A scathing analysis posted to PromptQL on June 25 dismantles Anthropic's "Agent Identity" concept for Claude Tag, arguing the framework represents a security anti-pattern disguised as a new paradigm. The teardown, which surfaced on Hacker News with limited visibility, challenges each major claim Anthropic made about why agent-based systems need static privilege sets defined per-channel rather than enforcing user-level permissions.
What Agent Identity Actually Means
"Agent identity" is Anthropic's term for giving multiplayer AI agents a fixed set of privileges scoped to specific channels or groups, regardless of which human user is interacting with the system at any given moment. Under this model, Claude Tag operates under its own service account rather than acting on behalf of the person asking it to do something. The original Anthropic post argued that "act as user" breaks down in two scenarios: when agents need autonomous long-lived access to schedule tasks and respond to events after the requesting user has logged off, and when multiple people collaborate in shared threads with conflicting permission levels.
The Core Security Counterargument
The PromptQL analysis rejects both justifications outright. For autonomous scheduling, the author points out that OAuth server-side authentication was literally designed for this exact use case—granting services long-lived tokens to act on behalf of users without exposing credentials. Rather than building a new permission framework around channels as security boundaries, the author's advice is to pass your own HTTP client that injects user credentials per request. For shared thread scenarios involving multiple stakeholders with different clearance levels—like the three engineers and one PM debugging together in Anthropic's example—the solution is straightforward: have the agent adopt the identity of whoever it's responding to at any moment. "This is what a human would do," the analysis states, "and is a natural and expected experience. If the PM asks to update the spec, allow it. Disallow the engineers. If the PM wants to update DNS, disallow it, but allow the engineers."
The Audit Trail Problem Nobody Is Talking About
Perhaps the most damning critique concerns logging and security auditing. Anthropic's framing presents agent-level actions landing in "each connected system's own logs" as a feature. The PromptQL author calls this a "huge problem" because no existing security or compliance framework is built around channel identifiers—they operate on users and data classification. When something goes wrong, knowing it happened in the #frontend-engg Slack channel provides zero actionable forensic information.
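The PM-and-engineers thread and the audit point above can be worked through in code. This is an added example, not taken from the PromptQL post or from Anthropic; the user names, action strings, permission table and the channel's privilege set are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data; every name below is hypothetical.
USER_PERMISSIONS = {
    "pm_dana": {"spec:update"},
    "eng_lee": {"dns:update"},
    "eng_kim": {"dns:update"},
}
# Assumed channel-scoped grant: one fixed set for everyone in the channel.
CHANNEL_PRIVILEGES = {"#frontend-engg": {"spec:update", "dns:update"}}

@dataclass(frozen=True)
class AuditEvent:
    user: str      # the human the agent acted for (authorization subject)
    channel: str   # recorded as context only
    action: str
    allowed: bool

def channel_scoped_allows(channel: str, action: str) -> bool:
    """Agent-identity model: the speaker is never consulted."""
    return action in CHANNEL_PRIVILEGES.get(channel, set())

def act_as_user(speaker: str, channel: str, action: str, log: list) -> bool:
    """Authorize against the speaker's own permissions; unknown users are denied."""
    allowed = action in USER_PERMISSIONS.get(speaker, set())
    log.append(AuditEvent(speaker, channel, action, allowed))
    return allowed

THREAD = [  # constructed messages: (speaker, requested action)
    ("pm_dana", "spec:update"),
    ("eng_lee", "spec:update"),
    ("pm_dana", "dns:update"),
    ("eng_kim", "dns:update"),
    ("guest_zed", "dns:update"),
]

def replay_thread(channel: str = "#frontend-engg"):
    """Return (per-user decisions, channel-scoped decisions, audit log)."""
    log: list = []
    per_user = [act_as_user(u, channel, a, log) for u, a in THREAD]
    per_channel = [channel_scoped_allows(channel, a) for _, a in THREAD]
    return per_user, per_channel, log

if __name__ == "__main__":
    per_user, per_channel, log = replay_thread()
    for event, chan_ok in zip(log, per_channel):
        print(event, "| channel-scoped would allow:", chan_ok)
```

Under the assumed channel grant every request in the thread succeeds regardless of speaker, while the per-user check denies three of the five and leaves an audit record keyed to a named user for each decision.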
Anthropic's Motives Under Scrutiny
The analysis doesn't pull punches when theorizing why Anthropic would push an apparently inferior security model. Two motivations surface: lock-in at both the model layer and the data access layer. "Building Claude Tag takes about 30 minutes for a prototype and about a day for something production-grade with a pass-through user identity auth mechanism," the author notes, suggesting the complexity is artificial. More pointedly, the analysis flags Fable 5's shift away from zero data retention—meaning chat transcripts are now actively analyzed by Anthropic systems.
Inside Claude Tag's Actual Prompt
The teardown includes a revealing look at Claude Tag's Slackbot prompt, which governs how the system introduces itself and manages conversation flow. The prompt instructs Claude to classify channels as PERSONAL, BROADCAST, or TEAM based on member count and naming conventions, then enforce strict tool budgets—maximum one fetch_channel call and two searches before posting its first reply. "Do yourself a favor and build your own company AI slackbot," the author concludes. "You'll probably do a better job than the prompt above anyway."
Key Takeaways
- Agent identity creates confused deputy risks that user-identity enforcement eliminates entirely
- OAuth server-side authentication already solves long-lived token access for autonomous agents
- Channel-scoped permissions break audit trails since security frameworks operate on users, not channels
- Anthropic's data retention policy change means Slack threads go to their servers for analysis
The Bottom Line
Anthropic's Agent Identity framing reeks of solution-first engineering—building toward a product lock-in story rather than solving actual security problems. User-identity enforcement is simpler, more auditable, and already understood by enterprise security teams. If Claude Tag requires channel-scoped permissions to function, that's a fundamental architecture problem, not an emerging paradigm.