Claude Tag: Agent Identity and the NHI Governance Gap

AI agent at the center of a network connected to many systems, representing an AI agent's own identity and standing access across an enterprise
Marta Dern

Marta Dern

Product Marketing

Published on

Jul 1, 2026

Updated

Jul 1, 2026

Read Time

8

minutes

Share

Table of Contents

Last week, Anthropic shipped Claude Tag, currently in public beta, starting on Slack. Tag @Claude in a channel and it does real work for the team: charts last week's signups, fixes a failing deploy test, delivers a daily standup summary. An admin first connects it to the tools and code it can access. After that, anyone in the channel can hand it work.

It is the clearest mainstream example yet of a pattern every major AI vendor is moving toward: the agent acts under its own identity, not yours. In a channel, Claude does not act as you or as anyone else in it. It acts as itself, under its own NHIs that an admin provisions. Anthropic calls the underlying access model agent identity. One agent, one set of access, shared by everyone in the channel.

What is an agent identity

Agent identity is an access model in which an AI agent is treated as its own security principal. It gets its own credentials, its own account in each system it touches, and its own audit trail, instead of borrowing the identity of the human who invokes it. The access question changes from "what can this user delegate to an agent?" to "what can this agent do, and in what context?"

What Anthropic actually built

Diagram showing how Claude Tag gives an AI agent its own identity to access systems like GitHub and monitoring from a Slack channel
Claude Tag's request path. A Slack channel reaches connected systems like GitHub and monitoring through Anthropic's sandbox, and an Agent Proxy injects the credential at the network boundary. Source: Anthropic, Claude Tag documentation.

Let’s get into the details. The agent never holds the credentials. When an admin connects a tool, the credential is stored separately, mapped to that channel's identity, and has the Agent Proxy inject it at the network boundary at request time. The proxy blocks outbound traffic to any host an admin has not allowed. Anthropic tells admins to scope each channel's access to its least-privileged member, and on Enterprise plans to decide who can invoke Claude at all.

Anthropic has said what is coming: just-in-time credential grants, and user-level checks that weigh the requester's own permissions and not only the channel's. For now, everyone in the channel gets the same capability.

What agent identity changes

Agent identity moves the access decision. It used to be per user, group or role,your identity team decided through requests and reviews, and it ran through your IGA. Now it is per agent, decided by who is in a channel. The grant your IGA was built to own just moved somewhere it cannot see.

Picture a private launch channel for a new billing feature. An admin has attached an access bundle to it: the named set of credentials, repository grants, and instructions Claude uses on behalf of anyone in the channel. This one connects the product analytics warehouse and reads access to two repositories, including the checkout service.

A marketer gets added for the launch. She has never been granted the warehouse, and she has never had those repos. She tags Claude and asks how many enterprise accounts signed up last week. She gets the number, straight from the warehouse. She could just as easily ask Claude to read the checkout service source and the API keys committed to it. No SSO prompt, no request, no approval. The Agent Proxy injected the credential at the boundary. Her own permissions were never checked, because in this model the channel's access counts, not the person's.

Then the feature ships. The channel goes quiet. The access bundle stays live, and so does everyone in it.

A Slack invite is now an access grant.

Why you won't run just one agent

Here is why this is bigger than Claude Tag. No enterprise runs a single agent. You will run Claude Tag, and Microsoft Copilot, and Glean, and something built in-house, and whatever launches next quarter. Each one arrives with its own identity model, its own credential store, its own audit log. Each is a non-human identity with standing access to real systems. 

Every vendor will harden its own product. Anthropic already is. But none of them governs the others, and none answers the question your security team has to answer across all of them: which agents exist, what can each one reach, who is allowed to use it, and who approved that.

Attribution is not Governance

This is where agent identity stops short. Because the agent acts under its own accounts, its actions show up cleanly in each tool's log. That is real and useful: attribution is solved, but governance is not.

Governance is the security team's side of the problem, and it is the same work non-human identities have always needed:

  • Discovery and ownership. Every agent credential is an NHI. It has to be found and given a human owner, not left as a shared account nobody is accountable for.
  • Consumer mapping. The credential is one thing. Its consumers are the channels attached to it, and the people in those channels are who can actually use it. Here is the credential, here are the channels that reach it, here are its members. That map turns an invisible grant into something you can review.
  • Lifecycle. Rotate, certify, decommission. Revoke the credentials given in the Access Bundle when a project ends. Recertify when membership changes.
  • One audit view. Attribution scattered across a dozen tools is not a trail your team can use. It has to come back together.

None of that is a feature any agent vendor is promising, because it is not a product feature. It is governance, and it has to span every platform at once.

Treat agents as the identities they are

The fix is not to keep agents out of Slack. They are useful there. The fix is to treat every agent connection as a non-human identity and govern it the way you already govern the rest: discovered, owned, mapped to its consumers, watched, and retired on a schedule, across every platform it shows up on.

Be clear about what Claude Tag is today. It is standing access: one credential set per channel, shared by everyone in it, live until an admin takes it away. Anthropic's roadmap moves toward just-in-time, per-task grants, and that is the right direction. But a perfectly scoped agent inside Slack is still one agent inside one product. It cannot tell you what your Copilot agent can reach, who can invoke the one you built in-house, or who approved any of it.

That is the gap the Oasis Platform closes, on two fronts. Agentic Access Management replaces standing access with intent-based access: it evaluates what an agent is trying to do and issues an ephemeral credential scoped to that task, which expires when the task ends. And because every agent credential is a non-human identity, Oasis governs it as part of your NHI estate: discovered, owned, mapped to who can actually use it, and decommissioned on schedule, wherever it runs. The vendors secure their own products. Governing the identities across all of them is a different job, and it does not come in the box.

Three questions for your team:

  • Which agents in your environment have their own standing access, and who owns each one?
  • For each, which channels or groups can invoke it, and who is in them right now?
  • When a project ends or someone leaves, what revokes the agent's access, and how would you prove it?

This is part one. Next, we get practical: how to find which channels and people can reach your systems through an agent, and how to bring that access under governance.

Frequently Asked Questions

Yes. An admin connects tools and code to a Slack channel, and from then on anyone in that channel can tag Claude to act on those systems, under the agent's own identity, not theirs. A person can have Claude read a repo or pull metrics they were never personally granted, because in this model the channel's access counts, not the individual's.

Agent identity is an access model where an AI agent acts under its own credentials instead of borrowing a user's. An admin provisions the agent its own non-human identities, and everyone in the channel shares that one set of access. It makes the agent's actions show up cleanly in each tool's logs. But attribution is not the same as governance.

Treat every agent connection as a non-human identity and govern it the way you already govern the rest: discover it, give it a human owner, map which channels and people can reach it, and rotate, certify, or revoke it on a schedule. No single vendor does this for you. Governance has to span every agent platform you run at once.