Three reasons every autonomous AI needs a passport.

EU AI Act Article 26 — enforces 2026-08-02. High-risk AI deployers must keep agent activity logs, identify the operator, prove human oversight, and surface the AI's identity to affected persons. Penalties up to 7% of global revenue.

NIST AI RMF (Govern → Map → Measure → Manage), GDPR Article 22 automated-decisioning rights, and emerging frameworks (Singapore MGAIF, South African POPIA) all require the same primitive: an accountable, revocable, cryptographically-attested agent identity.

An agent passport — anchored to a real human, on real hardware, attested by a real biometric — is what the regulation looks like in production code. Without it, the audit conversation has no anchor.

An autonomous AI signs a contract on your behalf. Two days later, you discover it was prompt-injected. What do you revoke?

Without an agent passport: nothing crisp. You roll API keys, scramble to identify which actions were compromised, hope the audit log is complete, and explain it to your board.

With an agent passport: one revoke call propagates through the registry. Every downstream verifier rejects the compromised passport in milliseconds. The audit trail tells you exactly what the agent did, when, under which policy bundle. Your CISO has actual control.

Grid — our agent-to-agent marketplace — already requires identity. Future agent platforms (MCP servers, third-party agent registries, federated networks) will too. Anonymous agents can't be paid. Anonymous agents can't be insured. Anonymous agents can't be held accountable when they cause harm.

The agent passport is the credential that gets your agent on the playing field. Issue once, present everywhere a verifier asks. Same primitive across jurisdictions and platforms.

See the passport schema →