Anthropic just changed how AI agents get access. Worth understanding why it matters.

Claude Tag (their new Slack-native agent) introduces a different authorization model. Instead of the agent acting as the user who invoked it, the agent gets its own identity — scoped per channel, with its own credentials and permissions.

What changes:

  • Old model: “What can this user do?” → agent inherits the requester’s permissions.
  • New model: “What can this agent do in this channel?” → permissions attach to the agent, not the human.

The engineering is solid, and the innovation is amazing. But security and risk seem a bit neglected.

The problems:

  1. Confused deputy. Any channel member can invoke the agent. So a user with no access to a repo can ask the agent to read it, if the channel grants the agent that access. The human’s own permissions are never checked — privilege escalation by design.
  2. Long-lived NHI sprawl. Every channel gets its own scoped identity. That’s a fleet of long-lived, broadly-scoped credentials multiplying by design — the exact problem the industry has spent years failing to contain with human service accounts, now reborn for agents and scaling faster.
  3. Audit gaps. Actions land under a shared service account. In ambient mode across many channels, you lose attribution — you can see that the agent acted, not which human triggered it or why. The log captures identity and config lifecycle, not the substance of what was done.
  4. Missing guardrails. Access is granted at the channel level, not the action level. There’s no least-agency enforcement — once the agent holds a credential, nothing constrains which actions it takes with it. Anthropic’s own advice is “grant generous access from the start.”

What should’ve been done:

  • Effective permissions = agent scope ∩ requesting user’s scope. The agent should never do what the human couldn’t.
  • Action-level least-agency, not channel-level grants.
  • Audit that ties every agent action back to a responsible human.
  • Open the auth layer to an emerging standard like ID-JAG (Identity Assertion JWT Authorization Grant) instead of a proprietary, single-vendor model. It lets the enterprise IdP broker cross-domain access — so agent identity travels across IdPs and tools under central control, not just inside Anthropic’s walls.
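
A minimal sketch of the first three points (agent ∩ user, action-level checks, human attribution), added here as an illustration and not Anthropic's or Claude Tag's code. The grant tables, user and channel names, and the `authorize` function are hypothetical, and permissions are modeled as constructed (resource, action) pairs.

```python
import json
from dataclasses import dataclass

# Constructed sample data (assumption): what the agent may do per channel,
# and what each human may do on their own.
CHANNEL_AGENT_GRANTS = {
    "#payments-eng": {("repo:payments", "read"), ("repo:payments", "open_pr"),
                      ("tickets:PAY", "comment")},
}
USER_GRANTS = {
    "alice": {("repo:payments", "read"), ("repo:payments", "open_pr")},
    "bob": {("tickets:PAY", "comment")},  # channel member with no repo access
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    audit: str  # one JSON line tying the action to the invoking human

def authorize(channel, user, resource, action, request_summary):
    """Allow an action only if it is in agent scope AND the invoker's scope."""
    wanted = (resource, action)
    # Unknown channels or users get an empty scope, so the default is deny.
    agent_scope = CHANNEL_AGENT_GRANTS.get(channel, set())
    user_scope = USER_GRANTS.get(user, set())
    effective = agent_scope & user_scope  # agent scope ∩ user scope
    if wanted in effective:
        allowed, reason = True, "in agent scope and user scope"
    elif wanted in agent_scope:
        # The channel grant alone would have allowed this: confused deputy.
        allowed, reason = False, "user lacks permission (confused deputy blocked)"
    elif wanted in user_scope:
        allowed, reason = False, "agent not granted this action in channel"
    else:
        allowed, reason = False, "neither agent nor user holds permission"
    audit = json.dumps({
        "actor": "agent", "channel": channel, "on_behalf_of": user,
        "resource": resource, "action": action,
        "request": request_summary, "allowed": allowed, "reason": reason,
    }, sort_keys=True)
    return Decision(allowed, reason, audit)

if __name__ == "__main__":
    for who in ("alice", "bob"):
        d = authorize("#payments-eng", who, "repo:payments", "read",
                      "summarize recent commits")
        print(d.audit)
```

Denied requests are logged with the same fields as allowed ones, so a reviewer can see which human attempted an action the channel grant alone would have permitted.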

Credit where due: Anthropic’s own “What’s next” addresses two of these directly — just-in-time credential grants (approve a single sensitive action in the moment without permanently widening scope) and an identity-aware overlay that adds user-level checks, so Claude only acts when both the channel’s profile and the requesting user’s permissions allow it. That’s the agent ∩ user model, and it’s the right direction. The gap is that it’s roadmap, not shipped — and the access model went live with “grant generously” as the default in the meantime.
