Engineering Explainer

When the actor in your systems is an AI

Anthropic, Grab and Meta each shipped infrastructure work this week that, read together, sketches the early blueprint for running autonomous AI agents safely inside a real company.

For the last couple of years, AI assistants have mostly been "single player": it is you and your assistant, and when it needs to do something, it borrows your accounts and acts as you. That is fine when it is your personal helper. But the moment an agent starts operating in a shared space — a team Slack channel, a company codebase, a production database — "acting as you" stops making sense. Who is it, exactly? What is it allowed to touch? And if it is sitting in a shared channel, how do you stop that channel becoming a side door into someone's private files? Anthropic, the ride-hailing company Grab, and Meta all published work this week wrestling with versions of that question. Read together, they sketch three layers of the same emerging stack.

Anthropic gives the agent its own keycard

Anthropic, the team behind Claude, has introduced what it calls agent identity, and the core idea is simple. Instead of an AI agent borrowing a human's credentials, you give the agent its own identity, scoped to the workspace rather than to any individual person. So when Claude acts in a shared environment, it posts in Slack as the Claude app, opens pull requests as the Claude GitHub App, and queries the data warehouse under its own service account. It is not pretending to be you. It is itself, with its own clearly bounded permissions.

The clever part is how those permissions are compartmentalised. An administrator sets a baseline identity at the workspace level, and then each channel can inherit or override it. You might give your engineering channel access to GitHub and the data warehouse, while a connection to your customer database is confined to one specific private channel. And the boundaries are real: each private channel gets its own distinct identity, and what Claude learns in a private channel never leaks into the wider workspace. Under the hood, credentials are injected only at the network boundary, at the moment of the request, and any outbound traffic to a host the admin has not explicitly allowed is simply blocked.

Here is the genuinely new wrinkle, and it is worth pausing on. Because the agent has its own identity, it can sometimes be granted access to a system that you, personally, cannot reach. That is a real departure from how access normally works — we are used to software acting strictly within the permissions of the human driving it. The plain-English version: instead of giving your new shared assistant a copy of every employee's personal badge, you give the assistant its own keycard, cut to open only the rooms that team actually needs. Anthropic also flags what is coming next — just-in-time grants, where you approve a single sensitive action without permanently widening what the agent can do.
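To make the scoping model concrete, here is an added example (written for this explainer, not Anthropic's code) of how a workspace baseline, per-channel inherit-or-override policies, a distinct identity per private channel, and an egress allowlist checked at the network boundary can be resolved into one effective identity. The workspace name, channel names, connector names and hosts are constructed, and the inherit semantics (baseline plus channel additions) are an assumption made for the illustration.

```python
"""Workspace-scoped agent identity with per-channel overrides.

Added illustration, not Anthropic's implementation. The rule that an
inheriting channel merges its grants with the workspace baseline, while an
overriding channel replaces it, is an assumption made for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """What the agent *is* in a given channel: a principal plus its grants."""
    principal: str            # service account the agent acts as
    connectors: frozenset     # integrations it may use here (GitHub, warehouse...)
    allowed_hosts: frozenset  # outbound hosts the admin explicitly allowed
    memory_scope: str         # where anything it learns in this channel is kept


@dataclass
class ChannelPolicy:
    private: bool = False
    inherit: bool = True      # inherit the workspace baseline, or replace it?
    connectors: set = field(default_factory=set)
    allowed_hosts: set = field(default_factory=set)


class Workspace:
    def __init__(self, name: str, baseline: ChannelPolicy):
        self.name = name
        self.baseline = baseline
        self.channels = {}    # channel name -> ChannelPolicy

    def resolve(self, channel: str) -> Identity:
        """Compute the agent's effective identity for `channel`."""
        chan = self.channels.get(channel, ChannelPolicy())
        if chan.inherit:
            connectors = self.baseline.connectors | chan.connectors
            hosts = self.baseline.allowed_hosts | chan.allowed_hosts
        else:                 # override: the channel policy replaces the baseline
            connectors = set(chan.connectors)
            hosts = set(chan.allowed_hosts)
        # A private channel gets its own principal and its own memory scope, so
        # what the agent learns there is never visible to the wider workspace.
        if chan.private:
            principal = f"{self.name}-agent/{channel}"
            memory = f"{self.name}/{channel}"
        else:
            principal = f"{self.name}-agent"
            memory = f"{self.name}/shared"
        return Identity(principal, frozenset(connectors), frozenset(hosts), memory)


def egress_allowed(identity: Identity, host: str) -> bool:
    """Checked at the network boundary: any host not on the list is blocked."""
    return host in identity.allowed_hosts


def example_workspace() -> Workspace:
    """Constructed sample: Slack everywhere, GitHub and the warehouse in
    engineering, the customer database only in one private channel."""
    ws = Workspace("acme", ChannelPolicy(connectors={"slack"},
                                         allowed_hosts={"slack.com"}))
    ws.channels["eng"] = ChannelPolicy(
        connectors={"github", "warehouse"},
        allowed_hosts={"api.github.com", "warehouse.internal"})
    ws.channels["support-private"] = ChannelPolicy(
        private=True, inherit=False,
        connectors={"customer-db"}, allowed_hosts={"customers.internal"})
    return ws


if __name__ == "__main__":
    ws = example_workspace()
    for ch in ("eng", "support-private", "random"):
        ident = ws.resolve(ch)
        print(ch, ident.principal, sorted(ident.connectors),
              egress_allowed(ident, "customers.internal"))
```

Note that the private channel is both a different principal and a different memory scope: a request from the engineering channel to `customers.internal` fails the egress check even though the same agent, under a different identity, can reach it from the private channel.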

Grab builds the locked box to run it in

Grab — the Southeast Asian ride-hailing and delivery company — published the second part of a series on a platform it calls Palana, described as a Kubernetes-native secure execution platform for autonomous AI agents. In plain terms: a locked-down box where an agent runs, with its actions controlled and recorded.

Grab's framing is sharp. Agents are most valuable exactly when they act in real environments — and that is also exactly when they become dangerous, because an agent calls tools, tools call services, and services use real credentials. So Grab puts hard controls at the points where actions cross a trust boundary. Each agent runs in its own isolated namespace with default-deny networking — it cannot talk to anything unless explicitly allowed.

Make useful autonomy boring to operate — attributable, inspectable, revocable, and recoverable.

The standout mechanism is what Grab calls proxy-only secrets. The real credential — say, an API token — is kept in a vault the agent literally cannot read. The agent is handed an inert placeholder that only works if the request is routed through an approved proxy. So the agent can cause a credentialed action to happen without ever holding the credential itself. If the agent goes rogue or gets manipulated, there is no secret for it to steal, because it never had one. Think of it like a hotel keycard that opens your room but never reveals the master key.

Grab layers on a couple of operational touches. Every call the agent makes to a language model is tagged with the agent's identity derived from the system itself, not from anything the agent claims — so every action is attributable to a specific agent. And there is an idle-shutdown reaper that watches signals like proxy logs and activity; when an agent has been idle a while, it stops the compute but preserves all the agent's state and data, so it can be cheaply resumed later — like a guest who has checked out of the room while their belongings stay safe in the hotel vault.
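The proxy-only-secrets mechanism, together with default-deny egress and system-derived identity tagging, is easier to see in code. The following is an added example written for this explainer, not Grab's Palana code (and it also illustrates the "credentials injected only at the network boundary" idea from the Anthropic section above). The vault contents, hosts, agent ids and the placeholder format are all constructed.

```python
"""Proxy-only secrets: the agent holds an inert placeholder, the proxy
swaps in the real credential at the trust boundary.

Added illustration, not Grab's or Anthropic's code. Vault entries, the
egress allowlist and agent ids are constructed sample data.
"""
import secrets
from dataclasses import dataclass

# Real credentials, keyed by (agent, destination host). The agent process
# has no path to this mapping; only the proxy reads it.
VAULT = {
    ("agent-7", "payments.internal"): "real-token-ABC",
}

# Default-deny networking: an agent reaches only the hosts listed for it.
EGRESS_ALLOWLIST = {
    "agent-7": {"payments.internal"},
    "agent-8": {"payments.internal"},   # allowed host, but no vault entry
}

# Placeholders handed to agents. They carry no secret material and mean
# nothing outside this proxy.
PLACEHOLDERS = {}


def issue_placeholder(agent_id: str, host: str) -> str:
    """Mint an inert token bound to one agent and one destination."""
    token = "ph_" + secrets.token_hex(8)
    PLACEHOLDERS[token] = (agent_id, host)
    return token


@dataclass
class Request:
    host: str
    path: str
    auth: str    # whatever the agent put in the Authorization slot


class Denied(Exception):
    pass


def proxy(request: Request, runtime_agent_id: str, audit: list) -> dict:
    """Forward `request` on behalf of an agent, injecting the real credential.

    `runtime_agent_id` is supplied by the platform (for example from the
    pod's service account), never taken from the request itself, so every
    audit line is attributable to the agent the system actually scheduled.
    """
    allowed = EGRESS_ALLOWLIST.get(runtime_agent_id, set())
    if request.host not in allowed:
        audit.append((runtime_agent_id, request.host, "DENY egress"))
        raise Denied(f"{request.host} is not an allowed destination")

    # The placeholder must have been issued to this agent for this host;
    # a placeholder lifted from another agent is useless here.
    if PLACEHOLDERS.get(request.auth) != (runtime_agent_id, request.host):
        audit.append((runtime_agent_id, request.host, "DENY placeholder"))
        raise Denied("placeholder not valid for this agent and host")

    real = VAULT[(runtime_agent_id, request.host)]
    audit.append((runtime_agent_id, request.host, "ALLOW"))
    # Credential injected here, at the boundary. The agent never saw it.
    return {
        "host": request.host,
        "path": request.path,
        "authorization": f"Bearer {real}",
        "x-agent-id": runtime_agent_id,     # derived from the runtime, not claimed
    }


if __name__ == "__main__":
    log = []
    ph = issue_placeholder("agent-7", "payments.internal")
    print(proxy(Request("payments.internal", "/charge", ph), "agent-7", log))
    for r, who in ((Request("evil.example", "/", ph), "agent-7"),
                   (Request("payments.internal", "/charge", ph), "agent-8")):
        try:
            proxy(r, who, log)
        except Denied as e:
            print("denied:", e)
    print(log)
```

The audit list doubles as the activity signal an idle-shutdown reaper could watch: a proxy that has logged nothing for an agent in a while is a reasonable cue to pause its compute while leaving its state untouched.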

Meta makes the data underneath classifiable

Meta shifts from the agent to the data the agent touches. Its post is about privacy-aware infrastructure in what it calls the AI-native era, and it tackles a deceptively hard problem: to enforce privacy rules, your systems first have to know what a given piece of data actually is. The running example is perfect. Imagine a database field called "age". Is that a person's age — sensitive personal data that needs strict protection — or is it a cache time-to-live value, a harmless number measured in seconds? Guess wrong in one direction and you slap heavy restrictions on a harmless pipeline; guess wrong in the other and you leave a privacy gap.

Meta's answer is a deterministic-first funnel. Fast, fixed, human-reviewed rules handle the overwhelming majority of cases — and only the genuinely novel or ambiguous ones get escalated to a large language model. The numbers tell the story: in production, the deterministic rules resolve roughly eighty-five percent of traffic in single-digit milliseconds, while the language model handles the remaining fifteen percent — and that AI path costs something like four hundred times the compute. So Meta reserves the expensive, powerful tool for exactly the hard cases that need it, then distils what the model learns back into the fast rules for next time.

A couple more details are worth borrowing. Before asking the model anything, Meta assembles an "evidence brief" — the supporting and contradicting signals — because, as the team puts it, context beats prompts. It keeps the system that grades quality independent from the system being optimised, so the model cannot mark its own homework. And for that grading it uses a panel of three independent AI judges with different strategies, majority-voted. The "age" field, by the way, really did trip the system up until it was given enough context to see it resolved to a cache value. The honest analogy is a hospital triage nurse: routine cases get handled instantly by a fixed checklist, only the unusual ones go to the expensive specialist, and whatever the specialist learns gets written into the checklist.
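Here is an added example of a deterministic-first funnel of the kind described above (illustrative code written for this explainer, not Meta's system): fixed rules run first, an evidence brief of supporting and contradicting signals is assembled for whatever the rules cannot settle, a stand-in model decides from that brief, an independent three-judge panel votes on the verdict, and an accepted verdict is distilled into a new rule so the next identical column never reaches the model. The column data, the rules, the judges and the stand-in for the model call are all constructed.

```python
"""Deterministic-first classification funnel with an evidence brief,
an independent judge panel, and distillation back into fixed rules.

Added illustration, not Meta's implementation. `model_classify` stands in
for a language-model call and decides from the brief alone; the rules,
judges and sample columns are constructed.
"""
from dataclasses import dataclass, field

CACHE_SIBLINGS = {"key", "ttl", "expires_at", "hit_count"}
PEOPLE_WORDS = ("user", "person", "customer")


@dataclass
class Column:
    table: str
    name: str
    neighbours: tuple        # names of sibling columns in the same table
    sample_values: tuple


@dataclass
class Verdict:
    label: str               # "PERSONAL" or "NON_PERSONAL"
    path: str                # "rule" (fast) or "model" (slow)
    evidence: dict = field(default_factory=dict)


# Stage 1: fast, fixed, human-reviewed rules. Each returns a label or None.
def rule_obvious_pii(col: Column):
    if col.name in {"email", "ssn", "phone_number", "date_of_birth"}:
        return "PERSONAL"
    return None


RULES = [rule_obvious_pii]


def _numeric(col: Column):
    return [v for v in col.sample_values if isinstance(v, (int, float))]


def evidence_brief(col: Column) -> dict:
    """Supporting and contradicting signals, gathered before any model call."""
    vals = _numeric(col)
    support, contradict = [], []
    if any(w in col.table for w in PEOPLE_WORDS):
        support.append(f"table {col.table!r} looks like a people table")
    if vals and max(vals) <= 130:
        support.append("values fit a human lifespan")
    if vals and max(vals) > 130:
        contradict.append("values exceed any human age")
    if CACHE_SIBLINGS & set(col.neighbours):
        contradict.append("siblings look like cache metadata")
    return {"supporting": support, "contradicting": contradict}


def model_classify(brief: dict) -> str:
    """Stand-in for the expensive model call: weighs the brief's two sides."""
    s, c = len(brief["supporting"]), len(brief["contradicting"])
    return "PERSONAL" if s > c else "NON_PERSONAL"


# Stage 3: three independent judges with different strategies, majority-voted.
# None of them reuses model_classify, so the model does not grade itself.
def judge_by_values(col: Column, label: str) -> bool:
    vals = _numeric(col)
    looks_human = bool(vals) and max(vals) <= 130
    return (label == "PERSONAL") == looks_human


def judge_by_table(col: Column, label: str) -> bool:
    people = any(w in col.table for w in PEOPLE_WORDS)
    return (label == "PERSONAL") == people


def judge_by_neighbours(col: Column, label: str) -> bool:
    cachey = bool(CACHE_SIBLINGS & set(col.neighbours))
    return (label == "NON_PERSONAL") == cachey


JUDGES = [judge_by_values, judge_by_table, judge_by_neighbours]


def panel_accepts(col: Column, label: str) -> bool:
    return sum(j(col, label) for j in JUDGES) >= 2


def distil(col: Column, label: str) -> None:
    """Write an accepted model verdict into the fast rules for next time."""
    key = (col.table, col.name)

    def learned_rule(c: Column, key=key, label=label):
        return label if (c.table, c.name) == key else None

    RULES.append(learned_rule)


def classify(col: Column) -> Verdict:
    for rule in RULES:
        label = rule(col)
        if label:
            return Verdict(label, "rule")
    brief = evidence_brief(col)          # context beats prompts
    label = model_classify(brief)
    if panel_accepts(col, label):        # only vetted verdicts become rules
        distil(col, label)
    return Verdict(label, "model", brief)


if __name__ == "__main__":
    age_ttl = Column("cache_entries", "age", ("key", "value", "hit_count"), (3600, 86400))
    print(classify(age_ttl))             # model path, NON_PERSONAL
    print(classify(age_ttl))             # rule path: the verdict was distilled
```

Run twice on the same column, the second call never touches the model: that is the distillation step, and it is why the deterministic share of traffic grows over time rather than staying fixed. A verdict the panel rejects is still returned, but it is not written into the rules.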

The threads

Step back and look at the three together. Anthropic gives the agent its own scoped identity. Grab builds the isolated, audited box to run it in, with the real secrets kept out of its reach. And Meta makes the data underneath classifiable, so privacy rules can actually be enforced as AI starts touching everything. They are three layers of the same emerging stack: identity, isolation, and data-awareness for a world where the actor inside your systems is increasingly an autonomous AI.

The shared instinct across all three is the part worth holding onto — give the AI enough room to be genuinely useful, but keep every one of its actions attributable, bounded, and reviewable. Security and privacy as the foundation you build on, not a tax you bolt on at the end. The quiet message is that the hard problems of the AI era often are not about the models at all. They are about the unglamorous plumbing around them — who the AI is, what it can reach, and what it is allowed to know. The companies figuring that out now are the ones who will be able to deploy this stuff at scale.