User-scoped auth vs service accounts for AI agents
Quick answer
Section titled “Quick answer”Use user-scoped auth when the agent should inherit the user’s visibility, permissions, and audit trail. Use a service account only when the task is truly system-owned, narrowly bounded, and easier to govern as infrastructure than as delegated user action.
The expensive mistake is defaulting to service accounts because they are convenient. That usually expands power faster than review discipline.
Why this boundary matters
Section titled “Why this boundary matters”Once agents can search docs, read tickets, edit records, or trigger automation, the real control problem is no longer the model. It is the identity under which the tool call runs.
That determines:
- what the agent can see,
- what it can change,
- who the action appears to belong to,
- and how approvals should work.
The healthiest default
Section titled “The healthiest default”For user-facing agent systems, the healthiest default is:
- user-scoped auth for user-owned context and actions,
- service accounts for narrow system tasks,
- and explicit approval when the agent crosses into higher-risk actions.
This keeps authority closer to the actor who requested the work.
When user-scoped auth is the right answer
Section titled “When user-scoped auth is the right answer”User-scoped auth is usually better when:
- the action should respect the requesting user’s permissions,
- the user should only see what they already have access to,
- audit trails need to map cleanly back to the requester,
- or the workflow depends on user-specific scope in systems like docs, CRM, issue trackers, or files.
This is often the right model for internal copilots and workspace assistants.
When service accounts make sense
Section titled “When service accounts make sense”Service accounts are more appropriate when:
- the task is system-owned rather than user-owned,
- the workflow is tightly bounded and repeatable,
- permissions can be minimized and monitored centrally,
- and the organization is ready to own stronger policy around that system identity.
Examples include:
- nightly sync jobs,
- index refreshes,
- bounded background processing,
- or system-level maintenance tasks.
Where teams go wrong
Section titled “Where teams go wrong”The most common failure modes are:
- service accounts used because delegated auth feels annoying,
- broad system identities reused across too many tools,
- user intent without user authority,
- and audit logs that show the system acted but not whose request caused it.
That creates governance debt fast.
The control rule that usually works
Section titled “The control rule that usually works”Use this split:
| Task class | Healthier auth model |
|---|---|
| User-specific search and read access | User-scoped |
| User-requested edits in user-owned scope | User-scoped plus approval as needed |
| Shared background maintenance jobs | Service account |
| High-risk write operations | Narrow identity plus approval, often not fully autonomous |
This is simpler and safer than trying to make one auth model fit every tool.
Approval design changes with auth choice
Section titled “Approval design changes with auth choice”If the agent uses user-scoped auth, approvals can often be modeled as:
- user confirmation,
- role-based policy,
- or workflow-specific gating.
If the agent uses a service account, approvals need to be stricter because the system identity can otherwise outrun normal user boundaries.