REFERENCE · §1 · LAST REVIEWED 2026-04-27
ACF §1 — Identity & Authorisation
Agent identity & authorisation is the discipline of establishing, attributing, and revoking the authority under which an autonomous AI agent takes action on behalf of a regulated firm or its customers — and producing the cryptographic and procedural evidence to prove it.
Existing compliance frameworks assume actions originate from natural persons whose identity is verified at onboarding and re-verified at session level. Agentic systems break both assumptions: actions originate from a model invocation chain, often on behalf of a delegated principal, sometimes triggered by another agent. Identity & Authorisation governs how that chain is rooted, attributed, and revoked. It maps directly to FCA SYSC 6.3, EU AI Act Article 14 (human oversight), MiCA Article 36 (operating conditions), and ADGM FSRA conduct-of-business rules on customer authorisation.
Regulatory anchors
- FCA SYSC 6.3
- EU AI Act Art. 14
- MiCA Art. 36
- ADGM FSRA COBS
- NIST AI RMF Govern 1.6
What this covers
- Principal-agent attribution: which natural or legal person is liable for an agent action
- Delegation and re-delegation chains across multi-agent systems
- Session-level authorisation lifecycle: grant, refresh, revoke
- Customer consent for agents acting on their behalf
- Cryptographic signing of agent actions for non-repudiation
Common gaps
- No documented principal-agent attribution policy — actions land in audit logs without a responsible human
- Customer onboarding consent does not extend to agentic execution
- Revocation is theoretical — there is no kill-switch tested in the last 30 days
- Multi-agent delegation is untracked — agent A invokes agent B with no provenance trail
Related sections
- §2 — Action Perimeter: What an agent must NOT do — technical and policy guardrails on action space.
- §3 — Audit Trail: Every agent action logged with sufficient detail to reconstruct intent and outcome.
- §9 — Customer Disclosure: When and how to disclose to end-users that an agent is taking actions on their behalf.
- §12 — Incident Response: When the agent does the wrong thing — runbook, regulator notification, customer remediation.
Reference compiled by Sebastian Heine. Editorial perspective at The SHeine Brief.