that can automate work but cannot prove the boundaries of their authority will face harder scrutiny in environments where cyber governance is moving towards evidence, accountability, and resilience.





