The Agent Got Its Own Account

For two years, an agent was legally and technically an extension of you. It ran under your subscription, your OS user, your API keys, your OAuth session. The first ten days of June 2026 ended that arrangement from three directions at once: Anthropic gave agents a separate bill, Microsoft gave them a separate kernel-enforced permission boundary, and the credential layer settled on never letting them hold a secret at all. None of these shipped as an “agent identity” product. Together, that’s exactly what they are. The agent is becoming a first-class principal — something you onboard, budget, and scope like a service account, not a feature you toggle on.

The bill split first

On June 2, Anthropic announced that starting June 15, programmatic Claude usage stops drawing from subscription limits. The Agent SDK, claude -p headless runs, Claude Code GitHub Actions, and third-party apps authenticating through the SDK all move to a separate monthly credit pool billed at API rates — $20 on Pro,$100 on Max 5x, $200 on Max 20x, per-user, no rollover. Interactive use is untouched.

The stated rationale is an infrastructure mismatch: Anthropic’s serving stack is optimized for conversational patterns with heavy prompt-cache reuse, and third-party agent harnesses routinely bypass that, reprocessing context from scratch on every call. Their analysis found users extracting roughly $236 of API-equivalent compute from a$20 Pro plan. Whatever you think of the pricing, the structural move matters more than the numbers: the human and the agent now have separate meters. “Human at keyboard” and “loop in cron” are different workloads with different economics, and the platform now encodes that distinction in billing.

There’s an operational trap in the details. When the credit pool depletes, automated requests fail — and overflow billing is off by default. If you run anything on the Agent SDK or headless mode, your agent now needs the same budget alarms you’d give any metered service, because June 15 is the day “it just uses my subscription” stops being true.

Permissions became a manifest, and the kernel enforces it

At Build 2026 on June 2, Microsoft launched MXC (Microsoft Execution Containers), an OS-level sandbox that enforces agent permissions at the Windows kernel. The model is deliberately borrowed from mobile: developers declare what an agent can access — file scopes, network scopes, which applications it may launch — and the OS enforces those declarations at runtime. OpenAI, Nvidia, Manus, Nous Research, and the OpenClaw project are integrating at launch, with enterprise pilots expected in H2 2026.

This is a bigger conceptual shift than another sandbox. The microVM and gVisor isolation story was about containing code the agent writes. MXC is about constraining the agent itself as an installed actor on a corporate endpoint — the difference between sandboxing a script’s output and giving the worker a badge that only opens certain doors. Until now, most agent restrictions were honor-system: prompt instructions, harness-level allowlists, things a confused or injected model can walk past. Kernel enforcement doesn’t care how persuasive the injection was.

The same capability-based shape is appearing one layer up. The June 2 revision of Agent Skills for Large Language Models — the most thorough survey yet of the skills abstraction — found that 26.1% of community-contributed skills contain vulnerabilities, and proposes a four-tier, gate-based governance framework that links a skill’s provenance to the permissions it’s granted at deployment. Capability manifests at the OS level, capability gates at the skill level: the field is converging on the same answer, which is that what an agent may do should be a declared, enforced artifact — not an emergent property of its prompt.

The agent never holds the key

The third piece is the quietest and the most elegant. On June 9, Anthropic’s Managed Agents beta added scheduled deployments and vault-stored environment variables. Scheduled deployments give an agent a cron expression; each firing starts a fresh session that does its work with no human present. Which immediately raises the question every enterprise IAM team has been asking: if no human is in the loop, whose identity is the agent borrowing?

Anthropic’s answer: nobody’s, and it never touches the credential. You register an API key in a vault with an environment variable name and an allowed-domain list. The sandbox only ever holds a placeholder — the real key is attached at the network boundary, and only on requests to domains you’ve approved. The agent can be fully prompt-injected and still cannot exfiltrate a secret it has never seen. Browserbase and Kernel CLIs ride this mechanism to give Managed Agents browser access without handing the model a session token.

This is the production version of what the Cloud Security Alliance argued in May in AI Agent Identity Is Being Solved Backwards: because you cannot predict an agent’s execution path, you cannot scope its credentials before it runs — so credentials must be issued at runtime, per task, short-lived, and key-bound, with delegation chains that can only narrow. Vault placeholders and ephemeral SPIFFE identities are different mechanisms aimed at the same invariant: the model’s context window is not a credential store.

Onboard it like a contractor

Put the three together and the pattern is hard to miss. A principal, in the IAM sense, is something with its own budget, its own declared permissions, its own credentials, and its own audit trail. As of this month, agents have all four — billing identity from Anthropic, runtime permission boundary from Microsoft, credential isolation from the vault pattern, and the audit trail falls out of the rest.

The practical takeaway for builders: stop treating agent enablement as a feature flag and start treating it as onboarding. Before an agent runs unattended, it should have a budget with an alarm, a written capability manifest (even if your platform can’t enforce one yet — MXC-style enforcement is coming to yours), and zero long-lived secrets in its environment. Teams that already run service accounts properly will find none of this novel. That’s the point — the agent just became one.

Worth bookmarking

• What’s new in Claude Managed Agents — scheduled deployments and the vault placeholder mechanism, in Anthropic’s own words.
• Scaling Managed Agents: Decoupling the brain from the hands — the engineering companion on the architecture underneath.
• Microsoft MXC launch coverage — kernel-enforced agent permissions on Windows.
• Agent Skills for Large Language Models — the survey on skill architecture, acquisition, and the four-tier permission framework.
• AI Agent Identity Is Being Solved Backwards — the ephemeral credentialing pattern that the vault approach now ships in practice.
• Anthropic credit pool change — the June 15 billing split and what it covers.