Estonia intends to give AI agents digital IDs

Estonia plans to give AI agents their own digital identities so public agencies, companies and users can see who authorized an agent, which task the agent may perform and who carries responsibility after the agent acts.

Prime Minister Kristen Michal said the state needs a record of the person behind an agent, the powers that person delegated and the party that answers for harm. Estonia's Eesti.ai advisory board wants identity to serve as the control point. Officials would assign ID codes to agents, connect those codes to authorization records and log transactions for audit.

Estonia's plan

Estonia built its public services around digital identity. The country's e-ID system lets residents sign documents, vote online, use health records and handle banking. Officials now want to extend that model from people to software that acts for people.

An AI-agent ID would not give software personhood. Officials describe the ID as an accountability tool. A user would delegate a task, such as preparing a tax declaration or retrieving a file. Public systems would check the agent's ID, confirm the user's authorization and record the transaction.

That model matters because agents can change the state of the world. A chatbot can give bad advice. An agent can submit a form, spend money, disclose data or bind a user to a contract. Once software crosses that line, users need revocation controls, audit logs and a path to challenge errors.

Security engineers have worked on related plumbing. Researchers under the OWASP banner proposed the Agent Name Service, a DNS-style directory for agent discovery and interoperability. Estonia's proposal takes a governance angle: who granted authority, which system accepted it and who pays after damage.

Legal basis

The European Union already gives regulators tools for AI systems and data processing. The EU AI Act sets risk-based duties for providers and deployers. EU lawmakers placed strict duties on high-risk systems, including logging, documentation, human oversight, cybersecurity and accuracy. The AI Act text allows fines up to €35 million or 7% of worldwide annual turnover for banned AI practices, and up to €15 million or 3% for many operator duties.

EU data protection authorities would enforce the General Data Protection Regulation when an agent handles personal data. GDPR Article 83 allows fines up to €20 million or 4% of worldwide annual turnover for violations that involve basic processing principles, data-subject rights or unlawful transfers.

California regulators would look to the California Consumer Privacy Act when an agent touches California residents' personal information. The CCPA reaches for-profit businesses that do business in California and meet thresholds such as more than $25 million in gross annual revenue or personal information from 100,000 or more residents or households. California Civil Code Section 1798.155 allows administrative fines up to $2,500 per violation, or $7,500 for intentional violations and violations involving children under 16.

User impact

A working agent-ID system would give users a record they can read. You should see which agents act for you, which services they can reach, which data they can use and when their authority ends. You should also revoke access from one place.

The privacy risk sits in the delegation layer. If a user grants an agent broad access to email, banking, health records or government services, the agent can expose more data than the task requires. Regulators will ask whether the company or agency limited the agent's access to the stated purpose, logged each action and gave the user a way to contest mistakes.

Identity also helps third parties. A tax agency, retailer or bank should not have to guess whether a request came from a person, a bot with permission or a scraper. The ID code gives the receiving system a hook for fraud checks and dispute review.

Company duties

Companies that accept agent actions will need new controls. Product teams will need authorization screens that show the scope of access in plain language. Security teams will need token limits, revocation paths and logs that tie each action to a user, an agent and a time. Legal teams will need terms that state who bears loss when an approved agent buys the wrong item, submits the wrong form or shares protected data.

Target has moved first in retail terms. Its terms and conditions tell customers that approved agentic commerce agents may sign in, modify carts, place orders and start returns within approved limits. Target also tells customers they remain responsible for reviewing agent activity and for authorized purchases.

That approach shifts much of the risk to the customer. Financial services firms may choose a different allocation if they want users to trust agentic purchases. Merchants, banks and card networks will need evidence of consent, logs that survive disputes and rules for agent error.

Open questions

Estonia still needs to define the authorization process. Officials must decide who can create an agent ID, how long an ID lasts, which entity verifies the agent and how a user revokes access after a compromise.

Cross-border recognition will create another test. An Estonian agent ID may work inside national systems first. Banks, marketplaces and cloud platforms outside Estonia will ask whether the ID maps to their own trust frameworks. EU member states will also need common rules if agents act across borders.

The enforcement question remains hard. Courts and regulators can fine companies, developers and users. They cannot punish software in a human sense. Georgia Tech professors Mark Riedl and Deven Desai make that point in AI Agents and the Law: human agency law assumes an agent can bear duties, but software cannot pay damages from its own pocket or face criminal penalties.

Estonia's proposal gives regulators a practical starting point. Name the agent. Name the person who authorized it. Record the task. Preserve the log. Those steps will not settle liability on their own, but they give users and investigators evidence before an agent's mistake turns into an argument over who clicked what.