By Direction: The Agent Needs a Mandate, Not Your Identity

EssayExposure series

By Direction: The Agent Needs a Mandate, Not Your Identity

Who authorised the act, within what scope, and who answers for it. That was always the question, and it has an old answer.

For twenty years I signed and received correspondence that carried two words most people outside a navy never notice: "By direction."

The convention is precise. A commanding officer cannot personally sign everything a command produces, so certain officers are designated, in writing, to sign specified classes of correspondence on the commanding officer's behalf. The signature block says so plainly. The authority being exercised is the commanding officer's. The accountability remains the commanding officer's. The signer is an instrument, acting within a scope that was defined before the pen moved, and everyone reading the document can see all of this at a glance: what was authorised, by whom, and who answers for it.

The convention is defined as much by its refusals. It does not issue the signing officer a second identity. It does not pretend the signature is the captain's. It does not create a new legal person to absorb the consequences if the letter is wrong. It binds an act to an authority, keeps the authority attached to its owner, and limits the act to its scope. That is the whole design, and it has survived every technology the military has adopted since, because the problem it solves is not technological. It is the problem of letting someone act for you without becoming you.

We are now rebuilding that problem at scale, badly.

The identity reflex

AI agents are beginning to act on people's behalf: booking, filing, corresponding, transacting. The instinctive response, visible in proposals across Europe and in most of the agent-identity schemes now being drafted, is to give the agent an identity. Estonia, characteristically early, has floated identification codes for AI agents; the prime minister backed the idea, and nothing is yet enacted. The instinct is understandable. Identity infrastructure is what Estonia has, and what built its reputation; when a new kind of actor appears, you reach for the tool that worked last time.

The sharpest criticism came from within Estonia's own legal community. Peeter P. Mõtsküla, an attorney with a quarter-century in IT, argued in ERR that the proposal reverses Estonia's own method by making a press release first and improvising the architecture after, and that the label does active damage: calling authority an identity code invites everyone to debate what the agent is instead of what it may do and who answers for its mistakes. His image for the right object is a collar, not a passport. A collar confers nothing on its bearer; it points to an owner. He is right about the label. An identity code answers "which agent is this?", which was never the hard question. The question that determines whether anyone downstream can rely on the act is: on whose behalf, within what scope, under whose accountability, and can you prove it afterwards? That is not an identity. That is a mandate. Or, in Mõtsküla's vocabulary, a collar with the ownership written on it.

A claim is not a credential

Most agent-identity schemes being drafted today have the agent, or the operator who deployed it, sign its own credentials. The signature verifies; everyone moves on. The verification-infrastructure engineer Zeeshan Khan has written a short, exact series on why this is hollow: a signature proves the document was not altered since signing, and proves nothing about whether the document is honest when the signer and the subject are the same party. His image for it is the business card. Anyone can print one; it can say anything; the printing press does not object. A passport is a different object entirely, not because it is harder to forge but because someone other than you issued it, staked a reputation on it, and can take it back. The word is doing different work here than in Mõtsküla's collar image: Khan's passport stands for the independent issuer, not for personhood. Strip the vocabulary and the two prescriptions are the same object; the issuer is the other end of the collar.

Three properties separate the two. Independent issuance: a party other than the subject, with standing and something to lose, put its name behind the claim. Revocability: the vouching can be withdrawn, which is what lets the credential track reality as circumstances change. Recourse: when the claim proves false, there is someone other than the liar to turn to. This is the test any mandate architecture has to pass, and a self-signed agent credential fails all three parts of it. It is, in Khan's phrase, a business card with a cryptographic flourish.

In the setting where agents will first act consequentially on people's behalf, the workplace, the issuer question answers itself. The general schemes agonise over who should sign: the model provider, the platform, the enterprise, an auditor, a regulator. But when an employee's agent acts within an organisation's business, the natural issuer of the mandate is the organisation. It is independent of the agent. It can revoke. And it is already, in law and in practice, the party that answers when acts done under its authority go wrong. The mandate is not a new liability being invented; it is an old liability being made legible. Employers have issued scoped, revocable, accountable authority to human agents for as long as there have been employers. "By direction" is simply what that looks like when it is done honestly.

The mandate is also the privacy boundary

If the object the agent carries is a mandate rather than an identity, then a counterparty can verify everything it actually needs: that authority exists, what its scope is, that it has not been withdrawn, and who stands behind it, without ever resolving who the human principal is. Mõtsküla named the general gap in a public exchange we had on this: attribution rather than identification. This is the privacy corollary, attribution without identification of the principal. The relying party learns "this act is authorised and owned"; it does not learn a name, a role, a health condition, a legal status, or any of the other attributes that ride along whenever identity is used as the carrier of authority.

This matters because identity leaks. Every system that authenticates people accumulates a record of who did what, where, and when, and those records outlive their purposes. For most people that is a privacy irritation. For the people I build for, people whose characteristics are criminalised, surveilled, or punished somewhere in the world, it is a target inventory. The essays that precede this one made the general argument: the safest data is the data never collected. The mandate is that argument applied to delegation. An agent that borrows its principal's identity turns every action into a disclosure; an agent that carries limited authority instead discloses one fact, that the act was authorised. Scope travels; the person stays home.

Users love the idea of controlling their privacy and hate doing any work for it, as an architect in the telecoms world put it to me in a public thread. Every wallet-based scheme quietly assumes a diligent human curating credentials. A mandate issued by the organisation requires nothing from the person at all. The protective default is set above their head, which is where protective defaults belong.

The alibi

In early 2024 a Canadian tribunal decided a small case with a large implication. An airline's website chatbot had given a passenger incorrect information about bereavement fares; the passenger relied on it and lost money; and the airline argued, in effect, that the chatbot was a separate legal entity responsible for its own actions; the characterisation is the tribunal's own. The tribunal called the submission remarkable and rejected it, holding the airline responsible for information on its own website however delivered. The passenger recovered just over eight hundred Canadian dollars, most of it the fare difference. The award was trivial; the defence was not. The first instinct of a large organisation, when its software agent misled a customer, was to point at the agent. Mõtsküla builds on the same case from the liability side, and his conclusion is the sharper for being a lawyer's: courts already attribute the agent's acts upward to the operator, so a personal status for the agent would not fill a gap, it would open one, handing everyone behind the agent a place to hide. His bleakest version is the state's own agents: give a tax agent an identity and "the official decided" becomes "the system decided", an alibi at national scale.

A Munich court reached the same wall from the other side in May 2026, holding that Google's AI-generated search summaries are Google's own statements, not third-party content it merely surfaced; the generated answer made claims that appeared in none of its sources, and the ability of users to check those sources, the court said, does not exempt whoever made the claim. The ruling is under appeal and is an injunction rather than settled precedent, but the instinct it rejected is the one that matters here. Two legal systems, two years apart, the same submission refused twice: the machine is not a place to put the blame.

Give agents identities and you industrialise that instinct. A pseudo-personal agent, with its own register entry, its own credentials, its own legible personhood, is a ready-made defendant. The operator points at the agent; the deploying organisation points at the operator; the person harmed stands in front of an empty chair. I have written elsewhere about how databases do their dehumanising in advance, abstracting a person into a category before any harm is proposed. Agent identity is the same machinery run in the opposite direction: it de-responsibilises the operator in advance. One abstraction prepares the target; the other prepares the alibi.

In Khan's formulation, an independently issued credential does one precise thing: "It moves the cost of failure onto a party who agreed to bear it." That relocation is what the mandate has and the identity lacks. A mandate has an issuer, and the issuer agreed, by issuing, to own the consequences within the granted scope. An identity has no such structure; it merely names a new party onto whom cost can be shifted. The mandate concentrates accountability; the identity diffuses it. The difference between those two verbs will decide whether anyone harmed by an agent ever finds someone answerable.

The honest limit

One objection is simply correct: revocation, the property that makes a mandate a credential rather than a promise, degrades exactly when you need it most.

A mandate that can only be checked by calling its issuer stops working the moment the issuer is unreachable, and the places agents are most useful, the edge, the field, the crossing, are precisely where connectivity fails first. Khan's essays are candid about this in a way most of the industry is not: shorter validity periods and aggressive re-checking shrink the window in which withdrawn authority is still honoured, but nothing closes it. There is always an interval in which a disconnected verifier acts on authority that no longer exists.

The design answer is to stop treating the mandate as a binary. Give it a freshness window and let its powers decay as it ages: full scope while fresh, a narrower read-only scope past a threshold, then nothing, all of it checkable offline, with the failure posture chosen in advance rather than left to whatever the code does unwatched. Revocation stops being "is this authority live right now?", a question the disconnected edge cannot answer, and becomes "how much staleness will I accept for this action?", a question it can answer locally, per action, against a policy someone accountable wrote down. Degradation becomes a property of the credential, not the verifier. The gap in revocation does not close; it becomes bounded, legible, and owned. Which is all any honest trust system has ever offered.

One limit remains to be stated just as plainly. Decay handles age, not theft. A mandate that has been compromised needs to die the moment its issuer knows, and no freshness window carries that signal to a verifier that cannot be reached; until the clock takes its powers away, a stolen mandate keeps whatever scope its age still allows. Decay bounds what a compromised credential can do while the signal is in transit. It does not deliver an instant kill, and a design that claims otherwise is hiding the interval rather than declaring it.

What to build, whatever we call it

Estonia's instinct to move early is right; the register is the wrong object. The requirement underneath it stands, and it needs no invented person: every consequential act by an agent should carry proof of a mandate, independently issued by a party with something to lose, scoped in advance, revocable in a way whose limits are declared rather than hidden, and owned by an accountable principal a harmed party can actually reach. That holds for an agent acting for another agent too; the chain of mandates must survive the same test at every link, a problem hard enough to deserve its own treatment. And none of this stops an agent acting without a mandate. It makes the absence legible, which is all any credential has ever done for the party checking it. Not a name for the agent. A signature block for the act.

There is a version of "world's first" still available here, and it is the better one. Mandates will need a common format the way signatures needed one; a counterparty has to be able to read a collar from an issuer it has never met. A state that moved early on standardising the mandate schema, what it must contain, how scope is expressed, how revocation and its limits are declared, would be building the layer everyone else inherits, which is what Estonia actually did the last time it earned the reputation. That is the announcement worth making.

The navy solved this with two words and a designation letter, and the solution has outlasted every officer who ever used it, because it refuses the one move that feels most natural and costs the most: turning the instrument into a person. The agent does not need your identity, and you should decline, firmly, every architecture that offers to lend it. What the agent needs is what any junior officer signing for the captain has always needed. Authority, in writing, with limits, from someone who answers for it.

By direction is enough.

Share this essay

If this resonates with someone in your security, privacy, or policy network, pass it along.

Levi Hankins is founder & CEO of Third Rail Systems OÜ (Tallinn). Twenty-year US Navy veteran. Writes on data exposure, minimum-disclosure architecture, and the corporate ethics of duty-of-care. Follow on LinkedIn.
v1.0 · Tallinn · EU-Native