Estonia's move to create official digital identities — or "AI ID codes" — for AI agents is a significant governance milestone. It is also only part of the problem.
According to the Government of Estonia, the Eesti.ai advisory board — established on the initiative of Prime Minister Kristen Michal — has agreed that Estonia should move forward with digital identities for AI agents. The goal is to allow AI systems to act on behalf of people, companies, or organisations within clearly defined limits, in a way that is verifiable and auditable.
Official source: Prime Minister Michal: Estonia to become the first country to create digital identities for AI agents (Government of Estonia).
The rationale is straightforward but important. As AI agents increasingly perform digital tasks — from compiling reports to interacting with information systems — it must be clear who the agent is acting for, what rights it has, and who remains ultimately responsible. Equally important, such a system should allow limited, controllable authority rather than forcing people or organisations to hand over broad access to all their rights, services, and data.
Why this matters
This is a strong step toward accountability. Attribution — knowing which agent acted, on whose behalf, and under what authority — is foundational infrastructure for any serious agentic AI ecosystem. Without it, responsibility becomes diffuse and audits become impossible.
But identity infrastructure is not the same as governance maturity. A verifiable AI ID reduces attribution risks such as impersonation and unclear responsibility. It does not automatically answer deeper operational questions that every organisation deploying agentic AI must still address.
The questions identity does not answer
Organisations still need to assess:
- Is the underlying model or system fit for the task it has been authorised to perform?
- Do the permissions granted to the agent reflect real operational risk, rather than just technical convenience?
- Are outputs being reviewed for error, bias, leakage, misuse, or performance drift over time?
- Does "auditable" mean only that logs exist, or that someone is actually reviewing and acting on them?
A digital identity framework creates important infrastructure for accountability. It does not replace the technical and organisational judgment needed to decide whether an AI agent should have authority in the first place — or to detect when it quietly starts underperforming.
The governance gap
The core challenge: The space between adopting AI systems and truly understanding their risks, controls, and operational limits is where most organisations are currently exposed. Identity frameworks address the attribution layer. They do not address the assessment layer.
This distinction matters in practice. An organisation can deploy an agent with a verified identity and still have no clear view of whether that agent's outputs are accurate, within scope, or safe for the decisions they inform. Structural accountability and technical governance are complementary — but they are not the same thing, and one does not substitute for the other.
Estonia's framework is a serious and promising structural step. The next question for any organisation adopting agentic AI is whether its internal governance and technical review processes are mature enough to use that structure responsibly.
Maple Quanta's perspective
We help organisations with AI readiness assessments, AI governance reviews, model and data audits, risk classification, use-case inventories, and independent technical evaluation. Our approach is vendor-independent and focused on giving clients decision-ready findings, not pushing a product.
The governance gap — between adopting AI systems and genuinely understanding their risks, controls, and operational limits — is exactly the space where rigorous, independent assessment is most valuable.
Assess your AI governance readiness.
Independent, vendor-neutral guidance for organisations deploying agentic AI systems.
Contact Maple QuantaThis briefing is for governance and risk discussion only. It is not legal advice.