Podcast
When governments meet agentic AI: identity, sovereignty, and the urgency to act
Veriff CTO Hubert Behaghel and AI policy expert Luukas Ilves explore what the agentic state means for public administration – and why identity is the foundation on which everything else depends.
What happens when AI agents don’t just assist the government, but start to run it? Not answering questions or summarising documents, but initiating procurement processes, triaging disaster relief, checking regulatory compliance, issuing permits? And in that world, how do we know who – or what – we are actually dealing with?
In the second episode of the Veriff Voices Deepfakes Series, host Anisah Osman Britton brings together Hubert Behaghel, Chief Technology Officer at Veriff, and Luukas Ilves, AI advisor to the Government Office of Estonia and advisor to the Ministry of Digital Transformation of Ukraine. The conversation moves fast: from a landmark vision paper on agentic government, through the sovereignty dilemmas of AI dependency, to the specific security risks that autonomous systems introduce – and, ultimately, to why robust identity infrastructure is not a feature of this future but its precondition.
Produced by Any Other Business
The agentic state: what it is, and why it matters now
The conversation opens with the paper that prompted Luukas Ilves’ invitation: a reference work on what he calls the “agentic state” – a model of government reimagined around the capabilities of autonomous AI agents. The intellectual project, he explains, was to break down what government actually does into its component tasks and workflows, then think carefully through how each of those is transformed when agents can perform them.
The urgency behind that project isn’t hypothetical. Governments, Ilves argues, have spent the last generation, five to ten years behind the private sector in digital transformation. The cost of that lag in the 2010s was friction and inefficiency. The cost of the same lag now, he warns, could be far higher, up to and including the functional collapse of public services in countries that fail to keep pace.
But it’s not just fear driving the agenda. The pull factors are equally compelling. Governments stand to unlock genuinely transformative capabilities: multimodal, proactive citizen services; regulatory compliance processes flipped on their head, with companies generating agentic proofs of compliance rather than wading through bureaucratic reporting; procurement – 11% of world GDP – redesigned around agentic buying. And in crisis scenarios, the difference between a contact center handling a hundred flood-affected residents at once and agents engaging every person in a flooding zone simultaneously, in real time, triaging and dispatching support as they go.
“Time is running out for government adaptation,” Ilves says, but equally, “governments can unlock core capabilities with agents” that were simply impossible before.
Estonia as a model and its limits
Hubert Behaghel presses Ilves on Estonia, the country that has become the world’s reference point for government digital transformation. The Estonian story, Ilves clarifies, is less about government leading the private sector than about a genuine co-evolution: a country rebuilding from scratch in the 1990s, an economy hungry for a competitive edge, a banking sector that produced the world’s first consumer online bank, and a government that chose to digitize in parallel rather than wait.
The lesson he takes from that history isn’t that Estonia’s model can be replicated wholesale. It’s that the co-evolution mattered, that neither government nor economy could have done it alone, and that the ecosystem of partnerships and shared infrastructure was as important as any individual technology choice.
Ukraine, where Ilves also works, offers a different but equally instructive case: a country that has had to leverage technology to survive under a full-scale invasion, and that now faces the challenge of rebuilding – planning, permitting, procurement, health, and mental health – on an enormous scale. The only way those outcomes are achievable, he argues, is with the capabilities agents can now provide.
Sovereignty and the dependency question
The conversation turns to one of the most contested topics in European tech policy: what does it mean to build agentic government infrastructure on top of models and platforms you don’t control? Anisah Osman Britton frames it directly – so much of what governments are building sits on top of US large language models. Is dependency a risk you can manage, or a trap?
Ilves’ answer is characteristically precise. The problem with “sovereignty” as a framing, he argues, is that it focuses attention entirely on the negative – all the things that could go wrong – without forcing a definition of what success looks like. Before you can manage dependencies rationally, you need to know what outcomes you’re trying to protect. Ask what your dependence is at every layer of the tech stack, he warns, and you will either become paralyzed or conclude you need to rebuild everything, a cost that would run to hundreds of billions for any mid-to-large country, for capabilities that may still not be truly autonomous.
The more useful frame: understand your critical business processes, identify which dependencies create genuine vulnerabilities in those processes, and build your architecture with fallback options. “Focus on outcomes, not dependencies,” is how he distills it – use the best tools available while ensuring you’re not locked in without alternatives.
Behaghel adds the ecosystem dimension: the identity verification industry, unlike some adjacent sectors, has no dominant global player. That fragmentation creates both vulnerability and opportunity. The question is who brings the right stack and the right partnerships together first.
Navigating the technical and non-technical divide
One of the more nuanced exchanges of the episode concerns the human change-management problem within large organizations, and specifically governments. Ilves pushes back gently on a common assumption: that the challenge is getting “non-technical” people to adopt tools designed for technical ones. That framing, he argues, is already out of date.
A lawyer, a doctor, or a social scientist who has spent a day working with an agent can become an extraordinarily capable orchestrator of complex workflows. The tools have become fluent enough that the real variable is exposure, not technical background. His wife, who works in public health and is not a technologist, set up Claude Code on his suggestion and, within a day, built workflows that tripled her productivity. The problem isn’t capability, it’s getting enough people through that first encounter.
The harder problem is doing this at scale, in large organizations, without reliable playbooks for what makes the transition work. What seems to matter most, Ilves says, is not lectures but hands-on exposure, ideally with someone who has done it before: a kind of knowledge transmission that spreads like, as he puts it, religion.
Security risks in an agentic world
Here, the conversation becomes sharper-edged. Ilves identifies a specific risk that he believes hasn’t hit at scale yet but is coming: injection attacks on autonomous systems. In a world where agents go out and gather information on behalf of users, an attacker who knows what a foreign ministry analyst’s agent is likely to research can plant malicious payloads in PDFs on relevant topics across the public web. The agent pulls them in, the injection occurs, and the system is compromised, without the human ever being meaningfully in the loop.
“There are a lot of people who are otherwise very security conscious who are practicing the sort of technical equivalent of very unsafe intercourse right now when they let agents on their machines go out and do things,” he says.
Behaghel connects this to a structural shift in how we need to think about online interactions. The internet was designed for humans. Bots were the exception, something to be eliminated. Now, humans and agents operate on the same platforms, and the challenge is no longer elimination but verification. Every interaction must be treated as potentially agentic or human, with the ability to escalate to a human preserved at any time. And every interaction needs a trail – an audit record – because accountability and legitimacy are now the questions that everything else depends on.
There are a lot of people who are otherwise very security-conscious who are practicing the sort of technical equivalent of very unsafe intercourse right now when they let agents on their machines go out and do things.
Identity as the enabler of enablers
Behaghel raises the challenge directly: in Ilves’ vision of the agentic state, is identity not just important but the foundation on which everything else is built? And is the current state of identity infrastructure, even with frameworks like eIDAS 2, actually mature enough to support what’s being proposed?
Ilves concedes the point. The problem of identity in an agentic world, he explains, has two layers that don’t yet have clear answers.
The first is simply having reliable identifiers attached to humans, verifiable credentials that can’t be spoofed by deepfakes. He cites Estonia’s own experience: not technical compromises of the underlying system, but credentials being phished and used by criminals. Biometrics, he argues, address exactly that problem: if there is a biometric check at the point of use, you know the credential is being held by the right person. Ukraine has had biometrics baked into its digital identity stack from the start.
The second layer is more novel: when the interaction mode is no longer a human directly engaging with a service, but an agent acting on that human’s behalf, what does identity even mean? “Now that there is an interaction online, you need to be able to assume it could be an agentic interaction or a human interaction. And you need to be able to escalate to a human being at any moment in time,” Behaghel describes.
The same frameworks for limited delegation that apply to human accountants or lawyers – the ability to grant specific, bounded authorities rather than blanket access – need to extend to agents. Estonia is actively exploring what that looks like technically: proposals have been floated for “agent residency” modeled on e-residency, and for issuing identity codes to agents analogous to the personal identity codes given to citizens.
The question of whether that requires new infrastructure or can piggyback on existing systems is unresolved. So is the question of whether it’s a public or private function. Ilves is clear that it’s probably not purely public – global standards will matter, and private intermediaries will play a significant role – but there is almost certainly a public role in certifying and guiding those intermediaries.
Now that there is an interaction online, you need to be able to assume it could be an agentic interaction or a human interaction. And you need to be able to escalate to a human being at any moment in time.
Guardrails: the honest answer is we’re not there yet
The closing section tackles the guardrails question directly: as agents are given more authority to act, how do we constrain the ones that go wrong?
Ilves is candid that there is no answer yet. He frames it in terms of two types of guardrails: those built into the agentic system itself and those built into the environment the system interacts with. What we can say is that guardrails should be calibrated to risk — the reversibility of a decision, its impact on natural persons versus legal persons, and the severity of potential adverse effects. He would want far stronger controls around moving money than around a regulatory process where a mistake can be corrected. Building permit issuance, where an error has economic consequences, demands different guardrails than a decision touching someone’s immediate medical or financial welfare.
But the abstract principles, he argues, can only take you so far. The real answers have to come empirically, from deploying these systems in controlled ways on lower-risk processes, observing how the controls actually work in practice, learning what cognitive biases emerge in human oversight, and iterating. Starting with the highest-risk applications is clearly wrong. But so is waiting until everything is theoretically worked out.
Behaghel returns to the ecosystem argument: the internet itself, the infrastructure everything here runs on, was designed by academics, not commercial actors, and that matters. He is wary of a world in which commercial interests alone shape the standards governing agentic interactions. Governments and academic institutions, he believes, need to be in the room where those standards are set, not merely consulted after the fact.
Ilves closes with a counterpoint he clearly cares about: for all the legitimate risk discussion, there is an equally serious risk in non-use. The potential of agents to address the fundamental bottlenecks in healthcare, education, and public services – to provide cognitive support and personalized attention that would otherwise require armies of professionals – is genuinely large. “I wouldn’t want to return to the nineteenth century for all the horrors of the twentieth century,” he says, reaching for an analogy that captures the stakes of not embracing transformative technology alongside the challenge of managing its risks.
Listen to the full episode
This is episode two of the Veriff Voices Deepfakes Series. Catch the full conversation between Hubert Behaghel and Luukas Ilves, and stay tuned for more episodes in the series.