Papers
Topics
Authors
Recent
Search
2000 character limit reached

Agentic AI Accounts Overview

Updated 7 July 2026
  • Agentic AI accounts are authenticated, delegated identities enabling goal-directed execution and auditable actions in digital and enterprise systems.
  • They incorporate scoped delegation, verifiable intent tokens, and separate agent identities to ensure secure and controlled operational authority.
  • Practical applications include workflow automation, enterprise API integration, and delegated governance while preserving human accountability.

Searching arXiv for papers on agentic AI accounts, delegation, security, enterprise integration, and organizational use. “Agentic AI accounts” can be understood as the account-linked, delegated, authenticated, and policy-bounded arrangements through which AI agents act on behalf of users, organizations, or protocols across online services, enterprise systems, and governance environments. In the current literature, the concept appears in several closely related forms: user-authorized agents on the “agentic web”; enterprise agents treated as first-class principals in API and IAM layers; workflow-scoped or contract-scoped service identities for autonomous execution; and account-like decision agents in decentralized governance. Across these forms, the common technical themes are goal-directed execution, distinct identity, scoped delegation, auditable action, and the retention of human responsibility, judgment, and accountability at consequential boundaries (Pattison et al., 9 Jun 2026, Tupe et al., 22 Jan 2025, Goswami, 16 Sep 2025, Koch et al., 15 Jun 2026).

1. Conceptual scope and distinguishing features

Agentic AI is repeatedly defined as something more than reactive generative AI. One paper characterizes it as systems that can “autonomously pursue goals, make decisions, and execute actions autonomously over time,” in contrast to traditional generative AI, which is framed as reactive and prompt-driven (Mukherjee et al., 1 Feb 2025). Another defines the agentic web as a future web in which users “interact with the internet largely through agents acting on their behalf,” where agents can “search, negotiate, transact, and otherwise coordinate on their principals’ behalf across much of their online lives” (Pattison et al., 9 Jun 2026). Enterprise API work describes the same shift from “human-driven, predefined, stateless interactions” to “goal-oriented execution,” “dynamic adaptation,” “multi-turn orchestration,” and “context continuity” (Tupe et al., 22 Jan 2025).

Within that framing, an “account” is no longer only a human-held credential container. It becomes a locus of delegated agency. The web-governance literature is explicit that, “If a user is entitled to access content or a service, they should be permitted to delegate that access to an appropriately authenticated agent acting on their behalf,” provided the agent acts “within a user-authorized scope, for user-defined purposes, and subject to limits that the user would also be constrained by” (Pattison et al., 9 Jun 2026). Enterprise-security work makes the complementary claim that autonomous AI agents should not simply inherit a monolithic application identity; each agent is a more natural basis for identity, authorization, and audit (Goswami, 16 Sep 2025).

A central misconception addressed across the literature is that agentic AI accounts are equivalent either to generic bots or to “digital employees.” The agentic web paper draws a sharp distinction between “user-authorized, authenticated, scoped agents” and malicious bots characterized by stealth, impersonation, or large-scale abuse (Pattison et al., 9 Jun 2026). The enterprise integration paper is equally explicit that near-term value “does not lie in full autonomy or workforce reduction,” but in “controlled partial autonomy” for bounded, verifiable business work (Koch et al., 15 Jun 2026). A plausible implication is that the account metaphor is most accurate when it denotes delegated operational authority rather than independent personhood.

2. Delegation, identity, and authorization primitives

The strongest convergence in the literature concerns identity and delegated authority. Enterprise API research argues that enterprises must manage “agent identities as first-class principals, not just human users,” and proposes agent-specific roles such as Support Agent, Analytics Agent, and Order Processing Agent, paired with fine-grained OAuth 2.0 scopes such as order:read and profile:update (Tupe et al., 22 Jan 2025). The same work proposes agent-specific headers for context IDs, intent, role identifiers, human-vs.-AI differentiation such as X-Agent-Type: AI, timestamp metadata such as X-Data-LastUpdated, and recovery hints such as X-Error-Recovery: RetryAfter=60s (Tupe et al., 22 Jan 2025).

The normative-web literature pushes this toward interoperable delegated access. It explicitly names OAuth 2.0, OpenID Connect, W3C Verifiable Credentials, and Decentralized Identifiers (DIDs) as the relevant protocol substrate, and suggests a machine-readable agent-permissions.json analogous to robots.txt (Pattison et al., 9 Jun 2026). Its core principle is that a delegate does not assert a new entitlement of its own; it exercises the principal’s existing right within scope, purpose, and authorization boundaries (Pattison et al., 9 Jun 2026).

The most detailed protocolization of this model appears in “Agentic JWT.” A-JWT introduces a “dual-faceted intent token” that binds each action to verifiable user intent and, optionally, to a specific workflow step. The token carries an agent identity as a one-way checksum hash derived from prompt, tools, and configuration; a chained delegation assertion that records which downstream agent may execute a task; and per-agent proof-of-possession keys to prevent replay and in-process impersonation (Goswami, 16 Sep 2025). At token-minting time, the identity provider checks that the agent exists and is registered, that the runtime checksum matches the registered checksum, that the current workflow step is authorized, and that delegation-chain integrity holds; at resource-server time, the server verifies JWT signature, proof-of-possession, and optionally shim integrity via X-Shim-Checksum (Goswami, 16 Sep 2025). The reference implementation reports functional blocking of scope-violating requests, replay, impersonation, and prompt-injection pathways with sub-millisecond overhead on commodity hardware (Goswami, 16 Sep 2025).

Enterprise deployment guidance converges on the same operational conclusion from another angle: agents should have “distinct identities rather than operating through shared service accounts or human identities”; they should be bound by “least privilege, auditable actions, and revocable credentials” (Koch et al., 15 Jun 2026). Taken together, these papers define the minimum substrate of an agentic AI account as identity separation, scoped delegation, verifiable intent, and auditable execution.

3. Enterprise accounts as controlled execution layers

In the enterprise literature, agentic AI accounts are not positioned as unrestricted autonomous workers, but as controlled execution layers for bounded business processes. The “Integrator Advantage” paper states that the near-term payoff comes from “partial autonomy applied to simple and medium-complexity processes that are frequent, digital, semi-structured, and verifiable” (Koch et al., 15 Jun 2026). Its proposed Agentic AI Integration Framework for SMCs (AIF-SMC) has five interlocking components: use-case suitability, autonomy level, technical integration, governance, and employee enablement (Koch et al., 15 Jun 2026).

The target processes are notably account-adjacent. On the simple end, the paper names e-mail classification, meeting and ticket summarization, document extraction, FAQ drafting, report condensation, and routing. On the medium-complexity end, it names invoice validation against purchase orders and goods receipts, customer inquiry resolution using CRM and ERP data, offer preparation, supplier comparison, HR onboarding coordination, quality deviation pre-analysis, and service incident triage (Koch et al., 15 Jun 2026). The “customer request agent” blueprint reads incoming e-mails, classifies intent, retrieves customer history and order status, checks policy rules, drafts a reply, and proposes next steps, but early-stage deployment should not allow it to send external communication without approval; escalation is required for complaints, legal threats, price exceptions, special customers, personal data requests, or uncertainty (Koch et al., 15 Jun 2026). The “invoice validation agent” extracts invoice data, checks supplier master data, compares the invoice with purchase order and goods receipt, flags mismatches, drafts an exception note, and prepares a booking or approval proposal, but “cannot release payment autonomously above a threshold or alter master data” (Koch et al., 15 Jun 2026).

The framework’s technical integration model is a seven-layer architecture: human process owner; agent orchestrator; system connectors; knowledge layer; policy and permission layer; evaluation and monitoring; and human-in-the-loop work for approval, exception handling, and accountability (Koch et al., 15 Jun 2026). It also emphasizes three integration patterns—read-first, prepare-and-approve, and standard-case automation with escalation—and recommends Levels 2 to 4 on the autonomy ladder as the realistic target range for SMCs, rather than full autonomy (Koch et al., 15 Jun 2026).

Use-case selection is formalized with the suitability score

S=F+T+St+D+A+V+(6R)+E+BS = F + T + St + D + A + V + (6 - R) + E + B

where FF is frequency, TT manual time, StSt standardizability, DD data availability, AA system access, VV verifiability, RR risk, EE employee acceptance, and BB business value; risk is inverted so lower risk raises the score (Koch et al., 15 Jun 2026). The paper stresses that this is not meant to be mathematically precise, but a shared decision aid to compare candidate processes and avoid hype-driven selection (Koch et al., 15 Jun 2026).

A related design-time framework, STRIDE, generalizes the same caution beyond SMCs. It distinguishes direct LLM calls, guided AI assistants, and fully autonomous agentic AI, and reports 92% modality-selection accuracy, a 45% reduction in unnecessary agent deployments, and a 37% reduction in compute/API usage across 30 real-world tasks (Asthana et al., 1 Dec 2025). This reinforces the enterprise view that an agentic account should be provisioned only when task structure truly requires persistent state, multiple tools, dynamic adaptation, and self-reflection.

4. Security, containment, and auditability

Security research treats agentic AI accounts as a materially different risk object because the system does not merely generate outputs; it acts. Enterprise integration work enumerates concrete risks: hallucination, tool misuse, prompt injection, over-privilege, data leakage, non-determinism, over-trust, botsitting, and agent sprawl. Each is paired with a control pattern: retrieval with citations and test sets; tool allowlists and action limits; input isolation and instruction hierarchy; distinct identity and least privilege; data classification and redaction; deterministic rules for critical steps; training and sampling audits; measuring correction time; and an agent register with lifecycle management (Koch et al., 15 Jun 2026).

The MAAIS framework recasts this as a lifecycle-aware, multilayer defense model organized around CIAA: Confidentiality, Integrity, Availability, and Accountability (Arora et al., 19 Dec 2025). Its seven layers are Infrastructure Security, Data Security, Model Security, Agent Execution and Control, Accountability and Trustworthiness, User and Access Management, and Monitoring and Audit (Arora et al., 19 Dec 2025). The dedicated “Agent Execution and Control” layer is especially relevant to agentic accounts because it addresses execution sandboxing, policy enforcement, runtime safety verification, and secure API and tool-integration controls (Arora et al., 19 Dec 2025). The framework’s MITRE ATLAS mapping further makes “Impact” a joint concern of Accountability and Trustworthiness plus Agent Execution and Control, indicating that harmful autonomous action is treated as both a governance and a security event (Arora et al., 19 Dec 2025).

A complementary architectural security proposal appears in Aspective Agentic AI (A2AI), which rejects shared-transcript, centrally directed multi-agent architectures in favor of aspect-bound, situated, reactive agents. In its pandemic-report experiment, A2AI achieved zero information leakage, while the native AutoGen baseline maintained confidentiality only 63% of the time for authority-based disclosure, 37% for fictional declassification, and 17% for fabricated policy update, implying leakage in up to 83% of cases (Bentley et al., 3 Sep 2025). The key design principle is that a public-facing agent cannot leak information it never had access to, because each stakeholder group sees only its own policy-constrained aspect of the environment (Bentley et al., 3 Sep 2025).

Across these papers, the security posture of agentic AI accounts is consistently zero-trust-oriented. Identity must be separate; permission must be narrow; runtime behavior must be constrained; audit trails must be immutable; and accountability must remain reconstructible after the fact.

5. Evaluation, metrics, and empirical evidence

Because agentic AI accounts act through workflows rather than isolated outputs, evaluation shifts from static correctness to trajectory alignment, decision quality, oversight burden, and organizational effect. The shopping-assistant evaluation paper is explicit that multi-turn human–AI interaction is inherently variable, so evaluation becomes comparison of “interaction trajectories, subjective judgments, and decision processes” rather than scoring a fixed output (Sun et al., 25 Sep 2025). In its one-to-one digital-twin study of Amazon Rufus, the authors retained 40 human participants, collected 80 human shopping sessions, and compared them with persona-grounded LLM agents. The buy/add-to-cart F1 is reported as 0.9; normalized edit distance is FF0 with FF1; similarity is FF2 with FF3; and first-message cosine similarity is around 0.49 (Sun et al., 25 Sep 2025). The results are explicitly nuanced: digital twins capture the broad skeleton of interaction and many functional judgments, but agents explore more broadly, click more recommended items and more related questions than humans, and exact product overlap is only about 1.3% of cases (Sun et al., 25 Sep 2025). The paper therefore treats digital twins as a scalable first layer of evaluation, not a substitute for human studies (Sun et al., 25 Sep 2025).

A more institutionally consequential evaluation appears in DAO governance. DAO-AI constructs an autonomous “agentic voter” over 3,382 proposals in practice, using IBM’s Agentics framework and four MCP tools for proposal metadata, forum context, voting dynamics, and market response (Han et al., 24 Oct 2025). Its simulated decisions match final DAO outcomes in 92.5% of cases, compared with 76.6% for the average human voter; proposal-level averages include FF4, FF5, and FF6 (Han et al., 24 Oct 2025). Yet the contested-proposal analysis shows a meaningful limit case: for proposals with FF7, FF8, FF9, and TT0 (Han et al., 24 Oct 2025). This suggests that account-like AI participation may align strongly with routine collective outcomes while becoming less reliable under fragmented or ambiguous governance conditions.

Evidence on actual deployment behavior comes from Codex. The account-level study distinguishes external personal-account users, external organizational-account users, and workers within OpenAI, and reports that weekly active Codex usage increased more than fivefold between January 1 and June 1, 2026 (Johnston et al., 25 Jun 2026). It also finds that more than 10% of users manage three or more concurrent Codex agents at some point each week, 26.6% use skills, and the share of individual users who submit at least one request estimated to require more than eight hours for an experienced human to complete increased nearly tenfold since the start of the year (Johnston et al., 25 Jun 2026). Within OpenAI, Codex accounts for more than 99% of output tokens generated across Codex and ChatGPT in recent weeks; in June 2026, the median OpenAI employee in a legal role generated 13 times more monthly output tokens across Codex and ChatGPT than in November 2025, while the median researcher generated more than 50 times as many (Johnston et al., 25 Jun 2026). These figures indicate that, in practice, some agentic accounts are already used not just for single delegated tasks but for concurrent workflow management and reusable workflow systematization.

6. Organizational, economic, and interface models

The literature increasingly treats agentic AI accounts as organizational and economic units rather than merely technical endpoints. PACT models cloud-based agentic AI services as a menu of contracts TT1 under information asymmetry, where users self-select according to willingness to pay and task-specific QoS needs (Yang et al., 27 May 2025). QoS is explicitly multi-dimensional:

TT2

with TT3 representing user satisfaction and TT4 total latency (Yang et al., 27 May 2025). Provider cost includes computational, hardware, model-related, and liability terms:

TT5

The framework reports that liability costs can shift QoS and pricing upward while reducing provider utility under asymmetric information, and argues that agentic AI services should not be priced like generic software subscriptions because quality is task-dependent, subjective in part, and legally exposed (Yang et al., 27 May 2025). In that sense, “account” also denotes a service relationship governed by screening, contractual differentiation, and liability allocation.

Organization theory extends the account metaphor further. “The Organizational Behavior of Agentic AI” argues that agent collectives are a “partial organizational analogue”: they resemble organizations because they differentiate work, coordinate interdependence, perform recurrent routines, cross boundaries, and produce collective outcomes, but differ because these patterns are sustained not by motivation, identity, trust, employment, socialization, or moral accountability, but by “context architecture: prompts, memory, traces, schemas, tools, validators, and permissions” (Liu, 29 Jun 2026). Its central mechanism is contextual transaction cost,

TT6

aggregated over a run as TT7 (Liu, 29 Jun 2026). In simulations of 8,000 synthetic knowledge-work tasks, agent-native forms outperform human-imitation forms by 395.26% in efficiency; adaptive meta-organization improves collective efficiency by 89.24% relative to the single expert; and blackboard memory is 139.44% more efficient than the best human-imitation form (Liu, 29 Jun 2026). This suggests that scalable agentic accounts may be most effective when organized around durable, inspectable shared context rather than literal imitations of teams, committees, or hierarchies.

Interface research adds a communicative constraint. Agentic AI may require “less routine back-and-forth, but more communication for oversight and explanation,” because acting on behalf of a user raises attribution, accountability, and trust-calibration problems (Jang et al., 2 May 2026). The proposed explanation types are action-process explanations, uncertainty explanations, and coordination explanations, with customization affordances allowing users to choose when and which explanations they see (Jang et al., 2 May 2026). A plausible implication is that an agentic account is not fully specified by its credentials and permissions; it also requires an explanation regime through which the principal can inspect, contest, and redirect delegated action.

7. Human responsibility, contested questions, and normative infrastructure

The strongest normative through-line is that agentic AI accounts do not dissolve human responsibility. The “Integrator Advantage” paper formalizes this as the Human Responsibility Core: agents may execute tasks, but accountability stays with human roles and organizational units, including goal-setting, contextual judgment, value judgment, approval, exception handling, relationship management, liability, and continuous improvement (Koch et al., 15 Jun 2026). It also states that if a human is expected to review an output, the organization must provide access to the evidence, criteria, training, and the power to reject or correct it (Koch et al., 15 Jun 2026). This is directly opposed to the “moral crumple zone” described in the autonomy-and-accountability literature, where blame collapses onto the nearest visible human actor even when practical control lay elsewhere (Mukherjee et al., 1 Feb 2025).

Design research reaches a parallel conclusion from a different domain. Professional designers imagined agentic AI as a work coordinator, resource steward, guardian, reframer, and creative catalyst, but repeatedly described it as a “supportive partner” rather than a replacement decision-maker (Wadinambiarachchi et al., 25 Sep 2025). They wanted AI to handle laborious, repetitive, or cognitively cluttering work, while preserving human control over final aesthetic and strategic decisions; creative authority remained “designer-owned, designer-controlled, and context-dependent” (Wadinambiarachchi et al., 25 Sep 2025). This suggests that the account relation remains fiduciary or supervisory even in creative workflows.

The broadest normative claim comes from the agentic web paper, which argues that the technical feasibility of delegated online agents is now obstructed by outdated laws, terms of service, and platform practices that block or degrade agent access “often in secret” (Pattison et al., 9 Jun 2026). It proposes a “normative triad” of Delegation, Transparency, and Proportional Restriction: users should ordinarily be able to exercise entitled access through authenticated agents; platforms should disclose how they handle agents; agents should identify themselves and their principals; and restrictions should be proportional to concrete risks rather than blanket prohibitions (Pattison et al., 9 Jun 2026). The paper is explicit that “The future of the agentic web should be debated publicly before it is locked in privately” (Pattison et al., 9 Jun 2026).

Socio-technical analysis broadens the same point into system design. “Socio-technical aspects of Agentic AI” treats agentic AI as an integrated socio-technical system in which perception, cognition, planning, execution, memory, and learning are co-produced by data governance, accountability structures, organizational practice, law, and social norms (Donta et al., 26 Dec 2025). Its MAD–BAD–SAD framework maps motivations, applications, and moral dilemmas; biases, accountability, and dangers; and societal impact, adoption, and design considerations onto the technical stack (Donta et al., 26 Dec 2025). A plausible implication is that the long-term viability of agentic AI accounts will depend less on whether agents can technically act, and more on whether identity, delegation, security, transparency, liability, and labor arrangements can be made institutionally legible.

The resulting picture is neither one of autonomous digital personhood nor one of ordinary software accounts with a larger prompt budget. Agentic AI accounts are emerging as delegated, scoped, and auditable action-capable identities whose legitimacy depends on technical containment, organizational integration, and normative settlement.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (16)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Agentic AI Accounts.