
How We Built Accountable Identity for Shuni, Our AI Coding Agent

Blog post from Descope

Post Details
Author: Omer Cohen
Word Count: 2,121
Language: English
Summary

Shuni, a coding agent developed by Descope, is an AI agent designed to automate coding tasks within the company's GitHub organization while ensuring secure and accountable identity management. Inspired by a team member's dog, Shuni is invoked by being mentioned on a GitHub issue and then creates pull requests attributed to the engineer who invoked it. This attribution is made possible by a system that securely stores OAuth grants instead of relying on shared bot credentials, so that every action Shuni takes is attributable to a specific user.

The architecture rests on four key identity decisions: authenticating the human user, issuing a scoped credential, preserving the delegation chain, and allowing for easy revocation. Together, these ensure that engineers remain accountable for Shuni's actions. The system is designed to minimize security risks such as credential leaks and to streamline agent offboarding.

The principles applied in Shuni's design are recommended for any AI agent acting on behalf of users: user-scoped credentials, provable attribution, and separation of authentication from authorization. Moving forward, Descope plans to enhance Shuni's capabilities by integrating its internal tools with broader organizational policies and secure agent infrastructure, further showcasing the significance of identity management in AI deployment.