On June 17, 2026, Estonian Prime Minister Kristen Michal announced — via the country's AI Council — that Estonia intends to become the first state in the world to issue government-backed digital identities to AI agents. The credential would specify exactly what a person or company has delegated: whether an agent may only view data, prepare a document, or transact within a fixed monetary limit. "It cannot be the case that a person is forced to give their AI assistant access to all of their rights, services, and data," Michal wrote. "Agents must have limited, controllable, and auditable authorizations."
For a country of 1.3 million that already runs national digital ID, mobile-ID, and the e-Residency program — now past 140,000 e-residents and 41,800 companies — this is a logical next layer, not a leap. And it targets a real, present problem.
The problem is genuine
Today, when an AI agent acts for you, it usually becomes you. It logs in with your credentials and inherits your full access — your bank, your inbox, your tax records, your signing authority. There is no technical distinction between "the human clicked buy" and "the agent the human delegated to clicked buy," and no way to scope the agent down to the one task it was hired for. That is a security and accountability gap, not a hypothetical. As agentic systems move from chat windows to executing transactions, the all-or-nothing impersonation model becomes the single largest unmanaged risk in consumer software.
Estonia's proposal — a distinct, addressable identity for the agent, carrying machine-readable scopes and producing an audit trail — is the correct instinct. It is also, properly understood, a pro-innovation design. The alternative paths are worse for the agent economy: either platforms block automated access outright (as many already do with bot-detection), or they permit unlimited impersonation and absorb the fraud losses, which they will eventually price in by locking agents out. A credential that says "this agent may spend up to €200 and nothing else" lets a bank say yes to the agent instead of treating it as an intruder. Constraint, here, is what unlocks adoption.
Steelmanning the skeptics
The strongest case against moving first is that Estonia risks building a national silo just as Europe finalizes a continental standard. The eIDAS 2.0 regulation (Regulation (EU) 2024/1183, in force since May 2024) requires all 27 member states to offer EU Digital Identity Wallets by December 2026. Those wallets are explicitly designed to carry verifiable attestations and selective-disclosure attributes — precisely the primitives an agent authorization needs. A critic can fairly argue that the responsible move is to define agent delegation as an attestation type within the EUDI wallet, not as a parallel Estonian register that other countries and platforms must separately learn to trust.
That critique deserves to be answered, not dismissed. The honest answer is that standards bodies move slowly and the agent problem is arriving now; a small, high-trust jurisdiction prototyping the credential format is how Europe gets a concrete proposal to standardize rather than a committee abstraction. Estonia has played exactly this role before — its X-Road data exchange and digital-signature stack became reference architectures well beyond its borders. First-mover experimentation is valuable if it is built to converge with eIDAS, not to fork from it. Michal's own stated ambition — that the scheme could become an "international standard" — only works if interoperability is a design requirement from day one.
Where the framing goes wrong
The danger is in the language of "rights and responsibilities" and agents that "bear responsibility." An identity code is a routing and authorization primitive — it answers who is acting and within what limits. It should not be confused with legal personhood. An AI agent cannot hold assets, cannot be deterred by penalties, and cannot be made whole or be punished. If an agent overspends, leaks data, or signs a bad contract, the liable party must remain the human or company that issued and scoped the credential — exactly as a company is liable for the acts of an employee or a holder of power of attorney.
This matters because the temptation to treat the agent ID as a liability firewall is real and corrosive. A vendor could argue, "the agent had its own identity and acted within its authorization, so no human is at fault." That would convert a useful accountability tool into a laundering mechanism for responsibility. The EU's own approach elsewhere — the AI Act (Regulation (EU) 2024/1689) and the now-shelved AI Liability Directive — has consistently anchored obligations on providers and deployers, i.e., people and firms. Estonia's agent ID should reinforce that chain of accountability, making it easier to trace an action back to a responsible principal, not create a new gap.
What proportionate looks like
The right version of this policy is narrow and infrastructural: a voluntary, opt-in credential that binds every agent action to a named human or corporate principal, expresses least-privilege scopes in a machine-readable form, writes an immutable audit log, and is issued as an eIDAS-compatible attestation rather than a standalone national badge. Adoption should be driven by the carrot — banks, registries, and platforms granting agents access because the credential makes the risk legible — not by a mandate that bans unidentified agents and hands incumbents a new compliance moat.
Estonia has earned the right to prototype this; few governments have the digital-identity track record to do it credibly. The proposal correctly diagnoses that the impersonation model is broken and that scoped, auditable delegation is the fix. The work now is disciplined: keep the credential a tool for accountability, keep liability with the human, and build it to plug into Europe's wallet rather than around it. Get those three right, and Estonia exports a standard. Get them wrong, and it exports a cautionary tale about regulating the machine instead of the person behind it.