Estonia becomes the first in the world to introduce digital passports for AI agents: a revolution in access management

Estonia is taking another step towards total digitalization of public administration. The Eesti.ai Council under Prime Minister Kristen Michal has approved an ambitious project to create a digital identity for AI agents — the so-called AI-isikukood. This is a fundamentally new approach: artificial intelligence will receive an official "digital passport" that allows it to act on behalf of a person, company, or government agency, but within strictly limited and verifiable boundaries.
According to Michal, in the near future, AI will increasingly perform routine digital operations: preparing reports, filling out tax declarations, or interacting with information systems. The key issue is transparency: who exactly is acting, on whose behalf, with what authority, and who bears responsibility for the result. The AI-isikukood project aims to provide clear answers to these questions.
Limited Authority Instead of "Universal Access"
The main problem that the new system solves is excessive access. Currently, users are often forced to grant AI assistants overly broad permissions, creating serious risks. The Estonian model proposes issuing AI agents "limited, controlled, and auditable authority." The agent will only be able to perform pre-defined actions: view specific data, process a payment within a limit, or prepare a particular document. No unauthorized actions or unpredictable operations.
The technical architecture, exact launch timelines, and mechanisms of liability for potential damages have not yet been disclosed. However, it is already clear that the project relies on Estonia's powerful existing digital infrastructure: electronic IDs for citizens and the e-Residency program for foreigners. Starting in 2026, each agency will be able to launch its own personalized AI agent within the unified cooperative network Bürokratt.
A Systematic Approach: From Education to Infrastructure
The Eesti.ai initiative, launched on January 27, has already yielded initial results. On April 9, the council approved 15 projects with high expected impact, covering education, healthcare, entrepreneurship, the public sector, and infrastructure. By June, some projects had moved into the analysis, market consultation, and tender stages. The fastest progress is in AI skills training — which is logical, since without competent users, any technological innovation remains dead weight.
In parallel, the Aruait project is being developed — a sovereign management layer for AI agents in the public sector. It is intended to define the technical architecture, pilot scenarios, and collaboration models for systems acting on behalf of people, companies, or government bodies.
My comment: Estonia once again demonstrates that a digital state is not just about convenient services, but a fundamentally new level of risk management. Introducing digital IDs for AI agents is not a technological fetish, but a pragmatic response to the growing problem of controlling autonomous systems. If the project is successfully implemented, we will see a precedent that other countries will begin to copy within the next 2-3 years. However, the main question remains open: how will the mechanism of legal liability work when an AI agent, acting within its "limited authority," still causes damage?